
Seoul, 10 Oct 2008

Asia-Pacific data protection laws: Regional and global trends

Graham Greenleaf

Professor of Law, UNSW
Co-Director, Cyberspace Law & Policy Centre


Outline

1. Themes in Asia-Pacific data protection

2. Countries with existing laws

3. Countries proposing new laws

4. Countries with no laws as yet

5. Regional and global agreements

6. Future directions?


Asia-Pacific privacy laws - Themes to consider

• National developments
– Novel elements in Asia-Pacific laws
– Main influences on these laws & proposals
– Do they have effective systems of enforcement?
– Is an Asia-Pacific privacy jurisprudence emerging?

• Regional/global agreements and structures
– Alternative ways to obtain free flow of personal information / avoid data export limitations
– Multi-tiered regional protection could emerge


A survey of developments

National trends
• Survey 50+ jurisdictions from India to Japan & Mongolia to Australia
• ‘Comprehensive’ data protection laws in 7 jurisdictions
• Proposed laws in 4 more
• No significant developments in over 40

Not covering the Americas

Regional/global trends
• EU Directive - Continuing relevance
• APEC Framework & ‘Pathfinders’
• Council of Europe Convention 108 - New relevance?
• Other regional/global agreements (ASEAN, OECD, IGF/WSIS)
• Regional groupings: Privacy Authorities; Civil Society / NGOs; Business


Data protection legislation

Existing laws in the region
• Australia (1988/2001)
• New Zealand (1993)
• South Korea (1994/2000)
• Hong Kong SAR (1995)
• Taiwan (1995)
• Japan (2003)
• Macau SAR (2006)

Comments & Questions
• As yet, data protection laws are limited to Australasia and North-East Asia
• How similar are they?
• How effectively are they being enforced?


Effective enforcement?

• ‘Responsive regulation’ (Braithwaite, Parker et al)
– Effective regulation requires multiple types of sanctions of escalating seriousness
– It is an enforcement pyramid because sanctions at the top get used far less
– All forms of sanctions must be actually used
– Use of each level of sanction must be visible to those regulated, and to consumers
– The higher levels are then incentives for the lower levels to be made to work

Enforcement pyramid in a licensing system (Braithwaite 1993)


Australia (I): Legislation and case law

• APEC & OECD member
• Information privacy legislation
– Federal Privacy Act covers private sector (2001) and federal public sector (1988); most States also have public sector laws
– Influenced by OECD guidelines
– No significant case law after 20 years, due to structural defects
– EU ‘adequacy’ still uncertain - expert report to EU Commission 2005, updated 2006; no decision yet
• Australian Law Reform Commission Report 108, August 2008 proposes major reforms, including one set of Uniform Privacy Principles
• Data exports: APEC Privacy Framework’s one major influence
– Existing ‘border control’ data export restrictions to be replaced by allowance of data exports to any country, but with liability for breaches remaining under Aust. law unless exporter believed that destination had similar laws.


Australia (II): New elements in the proposed UPPs

• Broad approach to ‘personal information’ retained

• Anonymity Principle to include pseudonymity

• Notice required on collection from 3rd Parties

• Direct marketing to require prior consent wherever practical

• Intermediary access where direct access refused

• Data breach notification principle

• Restrictions on using Identifiers tightened (No ID card yet)

• Public sector to be covered by anonymity, data export, destruction and identifiers principles (and perhaps direct marketing)

Australian privacy law already has novel elements, and more are proposed; Principles will be stronger if reforms adopted


Australia (III): ALRC proposals to strengthen enforcement

• Rights of complainants to be strengthened
– Right of appeal to Federal Court against PCO’s s52 determinations
– Parties will be able to require s52 determinations

• Commissioner’s powers to be strengthened
– to order PIAs for significant new public sector projects

– to audit private sector compliance

– to order specific actions to remedy a breach

– to enforce findings in ‘own motion’ investigations

– to pursue civil penalties against parties in repeated breach

Australia’s ‘regulatory pyramid’ may be augmented and strengthened at all levels


New Zealand

• APEC & OECD member

• Privacy (Cross-border Information) Amendment Bill
– New legislation (Sept 08)
– Allows cooperation in complaint investigation with overseas Privacy Offices
– Commissioner may prohibit transfers from NZ which would circumvent a third country’s laws
– Allows non-NZ citizens to access and correct files (assists EU adequacy)
– Refers to OECD Guidelines & EU Directive, but not APEC Framework!

