Interview: A Closer Look at Z Holdings' Data Protection which Puts "User Privacy First"

On May 23, 2022, Z Holdings Corporation ("Z Holdings") published its Basic Policy on Data Protection. It lays down the fundamentals for protecting the rights and interests of users, including their privacy, in the handling of data by the entire Z Holdings Group, a group which aims to become an AI tech company leading the world from Japan and Asia.
While the development of information technology continues to enhance our lives in terms of convenience, there are also concerns that the handling of vast amounts of data and the evolution of AI technology may bring disadvantages to users, such as privacy violations.
What is the Z Holdings Group's approach to such issues, and how will its Group companies such as Yahoo Japan Corporation ("Yahoo Japan") and LINE Corporation ("LINE") handle these issues effectively in the future? Two key individuals who led the project explain the process leading up to the formulation of the Basic Policy on Data Protection, and the ideas that went into it.

 

PROFILE

Takesh NAKAYAMA, Corporate Officer, Head of Privacy & Security Division, Z Holdings Corporation
Takesh Nakayama joined LINE Corporation in October 2014 and as an executive officer CPO/CISO, managed the Legal Department, Security Department, and Compliance & Risk Management Department before becoming the Head of Privacy & Security Division at Z Holdings Corporation in March 2021. He assumed the current position in April 2021.
Takesh is also an attorney at law registered in New York and Washington DC, USA, and Wales, UK.
Akira KOYANAGI, Head of GDPO Department, Z Holdings Corporation
After joining Yahoo Japan Corporation in 2003 and working in the Legal Department and Public Affairs Division, Akira Koyanagi joined Japan's Ministry of Economy, Trade and Industry (METI) in 2013, through the "Public-Private Personnel Exchange Program" and was involved in the planning/implementation of policies related to the promotion of data utilization, and the planning/implementation of policies in anticipation of the revision of the Act on the Protection of Personal Information.
He returned to Yahoo Japan Corporation in 2015 to promote revisions of privacy policies and other measures towards the revision of the Act on the Protection of Personal Information which took effect in 2016, became DPO (Data Protection Officer) of Yahoo Japan in May 2020, and assumed the current position in October 2020.

Why is the Basic Policy on Data Protection necessary and why now?

――First of all, could you give us some background on why you decided to formulate the "Basic Policy on Data Protection" at this time?

Nakayama: Back at the time of the business integration between Z Holdings and LINE, four areas were identified as keys to the handling of data: "straightforward explanations," "operation based on domestic laws," "advice/evaluation by experts," and "privacy and security first." In short, we were committed to ensuring the safety and security of users in the linkage of data between Yahoo Japan and LINE, based on the premise that users' consent is obtained. We had the idea from the beginning to develop these concepts into more specific policies.

Although we should have proceeded with this plan simultaneously with the announcement of the business integration, for various reasons, we experienced delays, and started working on the process last summer. I started by exchanging opinions with Koyanagi-san on how Z Holdings could utilize the knowledge which Yahoo Japan and LINE have accumulated so far, and incorporate them into its initiatives.

Koyanagi: As you may know, tech companies such as ours have a history of achieving rapid growth by responding promptly to users' needs through the analysis of large amounts of data. At the same time, as users become increasingly privacy conscious, the handling of data by tech companies is also under scrutiny due to privacy and security issues that have arisen.
It was therefore necessary for us to clarify our policy which gives utmost priority to users' privacy, in a way that everyone can understand.

―― I imagine that it was challenging enough to integrate the two huge tech companies, Yahoo Japan and LINE. What actual difficulties did you face in formulating the policy?

Nakayama: Although there were differences in detailed methods and approaches, both companies shared from the beginning the same basic philosophy of putting users' privacy first. Since our goals were aligned, we were able to focus our efforts on coordinating with other Group companies.

Koyanagi: So, we started by setting up the Data Protection Sub-Working Group in which we coordinated and exchanged opinions among the Group companies on how the entire Group would address data protection.

Digital platform operators have become more and more influential in recent years, and we are faced with the reality that the company's approach on how it handles data is being severely questioned. We knew that we must clarify our direction to earn the trust of all our stakeholders, including that of the society, and to do so, we have been leading discussions referencing examples from Europe and the United States, who are leaders in this field.

Prioritizing social ethics over immediate profits, to achieve medium- to long-term corporate growth

――What would you say is particularly important about this Basic Policy on Data Protection?

Koyanagi: For users, there may be times when there is no choice but to give their data in order to access a service. Therefore, services which are provided through the use of data, can only be built on the basis of user trust. This is why we felt it was necessary to communicate thoroughly to our users, the policy on which the Z Holdings Group provides its services.
One of the results of this, is the declaration in our Basic Policy on Data Protection, that the ethics of society and the interests of users prevail over our interests as a company. This is a very distinctive feature, and one that we consider most important in demonstrating our principle of "user privacy first."

