31 May 2004
The Asia-Pacific Privacy Charter Council is a regional expert group formed in 2003 with the objective of developing independent standards for privacy protection in the Asia-Pacific region, in order to influence the enactment of privacy laws in the region in accordance with those standards, and the adoption of regional privacy agreements in accordance with those standards. Further details may be obtained from the Charter Council’s web site at <http://www.cyberlawcentre.org/appcc/> and in particular the Announcement of the Asia-Pacific Privacy Charter Initiative at <http://www.cyberlawcentre.org/appcc/announce.htm>.
The Council’s membership comprises over 30 experts from ten countries in the region, of whom details are provided at <http://www.cyberlawcentre.org/appcc/members.htm>. The Council’s Conveners are the Baker & McKenzie Cyberspace Law and Policy Centre, located at the University of New South Wales. Professor Graham Greenleaf, Co-Director of the Centre, is the Council’s contact-person in relation to this submission.
This submission follows the structure of the APEC draft Principles, Version 9 (Consultation Draft 27/2/04), and the changes of the 30 March version, indicating the most significant deficiencies (if any) of each Principle or definition, and proposing improvements where needed. Articles containing more detailed criticisms of some aspects of the APEC processes may be found on the Council’s web site.
Individual Council members may have additional criticisms of the draft APEC Privacy Principles, or criticisms that they would make in stronger terms than in this submission, and this submission should not be read as implying that all Charter Council members are satisfied with the draft except for the criticisms contained herein.
For example, some Charter Council members support an additional 'social justification principle' which would further limit the collection of personal information for socially unacceptable purposes, and others support such requirements being subject to independent audits. Similarly, many Charter Council members also support an additional Principle which would allow individuals to object to processing of their personal data unless it is legally required, particularly if the processing is commercially motivated, as is found in some European laws.
Such considerations reinforce that the APEC Privacy Principles must only be considered to be a bare minimum set of information privacy principles, because they are certainly nothing more than that.
In this submission, we have not attempted to include numerous stronger privacy principles which might gain the support of the majority of Charter Council members, but have restricted our comments and criticisms to the minimal set of draft APEC Principles, and to the extent that they fall short of their alleged origins, the OECD Guidelines. Submissions going beyond the minimal level of protection under consideration by APEC would clearly be futile, while we hope and expect that the modest improvements suggested here will be given serious consideration.
The ten most significant of the criticisms below of the APEC draft, even as a set of minimum principles, are as follows:
The elements of the APEC draft are now discussed in the order they appear. Recommended improvements follow each item discussed and are boxed. A consolidated list of recommendations is at the end.
The Preamble should be strengthened in the following ways:
The Preamble presents these guidelines as only directed at businesses in member economies, whereas the Principles are equally applicable to governments and their obligations to protect privacy in relation to government activities.
• The Preamble should be amended so that it is equally applicable to governments and their obligations to protect privacy in relation to government activities.
The Preamble does not reflect the fact that governments will have to take actions to implement it, and that self-regulation will be insufficient.
• The Preamble should be amended to reflect that the Principles will also constitute recommendations to governments in APEC economies to take action to ensure protection of privacy (once the implementation aspects are finalised).
The Preamble speaks of ‘ensuring’ free flow of information but only of ‘encouraging’ privacy protection. Similarly, the final points in the Preamble refer to free flow of information as ‘essential’, but do not accord this status to privacy protection. These examples of terminology mean that the Preamble is not even-handed (and would bias the guidelines against privacy protection).
• The Preamble should be changed to refer to ‘ensuring’ privacy protection and that privacy protection is ‘essential’.
The Preamble stresses the economic benefits of protection of privacy, but fails to give adequate recognition to the protection of privacy as an essential aspect of human rights.
• The Preamble should be amended, preferably throughout but at least in its final list of matters recognised as of importance, by referring to how the guidelines reflect the following instruments which are common to most (perhaps all) APEC economies:
• the right of privacy in Article 12 of the Universal Declaration of Human Rights 1948
• the right of privacy in Article 17 of the International Covenant on Civil and Political Rights 1966
• The Preamble should be amended to state that these guidelines represent only a minimum standard of recommended privacy protection in APEC domestic economies, and that individual economies may choose to have higher domestic standards.