• Privacy Act 1993
– Comprehensive coverage of all sectors
– Appeals from Commissioner to Human Rights Review Tribunal (HRRT), which can award compensation: largest body of case law in Asia-Pacific
– Now under extensive review by NZ Law Commission - improvements likely

Bottom line: NZ’s already strong law continues to improve


Japan

• Other speakers will detail, but two observations:
1. Protections are being strengthened (eg METI Guidelines, 2007)
2. Inadequate provisions for compensation actions

• METI guidelines, 2nd Ed (2007)
– Influential Guidelines (one of 35) to the Personal Information Protection Law (PIPL); strengthened requirements re statement of purpose of use; consent for change of use; data breach notifications and confidentiality required of employees

• Case law starting, but legislation may be inadequate
– Tokyo District Court decided in a claim against an ophthalmology clinic that breaches of PIPL did not give rise to a private cause of action
– Damages against beauty salon chain (Aug 2007) in Tokyo High Court; US$4K to 14 plaintiffs for ‘data spill’ onto the Internet was a negligence action, though based on the same standards as PIPL
– JAL cabin attendants’ action against Japan Airlines (Nov 2007) for improper collection; sought 48 million yen


South Korea

• No need for me to detail, but a few observations:
– More comprehensive legislation is only a matter of time
– KISA (Korean Information Security Agency) guidelines were strengthening the law (eg revised RFID Privacy Protection Guideline 2007; revised Biometric Information Privacy Guidelines 2007), prior to the 2008 re-arrangement
– Korea’s legislative Principles contain innovations
– Korea’s Personal Information Dispute Mediation Committees (PIDMCs) give effective enforcement through compensation and are well-documented

Bottom line: Korea may have the most original data protection regime in the Asia-Pacific, though still incomplete


Hong Kong

• Constant massive data spills but no remedies
– Eg massive data spill onto Internet concerning complaints against Police by 20K people (2007), by contractor working for Independent Police Complaints Commission (IPCC)

• No effective enforcement due to defects in the Ordinance
– Commissioner finds breaches of security principle, but unless they are repeated cannot prosecute; cannot award damages or mediate

– Damages actions in a Court under s66 ineffective - not HK$1 ever awarded - too costly, difficult and risky to go to Court

– Companies are increasingly prosecuted and fined for not complying with orders, but these are relatively minor matters

– Current Commissioner uses s48 reports to ‘name and shame’

Bottom line: HK law does not provide ‘responsive regulation’ despite the Commissioner’s attempts to enforce it


Macau SAR

• APPA observer; not APEC or ASEAN

• Personal Data Protection Act (2006)

– Principles based closely on Portugal’s data protection law (and therefore EU Directive)

– Includes de-identification, automated processing restriction, right to object to processing and restrictions on data matching

– Additional detailed security protections, and restrictions on offence-related data

– Transfers ‘outside the MSAR’ require legal system of destination to provide ‘an adequate level of protection’ (A 19)


Macau SAR (II)

• Office for Personal Data Protection administers Act
– OPDP operating since March 2007
– Ms Sonia Hoi Fan Chan, Co-ordinator
– No decisions on website as yet
– Has issued exemption orders and workplace guidelines

• A quasi-registration system for some processing only
– Notification within 8 days of most automated processing of data, or processing of sensitive data, unless an exemption from notification is obtained

– ‘Prior checking’ (ie authorisation) of processing of sensitive data (in some cases), credit information, data matching, or for secondary purposes


Macau SAR (III)

• A variety of enforcement measures
– Civil action for compensation for breaches
– Rights to complain to Administrative Court, and to appeal to Court of Final Appeal
– Civil (administrative) offences for many types of breaches
– Criminal offences for use of personal data for purposes incompatible with collection; unauthorised data matching etc
– ‘Public warning and censure’ and ‘publication of judgment’ are specific ‘additional penalties’

Macao’s law has one of the most comprehensive ‘enforcement pyramids’ - how is it being used?


