East Japan Railway (JR Higashi Nihon) has admitted selling records of its prepaid Suica e-money and train pass cards to business firms, it was reported last month. Selling data may be no surprise in this age of “big data,” but failing to inform users that information obtained from their Suica cards would be sold to market researchers is an unethical, and perhaps illegal, business practice that should be stopped.
When the sales became public knowledge, JR claimed they had removed the names and addresses of the 43 million commuters whose data they sold. They further claimed that the data sold was only “statistical information,” which they said did not constitute a violation of privacy.
However, the advanced analytic technology of market researchers makes it possible to compare seemingly anonymous data with other data to determine precisely who went where and when, and what they bought. Even if it appears anonymous and technically may not be covered by the Personal Information Protection Law, selling such information without permission violates the spirit of the law.
Commuting and consuming are daily activities, so the information is in high demand by marketing research businesses. Just the same, it should remain private. Even if the data is as innocuous as what soft drink was purchased at a station kiosk, such activities should remain under the control of individuals.
East Japan Railway offered an apology, but too late. The information was already in the computer data banks of market research companies. One confirmed purchaser of the data was Hitachi Ltd, which apparently analyzed the data and then sold the results to other firms for even more profit.
The market research firms were willing to pay a lot of money to JR Higashi Nihon, so perhaps they should be paying individuals for their personal information.
Business firms like JR Higashi Nihon should handle data only in ways to which customers willingly and knowingly agree. If customers choose to give prior consent to the use of their data, as many do in other areas, that is their choice. But most customers would no doubt prefer that the information contained in their Suica cards be kept private.
These sales may not be completely covered by the Personal Information Protection Law as it now stands, but they should be. The Land, Infrastructure, Transport and Tourism Ministry has launched an investigation.
The law clearly needs an update. Consent of users should be obtained before their data is sold. This is not a problem that will disappear, but will only become more complicated as data-mining technology improves and profits continue to be made. Consumers deserve the right of privacy for their own data. The government must enact laws to ensure that this is the case.