This article is an extract from Lexology In-House View: Japan M&A 2024.


Introduction

In today’s fast-paced, information-driven society, the economic value of personal information and data has soared and is driving the need for enhanced protection of personal information. Over the past several years, many countries and jurisdictions have responded by enacting data protection regulations, either comprehensive or industry-specific, and stricter regulation of personal information has become the global trend. Along with these stricter regulations have come more punitive penalties and an increased risk of reputational damage for violations and for data breach incidents, causing companies in Japan to focus on, and even change, the ways they handle personal information.

Changes in the handling of personal information are very relevant to M&A transactions. Although it used to be an afterthought, compliance with privacy regulations has become one of the key focus areas in the due diligence phase of an M&A transaction, especially in the case of an acquisition of a company that processes large amounts of customer information or sensitive information or a company providing services with online payment capabilities. It has become increasingly important to have a good understanding of data privacy regulations applicable to a target company, to conduct efficient data privacy due diligence to discover material issues and to appropriately address any such issues.

This article aims to provide an overview of the primary law affecting the handling of personal information in Japan, the Act on Protection of Personal Information of Japan (APPI), and discusses the key points in data privacy due diligence and how to address issues found during due diligence through negotiation and the documentation process.

Overview of APPI

Overall, the basic framework of the APPI is similar to data privacy regulations in many other jurisdictions. That is to say, the APPI sets forth, among other things, the rights of data subjects, the obligations of businesses, the concept of sensitive information subject to enhanced regulation, rules for data transfer, and security measures to be taken. When the APPI was originally enacted in 2005, it did not have a significant impact on the way that businesses handled personal information and data. At that time, few businesses made compliance with the APPI a priority, in part because the penalty for non-compliance was not very punitive.

Gradually, however, the importance of protecting personal information gained recognition and significant amendments to the APPI were made in 2015, which came into effect in 2017. Thereafter, the European Commission adopted the adequacy decision in respect of Japan in 2019, which enables the transfer of personal data from GDPR member countries to a business in Japan without complying with international data transfer rules under the GDPR, so long as the business complies with the Supplemental Rule published by the Personal Information Protection Commission (PPC) in addition to the general rules under the APPI. Concurrently therewith, the PPC added countries in the European Economic Area (EEA) into its ‘white list’ in relation to international data transfer, which allows transfer of personal data to a third party in an EEA country without following stricter international data transfer rules under the APPI. The following year, the APPI was further amended (2020 Amendments) to respond to the rapid growth of IT technologies and frequent international flow of personal data.2

Key features of the 2020 Amendments include (1) expansion of the data subjects’ rights, (2) strengthening of regulations for third-party transfers, (3) introduction of a new concept of ‘person-related information’,3 (4) introduction of the concept of pseudonymous information, (5) introduction of a mandatory report to the PPC in case of certain data breaches and (6) increase in the amounts of fines for non-compliance.4

It is worth noting that, despite the numerous amendments to the APPI, unlike many other jurisdictions, the APPI does not require businesses to conduct data protection risk assessments or have a special rule for processing the personal information of children. Nevertheless, the strengthening of personal information protection over the years, as well as the increased penalties for violating the APPI, has caused companies subject to the APPI to make concerted efforts to comply with the APPI and take appropriate security measures to avoid monetary or reputational damages that may result from violating the APPI or any data breach.

In the context of an M&A transaction, it is crucial for the buyer to confirm such compliance to avoid assuming or acquiring any liabilities in relation to personal information and data protection. As a result, understanding the details of key regulations under the APPI, including international data transfer rules and exemptions, and how to conduct efficient data privacy due diligence is very important.

