Following a data management incident in March, Line Corp. announced it would move sensitive user information from data centers in South Korea to Japan to ease concerns, especially from those in the public sector.
But will transferring personal information data to Japan from overseas improve its safety?
Not necessarily, critics say.
Line’s data management drew flak last month after the firm acknowledged it allowed its Chinese software firm to access users’ personal information. The messaging app giant was also storing data including photos, videos and transactions of e-money Line Pay in data centers in South Korea.
Storing and managing data within Japan may better protect against foreign governments’ attempts to obtain personal information based on their own domestic laws.
“At least, the stored data will not be influenced by the legislation of foreign governments. In that sense, (managing data in Japan) is meaningful to a certain degree,” said Kenicihi Hirano, a cybersecurity researcher at the Mitsubishi Research Institute, referring to attempts by foreign governments to acquire users’ data.
Line’s data scandal has vexed many, as users’ information might have been leaked in China or South Korea. China implemented its National Intelligence Law in 2017, which requires organizations and individuals in China to cooperate with state intelligence work.
When it comes to South Korea, though, given that Line is owned by South Korean IT giant Naver Corp., it makes sense for the firm to handle data in the neighboring country.
Hiroshi Miyashita, a professor at Chuo University and an expert in privacy protection policy, thinks the risk regarding South Korea is not as grave because Seoul has fairly strict rules on protecting personal information.
“South Korea actually has more rigorous rules than Japan’s Protection of Personal Information Act,” so it’s not easy for the authorities to gain access to data that companies have, he said.
However, because of the strained relations between Tokyo and Seoul over historical conflicts, the notion of personal data being stored in South Korea has riled some.
When Line CEO Takeshi Idezawa was asked in a news conference last month about what he believed was the problem in keeping data in South Korea, he simply said the firm “disappointed” users, so it is trying to “meet their expectations.”
Miyashita said people should discuss the level of data protection not based on emotion but based on facts including other countries’ legal systems and how they are operated.
Storing data in Japan also wouldn’t reduce the risk of personal information leaks caused by cyberattacks, which can occur regardless of where the data is stored.
For one, Japan is facing a severe shortage of IT engineers, so “if companies are focused too much on managing data within Japan, that might actually weaken their cybersecurity and pose other risks,” said Hirano.
Thus, based on the levels of sensitivity of data, companies should assess the risks of where to store and manage it, Hirano said.
And there is always a risk that insiders may steal data.
For instance, Japan’s biggest data theft, which occurred at Benesse Holdings Inc. in 2014, was caused by an engineer working for a Benesse contractor in Japan. Benesse, a major correspondence education provider for children, saw data leaks affecting 48.58 million individuals.
Still, some Japanese companies are following Line’s move to transfer data managed in other countries to Japan.
KDDI Corp., a major mobile phone carrier, said it is considering moving its customers’ phone number data stored in Hong Kong to other places including Japan because of the changing political circumstances there.
A KDDI spokesman said Line’s case has also prompted the carrier to look into that option.
KDDI stores and manages subscribers’ personal information in Japan and allows only domestic access, the spokesman said. He added KDDI has a U.S. contractor that arranges overseas roaming services and this firm stores data including phone numbers that is necessary for customers to use such services on servers in Singapore and Hong Kong.
While Line’s incident served as a wake-up call for Japanese companies over their data protection policies, they should not think that they need to move all data to Japan, Miyashita said.
He added that overreacting might facilitate “data nationalism” that would disrupt smooth cross-border data flow, hindering companies from taking advantage of healthy data usage.
In fact, Japan has been promoting the concept of “Data Free Flow with Trust” proposed by then-Prime Minister Shinzo Abe in 2019. Moreover, the country has been opposing the idea of data localization, in which nations require certain companies to set up servers and store data within their borders.
Countries such as China, Russia and other emerging nations are establishing such data localization rules that put extra burdens on companies.
“I think we need to think about what the concept of ‘Data Free Flow with Trust’ really is in a level-headed manner,” said Miyashita.
In a time of both misinformation and too much information, quality journalism is more crucial than ever.
By subscribing, you can help us get the story right.