JR manages a system of electronic money called
SUICA, which started from an electronic ticket for JR’s trains but now is one
of the strongest electronic money widely used all over Japan.
Recently, JR announced that JR and its
partner company would sell the marketing report based on the data of SUICA users on
(1) which station they get on and get off, (2) when they used the train, (3)
how old they are, and (4) their gender. For this purpose, JR gives the anonymized data
of SUICA users to its partner company. At
first, JR got no consent from the users. There was no opt-in nor opt-out for the
sale of their data. When the announcement
was made, there are many people opposing the usage, claiming that the sales of
user data are an invasion of users’ privacy.
From the viewpoint of the Act on the
Protection of Personal Information, which aims to protect personal information,
JR may make an argument that it is not violating the Act. The act generally prohibits
the transfer of personal information without obtaining the consent. But it is understood
that the personal information defined does not include the anonymized
information.
However, the fear of the users is that, many
people are now using SUICA as their primary means of payment (partly because of
SUICA point system whereby some percentages of the purchase are refunded), the
log of the SUICA usage is a kind of life-log.
Whereas SUICA data can include sensitive information such as the
purchase of certain kinds of books and magazines, it is sometimes possible to identify an
individual by a sophisticated analysis of the life-log like data. Finally, JR
apologized and offered an opt-out procedure.
It reminds me of the sentence in Viktor
Mayer-Schonberger’s recent book “Big Data.” The book
argued that the current concept of privacy is out of date in the era of Big Data.
At least, one lesson is that companies dealing with Japanese customers which
are collecting life-log like data ( including electronic money), must be very
careful about its reputation risk when they “sell” user’s information even if
they are anonymized.
DISCLAIMER: "IT Law issues in
Japan" only provides general information about Japanese information
technology law and does not, under any circumstances, constitute legal advice.
You should first obtain the advice of professional legal counsel who is qualified
in Japan before acting or refraining from acting based on this blog.
No comments:
Post a Comment