Due diligence phase

Due diligence plays an important role in an M&A transaction because a buyer will assume liabilities if it fails to uncover issues within the target company through the due diligence process. Since conducting full and complete due diligence is often difficult due to time or cost constraints, the buyer may need to appropriately narrow the scope of due diligence depending on the importance of personal information to the businesses conducted by the target company. For example, if a target company collects personal information directly from its customers, it would be advisable to conduct substantial due diligence on how the target handles that personal information. While the scope may vary depending on the business of the target company, the buyer should at least be aware of material matters, and the following are the key areas to review from the data privacy compliance perspective:

Applicable laws

One of the first steps in data privacy due diligence is to confirm what data privacy laws and regulations apply to a target company. The APPI applies if the target company is incorporated under the laws of Japan. However, a buyer should be aware that the APPI may also apply to a target company which collects and processes the personal information of residents in Japan in connection with the provision of goods or services to Japan residents, even if the company is incorporated under foreign laws with no physical presence in Japan. For example, it is not uncommon for companies to sell products or provide services online to Japan residents even when they do not have any office in Japan. If the buyer aims to acquire a non-Japanese company, it should make sure to confirm whether the target company complies with the APPI, as well as other applicable data privacy regulations in other jurisdictions.

Data mapping

In addition to confirming the applicable laws, it is critical to gain an early understanding of what personal information the target company collects, from whom, and how it processes that information (eg, how the collected personal information is used, whether it is shared with a third party within or outside Japan, whether it is jointly used among affiliate companies, etc). This will help the buyer determine the scope and priority of data privacy due diligence, taking into consideration the value of the personal information to the businesses of the target company and the potential risks which may arise from non-compliance with applicable data privacy regulations.

Review of privacy policy

A target company’s privacy policy (if available) is one of the first documents to review in order to gain an overview of the treatment of personal information at the target company and to confirm that its contents comply with applicable laws. Although the APPI does not specifically require businesses to have a privacy policy in place, it does require businesses to provide the information listed below to data subjects before collecting their personal information,5 and businesses6 usually satisfy this obligation by setting it out in a privacy policy that includes:

  • name and address of the business, and name of its representative in case of a corporation;
  • purpose of use for each and all personal data;
  • process to respond to inquiries from data subjects;
  • security measures in place;
  • contact information; and
  • if the business is a member of an accredited personal information protection organisation, its name and contact information.

Additionally, the APPI requires a business to provide further information in cases where the business jointly uses the personal data with a specific third party, transfers personal data to a third party in Japan relying on the opt-out exemption, or transfers personal data internationally. In those cases, it would be preferable for the privacy policy to include such further information in addition to the information generally required.

At this stage, the buyer should confirm whether the privacy policy of the target company appropriately covers the information required to be disclosed to data subjects in advance or, alternatively, whether the target company satisfies its data privacy obligations by allowing data subjects to make inquiries and answering them without delay. Of course, confirming compliance without a privacy policy may be more difficult and may require a more exhaustive review of the target company’s records.

Rights of data subjects

As is the case with many foreign data privacy laws, the APPI allows a data subject to request a business7 to, among other things, provide information regarding its own personal data that the business processes, to correct or delete the personal data, or to cease use or data transfer of the personal data. The following is a list of data subjects’ rights under the APPI:

  • right to request disclosure of the purpose of use;
  • right to request disclosure of the categories of personal data collected;
  • right to request disclosure of data transfer records;
  • right to request correction, addition or deletion of personal data (if incorrect information is included);
  • right to request cessation of use or deletion (in case of use beyond the disclosed purposes, inappropriate use or collection in an improper manner);
  • right to request cessation of third-party transfer (in case of non-compliance with the third-party transfer rule); and
  • right to request cessation of use or deletion, or request cessation of third-party transfer (if personal data is no longer needed, or there are actual or threatened circumstances which may damage data subjects).

During due diligence, it would be advisable to check which data subjects’ rights the target company allows and how the target company handles requests from data subjects. It is also important to know how many requests the target company has received from data subjects in the past and whether any dispute has arisen in relation to the exercise of rights by any data subject.

Third-party transfer rule

Any failure to comply with the third-party transfer rule may cause significant damage to a breaching company. Therefore, review and confirmation of a target company’s compliance with the third-party transfer rule should be given high priority during due diligence. This is especially true if the target company shares personal data with a service provider outside of Japan for the purpose of outsourcing part of its business, or if the target company jointly uses personal data with foreign affiliates. In such cases, the buyer has to determine on what basis the target company shares personal data and confirm that the target company satisfies all applicable requirements for third-party transfers, because international transfers to service providers and joint use among foreign affiliate companies are not automatically exempted from the third-party data transfer rule.