Taiwan / Chinese Taipei

• APEC member

• Computer Processed Personal Data Protection Act 1995
– Limited coverage: public sector and 8 specified private sector areas
– Limited effectiveness: no single oversight body, left to Ministries
– No known enforcement of provisions or data transfer restrictions

• 2005 amending Bill still on legislative agenda
– Introduced by Executive; stalled in Legislature; Minister of Justice revived calls for passage 2007; 1st reading May 2008; legislative pressure again after Aug 2008 bust of largest yet identity theft ring; support uncertain

– Reforms include broader scope (‘Data’ no longer limited to ‘computer-processed’ data; To cover all who process data, not only government and designated industries), stronger remedies (Fines to increase from US$1,200 to US$150K; Class actions suits for breaches permitted), and stricter criteria for sensitive data

Bottom line: Limited effectiveness, but likely to get stronger


Conclusions concerning existing 7 laws

1. Legal protections have continued to strengthen, or reforms are proposed, in all 7 jurisdictions

2. Some enforcement, with significant compensation or fines, occurs under most laws (Connolly, 2008a)

3. But none (except perhaps Macao) have the full pyramid of regulatory tools needed

4. Most laws include principles stronger than the APEC Framework, often innovative

5. But an ‘Asia Pacific privacy jurisprudence’ of consistent interpretation of Privacy Principles is yet to emerge


Legislation under development

• Thailand
• Philippines
• Malaysia
• China (PRC)

• The next waves of data protection legislation may be from China, and from other East Asian countries


Thailand

• APEC and ASEAN member
• Official Information Act, 1997
– Only covers State agencies
– Administered by 32-person Official Information Commission (OIC) and the Office of the OIC
– Limits personal data collection and retention; limits disclosure; requires security; provides access and correction rights (most elements of information privacy)

– Statistics to 2005 show 880 appeals (to OIC or Information Disclosure Tribunal) from 1300 complaints against government at all levels

Current proposals to expand coverage to private sector


Thailand (II)

• Competing proposals for private sector coverage
– Complicated by coup (2006) and new Constitution (2007)

• OIC proposed Personal Data Protection Law
– Draft proposed to Cabinet by OIC in 2005, still under consideration Dec 2007; legislators have also proposed Bills
– Includes private sector data under OIA, with administration by Office of OIC (similar to expansion of the Australian Act)

• Council of State Privacy Act proposal
– Principles seem EU-influenced (Raksirivorakul, June 2008)
– Organisations must have a ‘registrar’ responsible for security
– No processing of personal data without permission
– Change of use, or disclosure, or overseas transfers require written consent, with very limited exceptions
– Notification required after overseas transfer

• Both establish a Personal Data Protection Commission/Board
– Enforcement primarily through criminal offences


Philippines

• APEC and ASEAN Member
• Limited rights at present
– Some constitutional protections in theory
– Right of ‘Habeas data’
  • adopted by Supreme Court (2008)
  • essentially a constitutional right of access and correction
  • No known uses as yet
– Electronic Commerce Act (2000) s3(e)
  • set general principle that businesses should give users choice in relation to privacy, confidentiality and, where appropriate, anonymity


Philippines (II)

• Current protections (cont.)
– Dept Trade & Industry (DTI) Order 8 (2006)
  • issues Guidelines for private sector ICT systems
  • Strongly EU-influenced set of data protection rights
  • Weak enforcement by voluntary accreditation process for compliance certifiers, and a proposed Privacy Complaints Office that can only advise complainants

• New sectoral Bills before Congress
– spyware, identity theft, credit information, sensitive government records


Philippines (III)

• Comprehensive Bills before Congress
– 2 current Bills, one before each house
– Covers both public and private sectors, all data
– Both have data protection Principles strongly influenced by EU Directive and UK 1998 Act
  • Additional security principles
– Both establish a National Data Protection Commission within the Office of the President
  • Powers to investigate complaints and provide remedies
  • Oversight and coordination role in both sectors
  • Criminal penalties for unauthorised processing


Malaysia

• APEC & ASEAN member
• Current protections not significant under Constitution, legislation or common law
• Proposed Data Protection Bill
– Minister has promised to introduce in 2008
– No consultation as yet, even with Bar Council
– Some pressure to complement new DNA Bill
– BUT, such Bills have been introduced repeatedly since 1998!


