APPI Article 28 — The basic restriction on overseas provision of personal data
Japan's Act on the Protection of Personal Information (APPI) imposes a baseline restriction on the transfer of personal data to third parties in foreign countries under Article 28 (renumbered from Article 24 effective April 1, 2022). A personal information handling business operator (PIHBO) is the core regulated entity — defined in Article 16(2) APPI as a business operator that uses a database of personal information. The Personal Information Protection Commission (PPC) is Japan's data protection supervisory authority, established under Article 152 APPI.
"Foreign country" means "a country or region located outside the territory of Japan" (Art. 28 APPI). The restriction applies when a PIHBO provides personal data to a third party located in a foreign country, except in those cases already exempted from the domestic third-party provision rule under Article 27(1) — for instance, transfers necessary for the protection of life, body, or property when obtaining consent is difficult (Art. 27(1)(ii)), or transfers necessary for cooperation with a public authority where obtaining consent would impede performance of statutory duties (Art. 27(1)(iv)).
The three compliant pathways
Article 28 establishes three lawful mechanisms for cross-border transfers:
1. Transfers to adequate foreign countries (Art. 28 whitelist exception). A PIHBO may transfer personal data to a third party in a "foreign country establishing a personal information protection system recognized to have equivalent standards to that in Japan in regard to the protection of an individual's rights and interests," as "prescribed by rules of the Personal Information Protection Commission" (Art. 28 APPI). Transfers to countries on this PPC-designated whitelist do not require individual consent and carry no additional compliance burden beyond Article 27 (domestic third-party provision). The European Union member states are designated under the EU-Japan mutual adequacy framework (effective January 23, 2019).
2. Transfers to third parties with appropriate data-protection systems (Art. 28(1) carve-out). A PIHBO may transfer personal data to a recipient in a non-adequate foreign country if that recipient is "a person establishing a system conforming to standards prescribed by rules of the Personal Information Protection Commission as necessary for continuously taking action equivalent to the one that a personal information handling business operator shall take concerning the handling of personal data pursuant to the provisions of this Section" (Art. 28(1) APPI). This pathway is designed for transfers to affiliates, processors, or other third parties willing to implement contractual or organizational safeguards equivalent to APPI obligations. The specific system standards are set out in the PPC's Enforcement Rules.
When relying on this pathway, the PIHBO must "take necessary action to ensure that the third party appropriately and continuously takes the said action for the protection of personal information," and must "publicly announce information on the system the said third party has established and the said action the third party takes" (Art. 28(3) APPI). The PIHBO bears ongoing supervisory responsibility and a transparency obligation.
3. Individual consent with mandated information provision (Art. 28(1) principal consent). When neither of the above pathways is available, the PIHBO must "in advance obtain a principal's consent to the effect that he or she approves the provision to a third party in a foreign country" (Art. 28(1) APPI). This is not the simple consent that suffices for domestic third-party provision under Article 27(1). Article 28(2) imposes an additional mandatory information-provision obligation: before obtaining consent, the PIHBO must "in advance provide the principal with information on the personal information protection system of the foreign country, on the action the third party takes for the protection of personal information, and other information that is to serve as a reference to the principal, pursuant to rules of the Personal Information Protection Commission."
The practical effect is that consent must be meaningfully informed — the data subject receives country-level and recipient-level detail enabling her to assess the transfer risk before agreeing. The PPC's rules prescribe the content and form of this information.
Relationship to Article 27 exceptions and recordkeeping
The Article 28 restriction is expressly subject to the exceptions in Article 27(1). When an Article 27(1) exception applies (such as the life-protection or public-authority-cooperation carve-outs), the overseas transfer may proceed without consent under Article 28 as well. However, the PIHBO must still create and maintain records of the transfer under Article 28, except where the transfer falls within an Article 27(1) or (5) exception (Art. 28 cross-reference to recordkeeping provisions).
Practical compliance sequencing
A PIHBO planning an overseas transfer should evaluate the pathways in the following order:
- Check the PPC's whitelist of adequate foreign countries. If the recipient is located in an adequate jurisdiction (such as an EU member state) and the transfer otherwise complies with Article 27, no additional consent or contract is required.
- If the recipient is in a non-adequate country, assess whether the recipient can establish and maintain an appropriate system under PPC rule standards. This pathway is available for intra-group transfers and for transfers to processors or service providers willing to implement contractual commitments that mirror APPI obligations. The PIHBO must supervise ongoing compliance and publicly disclose the recipient's system and practices.
- If neither pathway is available, obtain enhanced consent from the data subject after providing the mandated information about the recipient country's legal framework and the recipient's specific data-protection practices, as prescribed by PPC rules.
The 2020 amendments to APPI (effective April 2022) strengthened the cross-border transfer regime by adding the mandatory information-provision requirement for consent (Art. 28(2)) and the ongoing-supervision and public-disclosure obligations for appropriate-system transfers (Art. 28(3)). These changes reflect Japan's commitment under the EU-Japan adequacy arrangement to maintain a level of protection recognized as substantially equivalent to EU standards for personal data originating in the EU.
Source: Act on the Protection of Personal Information (APPI), Art. 28, June 2020 English translation
Source: PPC notice on renumbering of Article 24 to Article 28, effective April 1, 2022
PPC whitelist of adequate foreign countries — EU/EEA and UK only
The Personal Information Protection Commission (PPC) maintains a whitelist of foreign countries designated as having "a personal information protection system recognized to have equivalent standards to that in Japan in regard to the protection of an individual's rights and interests" under Article 28 APPI. Transfers to whitelisted countries do not require the data subject's consent and do not require the data exporter to implement an appropriate-system contract, because the recipient country's legal framework itself is deemed to provide equivalent protection.
As of May 2026, only two jurisdictions are on the PPC whitelist:
- The European Union (all EU Member States in the European Economic Area), designated effective January 23, 2019.
- The United Kingdom, also designated effective January 23, 2019.
The Japan-EU mutual adequacy arrangement
The EU designation was adopted by the PPC at its 85th Personal Information Protection Committee meeting on January 23, 2019, based on Article 24 APPI (renumbered to Article 28 on April 1, 2022). On the same day, the European Commission adopted its reciprocal adequacy decision for Japan under Article 45 GDPR (Decision (EU) 2019/419). This created a mutual adequacy arrangement — the world's largest area of free cross-border personal-data flows based on reciprocal adequacy findings at the time of entry into force.
