The Electronic Frontier Foundation points out the "deficiency of Japan's personal information protection law seen in the Rikunabi problem"



In 2019, it was revealed that Rikunabi, a job information site, used user data to predict the probability that individual job seekers would decline a job offer, and sold it to client companies. Rikunabi's inappropriate use of customer data was widely reported as the "Rikunabi problem", and the Electronic Frontier Foundation has pointed out that "this Rikunabi problem shows the danger of loopholes that exist in privacy-related laws."

Japan's Rikunabi Scandal Shows The Dangers of Privacy Law Loopholes | Electronic Frontier Foundation
https://www.eff.org/deeplinks/2021/05/japans-rikunabi-scandal-shows-dangers-privacy-law-loopholes

Technology users around the world are becoming increasingly concerned about data protection, yet many are unaware of exactly how data is collected about them. What is commonly known as user data collection is the creation of an extensive profile of user behavior using tracking technologies such as cookies that websites use to recognize your browser.

Based on this user profile, the rate of job refusal was calculated and sold to client companies. The Electronic Frontier Foundation said, "The Rikunabi issue shows how companies are using loopholes to avoid data protection obligations while adhering to the Personal Information Protection Act (APPI). It highlights the inadequacy of the law and the danger of loopholes that exist there."

The revised Personal Information Protection Act, which amends the existing Act, is scheduled to come into force in April 2022, but the Electronic Frontier Foundation points out that "even the revised Personal Information Protection Act is insufficient to completely close the loophole."



Rikunabi, the job information site that caused the Rikunabi problem, was operated by Recruit Career (operated by Recruit at the time of writing), which was a subsidiary of the Recruit Group, which owns Indeed and Glassdoor. Rikunabi is a site for job seekers to search for job opportunities, mostly aimed at college students and working adults just beginning their careers. Rikunabi, like many Internet platforms, used cookies to collect data about how users searched, browsed and interacted with job postings.

Recruit Career then used the data collected by Rikunabi, without the users' consent, to create an algorithm that predicts the rate of job refusal by individual job seekers. From March 2018 to February 2019, it sold this data on job refusal rates to client companies. Thirty-five companies, including major companies such as Toyota and Mitsubishi Electric, are listed as client companies. After it was reported that Recruit Career was selling data on job refusal rates based on information from Rikunabi, the company signed a contract with client companies not to use data on job refusal rates for recruitment. However, "There is no guarantee that it was actually treated that way," the Electronic Frontier Foundation pointed out. Since lifelong employment is still deeply rooted in Japan, it has been pointed out that "the data on job refusal rates sold by Recruit Career may have had a significant impact on students' employment and future careers."




A loophole in Japan's personal information protection law is an important factor in understanding the Rikunabi problem. Japan, the world's third largest economy and one of the world's most technologically advanced countries, was the first country to be recognized as having data protection laws with a level of protection equivalent to the EU's General Data Protection Regulation (GDPR). However, the Electronic Frontier Foundation points out that Japan's Personal Information Protection Law is 'far behind' EU cookie regulations.

The GDPR, which provides stronger and stricter data protection, treats cookies as "things that may constitute personal information". In addition, to be considered personal information under the GDPR, an identifier does not need to be tied to the user's legal name (or a national ID or driver's license ID). If the data being processed allows a person to be identified 'indirectly' based on 'multiple data such as cookies' and 'other identifiers that may distinguish you from other users', that data is considered personal data.

In other words, in the EU, identifying an individual directly, linking two or more pieces of information about an individual to identify that individual, and examining a specific characteristic and comparing it to other characteristics to identify an individual are all considered acts of identifying a person, and the information handled in them is regarded as personal information. Therefore, the EU requires platforms to 'notify users of the use of cookies and ask for their consent' when using cookies, with some exceptions such as 'information on products in the shopping cart'.



On the other hand, Japan's Personal Information Protection Law adopts different standards. In the guidelines for the Act on the Protection of Personal Information, a 'personal information database' is a system that is systematically configured so that specific personal information can be searched using a computer, and the personal information that constitutes this personal information database is defined as personal data. Therefore, if a company that collects, processes, or transfers cookies can compare the cookie with other information it uses in the normal course of business to verify the identity of an individual, the cookie falls under 'personal data.' However, cookies collected by a company are not considered personal data even if they can be matched with information from other companies to identify individuals. In other words, cookies that can be easily used to identify individuals are not considered personal data depending on how they are handled, so companies can freely collect, process, and transfer cookies.

The Rikunabi problem is the exploitation of such loopholes in the Personal Information Protection Law. The Rikunabi problem involves three companies: Recruit Career, Recruit Communications, and a client company that purchased data on job refusal rates. Recruit Career is the company that operates Rikunabi, and Recruit Communications is the company that created and provided the algorithm that calculates the job offer decline rate.

In the Rikunabi problem, a cookie is used to assign an individual ID to each user who accesses the Rikunabi site, and the ID is sent to the Rikunabi server. The cookie ID and user data are collated on the Rikunabi server side, and in addition to personal information such as name and email address, information such as searched companies and industries of interest is integrated. After that, so as not to violate the Personal Information Protection Law, Recruit Career sent the data, with personal information such as contact information and name deleted, to Recruit Communications and requested that it calculate the job offer rejection rate.



On the Recruit Communications server, the data sent from Recruit Career has a cookie ID, but personal information such as real name and contact information has been deleted. This ID is matched with browsing history. After that, an algorithm is used to calculate the job rejection rate for each ID, and this is sent to the client company. The client company was recruiting for jobs on its own website, and by comparing its own applicant information with the information sent from Recruit Communications, it could easily predict the 'recruitment rejection rate of each applicant'.
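The data flow described above, as an added example that is not from the original article or from the Electronic Frontier Foundation: constructed records show that a score keyed by cookie ID can still be re-linked to names after direct identifiers are removed, while a keyed pseudonym that only the site can compute cannot. The scoring rule, the client's ID-to-name table and the HMAC mitigation are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data; every name, ID and value below is made up.
SITE_RECORDS = [  # held by the job site: cookie ID collated with account data
    {"cookie_id": "c-1001", "name": "Applicant A", "email": "a@example.test", "views": 42},
    {"cookie_id": "c-1002", "name": "Applicant B", "email": "b@example.test", "views": 3},
]
# Assumption: the client company holds the same cookie ID next to applicant names.
CLIENT_APPLICANTS = {"c-1001": "Applicant A", "c-1002": "Applicant B"}


def strip_direct_identifiers(records):
    """Drop name and e-mail but keep the cookie ID, as in the flow described."""
    return [{"cookie_id": r["cookie_id"], "views": r["views"]} for r in records]


def score(records, id_field="cookie_id"):
    """Stand-in for the scoring algorithm (hypothetical rule, not the real one)."""
    return {r[id_field]: round(min(1.0, r["views"] / 50), 2) for r in records}


def relink(scores, applicants):
    """What a recipient holding an ID-to-name table can do with per-ID scores."""
    return {applicants[i]: s for i, s in scores.items() if i in applicants}


def pseudonymize(records, key):
    """Mitigation sketch: swap the cookie ID for a keyed hash only the site can compute."""
    out = []
    for r in records:
        digest = hmac.new(key, r["cookie_id"].encode(), hashlib.sha256).hexdigest()
        out.append({"token": digest[:16], "views": r["views"]})
    return out


def shared_with_cookie_id():
    """Scores computed on 'de-identified' data, then joined back to names."""
    return relink(score(strip_direct_identifiers(SITE_RECORDS)), CLIENT_APPLICANTS)


def shared_with_keyed_token(key=b"site-only-secret"):
    """Same flow with keyed tokens: the client's table no longer matches anything."""
    scores = score(pseudonymize(SITE_RECORDS, key), id_field="token")
    return relink(scores, CLIENT_APPLICANTS)


if __name__ == "__main__":
    print("cookie ID kept:", shared_with_cookie_id())
    print("keyed token:   ", shared_with_keyed_token())
```
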



Japan's Personal Information Protection Law prohibits sharing of users' personal data for business purposes without prior consent. Therefore, if Recruit Career had calculated the job offer rejection rate itself and sold it to client companies, it would have needed to ask for the users' consent in advance.

However, the Act on the Protection of Personal Information does not consider “data that cannot identify an individual even when a company compares it with other data sets” as personal data. Therefore, by interposing Recruit Communications, it became possible to exchange personal information on Rikunabi without asking users for their consent in advance.

However, based on the Employment Security Act, the Ministry of Health, Labor and Welfare accused the company of improper handling of personal information, citing that Recruit Career knew that client companies could easily associate job refusal rates with the names of applicants, and has issued administrative guidance.

Administrative guidance for recruiting Inappropriate handling of personal information of students Violation of employment security law, Ministry of Health, Labor and Welfare-Sankei news



Under these circumstances, the revised Personal Information Protection Act was passed and enacted in June 2020. Under the revised Personal Information Protection Law, which will come into effect in April 2022, it will be necessary to ask users for their consent in advance to collect personal data. Under the revised Act on the Protection of Personal Information, all information that can be used to identify an individual by matching it with other information is treated as personal data, so schemes such as the one in the Rikunabi problem also violate the law.

However, even under the amended Act on the Protection of Personal Information, cookies are not classified as personal data if they are 'indirectly' combined with behavioral data. The Electronic Frontier Foundation clarified this: 'This is a mistake. Cookies and similar machine-generated identifiers (such as advertising identifiers) enable extensive online tracking and profiling. Cookies are used on various websites. They are used to link behavior to a single user, which means that tracking technology allows a single profile to link the vast array of activities in a single person's life. Profiles aren't less confidential just because they're not directly connected to you.'

In addition, the Electronic Frontier Foundation points out that the data broker industry makes it easier to link information collected by cookies with individuals.

in Web Service, Posted by logu_ii