Australia's APEC privacy initiative: The pros and cons of 'OECD Lite'
Graham Greenleaf
University of New South Wales
15 May 2003
[Draft of an article for [2003] 10 Privacy Law & Policy Reporter 1. Please check <http://www.cyberlawcentre.org/ipp/apec_privacy_framework/> for further versions and developments. <g.greenleaf [at] unsw.edu.au>]
This initiative has the potential to encourage the development of stronger privacy laws in APEC economies that at present provide little privacy protection, and to help find a regional balance between protection of privacy and the economic benefits of trade involving personal data. It also presents considerable potential dangers to long term regional privacy protection if it becomes a means by which the APEC economies accept a second-rate standard based on some parts of the 20 year old OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)[2], particularly if this is then used to force down the standards of privacy laws in regional jurisdictions which are already stronger. The early history of the APEC initiative shows that the dangers are as great as the potential benefits.
At a meeting of the APEC E-Commerce Steering Group in Thailand in February 2003, Australia put forward a proposal for the development of APEC Privacy Principles using the OECD privacy principles as a starting point, and implementation mechanisms which address the issue of inter-country personal data transfers ('transborder data flows' in OECD terminology)[3]. A working group has been set up comprising Australia (chair), Canada, China, Hong Kong, Japan, Korea, Malaysia, New Zealand, Thailand and the United States. Consultations are to take place in each of the participating economies, and in Australia the Attorney-General has already had one meeting of his 'Core Consultative Group' (CCG) partly to discuss this issue. Further meetings of the APEC E-Commerce Steering Group 'privacy working group' will take place in Thailand in August, and in September in Sydney following the International Data Protection and Privacy Commissioner's Conference. Part of the Sydney meeting will allow for non-government input into the process.
The Australian proposal which is being used as the starting point for this initiative is based on two documents drafted by Mr Peter Ford, the head of the Information and Security Law Division of the Australian Attorney-General's Department. The draft documents are APEC Privacy Principles (Version 1) and Privacy Implementation Mechanisms (Version 1), reproduced below as they need to be read in full for the criticisms following to make sense. In fairness it must be stressed that these are only rough first drafts, which Mr Ford has put on the table as a starting point for debate within APEC. He has noted in discussions that they may need to take into account other aspects of the OECD Guidelines. However, they are almost the only documents available, and have been put forward by the Australian government specifically for the purpose of others commenting on and criticising them.
These proposals reflect views common within the Australian government, and most clearly stated in Mr Ford's own previous writings[4], that 'there is no credible international standard other than the OECD Principles', together with dissatisfaction with the personal data export limitation approach of the EU's privacy Directive, particularly as it has been applied to Australia's Privacy Act 1988.
A Janus-faced initiative
What are we to make of this APEC privacy initiative?
On the positive side, it presents an opportunity to increase the standard of regional privacy laws by creating a minimum standard sufficient to justify the free flow of personal information within the region, through a genuine regional initiative.
On the negative side, there is a clear danger that what will emerge from the process is a watered-down version of an already 20 year old OECD standard, one which has already been superseded by privacy laws in many APEC countries, and one which lacks many other valuable elements of those Guidelines.
The second danger is that the Australian proposal proposes meaningless self-certification as the basis for regional free flow of personal information, lacking even the mild provision for data export prohibitions found in the OECD Guidelines. On the positive side, as we shall see, New Zealand privacy officials are already suggesting a stronger alternative involving independent assessments of whether regional laws 'substantially observe' the APEC privacy standard that is adopted.
The conclusion of this paper is that the drafts that comprise this Australian initiative are far removed from where APEC's deliberations should end. They are a bad place to even start from, but start from there we must, and then quickly move on. This paper sets out why 'APEC Lite' is the wrong place to start, much less to end.
Comments on suggested APEC Privacy Principles (Version 1)
The APEC Privacy Principles (Version 1) are better named 'OECD Lite' because they only include 'Part 2 - Principles of National Application' and not the equally important 'Part One - General', 'Part 3 - Basic Principles of International Application', or 'Part 4 National Implementation'.
In any event, the 1980 OECD Guidelines ('Lite' or full strength) are an inadequate starting point, as they ignore over 25 years' experience of developing privacy laws in the Asia-Pacific. They are significantly weaker than the IPPs or the NPPs in Australia's own Federal Privacy Act 1988. Their inadequacies have been identified by authors over the years[5], and even the Chair of the Expert Group that drafted them, Justice Michael Kirby, has stressed the need for their revision to make them suitable for the 21st Century[6]. The comments below do not encapsulate the many criticisms and suggestions in these articles, but merely point out some obvious deficiencies.