The arrangement applies to commercial transfers between personal information handling business operators (PIHBOs) in Japan and controllers/processors in the EU. It does not currently cover transfers in the context of public-sector regulatory cooperation or academic research, though both the PPC and the European Commission have indicated interest in expanding the scope to those sectors following the 2021 APPI amendments that extended the law to Japan's public sector.
Personal data transferred from the EU to Japan under the adequacy decision is subject to the Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU and the United Kingdom based on an Adequacy Decision (adopted by the PPC in January 2019, most recently revised March 15, 2023, effective April 1, 2023). The Supplementary Rules impose additional obligations on Japanese PIHBOs handling EU-origin data — for instance, stricter limitations on onward transfers to third countries, enhanced transparency requirements, and a prohibition on using consent as a lawful basis for onward transfers except in narrow circumstances. The European Commission conducted the first periodic review of the adequacy decision in 2021–2023, concluding in March 2023 that the level of protection in Japan remains essentially equivalent to EU standards.
The Japan-UK adequacy arrangement
The UK was added to the PPC whitelist on the same date as the EU (January 23, 2019), initially as part of the EU designation. Following Brexit, the UK maintained its adequacy status with Japan. In October 2023, the PPC and the UK Information Commissioner's Office (ICO) signed a Memorandum of Cooperation to deepen enforcement collaboration. The UK adequacy designation operates in parallel with the EU arrangement, and personal data transferred from the UK to Japan under the adequacy finding is governed by the same Supplementary Rules that apply to EU-origin data.
Countries NOT on the whitelist
No other country or region — including the United States, Canada, Australia, Singapore, South Korea, or China — is currently designated as adequate by the PPC. Transfers to these jurisdictions must rely on one of the other two Article 28 pathways: either the data exporter and recipient must implement an appropriate system of data protection equivalent to APPI standards (typically via a cross-border data transfer agreement or binding corporate rules), or the data exporter must obtain the data subject's enhanced consent after providing mandated information about the recipient country's legal framework and the recipient's specific data-protection measures.
The PPC's Global Strategy for FY2025, published in March 2025, states that the PPC "will continue to work toward expanding the scope or the number of countries and regions covered by the mutual adequacy arrangements" as a top priority, including by concluding consultations with the EU and UK on extending the existing adequacy arrangement to academia and the public sector and by "initiating discussions about a new mutual adequacy arrangement with like-minded countries and regions having shared fundamental values with Japan."
APEC CBPR certification is NOT a whitelist substitute
Certification under the APEC Cross-Border Privacy Rules (CBPR) system (now the Global CBPR System, launched April 2024) is an example of an "international framework" that may satisfy the appropriate-system pathway under Article 28 APPI. However, CBPR certification does not place the recipient on the PPC whitelist and does not eliminate the need for a transfer mechanism. A PIHBO relying on a CBPR-certified recipient must still either implement an appropriate-system contract with the recipient (the CBPR certification helps demonstrate that the recipient has equivalent protections in place) or obtain enhanced consent. CBPR certification is a compliance tool, not an adequacy designation.
Practical compliance sequencing
When planning a cross-border transfer, a PIHBO should first check whether the recipient is located in an EU Member State or the UK. If yes, and if the transfer otherwise complies with Article 27 APPI (domestic third-party provision rules), the transfer may proceed without additional Article 28 compliance steps — no consent, no contract, no public disclosure. For all other destinations, the PIHBO must evaluate the appropriate-system or enhanced-consent pathways and comply with the attendant information-provision, supervision, and transparency obligations described in the base Article 28 section of this guide.
Source: PPC announcement on Japan-EU mutual adequacy framework entry into force, January 23, 2019
Source: PPC Global Strategy for FY2025, March 26, 2025
Source: European Commission Report on first review of Japan adequacy decision, March 2023
Source: Supplementary Rules for EU/UK-origin data, revised March 15, 2023
Appropriate-system pathway — contractual and organizational standards under Art. 28(1) and PPC Rule 11-2
When a personal information handling business operator (PIHBO) transfers personal data to a recipient in a non-adequate foreign country (any country other than EU member states or the UK), the PIHBO may rely on the appropriate-system pathway under Article 28(1) APPI as an alternative to obtaining enhanced consent. This pathway permits the transfer if the foreign recipient "is a person establishing a system conforming to standards prescribed by rules of the Personal Information Protection Commission as necessary for continuously taking action equivalent to the one that a personal information handling business operator shall take concerning the handling of personal data pursuant to the provisions of this Section."
The appropriate-system pathway is the workhorse mechanism for cross-border transfers to the United States, Singapore, China, Canada, Australia, and other major trading partners not on the PPC whitelist. It is designed for intra-corporate transfers within a multinational group, for transfers to service providers and processors under contract, and for transfers to joint controllers or other third parties willing to implement equivalent data-protection safeguards.
PPC Enforcement Rule 11-2 — the required system elements
Article 11-2 of the PPC's Enforcement Rules for the Act on the Protection of Personal Information prescribes the specific standards the foreign recipient's system must meet. The Rule requires the recipient to establish a system that includes:
- A framework equivalent to the PIHBO's obligations under APPI Section 2 (Articles 20–39, covering purpose limitation, accuracy, security, third-party provision restrictions, transparency, and data-subject rights). The recipient must adopt internal rules, policies, or contractual commitments that impose obligations on the recipient mirroring those a PIHBO would bear under APPI if the recipient were operating in Japan.
- Procedures for responding to data-subject requests for disclosure, correction, suspension of use, and erasure under Articles 32–34 APPI, either directly or by assisting the data exporter in responding.
- Organizational and technical safeguards to prevent unauthorized access, loss, destruction, falsification, or leakage of personal data, equivalent to the security management measures required under Article 23 APPI.
- A framework for handling complaints from data subjects regarding the handling of personal data, equivalent to Article 40 APPI.
The recipient's system may be evidenced by:
- A data processing agreement (DPA) or cross-border data transfer agreement between the data exporter and the recipient that contractually binds the recipient to APPI-equivalent obligations;
- Binding corporate rules (BCRs) adopted within a corporate group and binding on all group entities;
- A privacy policy or internal rules adopted by the recipient and enforceable by the data exporter; or
- APEC Cross-Border Privacy Rules (CBPR) certification obtained by the recipient under the Global CBPR System (launched April 2024, successor to the original APEC CBPR framework). CBPR certification is expressly recognized by the PPC as evidence that the recipient has established an appropriate system, though it does not eliminate the data exporter's ongoing supervision obligations.
