課題Ⅰ 第４編③ 外国にある第三者への提供の制限・記録義務・確認義務（法28条〜30条）

Article 28 of the Act on the Protection of Personal Information establishes restrictions on providing personal data to third parties located in foreign countries. In addition to the domestic third-party provision rules (Article 27), extra requirements are imposed on cross-border transfers. The purpose is to protect the rights and interests of the individual, because foreign legal systems do not necessarily ensure a level of protection equivalent to Japan’s.

There are broadly three lawful routes for providing personal data to a third party in a foreign country. Route 1 is obtaining the individual’s consent. Route 2 is providing data to a country recognized by the Personal Information Protection Commission. Route 3 is providing data to a foreign business operator that has established an appropriate system of safeguards. Each route is examined in detail below.

Route 1: Consent of the individual. As a general rule, providing personal data to a third party in a foreign country requires the prior consent of the individual. However, under the 2022 amendment, simply asking "may we provide your data to a third party abroad?" is no longer sufficient. Before obtaining consent, the operator must now provide the individual with information about the personal information protection regime in the destination country (the information provision obligation).

Specifically, the information that must be provided is as follows. (a) The name of the destination foreign country. (b) An outline of the personal data protection regime in that country (e.g., whether an independent supervisory authority exists, the system of individual rights, etc.). (c) Information about the measures the destination third party takes for the protection of personal information. This information must be specific enough for the individual to make a reasonable judgment.

Route 2: Countries recognized by the Personal Information Protection Commission. Provision to a foreign country recognized as having a level of protection equivalent to Japan’s can be handled in the same manner as domestic third-party provision. Currently, the only countries recognized by the Commission are the EU (European Union) and the United Kingdom. This means the countries available under Route 2 are extremely limited, and provision to other countries must follow Route 1 or Route 3.

Route 3: Foreign business operators with an established system. If the destination foreign operator continuously implements measures equivalent to Japan’s Act on the Protection of Personal Information, data may be provided without the individual’s consent. Specifically, this includes cases where the foreign party has obtained APEC CBPR system certification, has concluded a contract with the provider concerning the handling of personal data, or has formulated intra-group regulations (BCR: Binding Corporate Rules).

When using Route 3, two ongoing obligations are imposed on the providing operator. First, it must periodically verify whether the destination foreign operator continues to implement appropriate measures. Second, it must provide the individual, upon request, with information about the implementation status of the destination’s measures. If problems are discovered, the provider has an obligation to take necessary measures, including suspending the provision.

Let us organize the exam points for Article 28. First, the distinction among the three routes. Second, the content of the information provision obligation added by the 2022 amendment (items a, b, c). Third, the ongoing verification obligation under Route 3. Fourth, the point that the Japan-EU mutual recognition falls under Route 2. These are frequently tested in multiple-choice questions.

Article 29 obligates the providing business operator to create records when personal data is provided to a third party. This record-keeping obligation is part of ensuring traceability — the ability to track who personal data was transferred from and to.

The matters to be recorded are as follows. (a) The date on which the personal data was provided. (b) The name or title of the destination third party (for corporations, including the name of the representative). (c) The categories of personal data provided. In the case of provision based on the opt-out mechanism (Article 27, Paragraph 2), in addition to the above, "to the effect that it is pursuant to Article 27" and the individual’s name must also be recorded.

The retention period for records varies depending on the basis and method of provision. Provision based on the individual’s consent: 3 years. Provision based on opt-out: 3 years. Substitute records using contracts, etc. (when existing documents serve as the record): 3 years from the last provision. Batch records (when repeatedly providing to the same third party): 3 years from the last provision. The exam frequently tests these retention period figures, so they should be memorized precisely.

Three methods of creating records are permitted. First, documents (paper records). Second, electronic records (databases, files, etc.). Third, microfilm. Additionally, when continuously providing data to the same third party, there is no need to create individual records for each provision — batch record-keeping is permitted. Furthermore, if existing documents such as contracts already contain the required matters, they may serve as a substitute for the record.

As an important exception, the record-keeping obligation does not apply when provision is based on outsourcing, business succession, or joint use (Article 27, Paragraph 5). This is because these cases do not legally constitute "third-party provision." Therefore, the record-keeping obligation under Article 29 arises only when data is provided to a third party based on the individual’s consent or through the opt-out mechanism.

Exam points for Article 29: the three record items (date, name, categories), the additional items required for opt-out, the classification of retention periods, the three methods of record-keeping, and the exception that outsourcing, business succession, and joint use do not require records. These must be grasped precisely.

Article 30 stipulates the obligations of the party receiving personal data from a third party. While Article 29 governs the provider’s obligations, Article 30 governs the recipient’s obligations — the two form a paired relationship. Together, these two provisions ensure the traceability (trackability) of personal data circulation.

The first thing the recipient must do is carry out a confirmation. There are two matters to confirm. (a) The name or title and address of the provider (for corporations, including the name of the representative). (b) The circumstances under which the provider acquired the relevant personal data. Especially, the confirmation of (b) — the acquisition circumstances — is a core mechanism for preventing illicitly acquired data from entering circulation.

In addition to the confirmation, the recipient also bears the obligation to create and retain records. The matters to be recorded are as follows. (a) The date on which the data was received. (b) The confirmed matters (provider information and acquisition circumstances). (c) The categories of personal data received. The same retention period standards as Article 29 apply.

The legislative purpose of Article 30 has a historical background. Introduced by the 2015 amendment, this article was a countermeasure against the so-called "list broker" (meiboya) problem. List brokers are operators who collect and sell personal data, and the reality was that large quantities of illicitly acquired personal data were being bought and sold. By imposing a confirmation obligation on the receiving side as well, the aim is to deter the circulation of illicit data.

Let us organize the exam points for Article 30. First, the two matters to confirm (provider’s name/address and acquisition circumstances). Second, the three matters to record (date, confirmed matters, and data categories). Third, the background of its introduction in the 2015 amendment (list broker countermeasure). Fourth, the comparison with Article 29 (provider side = record only, recipient side = confirm + record).