TOKYO -- With Japanese corporate management of personal information under scrutiny after revelations at messaging app Line, a Nikkei survey shows that about 40% of leading financial services institutions in Japan store or transfer customer data abroad.
Nikkei's poll included banks, brokerages, insurers, credit card issuers, leasing businesses and payment service providers. Of the 49 respondents, 21 said they have transferred customer data outside Japan, while 24 have not and four declined to answer. Destinations for the data include China, the U.S., Singapore, South Korea, Australia and France.
The finding follows a public outcry over Line's practice of exposing personal data to Chinese and South Korean subcontractors without an explicit disclosure to Japanese users. The admission in March by the app, which boasts 86 million active users in Japan including the government, prompted the Financial Services Agency and other regulators to investigate how financial institutions handle such information.
Some financial companies told Nikkei they have entrusted data management to vendors in the U.S. or Europe in order to use their cloud services or information technology tools, while one brokerage sent customer data to an American company for portfolio analyses. Four respondents, including insurers and a bank, outsourced data entry and other tasks to to Chinese firms.
Japanese law allows entrusting data management to foreign companies so long as customer consent is obtained and the service provider is supervised. Outsourcing to China is "not prohibited," even for a financial institution, a spokesperson at the Financial Services Agency said.
But multinational companies have been on edge since China enacted a national intelligence law in 2017 that authorizes Beijing to demand information from private companies and citizens.
"Cases of questionable data management are on the rise in connection with outsourcing," the FSA spokesperson said.
An official at one financial institution in Japan that uses a Chinese data entry service said the vendor is properly managed and data is processed to prevent personal identification.
"It's troubling that data processing in China is considered questionable even when it's done in compliance with the law," the official said.
Japan looks to update rules on private data transfer overseas in April 2022. Guidelines proposed last week by the Personal Information Protection Commission would require companies to disclose where data will be transferred and how data management rules in the destination country differ from those in Japanese.
Even if the protections are comparable, companies still will be required to reassess them annually and stop transferring personal data overseas if safeguards cannot be assured.
"Finance is considered a vital infrastructure in cybersecurity," said Yoichiro Itakura, a lawyer who specializes in personal data protection. "From the standpoint of national security, [Japan's] government should put forward appropriate measures for transfers of personal data to China and other countries."
"It's too much of a burden for companies to assess legal systems in different countries and make their own judgments," Itakura said.
The Nikkei survey also found that more than 70% of the respondents outsource their systems development to foreign vendors, with 14 using providers in China. Eleven said their backbone systems were developed abroad.
"When outsourcing outside of Japan, the assumption is that security measures equivalent to those in Japan are in place," said Akimasa Nakao, an analyst at research firm Gartner Japan. "Stricter management and supervision are essential."