This would at least recognise that most of the existing privacy laws in APEC member economies already meet a higher standard than these guidelines.
• The Preamble should also state that prohibitions on the export of personal data may be legitimate limitations on the free flow of personal information, as is the case with the OECD Guidelines.
The circumstances in which these guidelines will recognise legitimate restrictions on free flow of personal information are presumably to be set out in the implementation measures, but the Preamble should at least recognise the general concept, otherwise its references to free flow of information being ‘essential’ are misleading.
This is uncontentious.
*[Square brackets around an item means it is not yet finally included in the APEC draft but still under discussion.]
The exception of agents from primary liability to comply may be acceptable as they are only excluded when acting as agents (so the principal will remain liable). The exclusion of ‘domestic’ activities is common and acceptable. In general, this definition is uncontentious.
The most important thing about this definition is that it does not constitute a general exception from the Principles of publicly available information. It only applies as an exception to the Choice Principle (5) in relation to collection, and as an exception to the requirement of notice where not appropriate. These make the definition of minimal effect. If it was a more general exception (eg applying to use and disclosure) it would be dangerous as it is ill-drafted and over-broad.
Recommendation: The scope of application of the exception for publicly available information should not be expanded in any way.
Exceptions are impliedly left to be matters of national decision. The general principles set out here presumably are intended to indicate when national exceptions may still be regarded as ‘within the Principles’.
APEC therefore accepts any ‘national exceptions’, which are not exhaustively categorised but left open-ended, and specifically ‘including those relating to national sovereignty, national security, public safety, and public policy’.
Recommendation: The acceptable categories of national exceptions should be specified, even though it is recognised that the latitude for interpretation of each category will be considerable, reflecting the variety of APEC economies.
The controls on any particular national exceptions are only that they must be ‘limited’ (this means nothing) and proportional to the stated objectives (this could mean something if EU jurisprudence is any indication), and either (i) ‘made known to the public’ or (ii) ‘in accordance with law’.
This last ‘or’ is clearly wrong and should say ‘and’: at present it opens the prospect of a law authorizing the making of secret exemptions to any of the Principles if a law allows this (not just secrecy in the application of an exemption, as may occur in various forms of surveillance). OECD required all exceptions to be ‘made known to the public’.
The "or" between (b)(i) and (b)(ii) in the exceptions paragraph would also have the absurd effect that if an exception met (a), i.e. was limited and proportional etc., and (b)(i), i.e. was made known to the public, it would not need to be in accordance with law (b)(ii).
Recommendation: The controls on exceptions should be altered by deletion of ‘or’, to state ‘made known to the public and in accordance with law’.
It is not clear that these limits on exceptions (weak though they are) also apply to those exceptions already included in the Principles (eg to Principle 8 Access and Correction). They should apply.
Recommendation: The limits on exceptions should apply to all exceptions to the Principles, including those to Principle 8 Access and Correction.
While the sentiment behind this may seem unexceptional, it is better to place a 'prevention of harm' principle in the part dealing with implementation and remedies, where it can be used to ration access to remedial processes (as in New Zealand) or to lessen compliance burdens where harm is less likely. Alternatively, it could go in the Preamble.
To elevate this to a Principle on a par with the other privacy Principles makes it easier to allow wholesale exemptions from the law like Australia's 'small business' exemption or to argue that there is no need for any uniform privacy laws at all but only for laws in sectors which pose some special danger (as in the USA).
Limitation to prevention of harm is also dangerous if ‘harm’ means only loss or damage, as it should also cover distress, humiliation etc. It is also arguable that there should be a right to privacy in some situations independent of any harm. One such area is the public disclosure of private facts.
Recommendation: Principle 1 should either be moved to the implementation provisions or moved to the Preamble.