Data transfer within Japan

As a default rule, the consent of a data subject is required to transfer personal data to a third party in Japan. However, the APPI provides an opt-out exemption that may be used if certain requirements (eg, granting data subjects an opt-out right, disclosing certain information and filing an opt-out notification with the PPC) are met. A business relying on the opt-out exemption may transfer personal data to a third party in Japan without the consent of data subjects. It should be noted that data transfers in relation to outsourcing, succession of all or part of the business, or joint use of personal data with a specific third party in Japan8 are not considered data transfers, and thus neither the consent of the data subject nor application of the opt-out exemption is required.

International data transfer

For international transfers of personal data, the consent of the data subject is likewise required, but before obtaining such consent, the business has to provide the data subject with the following information: (1) the name of the country or area in which the third party is located, (2) a description of the personal data protection regime in the destination country or area9 and (3) the measures taken by the third party to protect personal data.10

Nonetheless, the APPI allows some exemptions. One of the exemptions is data transfer to a third party located in the EEA or the United Kingdom.11 Another exemption is data transfer to a third party with APEC CBPR certification.12 Further, the APPI provides an exemption from the international data transfer rule for recipient third parties if such parties are required to take appropriate measures to protect personal information under a service agreement, a binding corporate rule or other binding agreement;13 however, no template service agreement or corporate rule has been published under the APPI, and the APPI does not clearly stipulate the matters to be provided in such agreements, although the relevant guidelines provide some guidance. As such, any business intending to transfer personal data internationally in reliance on this exemption should carefully consider the matters to be provided in the agreements to make sure the recipient third party takes sufficient measures to protect personal information, taking into consideration the relationship between the business and the third party and the purpose of the international data transfer.

Where any of the above exemptions is relied upon, the international data transfer remains subject to the rules for domestic data transfers described above.

Thus, during due diligence, the buyer should confirm whether the target company transfers personal data to any third party and, if so, to whom, the location of the recipient third party, whether the target company relies on any exemption from the data transfer rules, and whether the applicable data transfer requirements are met. Further, it is important to check whether the target company makes and keeps records of data transfers in accordance with the APPI.

Cookies

The APPI does not directly regulate cookies or other online identifiers (hereinafter referred to simply as cookies),14 and information collected through cookies does not fall within the definition of personal information under the APPI unless it is possible to identify a specific living person directly from the information or by combining it with other information held by the business. As a result, historically, the transfer of information collected through cookies has not generally been subject to the APPI.

However, the 2020 Amendments introduced the new concept of Person-Related Information (which includes information collected through cookies) and provided that a business transferring Person-Related Information may be required to confirm certain matters with the transferee if the business expects the transferee to use such Person-Related Information as personal data by collating it with other information held by the transferee.

If the target company sets cookies on its website and uses and analyses the information collected through them, a buyer should carefully review what information is collected and how it is used, whether the collected information is transferred to or shared with a third party, and if so, how the target company meets the requirements of the Person-Related Information regulations.

Security measures

One of the most important checkpoints in data privacy due diligence is whether the target company implements appropriate security measures to protect personal information. From the legal due diligence perspective, the buyer should confirm, among other things, whether a policy on handling personal data is in place and how the target company ensures compliance with it, whether a data protection officer has been appointed and, if so, what their role is, whether regular internal or external audits on the handling of personal data have been conducted and audit reports have been prepared and reviewed in the past couple of years, whether appropriate access limitations on personal data are in place, and whether a rule for deletion of personal data is in place.

In addition, the buyer should be aware of the importance of the target company having and maintaining appropriate IT security measures, since any weakness or defect in IT security measures may permit cyber-attacks or data breaches which may greatly damage the target company. As part of its comprehensive due diligence, a buyer should consider retaining IT experts to conduct due diligence on IT security measures.

Data breach notification and communication with regulatory authority

Another critical checkpoint in data privacy due diligence is whether the target company has suffered any data breach incidents, including aborted or threatened breaches. Specifically, the buyer should confirm whether there have been any past data breach incidents and, if so, (1) what caused the data breach and how the target company handled the incident, (2) whether the target company has filed any data breach notification with regulatory authorities, (3) whether the target company is aware of concerns that may lead to a data breach and (4) whether there are actual or threatened disputes with data subjects in connection with any processing of personal data. In addition, it is important to confirm whether there have been any communications with regulatory authorities in connection with data privacy compliance, including, but not limited to, whether the target company has received any advice, recommendation or order from the PPC or other regulatory authorities indicating a violation of data privacy regulations or improper processing of personal data. It would also be advisable to check whether the target company has an action plan for data breach incidents in place.

