Rules for transferring personal data overseas?

What the Law Says

The Act on the Protection of Personal Information (APPI) sets strict conditions for transferring personal data outside Japan. These rules aim to ensure that individuals’ rights remain protected even after data leaves Japanese jurisdiction.

Under the APPI, a business operator must obtain prior consent from the individual before transferring their personal data to a third party located in a foreign country — unless an exception applies.

One key exception is when the recipient country is designated by Japan’s Personal Information Protection Commission (PPC) as providing an 'adequate level of protection' — known as the 'third-country list'. Transfers to countries on this list do not require individual consent.

If no such designation applies, the business operator may still transfer data without consent if it ensures equivalent protective measures — for example, by signing a contract imposing APPI-compliant obligations on the foreign recipient.

Business operators must also keep records of all overseas transfers for at least one year, including the date, recipient’s name and location, and categories of data transferred.

Statutory Text

A business operator shall not provide a personal information database to a third party located in a foreign country without obtaining the prior consent of the relevant individual.

— Act on the Protection of Personal Information, s. 27 — Provision to Third Parties Located in Foreign Countries

Statutory Text

The Commission may designate a foreign country whose laws or practices provide a level of protection of personal information equivalent to that provided under this Act.

— Act on the Protection of Personal Information, s. 27(3) — Designation of Foreign Countries

What to Do

Sources