Special Topics

Legislation for the Protection of Personal Information in Countries for which the Personal Information Protection Commission does not provide information

Under the revised Act on Protection of Personal Information (APPI) that went into effect on April 1, 2022, there are many cases where it is necessary to investigate foreign legislation for the protection of personal information. Typical situations include, for example, using foreign cloud services or data centers, outsourcing to foreign vendors, sharing information with foreign group companies, and providing information to foreign companies or government agencies.

As it is difficult for private companies to investigate the legislation of other countries/jurisdictions themselves, the Personal Information Protection Commission (PPC) has published the results of its investigations into the legislation of the 40 foreign countries/jurisdictions listed below on its “Legislation of Foreign Countries/Jurisdictions” webpage.

□ United States (Federal), □ United States (Illinois), □ United States (California), □ United States (New York), □ United Arab Emirates (Federal), □ United Arab Emirates (ADGM), □ United Arab Emirates (DHC), □ United Arab Emirates (DIFC), □ India, □ Indonesia, □ Ukraine, □ Australia, □ Canada, □ Cambodia, □ Singapore, □ Switzerland, □ Thailand, □ Republic of Korea, □ Taiwan, □ China, □ Turkey, □ New Zealand, □ Philippines, □ Brazil, □ Viet Nam, □ Hong Kong, □ Malaysia, □ Myanmar, □ Mexico, □ Lao People’s Democratic Republic, □ Russian Federation, □ Israel, □ Qatar, □ Costa Rica, □ Tunisia, □ Panama, □ Peru, □ South Africa, □ Morocco, □ Mongolia

These investigations need to be regularly updated (see Article 18.1.1 of the Enforcement Rules). Therefore, Ushijima and Partners has asked foreign law firms to check whether any updates to the PPC's investigation reports are necessary, and has published the results on this webpage.

In addition, it seems to be even more difficult for private companies to investigate foreign legislation on their own for countries/jurisdictions other than the 40 mentioned above. Therefore, Ushijima and Partners has asked foreign law firms to investigate the personal information protection laws and other systems related to the protection of personal information in their jurisdictions, and has published the results on this webpage.
(Last update: October 10, 2023)

Update of “Legislation of Foreign Countries/Jurisdictions” by the PPC

The red portions indicate the updates from the original text by the PPC. Please note that we regularly check for updates, and the absence of an update does not mean that there is no update for a country/jurisdiction not listed in this section.

Legislation of countries/jurisdictions for which the PPC does not provide information

The background of this survey is as follows.

Obligation to investigate foreign legal systems

The amended APPI, which went into effect on April 1, 2022, makes it necessary to understand foreign legislation for the protection of personal information.

Specifically, the APPI addresses the following situations:

Article 23 (Security Control Measures): General Guidelines (Attachment) 10-7

“10-7 Understanding the external environment”

When a business operator handling personal information handles personal data in a foreign country, the business operator must take necessary and appropriate measures for the secure management of personal data after understanding the legislation, etc., concerning the protection of personal information in that foreign country.

Article 32 (Publication of Matters Concerning Retained Personal Data, etc.): General Guidelines 3-8-1(1)

(Understanding the external environment)

(Example) Implementing safety control measures after understanding the legislation for the protection of personal information in “Country A” where personal data is stored.

Article 28(2) (provision of personal data to a third party located in a foreign country based on “consent”)

(Regulation 17(2))

The provision of information pursuant to Article 28, paragraph (2) of APPI or Article 31, paragraph (1), item (ii) of APPI shall be made with respect to the following matters:

(1) Name of the foreign country concerned

(2) Information on the legislation for the protection of personal information in the foreign country concerned obtained by appropriate and reasonable means

(3) Information on measures taken by the third party to protect personal information

Article 28(3) (Provision of personal data to a third party located in a foreign country based on “implementation of appropriate measures”)

(Regulation 18.1)

The measures necessary to ensure the continuous implementation of the appropriate measures by a third party located in a foreign country pursuant to the provisions of Article 28, paragraph (3) of APPI (including cases where it is applied mutatis mutandis by replacing the relevant terms in Article 31, paragraph (2) of APPI) shall be the following measures:

(1) Periodically confirming, in an appropriate and reasonable manner, the status of implementation of the relevant equivalent measures by the third party and the existence or non-existence of any foreign system that may affect the implementation of the relevant appropriate measures, and the details thereof.

(2) If any hindrance arises in the implementation of the appropriate measures by the third party, to take necessary and appropriate measures, and if it becomes difficult to ensure the continuous implementation of the appropriate measures, suspend the provision of personal data (in the case where the term “personal data” is used in Article 31, Paragraph 2 of the Act, as applied mutatis mutandis by replacing it with the term “personally referable information”) to the third party.

Provision of Information by the PPC and Investigations by Ushijima and Partners

As stated above, the PPC published its reports on its website for the following 40 countries/jurisdictions.

□ United States (Federal), □ United States (Illinois), □ United States (California), □ United States (New York), □ United Arab Emirates (Federal), □ United Arab Emirates (ADGM), □ United Arab Emirates (DHC), □ United Arab Emirates (DIFC), □ India, □ Indonesia, □ Ukraine, □ Australia, □ Canada, □ Cambodia, □ Singapore, □ Switzerland, □ Thailand, □ Korea, □ Taiwan, □ China, □ Turkey, □ New Zealand, □ Philippines, □ Brazil, □ Vietnam, □ Hong Kong, □ Malaysia, □ Myanmar, □ Mexico, □ Laos, □ Russia, □ Israel, □ Qatar, □ Costa Rica, □ Tunisia, □ Panama, □ Peru, □ South Africa, □ Morocco, □ Mongolia

However, the PPC has not updated the results of these investigations. Transferring personal information to countries not covered by the PPC’s survey requires an independent investigation.

Therefore, we have decided to publish the results of investigations into any necessary updates, conducted by local law firms, for the jurisdictions for which we have received requests from our clients. We would like to express our deepest gratitude to our clients and to the law firms in each jurisdiction that have consented to our publication.

Please note that we are not responsible for the accuracy or validity of the survey results, and we ask that you use the survey results at your own discretion.

What this survey covers and what it does not cover

The purpose of the PPC’s survey and our survey is to cover the aforementioned understanding of the external environment under Articles 23 and 32 of the APPI, as well as the survey of the legislation under Article 28 of the APPI. This is to clarify what kinds of protections are available and what kinds of risks for the data subjects are involved when a Japanese business operator handling personal information transfers such personal information overseas. This means that this investigation is necessary for the transfer of personal information from Japan to a foreign country.

However, this does not cover the measures that companies need to take to process personal information in foreign countries. This is because it is necessary to: (1) comply with the local laws and regulations necessary for companies to process personal information, and (2) comply with the laws and regulations for the transfer of personal information from that foreign country to Japan.

In (1), typical issues include, for example, what information needs to be provided in privacy policies or privacy notices, whether consent or another legal basis is required for processing personal information, and whether notification to authorities is required.

In (2), there are many countries where it is necessary to conclude an agreement (e.g., Data Transfer Agreement) or obtain the consent of the data subject to comply with the regulations when transferring the information to a foreign country.

Ushijima and Partners has a great deal of experience in establishing global information management systems for our clients that comply with these foreign laws and regulations.

We assist our clients with data mapping, drafting of global privacy policies, internal rules for personal information management, various detailed internal regulations and templates, and employee training. Ushijima and Partners can utilize its global network of law firms to carry out global projects as a one-stop, integrated solution, including reviews by local attorneys in various countries around the world.