Update technical-faq.yml

akirayuppie · web-flow · commit a4e9b6ca9af2 · 2025-10-10T11:08:56.000+09:00
This FAQ addition addresses a common question from Japanese enterprise customers regarding compliance with the Act on the Protection of Personal Information (APPI) in the context of Microsoft Defender for Identity (MDI). Specifically, it clarifies whether end-user consent is required for overseas data transfer when using MDI.

Justification and Accuracy:
The content has been carefully reviewed against official guidance from Japan’s Personal Information Protection Commission (PPC), particularly Q&amp;A 12-3, as well as legal commentaries. According to the PPC and current legal interpretations, providing personal data to Microsoft as part of using MDI is classified as “outsourcing” rather than a “provision to a third party in a foreign country.” Therefore, explicit end-user consent for cross-border data transfer is not required, as long as the proper contractual and supervisory safeguards are in place.

This clarification is important for legal compliance and customer assurance. The FAQ content accurately reflects the current legal requirements and aligns with both Japanese government guidance and Microsoft’s standard contractual obligations.
diff --git a/defender-for-identity/technical-faq.yml b/defender-for-identity/technical-faq.yml
@@ -87,6 +87,10 @@ sections:
       - question: Is my data isolated from other customer data?
         answer: Yes, your data is isolated through access authentication and logical segregation based on customer identifiers. Each customer can only access data collected from their own organization and generic data that Microsoft provides.
 
+      - question: When using Microsoft Defender for Identity (MDI), is end-user consent required for overseas data transfer under Japan’s Act on the Protection of Personal Information (APPI)?
+        answer: |
+           No, end-user consent is not required. Providing personal data to MDI constitutes “outsourcing” rather than a “provision to a third party in a foreign country” under the APPI. Therefore, explicit end-user consent for cross-border data transfer is not necessary.
+
       - question: Do I have the flexibility to select where to store my data?
         answer: |
           No. When your Defender for Identity workspace is created, it's stored automatically in the Azure region that's closest to your Microsoft Entra tenant's geographical location. Once your Defender for Identity workspace is created, Defender for Identity data can't be moved to a different region.
