Four Exceptions Permitting Cross-Border Transfers of Personal Data from Japan Without Data Subject Consent

1. Introduction

The cross-border transfer of personal data has become an essential feature of modern economic and technological activity. As businesses increasingly rely on global cloud services, international outsourcing arrangements, and multinational corporate structures, personal data frequently moves across national borders as part of ordinary business operations.

In Japan, the legal framework governing the protection and transfer of personal data is primarily established under the Act on the Protection of Personal Information (J-APPI), together with its enforcement rules and the guidelines issued by the Personal Information Protection Commission (PPC). These rules aim to balance two key objectives: protecting the rights and interests of individuals while enabling the legitimate international flow of data necessary for global economic activities.

Because personal data transferred to foreign jurisdictions may be subject to different legal systems and regulatory standards, the J-APPI establishes specific requirements for transferring personal data to foreign third parties. Article 28 of the J-APPI provides the main legal framework governing cross-border data transfers.

As a general rule, Japanese business operators must obtain the consent of the data subject before transferring personal data to a third party located outside Japan. However, the law also provides several mechanisms under which such transfers may occur without obtaining the data subject’s consent. These mechanisms allow businesses to continue operating efficiently in the global digital economy while ensuring that personal data remains adequately protected.

2. General Rule: Data Subject Consent

Under Article 28(1) of the J-APPI, when a business operator in Japan provides personal data to a third party located in a foreign country, the operator must generally obtain the prior consent of the data subject. Importantly, the consent must specifically relate to the overseas transfer of personal data. The data subject must be informed that the personal data will be transferred to a foreign country and must agree to such transfer.

3. Exception 1: Transfers to Countries with Equivalent Data Protection

The first exception applies where personal data is transferred to a country that has been officially recognized as having a level of personal data protection equivalent to that of Japan.

Currently, Japan recognizes the European Union and the United Kingdom as jurisdictions with equivalent levels of personal data protection. Personal data can therefore be transferred to organizations in these jurisdictions without obtaining the data subject’s consent, provided that other J-APPI requirements are satisfied.

However, this exemption generally applies only when the transfer occurs under three certain legal bases:

  1. business outsourcing (in Japanese as “業務委託”)
  2. joint use of personal data (in Japanese as “共同利用”)
  3. business succession, such as mergers or corporate acquisitions (in Japanese as “合併・事業承継”)

If the transfer falls outside these situations, consent from the data subject may still be required.

4. Exception 2: Ensuring Equivalent Safeguards Through Contracts

Another mechanism allows cross-border transfers without obtaining the data subject’s consent when the foreign recipient has implemented safeguards equivalent to those required under J-APPI.

In practice, this requirement is typically satisfied through contractual arrangements between the Japanese data exporter and the foreign recipient. These agreements often take the form of Data Processing Agreements (DPA) or contractual clauses similar to Standard Contractual Clauses (SCCs). Such contracts usually require the foreign recipient to limit the use of personal data to specified purposes, implement appropriate security measures, restrict further disclosure, and cooperate with regulatory authorities.

Japanese companies must also conduct ongoing monitoring and supervision to ensure that these safeguards are properly implemented.

However, as same as Exception 1, such exemption generally applied only when transfer purpose limited to:

  1. business outsourcing
  2. joint use of personal data
  3. business succession

5. Exception 3: Certification Under International Privacy Frameworks

The third mechanism allows cross-border transfers without data subject consent when the foreign recipient has obtained certification under internationally recognized privacy frameworks.

In particular, certification under the APEC Cross-Border Privacy Rules (CBPR) System or the Global CBPR System may provide sufficient assurance that personal data will be handled appropriately. The subject consent is generally not required where transferring Japanese personal data to foreign company (which obtains such certification) and within the purpose of:

  1. business outsourcing
  2. joint use of personal data
  3. business succession

6. Exception 4: Public-Interest Exceptions Under Article 27

The final exception arises when the transfer falls within certain public-interest exceptions provided under Article 27 of the J-APPI.

These include situations where:

  1. disclosure required by law
  2. necessary to protect a person’s life, body, or property where consent is difficult to obtain
  3. necessary for public health or the sound development of children where consent is difficult
  4. necessary to cooperate with governmental duties
  5. unavoidable academic publication or teaching
  6. joint academic research
  7. academic research by the recipient institution

7. Conclusion

In practice, Exceptions (1) and (2) are commonly relied upon in B2B transactions in Japan, particularly where a Japanese company outsources work to an overseas entity. It should also be noted that the opt-out mechanism is not applicable to cross-border transfers, as it would be impractical to require an overseas company to complete the registration procedures in Japan.