The proposed APEC Privacy Principles are generally equivalent to the OECD IPPs found in 'Part 2 - Principles of National Application', but they do weaken them in the following ways:
- APEC IPP 2 has been limited to 'collections of personal information', suggesting a weaker standard under which only the overall collection has to be 'accurate, complete and up-to-date', not each item.
- The vital control that the purposes of collection 'should be specified not later than at the time of data collection' has been dropped from APEC IPP 3.
- The OECD right to 'challenge data' (IPP 7) is considerably broader than the APEC version of 'challenge the accuracy of records' (see the Explanatory Memo).
- The deletion of the OECD concept of 'data controller' narrows the parties who are held responsible for breaches of IPPs, and opens possibilities for avoidance.
A brief comparison with the IPPs and NPPs[7] in Australia's Privacy Act 1988 reveals the following additional weaknesses of the APEC principles (and OECD 'Principles of National Application'):
- The 'limits' to be placed on the scope of collection of personal information are not defined by any objective standard.
- There is no requirement of notice at the time of collection.
- There is a weak test of secondary uses being 'not incompatible' with the purpose of collection.
- There is no data exports principle (compare NPP 9).
- There is no anonymity principle (compare NPP 8).
- There is no principle dealing specifically with identifiers (compare NPP 7, for all its limitations).
Even this incomplete list indicates that the OECD IPPs are possibly not the right place to start, and certainly not the right place to finish, in developing an APEC regional standard. If we go beyond Australian laws we find many further general privacy principles which are implemented within the region, such as (to name but two) Canada's purpose justification principle, and Korea's 'no disadvantage' principle. The NZ, HK, Canadian and Korean privacy laws are all stronger statements of privacy principles than the OECD Guidelines.
OECD Guidelines 'Part One - General' (which is omitted from the APEC principles) includes the following important elements:
- Responsibilities placed on 'data controllers', broadly defined (OECD 1(a));
- Recognition of the need for greater protection of sensitive classes of data (OECD 3(a));
- That exceptions should be as few as possible, and made public (OECD 4);
- That they are only minimum standards that may be supplemented (OECD 6).
OECD Guidelines 'Part 4 National Implementation' (which is omitted from the APEC principles) includes the following important elements:
- a requirement for protection by legislation (OECD 19(a));
- requirements for 'reasonable means for individuals to exercise their rights' (19(c)), for 'adequate sanctions and remedies' (including against data export breaches) (19(d)), and for 'no unfair discrimination' (19(e)).
The overall result of the APEC Privacy Principles (Version 1) is a weak set of privacy principles, probably better than nothing, but not what would be regarded as acceptable in Australia, New Zealand, Canada, Hong Kong, or Korea. Since there should not be any suggestion of 'privacy protection good enough for developing countries' in an APEC instrument, the standard of protection suggested is surprisingly and unacceptably low.
Comments on Privacy Implementation Mechanisms (Version 1)
In the OECD Guidelines 'Part 3 - Basic Principles of International Application' (which is omitted from the APEC principles), OECD guideline 17 explicitly sets out three situations in which data export restrictions are acceptable:
- where the importing country does not 'substantially observe' the OECD Guidelines;
- where re-export would circumvent domestic laws (in effect, where the receiving country does not have its own data export prohibitions); and
- to protect sensitive data not similarly protected overseas.
The OECD Guidelines do not suggest that countries should be able to self-certify that they 'substantially observe' the Guidelines.
The Australian Privacy Implementation Mechanisms (Version 1), Options 1-5 only involve (at their highest) self-certification by governments ('economies' in APEC-speak) concerning their implementation of the APEC privacy principles. Such self-certification, without any independent verification, is unlikely to engender confidence by overseas trading partners or potential investors, other governments, or on-line consumers. Nor is it likely to satisfy the requirements of the laws of countries which do include data export limitations (whether within APEC or in other regions).
In response to the Australian Implementation paper's question 'any other options?', the New Zealand Assistant Privacy Commissioner (Blair Stewart) has submitted to the APEC process an Option 6[8] which is not based on governmental self-certification but instead involves a two-tier approach of APEC regional certification:
- 'A committee of independent experts would assess each application and jointly offer a recommendation as to whether certification should be granted.' Normally the national expert would be the country's Privacy or Data Protection Commissioner, or an equivalent independent privacy expert if there is no national Commissioner.
- 'The advice of the experts committee would be public and thereby transparent.'
- 'The decision to certify substantial compliance would be by a committee of officials from APEC members (the 'certification Committee').'
- 'Certification would be recognised in applying any transborder data controls in national law in APEC members.' Stewart does not say so, but this might require legislative changes in those countries with such laws. In Australia this would be so unless the APEC standards were 'substantially similar' to Australian standards (NPP 9) - but hopefully they would be.
