Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that use online IT services, cloud-based services, remote access services and global HR databases. Understanding how lawful data transfer mechanisms apply is essential when validating recipients located outside Japan.
In Japan, the Amended Act on the Protection of Personal Information (2016) provides that personal data may be transferred outside Japan when:
- consent is obtained in advance from the data subject (note: consent is not required in a few cases such as when the transfer is based on Japanese laws or regulations);
- the Personal Information Protection Commission (PIPC) recognizes a foreign country as having protections at least equal to Japan's; or,
- a third party establishes a system that continually conforms to the standards prescribed by the Personal Information Protection Commission, or is certified under an international data protection regulation admitted by the PIPC, such as APEC’s Cross Border Privacy Rules.
Before transferring sensitive personal information, described as “special care-required personal information” in the Act, to a third party inside or outside Japan, you must request consent, with limited exceptions (such as when the data collection is required by law). For additional details, see the Employee Consent section.
The Japanese national identification number, My Number, should typically remain with the Japanese entity. Generally, the employer is prohibited from transferring employees' (and other data subjects’) My Number data to third parties, including group companies, even with employee consent. The exception is when a Japanese entity delegates the handling of My Number data to a vendor for the statutory purposes of tax, social insurance and assistance in natural disasters.
HR Best Practices: Update consent forms to include details about international data transfers, unless the foreign country has been recognized by the Commission as having equal protection of individual rights. Japan and the European Union have an agreement in place that allows most personal data transfers between Japan and EU member countries (i.e., these countries are considered to have “adequate” personal data protection regulations and practices). The UK is also recognized as having adequate protections in place.
Alternatively, consider establishing a personal data management process and security standard that meets the standards prescribed by the Commission.