China (PRC)

• New criminal penalties for corrupt use of personal information
– 11th NPC Standing Committee considering Criminal Law amendment, final legislation expected by 10 October 2008

– Criminal penalties for employee selling or offering to sell personal information

– To cover employees of government, hospitals, schools, and telecomm, financial, or transportation companies

– Penalties could also apply to those illegally obtaining data

• Draft Personal Information Protection Act (2006)
– 2006 draft by Prof Zhou HANHUA, Director of the Institute of Law, Chinese Academy of Social Sciences, and a team of experts

– Not proceeding at present, but main points give an idea of type of law supported by a significant part of PRC elite opinion

– Considerable consultation between EU and China


China (II) - Draft Personal Information Protection Act

• 8 ‘General Provisions’/Principles (Ch 1)

1. Purpose

2. Lawfulness

3. Protection of rights (access and correction)

4. Balance of interests

5. Information quality (incl collection and use limits)

6. Information security

7. Professional duties (like ‘accountability’)

8. Remedy (incl admin remedies and compensation)

– Plus ‘Scope of’ and ‘Exceptions to’ applicability

• ‘Cross border transfer’ (A48)
– No automatic restriction - ‘may restrict’
– Grounds for restriction include that recipient country/area ‘cannot give sufficient legal protection’


China (III) - Draft Personal Information Protection Act

• Application to government authorities
– Very broad exceptions to use restrictions

• Application to ‘other data processors’
– Applies to all private sector organisations
– Registration required before collection begins
– Collection only for ‘clear and specific purposes’
– Secondary uses strictly limited

• Administration (Ch 4)
– widely distributed among all agencies ‘above county level’; no ‘Privacy Commissioner’
– General regulations to be made at State Council level


China (IV) - Draft Personal Information Protection Act

• Safeguards and remedies (Ch 4 & 5)
– Administrative review always available, with right of appeal to People’s Court
– Alternative judicial remedy at any time in People’s Court
– All data processors ‘should bear liability for compensation in accordance with law’
– Administrative liabilities and criminal liabilities (Ch 5)

• Bottom line
– Depending on implementing regulations, could be more like an EU law than an APEC implementation
– Feasible that an EU adequacy finding could follow
– If anything like this Draft is enacted by PRC, significant implications throughout Asia


Nothing significant yet - 40 more jurisdictions

• Singapore
– The world’s only developed country without privacy legislation (Connolly, 2008)
– Model Data Protection Code (2002), an industry-based self-regulatory code with no known effect
– ASEAN commitment by 2015
– Joining APEC pathfinders

• Vietnam
– Considering APEC reference in a new law

• Other ASEAN countries: Indonesia, Myanmar, Cambodia, Laos, Brunei
– ASEAN commitment by 2015

• All South Asian countries
– Insignificant Indian laws
– No SAARC initiatives

• All Pacific Island countries
– Cyberlaw harmonisation project (Pacific Islands Forum)

• But Mongolia is different …


Mongolia

• Not in any regional organisation
• Law on Personal Secrecy (1995), then…
• Law on Personal Secrecy (Privacy Law)
– Covers correspondence, health information, property, family, and other secrecy defined by laws
– Creates right to sue for breaches, and regulates exceptions
– 20 laws amended as a result
– Training for officials, including taking of an oath

Bottom line: Mongolia is developing its own approach


National trends

1. Influences on privacy principles

2. Novel regional privacy principles?

3. An Asia-Pacific privacy jurisprudence?

4. Effective enforcement?

5. Limitations of scope to ‘identification’


Shared principles

• Regional data protection laws are in the same ‘family’, primarily OECD-influenced and EU-influenced

• ‘Novel’ Principles found in at least 2 regional laws (but not in APEC Framework):
– Openness
– Anonymity option
– Collection from the individual
– Identifier limitations
– Data retention
– Automated decisions
– Third party notice of correction
– Sensitive information
– Data export limitations
– Public register principles


Is an Asia-Pacific privacy jurisprudence emerging?

• The data protection laws of the region differ, but are part of the same ‘family’ of laws

– Many common OECD-influenced and EU-influenced elements
– Plus some ‘novel’ principles shared by a number of regional laws

• Are these common elements being similarly interpreted?
– Can the interpretations in one jurisdiction inform others?

• We cannot yet say with confidence: there are too few reported Court, Tribunal or Commissioner decisions, and too little comparative analysis

• Since 2003, regional privacy authorities have improved their reporting practices very considerably, and developed standards

• WorldLII’s International Privacy Law Library publishes all their decisions in one searchable location: <http://www.worldlii.org/int/special/privacy/>

• The ‘Interpreting Privacy Principles’ project at UNSW investigates this question.

