Photo/Illutration Z Holdings CEO Kentaro Kawabe, left, and Line Chief Executive Takeshi Idezawa appear at a November 2019 news conference to announce a corporate merger. (Asahi Shimbun file photo)

Line Corp., the free messaging app operator, found itself obliged to report back to two government agencies in the next month about how it handles users’ personal information.

The request follows revelations that personal information had been accessed by Chinese engineers and photo and video data was stored in a computer in South Korea.

The telecommunications ministry announced March 19 it had asked Line to file a report within a month’s time. And in another unusual step, the government’s Personal Information Protection Commission the same day asked Line and its parent company Z Holdings Corp. to submit reports based on the Personal Information Protection Law.

Line is registered with the government as a telecommunications business. The ministry is trying to ascertain how the Chinese engineers accessed the personal data stored in a Japanese computer. The engineers working for a Line affiliate were in charge of developing artificial intelligence used in Line services. The ministry also wants assurances that the confidentiality of personal information and communications had been properly protected.

The Personal Information Protection Commission held a rare news conference on March 19 in which officials announced the requests for reports from Line and Z Holdings.

After perusing the reports and other documents, the commission will decide whether there were any violations of the Personal Information Protection Law.

Commission officials said this was the first instance of an announcement being made about a request for such reports.

The two companies have until March 23 to comply with the edicts to respond on the handling of personal information and who has access to that data.

The Personal Information Protection Law gives the commission the authority to search the offices of companies that handle personal information and ask for reports, financial records and other documents.

The law also states that the consent of users is mandatory before any of their personal information can be provided to companies overseas or allowed access from abroad.

Line officials have admitted that the company’s privacy policy did not provide a clear explanation of how personal information might be handled and said they plan to revise the policy.

Harumichi Yuasa, a professor of cybersecurity law and vice president at the Institute of Information Security, said the fact the commission made an announcement even before disciplinary action was taken showed how seriously it was taking the case.

“This is a matter not limited to Line and will become the perfect opportunity to rethink whether having computer systems abroad for cloud storage services is an appropriate move,” he added.

(This article was written by Yoko Masuda, Ryo Inoue and Toshiya Obu.)