Abstract The fundamental questions for assessing a country’s data protection level are who and what fall under the umbrella of data protection legislation. Japan’s Act on the Protection of Personal Information (APPI) defines regulatory subjects and information to be protected, covering less than the European Union’s General Data Protection Regulation (GDPR), despite their mutual adequacy decisions. Many of the gaps between the APPI and the GDPR have been resolved in the dialogue towards mutual adequacy findings. However, the difference in the definitions of regulatory subjects was omitted from that resolution. Academia also failed to point out that it is, apart from a few exceptions. In 2019, Rikunabi, one of the largest online job board services for students in Japan, was widely reprimanded for circumventing the intent of the APPI. Rikunabi used AI-based profiling to predict job applicants’ probability of declining job offers and sold this information to potential employers. This scandal symbolized the pitfalls hidden in the country’s data protection legislation. Documents and literature since 1980 reveal that Japan inadvertently employed a definition of regulatory subjects that deviates from the Organisation for Economic Co-operation and Development Privacy Guidelines. Not only the drafters and lawmakers who approved the Bill of the APPI, but also those who criticized it as a degradation of the Guidelines, failed to acknowledge the original definition.
Igaya et al. (Fri,) studied this question.