Personal data and chats of Line users (a Japanese-Korean messaging platform that is extremely popular in the Far East) have potentially ended up in the hands of Chinese national security authorities. What does this mean? The analysis of Andrea Monti, adjunct professor of law of public order and security at the Gabriele d’Annunzio University of Chieti-Pescara – Initially published in Italian by Formiche.net
Personal data and chats of Line users (a Japanese-Korean messaging platform extremely popular in the Far East) have potentially ended up in the hands of Chinese national security authorities. As Kazuaki Nagata reports in The Japan Times, the company has allowed a subsidiary based in China to access data generated by users and stored in Japanese data centres.
In itself, this fact might not be relevant since, in software development and online services, it is common practice to use subcontractors located in the most disparate places in the world. However, the problem with the Line case is that Chinese national security regulations require all companies based in China to cooperate with government authorities.
Beijing, however, is not the only source of concern for Tokyo, as users’ data are also stored in South Korea, where another subsidiary of the company operates, and relations between the two countries, while peaceful, are not idyllic. If we add to the equation the fact that Line is also used by officials of the Japanese public administration who also operate at a high level, it is easy to understand the preoccupation generated by the choices of technological delocalisation assumed by Line Corp. and by the mere possibility that ‘unfriendly’ Countries can access a very precious informative patrimony.
LINE’S REACTION
The reaction of the Asian giant to the controversy triggered by this affair was to centralise user data in Japan, following the indications of the Japanese government. This choice makes it more difficult for other countries, such as China, to exploit internal regulations to acquire critical information by gaining access from across the border. It does not eliminate the risk because, through cyber attacks or disloyal employees, hostile actors can still achieve their goals. In this case, however, we would face illegal and clandestine acts and not, as in the previous hypothesis, legitimate actions, at least from the point of view of the domestic law of the foreign country.
POSSIBLE CONSEQUENCES FOR THE CIRCULATION OF DATA IN JAPAN
From the point of view of protecting the users and the companies, the nationalisation of the data, a subject that is beginning to be also discussed within the EU, is not necessarily the solution. Prof. Hiroshi Miyashita of the University of Chuo, Tokyo, an expert in personal data protection, points out to Nagata that data-nationalism could make the transnational circulation of information for all the purposes allowed by law difficult. According to Prof. Miyashita, it is necessary to address the issue rationally by analysing the levels of legal protection guaranteed by the countries involved in the data exchange from time to time instead of reacting emotionally.
THE IMPACT ON EUROPE
While waiting to see how events will evolve, one might wonder why, as Westerners, we should be concerned about a regional affair, which is not dissimilar to the many scandals that, from time to time, concern major US technology companies.
First of all, and in general, terms, as the pandemic has tragically taught us, economic interdependence between countries of all latitudes no longer allows us to be lulled into the illusion that what happens far enough away does not affect us after all. In this specific case, it is enough to consider that the EU and Japan have signed a free trade agreement and therefore – geographical distances aside – Tokyo and Brussels are extraordinarily closer than it might seem. Consequently, understanding how the Japanese government’s approach to data governance changes is of fundamental importance.
Secondly, the Line affair must be ‘read’ on at least two levels. The first is that of protecting the personal data of the users from commercially incorrect actions, and the second is that of the use of large quantities of data for the needs (offensive or defensive) of national security.
THE LIMITED FUNCTION OF THE GDPR
On the one hand, the legal protection of users’ data from abuses committed by private companies is guaranteed, with all its limitations, by the Data Protection Regulation and by the laws of those countries, such as Japan, whose laws have been deemed compatible with the European ones. In reality, the Regulation has proved to be a weak weapon against the US, but in principle, it has its logic, and individuals are therefore formally protected against improper actions committed by private companies.
NATIONALISATION OF SECURITY DATA
When, however, interests of the State come into play, the normative shield no longer works, both for legal motives (according to the European Treaties, the EU has no powers concerning national security), and for substantial reasons: doctrines and policies of security, not only oriental, have theorised and practised the move from the rule of law to the rule by law and, therefore, the inclusion of the law in the strategic geopolitical arsenal of a State. From a geopolitical viewpoint, therefore, data centralisation within a State becomes a fundamental element of its security policy. It reduces the risk (always present) of exfiltration, but, above all, it cancels the risk of being cut off from access to crucial information if a hostile actor makes it unreachable from the outside.
Applying this approach in the EU context is not as easy as it seems.
As mentioned, the EU does not have jurisdiction in matters of national security, and to decide to share with all the other Member States a European perimeter within which to store critical data for every single nation could be, to say the least, premature: it would mean asking the 27 to make a mutual act of faith, which is unlikely to happen in the short term and, however, not until the EU is devoid of political subjectivity superimposed to the Constitutions – and, therefore, to the national sovereignty.
Realistically, therefore, the need to protect national interests from an economic point of view, but above all from a strategic one, would require encouraging the development of Italian data centres and establishing gateways for access (and exit) from our infrastructures. Even if it was not a terrorist action, the blocking of access to online services in many European countries caused by the fire at the Ovh data centre in Strasbourg is a practical example of what could happen if Italian data were stored across the border.
THE IMPACT OF THE RECOVERY PLAN AND SOVEREIGNTY
The (albeit confused) legislation on the national cybersecurity perimeter is moving in this direction. However, the Line case also highlights another element that we persist in not considering: the reckless use of software controlled by private parties, even in critical areas of the civil service.
Also if temporarily, the Japanese government has banned the use of Line for the exchange of critical information. It would be desirable for Italy not to have to wait for something to happen before taking similar measures against technologies over which national institutions have no real control.
More than data sovereignty, technological sovereignty is a central issue both in strategic terms and from a tactical perspective: the Recovery Plan and the push towards the technological modernisation of the country and the public administration are an opportunity not to be missed.
Today’s choices in terms of physical infrastructures, platforms and devices will affect Italy’s national security for years to come.
They could either deliver the country into the hands of those who control these technologies or, on the contrary, restore our technological independence, enabling us to negotiate our role in the EU not being relegated to the backseat.