Line data policy rings security alarm in Japan

Two out of three people in Japan use the communication app Line, originally created by a Japanese subsidiary of a South Korean firm. But the Japanese government has decided to halt its use of the app after it was revealed that engineers in China were allowed access to some users' personal information, including names and phone numbers.

Line has about 86 million users in Japan. Both national and local governments have been relying heavily on the app. The Ministry of Health, Labour and Welfare has been using it to report the daily number of COVID-19 patients, while local governments have been using it to receive vaccine applications.

Temporary halt

Last month, it was revealed that engineers in China had accessed Line servers at least 32 times, enabling them to observe some users' names, phone numbers and messages. The firm says there has been no abuse or leaking of personal information stemming from the access.

Even so, the Japanese government decided to temporarily halt its use of Line this week. Chief Cabinet Secretary Katsunobu Kato told reporters that the government will set up a task force to thoroughly examine the issue. Some municipalities, including Osaka City, also suspended the use of Line for administrative services, until data security can be confirmed.

Meanwhile, operator Line Corp has already taken steps to resolve the issue. It announced on March 23 that the Chinese engineering firm it outsources work to can no longer access the data of users in Japan.

Line CEO Idezawa Takeshi apologizes for the security issue on March 23.

There is no Japanese law that prohibits businesses from assigning work to Chinese firms, but many experts have expressed concern that the Chinese government can ask firms and individuals to submit any of their data under the country's National Intelligence Law.

Another factor that alarmed some Japanese users is the fact that personal data, including records of financial transactions made through the app, were stored on South Korean data servers. Again, there is no law prohibiting Japanese businesses from storing their data overseas.

Perhaps the most important aspect of the controversy is that the operator did not provide its users with full information on how or where their personal data would be kept. Line states in its privacy policy that some of the data could be transferred overseas as long as the transfer abides by Japanese law. But the firm did not clearly state in which country it intended to store or transfer the data.

Call for clarity

Matsumoto Tsuneo, a former president of the National Consumer Affairs Center of Japan, says the lesson from this controversy is that it is not enough for companies to get simple, superficial approval from their customers. Instead, he says, they need to reach out to their users on the assumption that they rarely look closely at the terms and conditions of services.

One idea that firms could adopt is offering explicit explanations of how they plan to handle personal data. They should repeatedly obtain approval from users to allow data transfers to a certain country.

The Japanese government has a role to play, too. Many countries have already introduced restrictions on cross-border data flows. The Line controversy may prove to be the impetus for Japan to follow suit.