Ongoing supervision obligations under Article 28(3)
The appropriate-system pathway is not a set-and-forget mechanism. Article 28(3) APPI imposes two continuing obligations on the data exporter:
1. Necessary action to ensure continuous implementation. The PIHBO must "take necessary action to ensure that the third party appropriately and continuously takes the said action for the protection of personal information." This supervision obligation requires the PIHBO to:
- Periodically verify that the recipient remains in compliance with the agreed-upon system (for instance, by requiring annual compliance certifications, conducting audits, or reviewing the recipient's handling practices);
- Investigate and remediate any breach or non-compliance by the recipient;
- Suspend or terminate the transfer relationship if the recipient fails to maintain the required system.
The PPC's guidance indicates that the frequency and intensity of supervision should be proportionate to the volume and sensitivity of the personal data transferred, the recipient's track record, and the risk profile of the destination country.
2. Public disclosure and data-subject information obligations. Article 28(3) APPI requires the PIHBO to "publicly announce information on the system the said third party has established and the said action the third party takes." This transparency obligation is typically satisfied by publishing on the PIHBO's website:
- The name and location of the foreign recipient (or categories of recipients, if the number is large);
- A summary of the contractual or organizational framework the recipient has adopted (e.g., "standard data processing agreement incorporating APPI-equivalent safeguards," "APEC CBPR-certified processor," or "binding corporate rules applicable to all group entities");
- The measures the PIHBO takes to supervise the recipient's ongoing compliance (e.g., annual audits, quarterly compliance certifications).
Additionally, Article 28(3) requires the PIHBO to provide this information "in response to a principal's request" — meaning any data subject whose personal data has been transferred can demand details about the recipient's system and the PIHBO's supervision measures. The PIHBO must respond "without delay" under the general transparency obligations in Article 32 APPI.
Interaction with the enhanced-consent pathway
If the foreign recipient cannot or will not establish an appropriate system meeting PPC Rule 11-2 standards, the PIHBO must instead obtain enhanced consent under Article 28(1) and (2) APPI. That consent pathway requires the PIHBO to provide the data subject, before obtaining consent, with "information on the personal information protection system of the foreign country, on the action the third party takes for the protection of personal information, and other information that is to serve as a reference to the principal, pursuant to rules of the Personal Information Protection Commission."
The appropriate-system pathway eliminates the need for individual consent but imposes contract, supervision, and transparency obligations in its place. The enhanced-consent pathway shifts the burden to the data subject to assess the transfer risk based on mandated disclosures; it neither requires the recipient to implement contractual safeguards nor permits the PIHBO to rely on ongoing supervision as a substitute for consent.
Comparison to GDPR Article 46 transfer mechanisms
Practitioners familiar with the EU GDPR will recognize the appropriate-system pathway as functionally similar to GDPR Article 46 standard contractual clauses (SCCs) or binding corporate rules (BCRs). Both frameworks require the data exporter to bind the recipient to equivalent data-protection obligations and to supervise ongoing compliance. However, APPI Article 28 does not prescribe a single template for the appropriate system — unlike the EU Commission's SCCs, which are standardized and must be adopted verbatim. Japanese PIHBOs have flexibility to tailor the contractual or organizational framework to the specific transfer, provided it meets PPC Rule 11-2 standards. The PPC has indicated in enforcement guidance that it will assess the substance of the recipient's commitments, not their form.
Recordkeeping and evidence of compliance
Article 28 APPI incorporates by cross-reference the recordkeeping obligations applicable to domestic third-party provisions under Article 27. When relying on the appropriate-system pathway, the PIHBO must create and maintain records of each transfer, including the date of the transfer, the items of personal data transferred, the identity of the recipient, and the basis for the transfer (i.e., that the recipient has established an appropriate system). These records must be retained for the period prescribed by PPC rules (currently three years from the date of the transfer) and must be available for inspection by the PPC upon request.
The PIHBO should also maintain documentary evidence of the recipient's system (the signed DPA, the BCR document, the CBPR certificate, or the recipient's privacy policy and internal rules) and records of the PIHBO's supervision activities (audit reports, compliance certifications, correspondence regarding remediation of any non-compliance). In enforcement actions, the PPC has required PIHBOs to demonstrate both that the recipient's system met Rule 11-2 standards at the time of the initial transfer and that the PIHBO took "necessary action" to ensure continuous implementation thereafter.
Source: Act on the Protection of Personal Information (APPI), Art. 28, June 2020 English translation
Source: PPC overview of 2020 amendments, describing reinforced restrictions on cross-border transfers
Enhanced consent pathway — Article 28(1) and (2) mandatory information-provision requirements
When a personal information handling business operator (PIHBO) transfers personal data to a recipient in a non-adequate foreign country (any country other than EU member states or the UK), and the recipient has not established an appropriate system of data protection under Article 28(1) APPI, the PIHBO must obtain the data subject's enhanced consent before the transfer. This consent pathway is governed by Article 28(1) and (2) APPI and differs materially from the simple consent that suffices for domestic third-party provision under Article 27.
Article 28(1) consent is distinct from Article 27 consent
Under Article 27(1) APPI, a PIHBO may provide personal data to a third party within Japan if the PIHBO "has in advance obtained a principal's consent." The statute does not prescribe the content or form of that consent, and PIHBOs typically obtain it through a short opt-in checkbox or a general privacy-policy acknowledgment. This simple consent is not sufficient for cross-border transfers.
Article 28(1) APPI requires "a principal's consent to the effect that he or she approves the provision to a third party in a foreign country" (emphasis added). The consent must be transfer-specific — it must address the cross-border nature of the provision and identify the foreign recipient or category of recipients. A blanket clause in a privacy policy permitting "sharing with service providers" or "transfers for business purposes" will not satisfy Article 28(1) unless it explicitly flags the overseas transfer and the foreign destination.
Mandatory information provision under Article 28(2) — what the data subject must receive before consenting
Article 28(2) APPI imposes a pre-consent information-provision obligation that has no analog in the domestic third-party provision regime. The PIHBO must, "in advance" of obtaining consent, "provide the principal with information on the personal information protection system of the foreign country, on the action the third party takes for the protection of personal information, and other information that is to serve as a reference to the principal, pursuant to rules of the Personal Information Protection Commission."
