APEC vs APT?: The struggle for regional privacy standards
Graham Greenleaf
‘Terrorists & Watchdogs’ Conference, 8 September 2003
Regional privacy standards


There is no global standard
One region (Europe) has successfully developed regional standards
Council of Europe Convention 1981
European privacy Directive 1995
The Asia-Pacific is the next most advanced region in privacy protection
Far less political and economic unity or uniformity
Starting the most important international privacy developments since the EU Directive ….
Toward an Asia-Pacific standard

APEC’s privacy initiative


Asia-Pacific Telecommunity (APT)


Chaired by Korea
Asia-Pacific Privacy Charter Council


Chaired by Australia
A ‘civil society’ expert group
FTAA (Free Trade Area of the Americas) will also affect some countries
APEC’s privacy Principles



Australia chairs a working group of 10 countries since Feb 03
Starting point: OECD Guidelines (1981)
What’s the purpose?:
A minimum standard where compliance will (somehow) justify regional free flow of personal information
A standard which will encourage (minimum) protection in countries where there is none
APEC’s privacy Principles - Progress or stagnation?

5 draft versions in 6 months
Do not yet reach OECD standards
Only considering very minor improvements to OECD
V2 strengthened V1, but V3 and V4 far weaker for little apparent reason
Serious US input coincides with V3
At best it offers ‘OECD Lite’ ….
APEC’s ‘OECD Lite’

Examples of weak and outdated standards







Based on Chair’s V4 (Aug 03) - now behind closed doors
No objective limits on information collection (P1)
No requirement of notice to the data subject at time of collection (P3)
Secondary uses allowed if ‘not incompatible’ (P3)
OECD Parts 1, 3, 4 and 5 all missing as yet
Farcical national self-assessment proposed (V1)
Why start from a 20 year old standard?


Most regional countries are not members
Recognised as inadequate (eg Kirby J 1999)
The alternative: A real Asia-Pacific standard

Actual standards of regional privacy laws



Eg Korea, Canada, Hong Kong, New Zealand, Taiwan, Australia, Japan, Argentina
Principles stronger than OECD are common
Expert input is needed to identify this standard, not filtered through governments

Privacy Commissioners need a collective role




No equivalent yet to A29 Committee
Santiago (Feb 04) only offers input on implementation
Asia-Pacific NGO experts are developing the APPCC
We need to adopt and learn from 25 years of regional experience, not ignore it
Examples of high regional standards





Collection objectively limited to where necessary for functions or activities (HK, Aus, NZ - Can stricter)
Notice upon collection (Aus, NZ, HK, Kor)
Secondary use only for a directly related purpose (HK, NZ, Aus - Kor stricter)
Right to have recipients of corrected information informed (NSW, NZ)
Deletion after use (HK, NZ, NSW, Kor)
APT privacy Guidelines (draft)



Asia-Pacific Telecommunity (APT)
32 states via Telecomms ministries (etc)
Guidelines on the Protection of Personal Information and Privacy (draft), July 2003


Drafting by KISA (Korea), with Asian Privacy Forum
Attempts to take a distinctive regional approach






Explicitly not based solely on OECD or EU (cl8)
Says OECD Guidelines ‘reflect … the 70s and 80s’
‘Concrete implementation measures’ unlike OECD
Allows more variation between States than EU
Emphasises role of government, not litigation
Adds new Principles in at least five areas …
APT Guidelines - implementation


Legislation required + self-regulation encouraged
A privacy supervisory authority required
Supervision and complaint investigation
Data export limits may be ‘reasonably required’ to protect ‘privacy, rights and freedoms’; free flow of information otherwise required
Limits on these guidelines only by legislation; only to the extent necessary for other public policies
Common character string needed to deal with spam
APT Guidelines - new Principles









No disadvantage for exercising privacy rights (A5(2))
Notification of corrected information to 3rd party recipients (A6(4))
‘Openness’ of logic of automated processes (A7)
No secondary use without consent (A14(2))
Deletion if consent to hold is withdrawn (A16)
Duties on change of information controller (A19)
Special provision on children’s information (A34)
Personal location information Principle (A30)
Unsolicited communications Principle (A31)
Conclusions

Why are APEC and APT so different?




Membership similar except for the USA
Australia’s APEC initiative had a defensive and outdated starting point (OECD)
Inadequate process: no collective expert input, and now behind closed doors
A more consultative, confident, and region-based APEC initiative is needed