この資料は、高谷知佐子の講義「PERSONAL DATA AND PRIVACY ISSUES IN CROSS-BORDER M&A PROCESS　Japan case」で使用した資料です。

1. PERSONAL DATA AND PRIVACY ISSUES IN
CROSS-BORDER M&A PROCESS
Japan case
Chisako Takaya
Partner, Mori Hamada & Matsumoto (Tokyo)
chisako.takaya@mhmjapan.com

2. 2
Legislation
The following laws and regulations are the basic legislation in Japan for the
protection of personal information:
• Act on the Protection of Personal Information (Act No. 57 of May 30,
2003, as amended; the “APPI”);
• Act on the Protection of Personal Information Held by Administrative
Organs (Act No. 95 of 1988 of May 30, 2003 as amended);
• Act on the Protection of Personal Information Held by Independent
Administrative Agencies; and
• local regulations (jyourei) legislated by local governments.

3. Definition
3
“Personal Information” means information about specific living individuals
which can identify them by name, date of birth or other descriptions
contained in the information (including information that will allow easy
reference to other information which may enable the individual
identification) (APPI, Article 2, paragraph 1).
The METI Guidelines give examples of information that is not Personal
Information, such as email address which will not allow easy reference to
other identifying information, and statistical information which will not
enable the identification of any specific individual.

4. Definition
4
“Personal Information Database” means an assembly of information
including the following:
(i) an assembly of information systematically arranged in such a way that
specific personal information can be retrieved by a computer; and (ii) an
assembly of information designated by a Cabinet Order as being
systematically arranged in such a way that specific personal information can
be easily retrieved (Id. Article 2, paragraph 2).
“Personal Data” means personal information constituting a Personal
Information Database (Id. Article 2, paragraph 4).

5. Definition
5
“Personal Data Handling Operator” means a business operator which holds
personal information of more than 5,000 individuals in its personal
information database at any time in the past 6 months.
The APPI will not apply to a business operator not considered as Personal
Data Handling Operator.

6. Bill for Amendment of APPI 2015
6
The main proposed amendments in the Bill are:
• New legislation on international data transfers.
• Extraterritorial application of the APPI.
• Expanding the definition of personal information.
• Distinguishing "sensitive information".
• Establishing a Personal Information Protection Commission.
• New legislation on anonymised information.
• Strengthening the protection of personal information.
Time frame of the amendment of the APPI
The House of Councillors has passed the Bill on September 3, 2015 and the
provision that establishes the Personal Information Protection Commission is
in force on 1 January, 2016. Other amendments are expected to be in force
during the course of 2017.

7. International Data Transfer
7
New legislation on international data transfer
The APPI does not have special restrictions regarding the transfer of personal
information abroad. Under the Bill, any transfer of an individual's personal
information outside of Japan will require the individual's consent. A transfer
by an "opt-out" is prohibited except where the:
Personal information will be transferred to a country determined by the
Personal Information Protection Commission as having data protection
standards that are equivalent to Japan.
Foreign transferee has data protection standards that are equivalent to the
standards specified by the Personal Information Protection Commission.

8. Extraterritorial Application
8
Extraterritorial application of the APPI
The APPI does not explicitly provide for its application outside of Japan.
The Bill establishes that the APPI will apply to entities outside of Japan if
they receive personal information in connection with the provision of goods
or services to individuals residing in Japan.

9. Expansion of Definition of Personal Information
9
Expansion of the definition of personal information
The Bill expands the definition of personal information to include "Individual
Identification Codes" (Kojin Shikibetsu Fugou). Individual Identification Codes
will be regulated in cabinet order and are divided into:
• Codes that relate to the physical characteristics of individuals.
• Codes allocated to individuals in relation to the provision of services or
goods, or documents issued to the individuals (where the codes are
individually allocated).
Discussions in the Japanese Diet suggest that face recognition data, driver's
license numbers, and passport numbers will be included in the Individual
Identification Codes. The inclusion of mobile phone numbers, credit card
numbers, and e-mail addresses is still under discussion.

10. Distinguishing Sensitive Information
10
Distinguishing sensitive information
The APPI makes no distinction between sensitive information and other
kinds of personal information. The Bill addresses the oversight by introducing
the concept of "information that needs to be treated with special care"
(Youhairyo Kojin Jyouhou).
This includes information on race, creed, social status, medical history,
criminal records, a crime victim's history, and other sensitive information
that may lead to social discrimination or disadvantage. The Bill introduces
new restrictions for sensitive information, including a prohibition on
obtaining and providing sensitive information without the data subject's
consent.

11. Personal Information Protection Commission
11
Establishing a Personal Information Protection Commission
There is no single independent regulatory authority that is responsible for
implementing the APPI. Each Ministry that regulates specific industries is
currently responsible for enforcing the APPI in that industry. The Bill
establishes a Personal Information Protection Commission (Kojin Jyouhou
Hogo Iinkai), which will be responsible overall for implementing the APPI
(see Proposed amendments to My Number Act).

12. Anonymised Information
12
New legislation on anonymised information
Under the Bill, individual consent is not necessary to transfer personal
information that is being anonymised to third parties. This framework is
expected to lead to the utilisation of big data, innovations and new
businesses. The details of the required method of anonymisation and
security control measures will be provided in the rules to be issued by the
Personal Information Protection Commission.

13. Strengthening the Protection
13
Strengthening the protection of personal information
Several amendments aim to strengthen the protection of personal
information and include the following:
• The Bill removes the exemption from certain data protection obligations
for business operators with fewer than 5,000 individuals in their personal
information database at any time within the previous six months. All
private business operators will be considered "Handling Operators"
covered by the APPI.
• The Bill penalises any Handling Operator that provides personal
information to a third party for any unlawful gain with imprisonment of
up to one year or a fine of up to JPY500,000.

14. M&A Transaction
14
 Personal Information or Personal Data can be transferred from the
Seller to the (potential) Buyer?
 The APPI prohibits the Personal Data Handling Operators from
providing Personal Data to a third party without obtaining the prior
consent of the principal, subject to certain exceptions (Id. Article 23)
such as required disclosure by laws and regulations.
 MITI guidelines stipulates that even though the Personal Data
Handling Operators obtains Personal Information from other entity
due to mergers & acquisitions, company splits or business transfer,
such Personal Information cannot be treated without obtaining prior
consent from the individual when using the same for such purpose
not contemplated when obtaining such Personal Information.

15. M&A Transaction
15
 Personal Information or Personal Data can be transferred from Japan to
outside Japan?
 The current APPI does not have special restrictions regarding the
transfer of personal information abroad.
 Under the Bill, any transfer of an individual's personal information
outside of Japan will require the individual's consent. A transfer by
an "opt-out" is prohibited except where the:

16. M&A Transaction
16
 Any obligations or penalty will be posed for the company outside
Japan?
 The APPI does not explicitly provide for its application outside of
Japan.
 The Bill establishes that the APPI will apply to entities outside of
Japan if they receive personal information in connection with the
provision of goods or services to individuals residing in Japan.
 M&A transaction situation might not be the case when the APPI will
apply to entities outside of Japan. However, if the targeted business
is retail business (BtoC), there is a possibility that the APPI will apply.