The statutory text identifies three categories of mandatory information:
1. Information on the personal information protection system of the foreign country. The PIHBO must describe the legal framework governing personal data in the recipient's jurisdiction. This is a country-level disclosure. The statute does not require a comprehensive treatise on foreign law, but the disclosure must give the data subject a meaningful basis for assessing the transfer risk.
PPC guidance suggests that the country-level information should address:
- Whether the recipient country has comprehensive data-protection legislation (such as GDPR in the EU, PIPL in China, LGPD in Brazil) or sector-specific rules (such as HIPAA in the United States for health data);
- The existence and authority of a data-protection supervisory authority or regulator in the recipient country;
- Whether the recipient country's legal system permits government access to personal data (for instance, under U.S. FISA Section 702 or Chinese national-security laws) and, if so, the scope and procedural safeguards governing that access;
- Whether the recipient country's law provides data subjects with rights equivalent to those under APPI (such as access, correction, and erasure rights).
The PIHBO is not required to provide a legal opinion on the adequacy of the foreign regime — that determination is reserved to the PPC under the whitelist process. However, the disclosure must be factual and current. A PIHBO that tells a data subject "the United States has robust privacy protections" without disclosing the absence of a federal comprehensive privacy law or the breadth of national-security access authorities would fail the Article 28(2) standard.
2. Information on the action the third party takes for the protection of personal information. The PIHBO must describe the recipient-specific data-protection measures the foreign third party has adopted or will adopt. This is a supplement to the country-level disclosure — even if the recipient country's legal framework is weak, the recipient organization may have implemented strong contractual or organizational safeguards.
The recipient-specific disclosure should address:
- The recipient's internal privacy policies and procedures (for instance, whether the recipient has adopted a privacy policy, appointed a data-protection officer or privacy lead, or implemented access controls and encryption);
- Contractual commitments the recipient has made to the PIHBO (for instance, under a data processing agreement that mirrors APPI obligations);
- Certification under a recognized privacy framework, such as the APEC Cross-Border Privacy Rules (CBPR) system or ISO 27001 information-security management standards;
- The recipient's history of data breaches or enforcement actions, if known to the PIHBO and material to the transfer risk.
The statute does not prescribe a minimum level of detail, but the disclosure must give the data subject a reference point for evaluating the recipient's practices. A generic statement that "the recipient will protect your data in accordance with industry standards" is insufficient. The disclosure should identify the specific measures the recipient has implemented or will implement under the transfer agreement.
3. Other information that is to serve as a reference to the principal, pursuant to rules of the Personal Information Protection Commission. This is a catch-all category delegated to PPC rulemaking. The PPC's Enforcement Rules for the Act on the Protection of Personal Information prescribe additional disclosure items, including:
- The name and contact information of the foreign recipient (or, if the number of recipients is large and disclosure of individual names is impracticable, the categories of recipients — e.g., "cloud service providers located in the United States");
- The purpose for which the recipient will use the personal data (which must be consistent with the purpose notified to the data subject at the time of collection under Article 18 APPI);
- The types or items of personal data that will be transferred (e.g., "name, email address, purchase history," rather than a vague "personal information");
- The method by which the data subject can withdraw consent (Article 28 does not create a statutory right to withdraw cross-border transfer consent after the transfer has occurred, but if the PIHBO's internal policy permits withdrawal, that fact must be disclosed).
Form and timing of the information provision
Article 28(2) requires that the information be provided "in advance" of obtaining consent. The PIHBO must give the data subject an opportunity to review the information and make an informed decision before clicking "I agree" or signing a consent form. A disclosure that appears only after the data subject has consented — for instance, in a confirmation email — does not satisfy Article 28(2).
The statute does not prescribe the medium of disclosure. PIHBOs typically provide the Article 28(2) information through:
- A dedicated cross-border transfer notice presented to the data subject in a pop-up or interstitial screen before the consent checkbox, with a link to a detailed disclosure document;
- An integrated privacy notice that combines the Article 18 purpose-of-use notification, the Article 27 third-party provision disclosure, and the Article 28(2) cross-border transfer information in a single layered document, with the Article 28(2) information highlighted or separately flagged;
- A separate consent form for cross-border transfers, distinct from the general terms of service or privacy-policy acknowledgment, that embeds the Article 28(2) information above the signature line.
The PPC has emphasized in guidance that the Article 28(2) information must be easily accessible and understandable. A disclosure buried in a 30-page privacy policy or written in dense legalese will not satisfy the statute's reference-to-the-principal standard, even if all required items are technically present. The PIHBO should use plain language, break the information into digestible sections (country-level framework, recipient-specific measures, data-subject rights), and ensure that the disclosure is presented in a manner that draws the data subject's attention before consent is obtained.
Consequences of non-compliance
Failure to provide the Article 28(2) information, or obtaining consent without "in advance" disclosure, renders the consent invalid. The cross-border transfer proceeds without a lawful basis under Article 28 and constitutes a violation of the restriction on overseas provision of personal data. The Personal Information Protection Commission (PPC) may issue a recommendation or order under Article 145 or 146 APPI directing the PIHBO to suspend the transfer, implement remedial measures, and notify affected data subjects. Violation of a PPC order is subject to criminal penalties under Article 178 APPI (imprisonment of up to one year or a fine of up to ¥1 million for individuals; fines of up to ¥100 million for corporations under Article 179).
The PPC has not yet published a major enforcement action focused solely on Article 28(2) information-provision failures, but the 2020 amendments to APPI (effective April 2022) that introduced the mandatory information-provision requirement reflect the PPC's concern that data subjects were consenting to cross-border transfers without understanding the risks. PIHBOs should treat Article 28(2) compliance as a gating requirement — if the information cannot be provided accurately and comprehensibly, the PIHBO should pursue the appropriate-system pathway under Article 28(1) or limit the transfer to whitelisted jurisdictions (EU/UK).
Comparison to GDPR Article 49(1)(a) derogation for explicit consent
Practitioners familiar with GDPR will note parallels between APPI Article 28(1)/(2) enhanced consent and GDPR Article 49(1)(a), which permits cross-border transfers on the basis of "explicit consent" when no adequacy decision or appropriate safeguard (such as SCCs) is available. Both regimes require informed, transfer-specific consent and impose higher standards than consent for ordinary processing. However, APPI Article 28(2) is more prescriptive than GDPR Article 49(1)(a) in specifying the content of the pre-consent disclosure — GDPR recital 111 states that the data subject must be informed of "the possible risks of such transfers," while APPI Article 28(2) mandates disclosure of the foreign country's legal framework and the recipient's specific measures. The APPI approach reflects Japan's civil-law tradition of detailed statutory specification, whereas GDPR leaves greater room for case-by-case assessment by supervisory authorities.