The scope of the data privacy due diligence depends on the size of the transaction, the type of businesses the target company engages in, and the potential risks that may arise from data privacy issues. It would be ideal to conduct comprehensive due diligence to confirm compliance with applicable data privacy regulations. However, even if it is not possible or desirable to conduct comprehensive due diligence, a buyer should at least review and confirm compliance with the data transfer rules, the appropriateness of security measures, any data breach incidents or disputes with data subjects, and any communication with regulatory authorities, as these may cause significant damage to the target company. Once such issues are identified, a buyer must appropriately deal with them in the negotiation and drafting phase.

Negotiation / drafting phase

For a successful M&A transaction, any issues found through data privacy due diligence need to be addressed and resolved during the negotiation and documentation processes. A buyer’s options will depend on the nature and severity of the issues discovered, but may include the following:

Price reduction

If any material issue that may result in significant damage to the target company’s business is found in the due diligence phase (eg, a cyber-attack affecting the customers of the target company or material defects in the target company’s security measures which would require significant cost and time to cure), a buyer may seek to negotiate a reduction of the purchase price. Such an option would be especially appropriate in cases where the target company collects personal information from a number of customers, including their payment information or sensitive information, since the value of the personal data would be critical to the business of the target company and the potential damages for breaches or non-compliance may be large. In the end, the goal would be to obviate the impact on the buyer by reflecting the reduction of the company value in a corresponding reduction of the purchase price.

Holdback / escrow

Another option to deal with data privacy issues and potential liabilities is to have a portion of the purchase price be withheld and placed in escrow for a specified period, which amounts may be used to satisfy any data privacy liabilities arising during that period.

Liability allocation

One of the key negotiation points for a buyer is the allocation of liability for damages. Generally speaking, the buyer should not be liable for any damages arising after the closing from a data breach or non-compliance with data privacy regulations occurring before the closing. For example, if the target company suffered a cyber-attack before the closing and personal data (including customers’ payment information or sensitive information) was stolen, the affected customers may bring claims for damages even after the closing. In such a case, a buyer will want to make sure that there is an agreement that the seller will bear all liabilities relating to actions or activities occurring prior to closing. This agreement is often accompanied by the holdback / escrow option discussed above.

Conditions precedent

In cases where non-compliance with data privacy regulations identified in the due diligence phase is not material and the target company may easily cure the issue, a buyer may simply require the seller to cure the issue as one of the conditions precedent to the closing.

Representations and warranties

Even where no material issues in relation to data privacy compliance are discovered in the data privacy due diligence phase, the buyer should include appropriate representations and warranties on data privacy compliance of the target company, including, but not limited to, the purpose of use of collected personal information, compliance with applicable data privacy regulations and internal data privacy rules, no actual or threatened disputes relating to processing personal data, and no data breach incidents in the past.

Indemnification

One of the more crucial terms for any buyer is an indemnification provision. Negotiation on indemnification in relation to data privacy compliance is particularly important if the target company did not disclose sufficient information to confirm its data privacy compliance in the course of the due diligence process. In such a case, it would be preferable to agree on an indefinite or longer indemnification period for breaches of the relevant representations and warranties. Likewise, if the target company was unwilling to disclose its IT security measures, it is important for a buyer to have an indemnification provision that covers this, because defects in IT security measures may result in cyber-attacks or other data breaches, which may in turn cause significant damage to the business of the target company.

In conclusion, it is very important to consider data privacy practices of a target company when undertaking M&A transactions in Japan. This is because any violation of the APPI or the occurrence of a data breach, as a result of insufficient security measures, is likely to have a significant negative impact on the target company and, therefore, the M&A transaction itself. As set forth above, understanding and properly treating the issues relating to data privacy compliance at a target company is one of the most crucial matters for any M&A transaction. A careful review of data privacy compliance and appropriate negotiation and documentation by the buyer will help to reduce or mitigate the risks from any issue related to data privacy compliance and may ultimately lead to a successful M&A transaction.