ArrowArtboardCreated with Sketch.Title ChevronTitle ChevronIcon FacebookIcon LinkedinIcon Mail ContactPath LayerIcon MailPositive ArrowIcon PrintIcon Twitter
Technology

Line's privacy blunder reveals holes in Japan's data rules

Exposure of personal info to Chinese companies raises questions about consent

Chat app provider Line apologized Wednesday for not fully informing users about exposing their data to a Chinese affiliate. (Photo by Kosaku Mimura)

TOKYO -- The admission Wednesday by chat app provider Line that its Chinese affiliates had access to Japanese users' personal data underscores the inadequacy of information privacy regulations governing data that could cross borders.

Line said that certain data was visible to staff members at a Chinese system development affiliate and a Dalian-based contractor. The company apologized for failing to "fully explain to users" that information on Japanese servers could be accessed from China.

Companies in Japan are legally required to gain user consent to transfer data outside Japan or allow it to be accessed from overseas. Line stressed that it followed the law, as its privacy policy states that the company "may transfer personal data to a third country."

But experts have raised doubts about whether this was conveyed to users clearly.

"If users had no idea that their data could be transferred to China, then whether the consent was valid is an open question," an attorney said.

The European Union's General Data Privacy Regulation mandates informed consent "using clear and plain language." Japan's revised data privacy law, expected to take effect in spring 2022, will require companies to provide users with an easy-to-understand explanation of protections in third countries where their information would be transferred.

Whether Line fulfilled its legal obligation to supervise people to whom personal data has been entrusted is another potential issue.

If Line "did not sign a contract requiring the outsourcee to follow Japanese law, then the possibility remains that the law was violated," said Hiroyasu Kageshima, an attorney at Tokyo-based Ushijima & Partners and an expert on information management.

EU regulations stipulate that data may be transferred freely only to countries considered to have "adequate" protections in place, including Japan. Discussions will be needed in Tokyo about how to handle sending personal data to countries like China where the government can legally compel companies to turn over information.

The issue stems partly from the widespread practice of outsourcing work to overseas contractors, which has taken off since the early 2000s.

In the information technology industry in particular, "companies frequently outsource work overseas because of a shortage of engineers or to cut costs," said Nobuo Miwa, president of information security company S&J.

Fujitsu has some general programming work handled in China, but usually does not outsource anything involving personal data. When NTT Data contracts out software developing to Chinese companies, it checks afterward to ensure that no backdoors have been built into the products.

A Japanese app developer said it outsources work involving personal data to a Vietnamese subsidiary. The company chose Vietnam because "labor is cheaper than in China, and there's a lower risk of the data being seen by the government," a representative said.

Akira Amari sounds the alarm about companies' personal data protection measures.

Japan's ruling Liberal Democratic Party is waking up to the issue. Akira Amari, who leads a group of ruling-party lawmakers taking a leading role in economic security policy, sounded the alarm Wednesday about companies' personal data protection measures.

"There are many Japanese companies that carelessly outsource to Chinese companies for talent and cost reasons," Amari told Nikkei. "We should take this opportunity to clarify the risks involved."

Amari called for guidelines to set ground rules for dealing with overseas enterprises. "It's difficult to ban doing business with foreign companies via legislation," he said. "But there's not enough concern about the possibility that we could be cut out of U.S. and European supply chains if China can get at sensitive data."

Sponsored Content

About Sponsored Content This content was commissioned by Nikkei's Global Business Bureau.

You have {{numberArticlesLeft}} free article{{numberArticlesLeft-plural}} left this monthThis is your last free article this month

Stay ahead with our exclusives on Asia;
the most dynamic market in the world.

Stay ahead with our exclusives on Asia

Get trusted insights from experts within Asia itself.

Get trusted insights from experts
within Asia itself.

Try 1 month for $0.99

You have {{numberArticlesLeft}} free article{{numberArticlesLeft-plural}} left this month

This is your last free article this month

Stay ahead with our exclusives on Asia; the most
dynamic market in the world
.

Get trusted insights from experts
within Asia itself.

Try 3 months for $9

Offer ends July 31st

Your trial period has expired

You need a subscription to...

  • Read all stories with unlimited access
  • Use our mobile and tablet apps
See all offers and subscribe

Your full access to Nikkei Asia has expired

You need a subscription to:

  • Read all stories with unlimited access
  • Use our mobile and tablet apps
See all offers
NAR on print phone, device, and tablet media

Nikkei Asian Review, now known as Nikkei Asia, will be the voice of the Asian Century.

Celebrate our next chapter
Free access for everyone - Sep. 30

Find out more