Source: Act on the Protection of Personal Information (APPI), Art. 28, June 2020 English translation
Source: PPC overview of 2020 amendments, describing mandatory information provision for cross-border transfer consent
Onward transfers — Supplementary Rule (4) restrictions on EU/UK-origin data
When a personal information handling business operator (PIHBO) in Japan receives personal data from the European Union or the United Kingdom under the mutual adequacy arrangement (effective January 23, 2019), and then wishes to onward transfer that data to a third country outside Japan, the PIHBO faces stricter restrictions than those imposed by base Article 28 APPI. These enhanced restrictions are imposed by Supplementary Rule (4) of the Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU and the United Kingdom based on an Adequacy Decision, adopted by the PPC in January 2019 and most recently revised March 15, 2023 (effective April 1, 2023).
What is an onward transfer?
An onward transfer occurs when a PIHBO in Japan that has received personal data from the EU or UK (under the adequacy arrangement) subsequently provides that EU/UK-origin data to a third party located in a foreign country (i.e., outside Japan). From the perspective of Japanese law, this is simply an international data transfer governed by Article 28 APPI. However, because the data originated in the EU or UK, the European Commission's adequacy decision requires Japan to apply enhanced safeguards to ensure continuity of protection — meaning the data must remain subject to a level of protection essentially equivalent to the GDPR throughout its lifecycle, even after leaving Japan.
The Supplementary Rules are legally binding on all PIHBOs handling EU/UK-origin data and are enforceable by the PPC in the same manner as the APPI itself. PIHBOs must implement technical or organizational measures (such as data tagging or segregated databases) to identify EU/UK-origin data throughout its lifecycle and apply the Supplementary Rules to any onward transfer of that data.
Supplementary Rule (4) — the onward transfer restriction
Supplementary Rule (4) states that when a PIHBO covered by the Japan-EU adequacy decision intends to onward-transfer EU/UK-origin personal data to a third party in a foreign country, the PIHBO may not rely on all three of the standard Article 28 pathways. Instead, onward transfers of EU/UK-origin data are permitted only under the following mechanisms (without prejudice to the derogations set forth in Article 27(1) APPI, such as the life-protection and public-authority-cooperation exceptions):
1. Onward transfer to another adequate country designated by the PPC under Article 28. If the third-country recipient is located in a jurisdiction on the PPC's whitelist of adequate foreign countries — currently only EU member states and the UK — the onward transfer may proceed without additional safeguards or consent, provided it complies with the domestic third-party provision rules under Article 27 APPI. A PIHBO in Japan may freely onward-transfer EU-origin data to a recipient in Germany or France, or UK-origin data to a recipient in Ireland, without triggering Supplementary Rule (4)'s enhanced requirements.
2. Onward transfer to a recipient that has established "implementing measures providing a level of protection equivalent to the APPI, read together with the Supplementary Rules." This pathway is functionally similar to the Article 28(1) appropriate-system pathway, but the standard is higher: the foreign recipient must implement contractual or organizational safeguards that meet not only the APPI obligations under Articles 20–39 but also the enhanced protections imposed by the Supplementary Rules for EU/UK-origin data. This includes, for example, the Supplementary Rules' stricter limitations on special-category data processing, the expanded definition of sensitive data (which under Supplementary Rule (2) includes medical data, data revealing political opinions, and data concerning an individual's sex life — categories not treated as special-category data under base APPI Article 2(3)), and the enhanced information-provision requirements for onward transfers by consent (Supplementary Rule (4) itself).
The PIHBO must bind the foreign recipient to these APPI-plus-Supplementary-Rules obligations through a data transfer agreement or binding corporate rules applicable within a multinational group. The European Commission's first review of the adequacy decision, published in March 2023, noted that PIHBOs "frame their onward transfers of data originally received from the EU 'by concluding a contract that binds the recipient to measures ensuring the continuity of protection.'" However, the PPC has not published model contractual clauses or detailed guidance specifying the required content of such contracts. The European Commission and the European Data Protection Board (EDPB) have both recommended that the PPC develop model clauses or clearer guidance on the "equivalent measures" standard to assist PIHBOs and their third-country recipients in framing compliant onward-transfer agreements.
APEC CBPR certification is NOT sufficient for onward transfers of EU/UK-origin data. Supplementary Rule (4) expressly excludes reliance on APEC Cross-Border Privacy Rules (CBPR) certification as a standalone basis for onward transfers of EU/UK-origin data. While CBPR certification may satisfy the appropriate-system pathway under base Article 28 APPI for non-EU/UK data, it does not provide a level of protection equivalent to APPI plus Supplementary Rules. A PIHBO onward-transferring EU-origin data to a CBPR-certified recipient in the United States or Singapore must still execute a contract binding the recipient to APPI-plus-Supplementary-Rules obligations; the CBPR certification alone is insufficient. The European Commission's March 2023 review report and the EDPB's Statement 1/2023 on the Japan adequacy review both emphasized this exclusion and called on the PPC to clarify it in the PPC Guidelines on international transfers.
3. Onward transfer with enhanced consent after providing mandated information "on the circumstances surrounding the transfer necessary for the principal to make a decision on his/her consent." If neither of the above pathways is available — for instance, if the foreign recipient is in a non-adequate country and cannot or will not implement APPI-plus-Supplementary-Rules contractual safeguards — the PIHBO must obtain the data subject's consent before the onward transfer. This consent must be informed by the disclosure of "information on the circumstances surrounding the transfer necessary for the principal to make a decision on his/her consent" under Supplementary Rule (4).
This information-provision requirement is more stringent than the base Article 28(2) APPI mandatory disclosure for cross-border transfers. Whereas Article 28(2) requires disclosure of the foreign country's legal framework and the recipient's data-protection measures, Supplementary Rule (4) additionally requires disclosure of the risks arising from the absence of adequate protection in the third country and the absence of appropriate safeguards equivalent to APPI-plus-Supplementary-Rules. The EDPB's Opinion 28/2018 on the draft adequacy decision and the EDPB's Statement 1/2023 on the first review both emphasized that data subjects must be informed not only of the recipient's practices but also of the gaps between the third country's legal framework and the level of protection guaranteed by APPI and the Supplementary Rules.
