Skip links

Japan draws a LINE: web giants must reveal where they store user data

Social media and search engine operators in Japan will be required to specify the countries in which users’ data is physically stored, under a planned tweak to local laws.

The Ministry of Internal Affairs and Communications this week announced it plans to submit the revision to the Telecommunications Business Law early next year.

The amendment, if passed, requires search engines, social media operators and mobile phone companies with over 10 million Japanese users to disclose where in the world they store data, and identify any foreign subcontractors that can access the data.

The proposed law applies to overseas companies that operate in Japan – meaning the likes of Twitter and Facebook will need to disclose their storage choices publicly. Oddly, search engines that just cover travel and food get a pass and don’t have to comply.

Concerns from opponents of the law expressed on Tuesday include how far the measures will extend, and that they may be overly broad and ambiguous. Business operators mused whether they would face difficult to predict management costs and technical limitations of information management.

“There is a risk that costs will be passed on to users in the form of lower service levels and price increases, causing social inefficiencies,” said one response from the Ministry’s telecommunication carrier hearing.

The move is in part a reaction to Japan’s hugely popular homegrown freeware instant communication app, LINE, which had several recent snafus related to data storage and protection.

In March of last year, it was revealed that some of LINE’s data had made its way to China – prompting Japanese government officials to stop using the app. Previously, LINE was used for many regional governments’ communications. As one Reg reader pointed out, the ban did not last long and the use of LINE has been reinstated by some regional government services.

A few months later, 100 local political figures and had their LINE communications extracted when a cyberattack managed to turn off encryption functions.

And only a few weeks ago, it was announced that 133,000 LINEpay users’ data was uploaded to the unlikely location of GitHub when a research group employee allegedly made a random oopsie.

With those incidents in mind, the government’s legislative move seems less like a knee-jerk reaction and more like warranted preemptive action against future data snafus – particularly as different countries employ varying storage standards and laws.

A company in violation of Japan’s proposed amendment could face business improvement orders and more. In addition to the amendment to the Telecommunications Business Law, businesses will have to comply with Japan’s Personal Information Protection Law from April 2022. ®