Legislation for the Protection of Personal Information in Countries for which the Personal Information Protection Commission does not provide information
Under the revised Act on Protection of Personal Information (APPI) that went into effect on April 1, 2022, there are many cases where it is necessary to investigate foreign legislation for the protection of personal information. Typical situations include, for example, using foreign cloud services or data centers, outsourcing to foreign vendors, sharing information with foreign group companies, and providing information to foreign companies or government agencies.
However, while the Personal Information Protection Commission (PPC) has published the results of its investigations into the legislation of the 40 countries/jurisdictions mentioned below, it appears difficult for private companies to investigate the foreign legislation of other countries/jurisdictions.
Therefore, Ushijima and Partners surveyed foreign law firms on the legislation related to the protection of personal information in the following countries/jurisdictions:
The background of this survey is as follows.
Obligation to investigate foreign legal systems
The amended APPI which went into effect on April 1, 2022, makes it necessary to understand foreign legislation for the protection of personal information.
Specifically, the APPI addresses the following situations:
Article 23 (Security Control Measures): General Guidelines (Attachment) 10-7
“10-7 Understanding the external environment”
When a business operator handling personal information handles personal data in a foreign country, the business operator must take necessary and appropriate measures for the secure management of personal data after understanding the legislation, etc., concerning the protection of personal information in that foreign country.
Article 32 (Publication of Matters Concerning Retained Personal Data, etc.): General Guidelines 3-8-1(1)
(Understanding the external environment)
(Example) Implementing safety control measures after understanding the legislation for the protection of personal information in “Country A” where personal data is stored.
Article 28(2) (provision of personal data to a third party located in a foreign country based on “consent”)
The provision of information pursuant to Article 28, paragraph (2) of APPI or Article 31, paragraph (1), item (ii) of APPI shall be made with respect to the following matters:
(1) Name of the foreign country concerned
(2) Information on the legislation for the protection of personal information in the foreign country concerned obtained by appropriate and reasonable means
(3) Information on measures taken by the third party to protect personal information
Article 28(3) (Provision of personal data to a third party located in a foreign country based on “implementation of appropriate measures”)
The measures necessary to ensure the continuous implementation of the appropriate measures by a third party located in a foreign country pursuant to the provisions of Article 28, paragraph (3) of APPI (including cases where it is applied mutatis mutandis by replacing the relevant terms in Article 31, paragraph (2) of APPI) shall be the following measures:
(1) Periodically confirming, in an appropriate and reasonable manner, the status of implementation of the relevant equivalent measures by the third party and the existence or non-existence of any foreign system that may affect the implementation of the relevant appropriate measures, and the details thereof.
(2) If any hindrance arises in the implementation of the appropriate measures by the third party, taking necessary and appropriate measures, and, if it becomes difficult to ensure the continuous implementation of the appropriate measures, suspending the provision of personal data (or, where Article 31, paragraph (2) of the Act applies mutatis mutandis, the term “personal data” is read as “personally referable information”) to the third party.
Provision of Information by the PPC
For the following 31 countries/jurisdictions, the PPC published its reports on its website.
□ United States (Federal), □ United States (Illinois), □ United States (California), □ United States (New York), □ United Arab Emirates (Commonwealth), □ United Arab Emirates (ADGM), □ United Arab Emirates (DHC), □ DIFC, □ India, □ Indonesia, □ Ukraine, □ Australia, □ Canada, □ Cambodia, □ Singapore, □ Switzerland, □ Thailand, □ Korea, □ Taiwan, □ China, □ Turkey, □ New Zealand, □ Philippines, □ Brazil, □ Vietnam, □ Hong Kong, □ Malaysia, □ Myanmar, □ Mexico, □ Laos, □ Russia
In addition, the PPC published its reports of the following nine countries on April 28, 2022.
□ Israel, □ Qatar, □ Costa Rica, □ Tunisia, □ Panama, □ Peru, □ South Africa, □ Morocco, □ Mongolia
Investigation by Ushijima and Partners
However, transferring personal information to countries not covered by the PPC’s survey requires an independent investigation.
Therefore, we have decided to publish the results of investigations by local law firms for the jurisdictions in which we have received requests from our clients. We would like to express our deepest gratitude to our clients and to the law firms in each jurisdiction that have consented to our publication.
Please note that we are not responsible for the accuracy or validity of the survey results, and we ask that you use the survey results at your own discretion.
What this survey covers and what it does not cover
The purpose of the PPC’s survey and our survey is to cover the aforementioned understanding of the external environment under Articles 23 and 32 of the APPI, as well as the survey of the legislation under Article 28 of the APPI. This is to clarify what kinds of protections are available and what kinds of risks for the data subjects are involved when a Japanese business operator handling personal information transfers such personal information overseas. In other words, this investigation is what is required for the transfer of personal information from Japan to a foreign country.
However, this does not cover the measures that companies need to take to process personal information in the foreign countries themselves, namely the need to: (1) comply with the local laws and regulations that apply to companies processing personal information there, and (2) comply with the laws and regulations governing the transfer of personal information from such a foreign country to Japan.
In (1), typical issues include, for example, what information needs to be provided in privacy policies or privacy notices, whether consent or another legal basis is required for processing personal information, and whether notification to authorities is required.
In (2), there are many countries where it is necessary to conclude an agreement (e.g., Data Transfer Agreement) or obtain the consent of the data subject to comply with the regulations when transferring the information to a foreign country.
Ushijima and Partners has a great deal of experience in establishing global information management systems for our clients that comply with these foreign laws and regulations.
We assist our clients with data mapping, drafting of global privacy policies, internal rules for personal information management, various detailed internal regulations and templates, and employee training. Ushijima and Partners can utilize its global network of law firms to carry out global projects as a one-stop, integrated solution, including reviews by local attorneys in various countries around the world.