Are there any restrictions on transferring personal data and how can these be overcome?
Cross-border data transfers affect all organizations that use online IT services, cloud-based services, remote access services and global HR databases. Understanding how lawful data transfer mechanisms apply is essential to validate recipients located outside Japan.
In Japan, the Amended Act on the Protection of Personal Information (2016) provides that personal data may be transferred outside Japan when:
- consent is obtained in advance from the data subject (note: consent is not required in a few cases such as when the transfer is based on Japanese laws or regulations);
- the Personal Information Protection Commission (PIPC) recognizes a foreign country as having protections at least equal to Japan's (note: no countries are currently recognized as having adequate protections); or,
- a third party establishes a system that continually conforms to the standards prescribed by the Personal Information Protection Commission or is certified under an international data protection regulation admitted by the PIPC, such as APEC’s Cross Border Privacy Rules.
Before transferring sensitive personal information, described as “special care-required personal information” in the Act, to a third party inside or outside Japan, you must request consent, with limited exceptions (such as when the data collection is required by law). For additional details, see the Employee Consent section.
HR Best Practices: Update consent forms to include details about international data transfers, unless the foreign country has been recognized by the Commission as having equal protection of individual rights (Japan and the EU are likely to put an agreement in place sometime in 2018). Alternatively, consider establishing a personal data management process and security standard that meets the standards prescribed by the Commission. Some companies rely on the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) to transfer data outside of Japan. [1]
[1] Gardner, Stephen. 2017. "Moving Data Between Japan, U.S.? Use Asia Privacy Rules System." The Bureau of National Affairs, Inc. September 27. Accessed January 24, 2017. https://www.bna.com/moving-data-japan-n73014470193.
Led by PeopleDoc’s Chief Legal & Compliance Officer, the HR Compliance Assist team relies on a network of internal and external compliance experts and lawyers, including the global law firm Morgan Lewis, to provide clients with best practices and recommendations on topics such as HR document retention, employee data privacy, and HR electronic records. HR Compliance Assist also provides local compliance monitoring and alert services in select countries where PeopleDoc’s customers have employees. HR Compliance Assist is a service exclusively available to PeopleDoc customers.