The practical effect is that onward transfers of EU/UK-origin data on the basis of consent are rare and reserved for narrow, one-off transfers where the data subject has a genuine choice and the risks are transparently disclosed. For routine or bulk onward transfers — such as the use of a U.S. cloud provider to host EU-origin data received by a Japanese subsidiary — consent is not a viable mechanism, and the PIHBO must instead pursue the contractual-safeguards pathway (binding the cloud provider to APPI-plus-Supplementary-Rules obligations).
Relationship to the EU-US Data Privacy Framework
Japan's adequacy arrangement with the EU is independent of the EU-US adequacy regime. The European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF) on July 10, 2023, under Decision (EU) 2023/1795, permitting transfers of EU-origin data to U.S. organizations certified under the DPF without additional safeguards. However, the PPC has not designated the United States as an adequate foreign country under Article 28 APPI. A PIHBO in Japan onward-transferring EU-origin data to a U.S. recipient therefore cannot rely on the U.S. recipient's DPF certification to satisfy Supplementary Rule (4), even though that certification would permit a direct transfer from an EU controller to the same U.S. recipient under GDPR Article 45.
Instead, the PIHBO must treat the U.S. recipient as located in a non-adequate country and either (a) bind the U.S. recipient to APPI-plus-Supplementary-Rules contractual safeguards (the contractual-measures pathway under Supplementary Rule (4)), or (b) obtain enhanced consent from the data subject after disclosing the risks of the U.S. transfer. The European Commission's March 2023 review report acknowledged this asymmetry but did not recommend that Japan designate the United States as adequate — likely because the DPF itself applies only to commercial transfers to DPF-certified organizations, while Article 28 adequacy designations are country-wide.
Recordkeeping and enforcement
PIHBOs must maintain records of all onward transfers of EU/UK-origin data under the general recordkeeping obligations incorporated by cross-reference in Article 28 APPI. These records must identify the date of the onward transfer, the items of personal data transferred, the identity of the third-country recipient, and the basis for the transfer (adequate country, contractual safeguards, or consent). The PIHBO should also retain documentary evidence of the contractual safeguards implemented (the signed data transfer agreement or binding corporate rules) and records of any consent obtained (including the information provided to the data subject before consent).
The PPC has not yet published a major enforcement action focused on Supplementary Rule (4) onward-transfer violations, but the European Commission's March 2023 review report indicated that the PPC and the European Commission are monitoring compliance closely. The EDPB has called on the European Commission to ensure that the PPC develops clearer guidance and model clauses for onward transfers, and future periodic reviews of the adequacy arrangement (scheduled every four years under GDPR Article 45(3)) will assess whether PIHBOs are implementing Supplementary Rule (4) effectively in practice.
Practical compliance sequencing for onward transfers
A PIHBO in Japan that receives EU/UK-origin data and plans an onward transfer to a third country should evaluate the Supplementary Rule (4) pathways in the following order:
- Check whether the third-country recipient is located in an adequate foreign country designated by the PPC (currently only EU member states and the UK). If yes, and if the transfer complies with Article 27 APPI, the onward transfer may proceed without additional safeguards or consent.
- If the recipient is in a non-adequate country, assess whether the recipient can implement contractual or organizational measures providing a level of protection equivalent to APPI plus Supplementary Rules. This pathway requires the PIHBO to execute a data transfer agreement or adopt binding corporate rules binding the recipient to the enhanced protections applicable to EU/UK-origin data. The PIHBO must also monitor the recipient's ongoing compliance (as required by Article 28(3) APPI) and publicly disclose the recipient's system and the PIHBO's supervision measures.
- If the recipient cannot or will not implement equivalent measures, obtain enhanced consent from the data subject after providing mandated information on the risks of the onward transfer, including the absence of adequate protection in the third country and the absence of APPI-plus-Supplementary-Rules safeguards. This pathway is viable only for narrow, one-off transfers where the data subject has genuine choice.
PIHBOs should not rely on APEC CBPR certification as a standalone basis for onward transfers of EU/UK-origin data, even though CBPR certification may satisfy the appropriate-system pathway under base Article 28 for non-EU/UK data.
Source: Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU and the United Kingdom based on an Adequacy Decision, revised March 15, 2023
Source: European Commission Implementing Decision (EU) 2019/419 on the adequate protection of personal data by Japan, January 23, 2019
Source: European Commission Report on the first review of the functioning of the adequacy decision for Japan, COM(2023) 275, March 28, 2023
Supplementary Rules for EU/UK-origin data — onward transfer restrictions and enhanced protections under the adequacy arrangement
The Personal Information Protection Commission (PPC) has adopted Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU and the United Kingdom based on an Adequacy Decision (most recently revised March 15, 2023, effective April 1, 2023). These Supplementary Rules are binding law for Japanese personal information handling business operators (PIHBOs) that receive personal data from the European Union or the United Kingdom under the Japan-EU/UK mutual adequacy framework.
A PIHBO that receives personal data from the EU or UK under the adequacy decision (i.e., without needing enhanced consent or an appropriate-system contract, because the adequacy whitelist eliminates the Article 28 APPI transfer barrier at the EU/UK border) must comply with both base APPI and the Supplementary Rules for that subset of data. The Supplementary Rules impose additional obligations that do not apply to personal data collected in Japan or received from non-adequate third countries. The Supplementary Rules are enforceable by the PPC under Articles 145–146 APPI (recommendation and order powers), and a failure to comply is directly actionable by EU/UK data subjects in Japanese courts under Article 84 APPI (civil liability for damages).
Purpose and legal basis of the Supplementary Rules
The Supplementary Rules were a condition of the European Commission's adequacy decision for Japan adopted on January 23, 2019 under GDPR Article 45 (Commission Implementing Decision (EU) 2019/419). The European Commission found that Japan's base APPI framework provided "essentially equivalent" protection to the GDPR for most processing activities, but identified specific gaps where APPI fell short of GDPR standards—particularly in the areas of onward transfers, sensitive data categories, data retention, and data-subject rights for short-term data. The Supplementary Rules bridge those gaps for the subset of personal data transferred from the EU/UK, ensuring that EU/UK-origin data continues to enjoy GDPR-level protection even after it arrives in Japan.
The Supplementary Rules are adopted as administrative rules under Article 6 of the Act for Establishment of the Personal Information Protection Commission (Act No. 122 of 2014). They are not statutory amendments to APPI but have equivalent binding force on regulated PIHBOs. The PPC enforces the Supplementary Rules through the same investigative, recommendation, and order mechanisms it uses for base APPI violations, and the European Commission's adequacy decision explicitly states that the Supplementary Rules are enforceable "by the independent data protection authority – the Personal Information Protection Commission (PPC) or, directly by EU individuals, in the Japanese courts."
