After news came to light last month that Line Corp. had allowed a Chinese software company to access users’ personal information despite Beijing’s tighter data control regulations, the firm was roundly criticized over its handling of personal information and has taken to revising its data-handling policy.
The operator of the Line messaging app said it had cut access from China and also plans to move sensitive data stored in South Korea to Japan.
But the question remains over what went wrong with Line’s data management.
Since its inception in 2011, Line has become a dominant communication tool, with some 86 million domestic users, that even the public sector — government ministries and municipalities— utilizes for administrative services, including vaccination reservations.
Even though it is common for Japanese companies to outsource product development to Chinese companies, Line’s case was different, said Hiroshi Miyashita, a professor at Chuo University and an expert in personal information protection.
“If information regarding national security was exchanged via Line, such information and data might possibly be accessed by the Chinese government” due to the National Intelligence Law that came into effect in 2017, Miyashita said. Outsourcing to Chinese companies is a reasonable practice, “but considering Line’s service and position, it’s quite problematic that the firm disregarded the risk.”
In March, following a news report, Line admitted that its subsidiary in China had been able to access users’ personal information including names, email addresses and chat messages, stored in data centers in Japan for product development, leaving some users uneasy about possible data leaks to the Chinese government.
In effect, that means Chinese authorities could have acquired and used Line users’ data for their political agenda through the country’s National Intelligence Law that states all organizations and individuals are subject to cooperation with state intelligence work — an uneasy reality for Japan’s public sector.
“We have caused users inconvenience and worry, and we take it very seriously that we betrayed the trust of a lot of people,” Line CEO Takeshi Idezawa said at a news conference in March, although he noted that there was legally nothing wrong with it.
“We overlooked the turning point brought about by China’s National Intelligence Law. In other words, we lacked consideration for our users,” Idezawa said.
Line was also not transparent about informing users that some of their data would be managed in China and South Korea. Under Japan’s current Protection of Personal Information Act, firms basically need to get users’ consent to transfer their data overseas, but it does not require them to name the recipient countries. However, the law was revised last year to require companies to specify the locations. The revised law will come into effect next year.
But Line is not the only company to face criticism. Japanese companies are generally not taking privacy protection as seriously as they should, Miyashita said.
“Companies need to think that protecting users’ personal information means protecting their human rights,” Miyashita added.
And since outsourcing product development to Chinese firms has been a popular practice among Japanese firms, chances are other Japanese companies have been allowing their Chinese partners to access sensitive data, according to Kenichi Hirano, a cybersecurity researcher at the Mitsubishi Research Institute.
“It’s probably better for companies that deal with personal information to take some steps,” said Hirano.
Local media have reported that the Financial Services Agency, Japan’s financial watchdog, has launched an investigation into financial institutions, asking them to report where they are outsourcing and storing data and how they manage it.
The Line incident has prompted the government to be more alert on data protection now, but critics claim the central and local governments should have been more cautious when they first started using Line services.
“I think pre-assessment (by the central and local governments) was inadequate. They were probably assuming that Line was safe because everyone was using it. As administrative entities, they should have checked more carefully,” Hirano said.
Yoichiro Itakura, partner and lawyer at Hikari Sogoh Law Offices and an expert in personal information protection, said the incident also highlighted Japan’s lack of awareness in gathering privacy protection information about other countries through diplomacy.
He said it is doubtful that the Japanese government has information on exactly how and in what situations South Korean and Chinese authorities require companies to submit their data.
Tokyo should negotiate with other nations to clarify how and when the authorities require companies to submit their data, Itakura said.
“Can the Chinese authorities access data anytime they want without procedures based on the National Intelligence Law? … How the system works is unclear, so we don’t really know just how risky it is,” said Itakura.
While the heightened tension between Beijing and Washington has many concerned over Chinese firms’ connections with their government, some have flatly denied that they were feeding Beijing information.
Huawei Technologies Co. founder Ren Zhengfei, for example, reportedly said that the firm would not help with espionage work for the Chinese government even when required to by law.
The European Union runs checks on countries to judge whether they can be trusted with data transfers based on its General Data Protection Regulation or GDPR — indeed, Japan had to commit to implementing a number of measures to help protect transfered personal data when reaching an agreement wit hthe EU — a move Itakura supports.
“Europe openly conducts these checks … Japan should do the same,” he said.
In a time of both misinformation and too much information, quality journalism is more crucial than ever.
By subscribing, you can help us get the story right.