Editorials

Tighten rules on data privacy

The operator of T Card, one of the most popular reward cards in Japan, has been providing personal information of cardholders to investigation authorities upon their request. Though the data was supposedly used for criminal investigations, the practice raises important questions about privacy protection. Since 2012, the personal information, including the names and addresses of cardholders, and records of their purchases and use of services at shops using the cards, has been released without court warrants, and the operator failed to inform the roughly 67 million cardholders in the terms of its service that their information could be supplied to investigators.

In fact, Culture Convenience Club (CCC), which manages the card and runs the Tsutaya rental video and bookstore chain, is just one of many companies that cooperate with police and prosecutors’ investigations by voluntarily providing such information — which can offer clues on what specific individuals were doing at a specific time and place. Investigators reportedly obtain such information on a routine basis without being vetted by third-party oversight, such as by getting a court warrant, on how the information will be used in their investigations, as well as how they manage (or destroy, when appropriate) such data.

The Criminal Procedure Law allows investigators to request public and private organizations to provide information relevant to criminal investigations, and the data on T Card holders have been supplied upon such requests from police and prosecutors. Unlike when they are mandated to do so by a court warrant, parties called on to supply the information won’t be punished if they refuse to comply with the requests, but most businesses reportedly comply voluntarily.

The law on protecting personal information, which prohibits businesses from releasing private information on their customers to third parties without the consent of the individuals, makes an exception for police requests for such data in criminal investigations.

Investigators are said to greatly value the information provided on the subjects of their investigation because they serve as the individuals’ footprints. T Card holders accumulate reward points by spending money at CCC chain outlets and a range of other establishments affiliated with its card service, including convenience stores, restaurants, gas stations and hotels.

The records of their purchases and use of services can effectively enable investigators to trace their movements. In one reported example, investigators learned from their target’s record of card use that the suspect visited a certain convenience store at a certain time almost daily, so they staked out the shop and apprehended the person.

Such information can indeed be useful and necessary in criminal investigations. Investigators reportedly request businesses for information instead of obtaining court warrants because it’s impractical to seek a warrant every time they need the massive volume of data in their daily investigations.

That means, however, that pieces of information that can be used to shed light on individuals’ private life — which are also obtained through security cameras that are everywhere, or the records of them using IC cards to pass through electronic gates on public transportation — are routinely being exchanged without individuals’ knowledge or third-party oversight.

The personal data provided to the investigators may include information unrelated to criminal activities. A deeper analysis of these pieces of information may even enable investigation authorities to identify the individuals’ private behavioral patterns, personal tastes and beliefs. We should stop and consider whether that’s acceptable in terms of privacy protection when weighed against the public interest in the success of criminal investigations.

In connection with the question of criminal investigations and privacy protection, the Supreme Court in 2017 ruled that police use of GPS devices that are attached to the vehicles of suspects without court warrants to track their movement was illegal — on the grounds that the use of GPS devices can violate the privacy of the suspects because that will involve a continuous and comprehensive monitoring of the individuals’ movements, which will entail an encroachment by the public powers into the individuals’ private sphere.

A “continuous and comprehensive monitoring” of the movements of specific individuals is also made possible by combining and analyzing the various sets of individuals’ private information such as records of their use of loyalty cards at shops that investigators have access to without having to obtain court warrants.

To make sure that the personal information provided to investigation authorities is properly used and managed, clear rules need to be established on the conditions and procedures for investigators to obtain such information for criminal investigation purposes, how the data should be controlled and how they should be destroyed when they are no longer necessary for the investigation. The entire process should be placed under third-party oversight and no longer left entirely to the discretion of investigation authorities.