Scope — which data is governed by the Supplementary Rules?
The Supplementary Rules apply to personal data transferred from the European Union or the United Kingdom to a PIHBO in Japan on the basis of the adequacy decision. This includes:
- Personal data of EU/UK residents transferred by an EU/UK controller or processor to a Japanese PIHBO, relying on the adequacy finding as the transfer mechanism under GDPR Article 45 or UK GDPR Article 45;
- Personal data that originated in the EU/UK and was subsequently re-transferred to Japan by a third-country recipient (for instance, personal data transferred from France to the United States and then onward-transferred from the United States to Japan), if the initial transfer out of the EU/UK was made under the Japan adequacy decision (the Supplementary Rules follow the data through subsequent hops if the adequacy bridge was used at any point in the chain).
The Supplementary Rules do not apply to:
- Personal data collected directly in Japan from data subjects who are not EU/UK residents (even if the data subject is a French national temporarily residing in Japan, the Supplementary Rules apply only to data transferred from the EU/UK, not data collected locally);
- Personal data transferred to Japan from the EU/UK using a transfer mechanism other than the adequacy decision—for instance, if an EU controller transfers personal data to a Japanese PIHBO under GDPR Article 46 standard contractual clauses (SCCs) because the controller chooses not to rely on adequacy, the Supplementary Rules do not apply (though the SCC obligations do).
In practice, a Japanese PIHBO that receives personal data from both EU/UK sources (under adequacy) and from other jurisdictions must segregate or tag EU/UK-origin data and apply the Supplementary Rules only to that subset. The PIHBO's compliance burden is higher for EU/UK-origin data than for other personal data in its possession.
Key additional obligations under the Supplementary Rules
The Supplementary Rules impose the following enhanced protections for EU/UK-origin personal data:
1. Onward transfer restrictions — consent and appropriate-system requirements are stricter than base APPI.
When a Japanese PIHBO that received personal data from the EU/UK under the adequacy decision wishes to make an onward transfer of that data to a third country (any country other than Japan, the EU, or the UK), the PIHBO must comply with Article 28 APPI plus Supplementary Rule (4).
Supplementary Rule (4) narrows the onward-transfer pathways as follows:
- Adequacy-based onward transfers are permitted only to PPC-whitelisted countries. The PIHBO may onward-transfer EU/UK-origin data to a third party in another adequate country (currently, only EU member states or the UK) without consent and without an appropriate-system contract, because the PPC whitelist satisfies Article 28 APPI. However, onward transfers to non-adequate countries (including the United States, Canada, Australia, Singapore, China, and all other jurisdictions not on the PPC whitelist) require either an appropriate-system contract or enhanced consent.
- APEC Cross-Border Privacy Rules (CBPR) certification is NOT sufficient for onward transfers of EU/UK-origin data. Under base APPI Article 28, a Japanese PIHBO may rely on the recipient's APEC CBPR certification as evidence that the recipient has established an appropriate system of data protection equivalent to APPI standards. However, Supplementary Rule (4) expressly excludes APEC CBPR certification as a valid appropriate-system mechanism for onward transfers of EU/UK-origin data. The European Commission's adequacy decision (recital 50) explains that the APEC CBPR system "does not result from an arrangement binding the exporter and the importer in the context of their bilateral relationship and is clearly of a lower level than the one guaranteed by the combination of the APPI and the Supplementary Rules." The PIHBO must instead implement a bilateral contract, binding corporate rules (BCRs), or other binding arrangement with the onward-transfer recipient that imposes obligations equivalent to APPI plus the Supplementary Rules—not just base APPI.
- Enhanced consent requirements for onward transfers. If the PIHBO cannot establish an appropriate system with the onward-transfer recipient (because the recipient is unwilling to contractually commit to APPI-plus-Supplementary-Rules standards), the PIHBO must obtain the data subject's enhanced consent under Article 28(1) and (2) APPI. Supplementary Rule (4) requires that the principal be "provided information on the circumstances surrounding the transfer necessary for the principal to make a decision on his/her consent." The PPC and the European Data Protection Board (EDPB) have both emphasized that this consent must be genuinely informed about the risks of the onward transfer, including the absence of adequacy in the destination country and the absence of the Supplementary Rules' protections once the data leaves Japan. The EDPB's Statement 1/2023 on the first Japan adequacy review notes concern that "some clear guideline on this would be helpful to ensure that the level of protection for personal data transferred to Japan from the EEA would not be undermined in case of onward transfers on the basis of consent," particularly for employee data where there may be a power imbalance making consent unreliable.
In summary, for onward transfers of EU/UK-origin data, the PIHBO must:
- Check whether the onward-transfer destination is on the PPC whitelist (EU/UK only). If yes, proceed under the Article 28 adequacy exception.
- If no, implement a bilateral contract or BCRs that bind the recipient to APPI-plus-Supplementary-Rules obligations (APEC CBPR is not enough).
- If the recipient will not contractually commit, obtain enhanced consent from the data subject with full disclosure of the onward-transfer risks.
2. Expanded definition of sensitive data (special categories of personal data).
APPI Article 2(3) defines "care-required personal information" (sensitive data) to include data relating to race, creed, social status, medical history, criminal record, and fact of victimization by crime. The Supplementary Rules expand this definition for EU/UK-origin data to align with GDPR Article 9's "special categories of personal data." Supplementary Rule (2) provides that, for personal data transferred from the EU/UK, the PIHBO must also treat as sensitive data:
- Genetic data (within the meaning of GDPR Article 4(13));
- Biometric data processed for the purpose of uniquely identifying a natural person (GDPR Article 4(14));
- Data concerning health (GDPR Article 9(1));
- Data concerning a person's sex life or sexual orientation (GDPR Article 9(1)).
The expanded sensitive-data categories trigger the heightened consent and purpose-limitation obligations under APPI Article 20(2) (requirement to obtain consent for acquisition of care-required personal information, subject to narrow statutory exceptions). In practice, a PIHBO that receives health data or biometric data from the EU/UK must obtain consent for its acquisition and use under the Supplementary Rules, even if base APPI would not classify that data as care-required personal information.