The development of a common data protection jurisprudence is a future task for the region and globally


Very different pyramids of privacy enforcement

| Top of pyramid | Australia | Hong Kong |
| --- | --- | --- |
| Criminal offences | Never used | Occasionally |
| Civil penalties for repeated breaches | None (now proposed) | None |
| Naming those in breach | Very rare | S48 reports now more common |
| Compulsory orders (compensation etc) | S52 rarely used | S66 never used |
| Warning notices | None | Widely used |
| Mediation of disputes | Very common | ??? No explicit mediation function |
| Self regulation / option to resolve | Required | |


Technologies beyond identification

• All regional laws and agreements are too narrow in scope for some new technologies

• ‘Personal data/information’ is restricted in laws to information which can identify a person (actually or practically)

• New location and other technologies allow personalised interaction based on significant amounts of accumulated information about a person, falling short of ever identifying them

Bottom line: Do our laws (or interpretations) need to cover interaction without identification?


Regional and global trends

1. EU Directive - Continuing relevance?

2. APEC Framework & ‘Pathfinders’ - Success?

3. CoE Convention 108 - New relevance?

4. OECD Guidelines

5. ASEAN commitments

6. IGF/WSIS possibilities

7. APPA (Asia-Pacific Privacy Authorities)

8. Regional NGOs

Overall trends:
• Despite APEC, nothing like the coherence of data protection developments in Europe
• A multi-tiered system of data transfers may emerge


ASEAN privacy commitments

• Association of South East Asian Nations
• 10 countries
– 3 not in APEC: Cambodia, Laos, Myanmar
• Committed to establish ASEAN Economic Community by 2015
• Harmonised e-commerce framework is part of targets, including adoption of best practice on data protection
• In related areas, ASEAN adopted harmonised e-commerce laws in 8 countries plus 2 drafts in 5 years

Bottom line: ASEAN should not be ignored as possible driver of privacy law developments, including data export provisions

– Malaysia, Philippines, Thailand already have draft laws


Continuing influence of the EU privacy Directive

• The EU Directive’s Principles may still be the strongest regional influence
– HK (in part), Macao, PRC draft, Philippines drafts

• EU’s ‘mandatory’ data export restrictions have as yet had limited effect
– Will the position change when the EU gets its own house more in order?

• Few EU determinations of (in-)adequacy yet made
– Australia, HK, NZ, Korea, Japan still to come
– Assessment started of Australia, not known re others
– 4 Latin American countries are now ‘applying’ for adequacy

• But EU adequacy will not go away, nor should it
– EU is entitled to protect the privacy of its citizens

• Attraction of simplifying trade by obtaining a global adequacy assessment from EU will remain
– will pull Asia-Pacific countries toward global standards

Question: Is there another way to achieve this?


APEC Privacy Framework - Failure or promise?

• Asia-Pacific has more privacy laws than any region outside Europe
– The region (Chile to Singapore) has 1/2 of world trade and GDP

• A regional agreement was logical:
– To create a minimum privacy standard
– To help ensure free flow of personal data

• Developed by APEC ECSG privacy sub-group (03-05)
– Business orgs included, consumer NGOs excluded
– No external consultation until 9th draft of IPPs
– No external consultation on implementation (Pt IV)

• APEC Ministers announce Framework (Nov 04)
– Some implementation elements were missing until Sept 05

Questions: After nearly 5 years, what has the Framework achieved?
– In influencing more countries to protect privacy?
– In developing effective means of regional personal data flows?


APEC's 9 Privacy Principles

I Preventing Harm
II Notice
III Collection limitation
IV Uses of personal information
V Choice
VI Integrity of Personal Information
VII Security Safeguards
VIII Access and Correction
IX Accountability (includes Due diligence in transfers)


5 types of criticisms (APEC's IPPs = ‘OECD Lite’)

(1) Inherits weaknesses in OECD IPPs
• OECD now 20 years old, even Kirby is critical
• Weak on collection limitations and secondary use

(2) Further weakening of OECD IPPs
• ‘Purpose specification’ and ‘Openness’ IPPs missing
• Broader allowance of exceptions

(3) New APEC IPPs are of doubtful value
• ‘Preventing harm’ (I) - sentiment OK, but could be abused
• ‘Choice’ (V) - seems redundant
• Accountability (IX) can substitute for data export limitations

(4) Regional experience ignored
• No borrowings from the often stronger laws in the region (eg Korea, HK, NZ, Australia, Canada) - 17 years ignored

(5) EU compatibility ignored
• No borrowings of new EU IPPs (eg automated processing)


APEC implementation standards - Weak requirements and accountability

• Framework Part IV(A): ‘Domestic Implementation’
– non-prescriptive in the extreme

• Any form of regulation is OK
– Legislation not required or even recommended
– Choice of remedies supported

• No central enforcement body required
– But ‘Pathfinders’ assume one or more ‘government enforcement entities’

• No accountability for implementation
– No Individual Action Plans yet visible 3 years after agreed

• Bottom line
– Part IV exhorts APEC members to implement the Framework without requiring or proposing any particular means of doing so, or any means of assessing whether they have done so
– weaker than any other international privacy instrument

Page 44

Do low APEC standards matter?