- As Stewart suggests, the process would 'promote confidence by being independent from the economy or self-regulatory scheme being certified'. If it became a sufficiently credible process it could be 'recognised beyond the region'.
Stewart has adopted the formula used in the OECD Guidelines of 'substantial compliance'. His approach leaves the final decision to certify 'substantial compliance' to a committee of government officials, tempered by the advice they receive from a Committee of independent (one hopes) privacy officials. It is not a radical proposal, but it is far in advance of any of the five Australian options in its respect for privacy protection.
If cross-recognition of 'adequacy' between APEC standards and European or other regional standards could be achieved, this would obviously solve many of the problems of international flows of personal data. This is unlikely to be achieved by 'OECD Lite', but could be if a higher benchmark is established.
An Asia-Pacific privacy Treaty?
The Australian APEC privacy initiative does not propose the inclusion of the APEC Privacy Principles and their implementation measures in a formal treaty or convention. However, there have been calls for such an Asia-Pacific convention to be developed from APEC structures (from this author among others)[9], and from the distinctive regional form that privacy laws have taken in the Asia-Pacific, described by Waters as 'a third way in data protection'[10]. Europe has successfully developed binding regional instruments in the field of data protection with both the Convention of 1980[11] and the Directive of 1995[12]. It would be a logical and valuable development for the Asia-Pacific, the second region in the world to develop a concentration of privacy laws, to also develop a distinctive regional Convention on data protection.
Governments have taken the first step that could lead to such a development, but they are not the only players whose voices need to be heard. Regional privacy experts are in the process of forming an Asia-Pacific Privacy Charter Council[13]. Regional Privacy Commissioners and other national data protection officials have yet to make many useful collective contributions to the development of privacy laws, unlike their European counterparts. Australia's APEC initiative means that it is time for them to stand up and make their voice heard.
Notes
[1] For information on APEC and its 21 member economies, see the APEC Secretariat home page <http://www.apecsec.org.sg/>. For other APEC links see <http://www.cba.hawaii.edu/apec/home.htm>.
[2] OECD, Paris, 1980 <http://www1.oecd.org/publications/e-book/9302011E.PDF>.
[3] These documents can be obtained at <http://www.apecsec.org.sg/> in the directory Publications / Publications and Library / E-Commerce.
[4] Peter Ford, 'Implementing the Data Protection Directive - An Outside Perspective' [2003] 9 PLPR 141.
[5] For example see Roger Clarke, 'Beyond the OECD Guidelines: Privacy Protection for the 21st Century' (2000) <http://www.anu.edu.au/people/Roger.Clarke/DV/PP21C.html>; G Greenleaf, 'Stopping surveillance: beyond `efficiency' and the OECD' (1996) 3 PLPR 148.
[6] Justice Michael Kirby, 'Privacy protection, a new beginning: OECD principles 20 years on' (1999) 6 PLPR 25 <http://www.austlii.edu.au/au/journals/PLPR/1999/41.html>; Justice Michael Kirby, '25 years of information privacy law: Where have we come from and where are we going', Privacy Issues Forum, Office of the NZ Privacy Commissioner, March 2003.
[7] The Information Privacy Principles (IPPs) apply to the Commonwealth public sector; the National Privacy Principles (NPPs) apply to the private sector.
[8] Blair Stewart, 'A suggested scheme to certify substantial observance of APEC Guidelines on Data Privacy' (APEC E-commerce Steering Group meeting, 2003).
[9] G Greenleaf, 'Global Protection of Privacy in Cyberspace - Implications for the Asia-Pacific' (Self-regulation, national laws and international agreements), particularly '6. Towards an Asia-Pacific information privacy Convention?', 1998 Internet Law Symposium, Science & Technology Law Center, Institute for Information Industries, World Trade Center, Taipei, Taiwan, 23-24 June 1998 <http://austlii.edu.au/itlaw/articles/TaiwanSTLC.html>; G Greenleaf, 'Towards an Asian-Pacific Information Privacy Convention' (1995) 2 PLPR 127 <http://www.austlii.edu.au/au/journals/PLPR/1995/81.html>.
[10] Nigel Waters, 'Rethinking information privacy - a third way in data protection?' (2000) 6 PLPR 121 <http://www.austlii.edu.au/au/journals/PLPR/2000/6.html>.
[11] Council of Europe, Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (Convention No 108) 1981 <http://conventions.coe.int/Treaty/EN/WhatYouWant.asp?NT=108>.
[12] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data <http://europa.eu.int/comm/internal_market/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf>.
[13] To be discussed in more detail in a subsequent issue of PLPR. See <http://www.cyberlawcentre.org/appcc/announce.htm> for the announcement of the Charter Council initiative.