Nakayama: Yes, I agree that this is the most significant point. "User privacy first" can be somewhat vague, though it is unlikely that anybody would object to a company upholding this phrase. At the same time, I thought there was a danger that the degree of commitment towards users may likewise become vague, making it difficult to offer the level of security users expect. By delving deeper for something more concrete, we arrived at the idea of putting the ethics of society before the interests of the company.

While we believed this was a reasonable stance, having researched precedents and other examples, we also wondered if we should make such a committed declaration. Nevertheless, we received strong support from external experts, and our management also judged that building trust with users and the society over the medium- to long-term was more important than short-term profits.

Koyanagi: In short, it is a question of where you place your perspective. From a long-term perspective, it is clear that operating a business in a manner that conforms to the ethics of society will lead to corporate profits. The reason it was necessary to clearly state this is because we need to be aware that users may think that companies will prioritize the companies' interests over the users' interests. By stating that the Z Holdings Group prioritizes users' interests, it has clarified its intention to gain the trust of users and other stakeholders. We also hope that announcing it as a basic policy would also help our stance to be shared and reaffirmed within the entire Group.

What is the significance of establishing a Data Protection Officer?

――In conjunction with the formulation of the basic policy, introduction of the NIST Privacy Framework has been announced. What are your expectations?

Nakayama: Privacy and security tend to be on-site matters, but it is important to make them visible and to share them with the management so that they can take ownership, too. Incorporating the framework developed by the U.S. National Institute of Standards and Technology (NIST) is one way of enabling us to measure the maturity of our own data protection. We think it is a valid tool for visualizing our current position, where we would like to be at, and to close the gap in between.

Koyanagi: I think there are two perspectives for such "measurement;" one from within the company and the other from outside. Since we believe that gaining the trust of users is important, we need to demonstrate to our users and the society in a straightforward way, how our efforts are evaluated objectively, instead of just saying that we are making steadfast efforts. This is also a question of transparency and accountability.

――It was also announced that each Group company will have a Data Protection Officer (DPO), a position responsible for monitoring the use of data from an independent standpoint.

Nakayama: The purpose of establishing this post is to enable management to make decisions around critical privacy risks. As an organization that pursues profit, it is easy to overlook privacy risks so, through the DPO, we intend to make decisions on various day-to-day privacy-related issues that arise on-site. In this system, the DPO will escalate matters that are difficult to determine on-site to the management team, give objective inputs, share all necessary information, and seek for a decision.

The fact that the DPO is functioning at Yahoo Japan, however, does not mean that the system will work in the same way for all Group companies. Yahoo Japan has its own way of conducting things, and so does LINE. The DPO system must be established in a way suited to the situation of each company, and we will continue to work on this area which is a major challenge.

Koyanagi: The difficulty is that the DPO is in a very unique position within the business organization. In a sense, they are in a position to express objective opinions on behalf of the users, even without regard to business. What the users wish for, or do not wish for, are not always visible. While a company must pursue profit through its business activities, the role of the DPO is to object such company's decisions, if there are potential disadvantages to the users. Naturally, they could conflict with the business-side, and I believe that a company needs to be resolute to incorporate the DPO system into business activities.

To win further trust from users

――Having established the post of DPO regardless of what you have said must be a new challenge.

Koyanagi: Yes, it is. The role of the business-side of a company is to pursue profit, but of course, they do not wish for users to suffer any disadvantages as a consequence. It is very important that we explain to and have the understanding of the business-side on the potential disadvantages for users from an objective and professional standpoint, and determine whether we should ask the users to accept such potential disadvantages.

Nakayama: Z Holdings is not a single company, but rather a Group that consists of so many diverse and independent IT companies. Thus, it is indeed a huge challenge to control privacy within Z Holdings. There are no precedents, everything is new to us, and success is not guaranteed. But through this effort to formulate the Basic Policy on Data Protection, I felt a strong sense of encouragement and support from many of those at the top management of Yahoo Japan, LINE, and other major Group companies, to give it a try, and even if the attempt fails, to use that experience to drive further improvements. This has made me feel more at ease in some ways, and I have re-confirmed that this attitude is the culture at Z Holdings.
From the perspective of further strengthening the synergy of the Group in the time to come, it is also a worthwhile challenge.

Koyanagi: I agree. Z Holdings must continue to advocate the necessity and importance of the role of the DPO and gain understanding, so that it does not end as a mere call. What users and the society expect of companies will change over time, and in particular, the society's expectations of digital platform operators have increased in recent years. I think it is significant that we were able to demonstrate our basic values and approach to business activities in the area of privacy in the way that we have done. It would be ideal if, by fully implementing our policy, the society will associate Z Holdings with a sense of security. I hope that the entire Group will work together to ensure that Z Holdings operates businesses that live up to this basic policy.

    Please note that the English translation is provided for reference only. The original, official article is in Japanese.
    Written by: Satoshi TOMOKIYO Edited by: Yajirobe Corp