• APEC could still encourage privacy laws where there are none
  – Framework does not explicitly deter stronger IPPs (a ‘floor not a ceiling’)
  – No FORMAL requirement to export to countries with low standards
  – Earlier danger of a counter-bloc to the EU stemming from an ‘anti-export-restriction’ in Pt IV(B) has disappeared
  – Having APEC countries discuss privacy every 6 months should be useful
• But is there any evidence it succeeds in doing so?
  – APEC does nothing specific to encourage or assist countries with no privacy laws (most of APEC) to adopt any
  – Privacy Sub-group has not included legislation projects in work plans
  – Little evidence as yet of APEC Principles being adopted in new legislation
  – More evidence that EU Directive still has a stronger influence

Bottom line: APEC Framework possibly not dangerous (unless Pathfinders are distorted), but little evidence yet of it being useful

Page 45

Data exports and the APEC Framework

• Where data exports fit in the APEC Framework
  – Framework says nothing directly about export restrictions
  – Little direct impact on data exports between EU and A-P, in either direction
  – Pt V(B) (Sept 05) encourages recognition of binding corporate rules
  – Accountability Principle (includes ‘Due diligence in transfers’) can be interpreted as a (soft?) substitute for data export restrictions - contentious
  – ‘Pathfinder’ projects now try to facilitate data flows within Asia-Pacific
• APEC Framework does NOT:
  – Require exports be allowed to APEC-compliant countries (contrast EU, OECD, and CoE)
  – Forbid exports to non-APEC compliant countries (contrast EU Directive)
  – Allow restrictions on exports to such countries (contrast OECD and CoE)
  – It is more ambiguous on exports than any previous international agreement

Page 46

Implementation: ‘Pathfinders’ from 2007

• Ministers endorsed ‘Pathfinder’ project in 2007 (9 sub-projects)
  – Most APEC economies (15/21) now participating in some of 9
    • Not Indonesia, Malaysia (+ 4 others)
• Essence: Regional acceptance of company’s data export practices
  1. Basis is ‘certification’ of a company’s Self Assessment of the ‘compliance’ of its cross-border privacy rules (CBPRs) by a ‘Compliance Agent’
     • Will include how it will deal with complaints about breaches
  2. ‘Accountability Agents’ can be public (regulators) or private (trustmark schemes)
     • There will be a separate ‘trustmark assessment process’
  3. Aim is that certification by a Compliance Agent in one APEC jurisdiction will (somehow) be recognised in all APEC economies
  4. There will be a public register of ‘compliant’ companies
  5. Regulators will cooperate to investigate multi-jurisdictional complaints
  – Overall governance of scheme as yet unresolved

Page 47

‘Pathfinders’: criticisms from Civil Society organisations

• Process bias against Civil Society: All Present Except Consumers (A.P.E.C)
  – Business groups (ICC & GBDe) formally accredited, involved in design of Framework and Pathfinders, and ICC a participant in all Pathfinders (leads one)
  – Civil Society groups (EPIC and Privacy International) have been denied formal status and cannot formally participate in the projects, but since 2007 their members have been able to attend via national delegations and speak with observer status
• What does ‘compliance’ by a business involve?
  – Apparently does not mean its compliance with all APEC Principles?: Could have meant an audit of a company’s privacy practices as a basis of certification.
  – Only means that it complies with Principle IX (Accountability)?: This is just another Safe Harbor scheme, allowing avoidance of the substance of the APEC Principles
• Why should the APEC register of ‘compliant’ companies endorse the practices of companies that do not observe the APEC Principles?
  – Most APEC countries have no enforcement of those Principles
• How will the ‘trustmark assessment process’ work?
  – Who will decide, for example, if TRUSTe is a credible compliance system?
• How will this work in countries with privacy laws?
  – Will countries with data export restrictions weaken them to comply with APEC?

Page 48

What evidence of trustmarks protecting privacy?

