JAPAN Law and Practice Contributed by: Yoshifumi Onodera, Hiroyuki Tanaka, Naoto Shimamura and Rio Ichii, Mori Hamada & Matsumoto
If a handling operator uses cloud services, this may not be considered entrustment, in which case the aforesaid obligation under Article 25 of the APPI does not apply. Businesses that use cloud services must nevertheless exercise appropriate security control over the personal data stored in those services as part of their own duties.

3.3 Key Operational Resilience Obligations

The Comprehensive Guidelines for SMB require businesses to report to the authorities when they become aware of a computer system failure or cybersecurity incident, when they are recovering from such an incident, and when they have identified its cause. Where the business detects that a cyber-attack will have, or is highly likely to have, an impact on customers or its business, a report is required even if no system failure or incident has yet occurred. For details of the Comprehensive Guidelines, see 3.1 Scope of Financial Sector Operation Resilience Regulation.

3.4 Operational Resilience Enforcement

The FSA may impose administrative dispositions on financial businesses that may be violating, or may have violated, laws and regulations. Such dispositions include on-site inspections and orders to improve business operations.

3.5 International Data Transfers

For offshoring, there are special restrictions on the transfer of personal data to a foreign country. In principle, the APPI requires the transferor to obtain the prior consent of the individuals whose personal data will be transferred to a third party located in a foreign country (Article 28). In other words, the overseas transfer restrictions apply if a foreign company transfers user data to another company outside Japan. Conversely, if a foreign company transfers user data to a company in Japan, the overseas transfer restrictions do not apply. The overseas transfer restrictions apply even in cases of outsourcing, which are otherwise exceptions to the domestic third-party data transfer restrictions.

The data subjects' consent to an overseas data transfer is not necessary if:

• the foreign country is designated by the PPC as a country with a data protection regime providing a level of protection equivalent to that of Japan (only EEA member countries and the UK have been designated to date); or

• the third-party recipient has an equivalent system of data protection that meets the standards prescribed by the Ordinance issued by the PPC (the PPC Ordinance), ie, either of the following:
(a) there is assurance, by appropriate and reasonable methodologies, that the recipient will treat the disclosed personal data in accordance with the spirit of the requirements on handling personal data under the APPI; or
(b) the recipient has been certified under an international arrangement, recognised by the PPC, regarding its system of handling personal data.

The implementation of the PPC Ordinance is set out in the PPC Guidelines, which provide that "appropriate and reasonable methodologies" include agreements between the data importer and the data exporter, or intra-group privacy rules, which ensure that the data importer will treat the disclosed personal data in accordance with the spirit of the APPI. With respect to a PPC-recognised international framework, to date the PPC Guidelines have identified only the Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) as a recog-