TOKYO -- The admission Wednesday by chat app provider Line that its Chinese affiliates had access to Japanese users' personal data underscores the inadequacy of information privacy regulations governing data that could cross borders.
Line said that certain data was visible to staff members at a Chinese system development affiliate and a Dalian-based contractor. The company apologized for failing to "fully explain to users" that information on Japanese servers could be accessed from China.
But experts have raised doubts about whether this was conveyed to users clearly.
"If users had no idea that their data could be transferred to China, then whether the consent was valid is an open question," an attorney said.
The European Union's General Data Privacy Regulation mandates informed consent "using clear and plain language." Japan's revised data privacy law, expected to take effect in spring 2022, will require companies to provide users with an easy-to-understand explanation of protections in third countries where their information would be transferred.
Whether Line fulfilled its legal obligation to supervise people to whom personal data has been entrusted is another potential issue.
If Line "did not sign a contract requiring the outsourcee to follow Japanese law, then the possibility remains that the law was violated," said Hiroyasu Kageshima, an attorney at Tokyo-based Ushijima & Partners and an expert on information management.
EU regulations stipulate that data may be transferred freely only to countries considered to have "adequate" protections in place, including Japan. Discussions will be needed in Tokyo about how to handle sending personal data to countries like China where the government can legally compel companies to turn over information.
The issue stems partly from the widespread practice of outsourcing work to overseas contractors, which has taken off since the early 2000s.
In the information technology industry in particular, "companies frequently outsource work overseas because of a shortage of engineers or to cut costs," said Nobuo Miwa, president of information security company S&J.
Fujitsu has some general programming work handled in China, but usually does not outsource anything involving personal data. When NTT Data contracts out software development to Chinese companies, it checks afterward to ensure that no backdoors have been built into the products.
A Japanese app developer said it outsources work involving personal data to a Vietnamese subsidiary. The company chose Vietnam because "labor is cheaper than in China, and there's a lower risk of the data being seen by the government," a representative said.
Japan's ruling Liberal Democratic Party is waking up to the issue. Akira Amari, who leads a group of ruling-party lawmakers taking a leading role in economic security policy, sounded the alarm Wednesday about companies' personal data protection measures.
"There are many Japanese companies that carelessly outsource to Chinese companies for talent and cost reasons," Amari told Nikkei. "We should take this opportunity to clarify the risks involved."
Amari called for guidelines to set ground rules for dealing with overseas enterprises. "It's difficult to ban doing business with foreign companies via legislation," he said. "But there's not enough concern about the possibility that we could be cut out of U.S. and European supply chains if China can get at sensitive data."