Members of Asia-Pacific Trustmark Alliance (APTA)
• Asociacion Mexicana de Internet (AMIPCI)
• CommerceNet Singapore (CNSG)
• Consumers Association of Singapore (CASE)
• eC Network (Japan)
• Korea Institute for Electronic Commerce (KIEC)
• Secure Online Shopping Association, Taiwan (SOSA)
• TradeSafe (Japan)
• TRUSTe (USA)
• Vietnam E-Commerce Development Center (ECOMVIET)

Comments
• Very strong doubts about TRUSTe’s credibility in enforcing its standards: Connolly (2008)
• Other trustmark providers may provide credible schemes, BUT almost all are generally e-commerce trustmarks, with very little emphasis on privacy
• On privacy, more evidence of enforcement is needed
• Privacy Trustmark schemes compare poorly with statutory regulators on most criteria: Connolly (2008)

Page 49

Council of Europe data protection Convention 108

• Convention (1981) allows for non-European countries to accede (A 23)
  – Requires invitation of CoE Committee of Ministers
  – Originally intended for OECD countries adopting OECD-like privacy laws
  – But no country has been invited, and there was no process for invitation
• Is ‘globalisation’ of a European convention likely?
  – Precedent: CoE Cybercrime Convention has been adopted outside Europe, and is now being promoted by the OECD
  – Much more realistic than starting a new UN privacy Convention
• CoE has in 2008 ‘opened the door’ to non-European accessions
  – ‘Montreux Declaration’ of international Privacy Commissioners (2005) called for CoE to invite applications
  – Convention 108 Consultative Committee (March 2008) supported accession by any country with data protection laws meeting Conv. 108 standards
  – CoE C’tee of Ministers (July 2008) agreed to examine accession requests

Bottom line: In effect, CoE has invited non-European States to apply

Page 50

CoE Conv 108 standards

• What standard does CoE Convention 108 require?
  – Consultative Committee may advise Council of Ministers (A 19, 20) whether non-European countries meet Conv 108 requirements (uncertain as yet)
  – Principles are similar to those of OECD Guidelines
  – Enforcement and mutual assistance requirements are modest
• Additional Protocol (ETS No 181) adds complications
  – 20/40 parties to Conv. 108 have acceded; 14 more have signed
  – Requires legislation and an independent authority (Conv 108 does not)
  – Requires data export limitations (Conv 108 does not)
• Which non-European countries could meet CoE accession requirements?
  – Arguable that Australia and NZ could accede to both Convention and Additional Protocol
  – Arguable that South Korea, Japan and Taiwan could accede to Convention
  – Potentially, Canada, some Latin American, and some Middle East countries

Bottom Line: Considerable scope for non-European accessions

Page 51

Potential for CoE Conv 108 adoption in Asia-Pacific

• Potential advantages
  – Not inconsistent with APEC obligations
  – Joining a Convention is voluntary, not an external imposition
  – Would result in free flow of PI to and from signatory non-EU countries (A 12(2) requires)
  – Would result in free flow of PI to and from EU countries, unless they specifically derogate against exports to a country (A 12(3)(b))
  – Would encourage other Asia-Pacific countries to develop their laws and enforcement to CoE standard, to gain the benefits of accession
• Potential disadvantages
  – Civil Society view may be that Conv. 108 standards are too low
  – Might it require exports to countries whose laws are not strong enough?
  – No mechanism to require acceding countries to adhere to standards

Bottom Line: Deserves considerable further study by all Asia-Pacific countries with data protection laws; May be a path to a global agreement, avoiding some problems of EU ‘adequacy’; But without the Additional Protocol, it may set too low a standard

Page 52

A multi-tiered system of data exports in the Asia-Pacific?

• Might something like this emerge:
  – Tier 1: Countries party to CoE Conv 108 + Optional Protocol (or with EU ‘adequacy’)
    • If this is necessary to obtain exports from EU
  – Tier 2: Countries party to CoE Conv 108
  – Tier 3: Countries with national legislation, and APEC Pathfinder involvement
  – Tier 4: Countries involved in APEC Pathfinders only

Page 53

OECD Guidelines

• OECD = ‘30 democracies’, including Australia, Canada, Japan, Korea, NZ, US
• OECD Council Recommendation (2007) on Cross-Border Cooperation in Enforcement
  – Defn. ‘Privacy Enforcement Authority’ as ‘responsible for enforcing Laws Protecting Privacy’
    • ‘public bodies’ only: trustmarks etc are excluded
  – Covers guidelines for mutual assistance, a national contact point for cooperation, sharing information on enforcement outcomes, and broader cooperation
• OECD Ministerial Meeting on Internet Economy, Seoul (2008)
  – Raised possibility of reviewing 1981 Guidelines, and the need to formalise Civil Society and technical involvement
  – Civil Society input stressed need for better enforcement of existing laws, claiming ‘compliance levels appear to be low and enforcement mechanisms weak’.

