Corporate Japan's unapologetic information sharing with police sparks privacy fears as bilateral EU data accord takes effect
24 January 2019. By Sachiko Sakamaki.
The willingness with which Japanese businesses hand over their customers' personal data to law enforcement agencies may come as a shock to some, but to many of Japan's biggest companies, voluntary transfers of such data to police and other agencies are unproblematic.
However, yesterday — the same day a long-awaited agreement to streamline data flows between the European Union and Japan went into force — the sharing of data on individuals without court-issued requests became a political issue in the nation's parliament, throwing into stark relief the gap between Japan and other jurisdictions when it comes to the treatment of personal information.
During a meeting of the lower house of parliament's legal committee on Wednesday, opposition Constitutional Democratic Party of Japan lawmaker Shiori Yamao asked a National Police Agency official and the country's justice minister for their views on privacy when police asked companies to loosen their data protection policies. She referred specifically to a decision by the operator of T Card, one of Japan’s most popular shopping reward cards, to start sharing customer data with law enforcement without having been requested to do so by courts.
T Card's operator, Cultural Convenience Club, has recently come under fire for providing its members’ personal information to police and prosecutors without court approval. It responded to those criticisms by breezily informing consumers on Monday that their data could be provided to government agencies without users' consent, making clear that it had abandoned a privacy protection policy it had operated until 2012.
The company, which runs Tsutaya video rental shops and bookstores, gave no indication that it would end more than a half-decade of quiescence in the face of requests for personal data from the country's law enforcement authorities, requiring only written enquiry forms from them and not court paperwork.
The police official told the parliamentary committee that the agency had asked Cultural Convenience Club to provide personal data by sending it enquiry forms. The official said police had also asked other companies to hand over data on individuals by the same means, unless such data were protected under communication confidentiality provisions in Japan's constitution.
Justice minister Takashi Yamashita said police would pursue investigations using the powers at their disposal while protecting human rights, adding that enquiry forms were a legal means of investigation under Japan's Code of Criminal Procedure.
A Cultural Convenience Club spokeswoman told MLex that the company had decided to deepen its cooperation with law enforcement investigations amid repeated requests by authorities for such information, and because it felt a certain responsibility as an operator of “social infrastructure” after the use of T Cards had grown rapidly.
In 2012, T Card had about 40 million users; today that figure is around 68 million, more than half of Japan's population. The card can be used at nearly 1 million retail outlets run by 185 companies, including such household names as FamilyMart convenience stores, Yahoo Japan and Eneos petrol stations, with consumers earning points for purchases.
Cultural Convenience Club's spokeswoman said the company would not change its policy on providing users' personal information to authorities, but that it would state clearly in a detailed revision of the terms and conditions of its user agreement that their data could be provided to investigative agencies, ahead of an annual update that had been due in October.
Cultural Convenience Club declined to tell MLex what kind of personal data it provided to law enforcement authorities, or how often it did so. According to local media reports, cardholders' names, addresses, birthdates, phone numbers, purchase records and the titles of their rental videos are among that data. In one recorded instance, the company's provision of such data led police to detain an individual who shopped at a particular convenience store on a daily basis.
The Cultural Convenience Club spokeswoman said the firm's policy had not violated Japanese privacy law, and sought to emphasize that it had been mindful of its compliance obligations under the law and in its guidelines on the provision of personal data to third parties.
Tip of an iceberg
Japanese public prosecutors have a list of 290 organizations from which authorities can collect personal data using only enquiry forms, according to newswire Kyodo. The data involved can fall into any of 360 categories, including an individual's use of public transportation, their purchases, their borrowing histories and their location. Only 22 types of data among the 360 require court warrants, according to Kyodo, and most companies' user agreements state that personal data may be provided to third parties in accordance with laws and regulations.
Other reward card operators, such as e-commerce giant Rakuten, pre-eminent mobile carrier NTT Docomo and East Japan Railway, have told the Asahi newspaper that they provide personal data more or less as requested by investigative agencies armed only with enquiry forms.
Hidetoshi Nakano, a lawyer at Tokyo-based Grow-will International Law Firm, said Cultural Convenience Club had been compelled to make a "delicate decision” between respecting privacy and fulfilling its social responsibilities as a major company managing a hugely popular reward card.
He said the use of enquiry forms by law enforcement authorities was not sanctioned by court approval, and that it was up to companies to decide whether or not to cooperate with requests made via such means. He also said that Japanese people showed more culturally ingrained deference to law enforcement agencies than their American and European counterparts, and that Cultural Convenience Club's decision to comply with such requests may also have had its roots in that tradition.
The compliant attitude adopted by Cultural Convenience Club stands in stark contrast to tech giant Apple's refusal several years ago to obey a court order to help the US Federal Bureau of Investigation unlock an encrypted iPhone used by a suspected terrorist.
Apple was ordered in 2016 by a California court to create software to unlock the encrypted phone, but it refused to do so, describing the order as unconstitutional and saying that defeating encryption would harm civil liberties.
Other US tech companies, including Google, Facebook and Microsoft, supported Apple in its fight with the government, saying that ordering a private company to create such software would set a dangerous precedent and threaten individuals' security and privacy.
The requests made of Cultural Convenience Club are much easier to comply with than the demand Apple faced, as the Japanese company has only to decide whether to provide information it possesses or not, and it is not confronted with the dilemma involved in developing software that could put all its users’ privacy at risk. Yet neither police or prosecutors have bothered to seek approval from courts to obtain such data.
“This is not a matter of a legal framework but practice,” said Hiroshi Miyashita, an associate law professor at Chuo University in Tokyo.
Miyashita said a cultural climate existed in Japan in which citizens readily accepted the sharing of personal data with authorities. And he said that the bigger a Japanese company became, the more importance it tended to attach to helping law enforcement rather than protecting individuals’ privacy.
Miyashita said that Cultural Convenience Club and other companies holding consumers’ personal data should start disclosing transparent reports on government agencies’ requests and their own provision of user data to those agencies.
Big US tech companies such as Google, Apple and Twitter issue such reports, but in Japan, messaging and calling app LINE is the only major firm known to do so.
Referring to Cultural Convenience Club's policy of passing user data on to government agencies, Miyashita said: “This is exactly the kind of thing European data regulators were worried about when they assessed data protection adequacy in Japan.”
Striking the European Union data transfer agreement was something of a coup for Japan, whose data protection rules are not as robust as the EU's General Data Protection Regulation, coming as it did despite EU member states’ data protection regulators having raised concerns about data access by public authorities in comments on the draft adequacy decision as recently as last month.
In response to EU concerns, Japan’s Personal Information Protection Commission is setting up an English-language telephone service for EU citizens who have complaints about their data being handed to Japanese government agencies.