Overseas hosting
8. Are there any restrictions under local data protection laws that would impact the overseas hosting of data?

Yes. There is a restriction on international transfer of personal data under the Act on Protection of Personal Information (Act No. 57 of 2003 as amended) ("APPI").

There are three justifications for international data transfer:

  • Consent: Obtaining consent from each data subject.
  • Equivalent measures: Transfer to a third party establishing a system conforming to standards prescribed by rules of the Personal Information Protection Commission ("PPC") as necessary for taking measures equivalent to those that a data owner must take concerning the handling of personal data pursuant to the provisions of the relevant articles of the APPI.
  • Adequacy recognition: Transfer to a foreign country that has established a personal information protection system recognized as having standards equivalent to those in Japan regarding the protection of an individual's rights and interests (so far, only the EU and the UK have been designated as meeting such standards by the PPC).

Since 1 April 2022, the APPI requires the following of a business when acting as a transferor of personal data:

  • When relying upon consent:
    • Provide certain information (e.g., name of the recipient's country and an overview of the data protection law system in the country) to data subjects when obtaining their consent for international transfer
  • When relying upon equivalent measures:
    • Regularly check if (i) the recipient takes equivalent measures and (ii) there are data protection laws of the recipient's country that would prevent the recipient from taking such measures in conformity with the standards under the APPI
    • Upon request from the data subject, provide information relating to such measures