Bottom line: 25 year old OECD Guidelines have been overtaken in some areas but are still relevant

Page 54

Internet Governance Forum

• IGF results from the World Summit on the Information Society (WSIS) 2nd meeting
• IGF next meeting in Hyderabad, Dec 08
  – Sessions on security and privacy, and global agreements
  – CoE Convention 108 will be presented by some as the path to a global privacy convention
  – Also seen as a counterweight to the global nature of the CoE Cybercrime Convention (promoted by OECD)
  – Civil Society grouping ‘Dynamic Coalition on Privacy’ had to struggle to have privacy included on agenda at IGF 2007, even under ‘security’

Page 55

Asia-Pacific Privacy Authorities (APPA)

• Privacy agencies from Australia (federal, NSW, Vic, NT), NZ, HK SAR, South Korea, and Canada (federal, British Columbia) are members
  – Meets twice per year
  – New Canadian members show it is not static (Macao SAR also attending)
  – Japan, Taiwan, USA missing as there is no central privacy agency (members must be accredited via International Privacy Comms. Conf.)
• Very little development of joint policy, due partly to lack of mandate
  – No formal role in APEC Framework; could take up an OECD role; No self-assumed joint policy role
  – No adoption by APPA of call to CoE to open Convention 108 to applications
  – ‘APPA members re-committed to progressing the implementation of the APEC Privacy Framework’ (28th APPA)
  – 2 standards on reporting cases; some consistency in development of data breach notification guidelines; regional ‘Privacy Awareness Week’
  – Starting cooperation on cross-border enforcement. This could have both an APEC dimension and an OECD dimension.

Bottom line: Useful but insignificant compared with Europe’s A29 committee - BUT has no ‘statutory’ function to legitimate it

Page 56

Page 57

Regional/global Civil Society/ ‘privacy NGOs’

• National privacy NGOs vary greatly between countries
  – Australian Privacy Foundation very active since 1987; consumer groups very active in S Korea; new HK NGO; NZ NGO is dormant
• EPIC (Washington-based) and Privacy International (PI) (London-based) are involved in regional issues
  – Both informally admitted to APEC Privacy Sub-group; scepticism, but continuing engagement; participated in Japanese fingerprinting protest
• Engagement in global Civil Society privacy initiatives does occur
  – Joint privacy declaration at Montreal Commissioners’ meeting (2007)
  – Input into ‘Global Voice’ submissions to OECD Korea meeting (2008)
• Asia-Pacific Privacy Charter Council (APPCC)
  – Formed 2003 (experts and advocates from 10 countries) to develop an alternative to APEC principles
  – Made inputs into APEC development, then dormant; may be revived
  – Draft Charter was treated by ALRC as one regional standard

Bottom line: Civil Society lacks full regional privacy co-ordination

Page 58

Regional business groups and privacy issues

• Who really represents business interests on regional privacy issues?
  – Trustmark operators?
    • TRUSTe and Asia-Pacific Trustmark Alliance (APTA) are engaged in APEC Pathfinders
  – International Chamber of Commerce (ICC) and GBDe?
    • They are accredited to APEC Privacy Subgroup
• Are these bodies representative of the interests of all Asia-Pacific businesses?

Page 59

Future issues and directions

• Expect more and stronger national privacy laws in the region

• Weaknesses in the scope of ‘personal data/information’ definitions will become apparent

• The APEC Privacy Framework will not dominate regional thinking or developments

• The movement toward a global privacy agreement may require engagement with CoE Convention 108, as nothing else seems likely

• Regional groupings of Privacy Authorities, Civil Society and Business will all become more significant

Page 60

References

• Asia-Pacific Privacy Agencies (APPA) <http://www.privacy.gov.au/international/appa/>

• WorldLII’s International Privacy Law Project <http://www.worldlii.org/int/special/privacy/>

• Interpreting Privacy Principles (iPP) Project <http://www.worldlii.org/int/special/privacy/ipp/>

• Asia-Pacific Privacy Charter pages (includes key APEC documents and critiques) <http://www.bakercyberlawcentre.org/appcc/>