3. No exemption for short-term retention — data-subject rights apply to all EU/UK-origin data.
Under base APPI as it existed before the 2020 amendments, the term "retained personal data" (to which data-subject rights of disclosure, correction, suspension of use, and erasure apply under Articles 32–34 APPI) excluded personal data that the PIHBO holds for six months or less. PIHBOs could avoid disclosure obligations by deleting data within six months. The Supplementary Rules eliminate the six-month exemption for EU/UK-origin data. Supplementary Rule (3) provides that, for personal data transferred from the EU/UK, data-subject rights under Articles 32–34 APPI apply regardless of the retention period. An EU/UK data subject may demand disclosure, correction, or erasure of her personal data even if the PIHBO holds it for only a few weeks.
This restriction was incorporated into base APPI effective April 2022 by the 2020 amendments, which abolished the six-month exemption for all personal data (not just EU/UK-origin data). The Supplementary Rules remain in force to clarify that the six-month exemption never applied to EU/UK-origin data, even before the 2020 APPI amendments.
4. Enhanced transparency and information-provision obligations.
Supplementary Rule (5) requires that, when providing the mandatory information to data subjects under APPI Article 18 (purpose of use) and Article 27 (third-party provision notifications), the PIHBO must ensure that the information is "provided in an intelligible form and in clear and plain language" that enables the data subject to understand the processing. This tracks GDPR Article 12(1)'s transparency standard. The PPC's guidance clarifies that PIHBOs handling EU/UK-origin data should avoid dense legalese, use layered notices where appropriate, and ensure that key disclosures (such as onward-transfer destinations and retention periods) are prominently presented, not buried in a 30-page privacy policy.
5. Recordkeeping and accountability — the PIHBO must be able to demonstrate Supplementary Rules compliance.
The PPC conducts random audits to verify compliance with the Supplementary Rules. In its March 2023 report on the first periodic review of the Japan adequacy decision, the European Commission noted that "the PPC announced that it will carry out random checks to ensure compliance with the Supplementary Rules, rather than continuing with the exclusive use of the non-coercive, soft-law powers of guidance." PIHBOs that receive EU/UK-origin data under the adequacy framework should maintain documentation demonstrating:
- The source and legal basis of the EU/UK data transfer (confirmation from the EU/UK data exporter that the transfer relies on the Japan adequacy decision);
- The systems and procedures the PIHBO has implemented to segregate or tag EU/UK-origin data and apply the Supplementary Rules to that subset;
- Records of any onward transfers of EU/UK-origin data, including the identity of the recipient, the onward-transfer mechanism (adequacy, appropriate-system contract, or enhanced consent), and copies of any bilateral contracts or BCRs;
- Evidence of compliance with the expanded sensitive-data definitions and the no-short-term-exemption rule for data-subject rights requests.
The PPC has enforcement authority under APPI Articles 145–146 to issue recommendations and orders directing a PIHBO to cease non-compliant onward transfers, implement remedial measures, or notify affected data subjects. Violation of a PPC order is subject to criminal penalties under APPI Articles 178–179 (up to one year imprisonment or ¥1 million fine for individuals; up to ¥100 million fine for corporations).
The 2023 revision and ongoing convergence between APPI and the Supplementary Rules
The Supplementary Rules were originally adopted on January 23, 2019, simultaneously with the entry into force of the Japan-EU mutual adequacy arrangement. They were revised on March 15, 2023 (effective April 1, 2023) to reflect the 2020 amendments to APPI. Many protections that were initially unique to the Supplementary Rules have since been incorporated into base APPI, making them applicable to all personal data regardless of origin. For instance:
- The abolition of the six-month exemption for "retained personal data" (originally Supplementary Rule (3), now incorporated into base APPI Article 16(4) effective April 2022);
- The mandatory information-provision requirement for cross-border transfer consent (originally a Supplementary Rules concept, now codified in APPI Article 28(2) effective April 2022).
The European Commission's March 2023 report on the first periodic review of the Japan adequacy decision notes that "some of the additional safeguards provided under the Supplementary Rules for personal data coming from the EU, i.e. as regards data retention and the conditions for informed consent for cross-border transfers, have been incorporated into the APPI, thereby making them generally applicable to all personal data, irrespective of their origin or point of collection." This convergence reduces the compliance gap between EU/UK-origin data and other personal data, but key distinctions remain—most importantly, the onward-transfer restrictions (prohibition on APEC CBPR for onward transfers, requirement for APPI-plus-Supplementary-Rules equivalence in contracts) and the expanded sensitive-data categories continue to apply only to EU/UK-origin data.
Practical compliance sequencing for Japanese PIHBOs
A Japanese PIHBO that receives personal data from the EU or UK under the adequacy framework should:
- Identify and tag EU/UK-origin data in its systems so that it can apply the Supplementary Rules to that subset.
- Review onward-transfer arrangements. If the PIHBO onward-transfers EU/UK-origin data to service providers, affiliates, or other third parties in non-adequate countries (including the United States, China, Singapore, or any other country outside the EU and the UK), verify that the onward-transfer mechanism is not based solely on APEC CBPR certification. Implement bilateral contracts or BCRs that impose APPI-plus-Supplementary-Rules obligations on the recipient, or obtain enhanced consent.
- Expand sensitive-data handling procedures to cover genetic data, biometric data, health data, and sex-life/sexual-orientation data received from the EU/UK, even if base APPI would not classify those items as care-required personal information.
- Honor data-subject rights requests from EU/UK data subjects regardless of the retention period—no six-month exemption.
- Maintain audit-ready records of EU/UK data flows, onward-transfer contracts, and Supplementary Rules compliance measures, and be prepared for PPC random audits.
The Supplementary Rules are a reminder that adequacy is not a free pass. While the Japan-EU/UK adequacy arrangement eliminates the need for consent or contracts at the point of initial transfer from the EU/UK to Japan, it does so by imposing additional obligations on the Japanese recipient that travel with the data throughout its lifecycle in Japan and any subsequent onward transfers. A PIHBO that treats EU/UK-origin data identically to domestically collected data will violate the Supplementary Rules and jeopardize the adequacy framework.
Source: Supplementary Rules under the Act on the Protection of Personal Information for the Handling of Personal Data Transferred from the EU and the United Kingdom based on an Adequacy Decision, PPC, revised March 15, 2023, effective April 1, 2023
Source: European Commission Implementing Decision (EU) 2019/419 of 23 January 2019 on the adequate protection of personal data by Japan
Source: European Commission Report on the first review of the functioning of the adequacy decision for Japan, March 2023