Friday, July 26, 2013

SUICA scandal and the privacy in the era of Big Data




JR manages a system of electronic money called SUICA, which started from an electronic ticket for JR’s trains but now is one of the strongest electronic money widely used all over Japan. 


Recently, JR announced that JR and its partner company would sell the marketing report based on the data of SUICA users on (1) which station they get on and get off, (2) when they used the train, (3) how old they are, and (4) their gender.  For this purpose, JR gives the anonymized data of SUICA users to its partner company.  At first, JR got no consent from the users. There was no opt-in nor opt-out for the sale of their data.  When the announcement was made, there are many people opposing the usage, claiming that the sales of user data are an invasion of users’ privacy.


From the viewpoint of the Act on the Protection of Personal Information, which aims to protect personal information, JR may make an argument that it is not violating the Act. The act generally prohibits the transfer of personal information without obtaining the consent. But it is understood that the personal information defined does not include the anonymized information.


However, the fear of the users is that, many people are now using SUICA as their primary means of payment (partly because of SUICA point system whereby some percentages of the purchase are refunded), the log of the SUICA usage is a kind of life-log.  Whereas SUICA data can include sensitive information such as the purchase of certain kinds of books and magazines, it is sometimes possible to identify an individual by a sophisticated analysis of the life-log like data. Finally, JR apologized and offered an opt-out procedure.


It reminds me of the sentence in Viktor Mayer-Schonberger’s recent book “Big Data.” The book argued that the current concept of privacy is out of date in the era of Big Data. At least, one lesson is that companies dealing with Japanese customers which are collecting life-log like data ( including electronic money), must be very careful about its reputation risk when they “sell” user’s information even if they are anonymized.


DISCLAIMER: "IT Law issues in Japan" only provides general information about Japanese information technology law and does not, under any circumstances, constitute legal advice. You should first obtain the advice of professional legal counsel who is qualified in Japan before acting or refraining from acting based on this blog.

No comments:

Post a Comment