While entitled ‘Notice’ and specifying that purposes of collection and other matters must be disclosed, Principle 2 only requires that this be done by ‘clear and easily accessible statements’, and does not state that it should be by notices given to individuals. This weakness was reinforced by the Explanatory Memorandum [for Version 8] comment that ‘one method of compliance … is for personal information controllers to post it on their website’ [Version 9 EM not yet available]. Such notices are one of the important privacy protections for individuals, and one of the strongest inhibitors on organisations against use for unacceptable purposes.
It does now state that notice should be provided ‘before or at the time of collection’ if ‘reasonably practicable’.
The OECD has no explicit requirement that notice of purpose of collection must be given to the individual at or before the time of collection, although most national legislation in the Asia-Pacific has such a requirement.
Recommendation: Principle 2 should be amended to state that ‘wherever practicable such information should be given to the individual from whom information is collected either before or at the time of collection’.
No objective limits on purpose of collection: The OECD principles only say 'there should be limits on the collection of personal information', failing to define those limits by any objective standard (eg the functions of the collecting organisation). National legislation often includes this improvement (eg Hong Kong). Nor do they include any form of ‘purpose justification principle’. APEC Principle 3 reflects these weaknesses and only limits collection by ‘relevance’ to the organisation’s self-defined purposes of collection.
No lawful purpose requirement: There is no requirement that the information be collected for a lawful purpose (as is common in national laws), only that the means of collection be lawful.
No minimal collection requirement: There is no requirement that only the minimum information be collected (relative to purpose).
Recommendation: Principle 3 should be amended to state that ‘The collection of personal information should be limited to the collection of information relevant to the lawful purposes of the personal information controller and to the minimum information relevant to the purposes of collection …’
A more desirable change would be for the ‘lawful purposes’ to be changed to ‘legitimate purposes’.
APEC has adopted the weakest possible test of allowable secondary uses, that it only need be for ‘compatible’ purposes (whatever that means), or for ‘related’ purposes. Previous consideration of ‘directly related’ purposes (as found in some national legislation) has now been dropped. This adopts a version of the OECD test of secondary uses being allowed if they are 'not incompatible' with the purpose of collection. A further control on secondary uses which has been adopted in some APEC economies and helps to give more precise control is ‘the reasonable expectations of the person from whom the information is collected’.
Recommendation: Principle 4 should be amended to state ‘and other directly related purposes within the reasonable expectations of the person from whom the information is collected’.
APEC Principle 4 (b) authorizes use of recorded personal information “when necessary to provide a service or product requested by the individual”. This could be understood to mean, for example, that a psychiatrist’s case notes on a credit applicant could be required for credit screening, to give assurance that the applicant’s symptoms or state of mind won’t prevent him or her from paying. The fact that personal information might be useful in helping someone to decide whether to enter into a transaction with that person can’t be sufficient grounds for releasing such information.
Recommendation: Principle 4(b) should contain the added words ‘but this does not include deciding whether to provide the product or service’.
‘Choice’ has been elevated to a separate Principle, an approach not taken in any previous international instruments. This may be interpreted to imply that individual consent can always override any other Principle, though this is not expressly stated. ‘Choice’ or consent is not limited to express or explicit consent, and may be interpreted to include forms of alleged implied consent, such as failure to opt out. There are no limitations on whether inducements or threats of consequences may vitiate alleged ‘choice’.
By elevating ‘choice’ to a Principle, the commodification of privacy is facilitated.
Recommendation: Principle 5 should be deleted or moved to the Preamble.
This Principle is uncontentious, except that it does not include any deletion requirement (OECD did not include this either).
This Principle is uncontentious, but would be improved by addition of words such as ‘… proportional to the likelihood and severity of the risk’.
Recommendation: Security safeguards should be limited to those proportional to the likelihood and severity of the risk.
Rights of individual access and correction have been made much more explicit than the OECD formulation.
An exception to access and correction where ‘the burden or expense of doing so would be unreasonable or disproportionate to the risks to the individual’s privacy’ could be used to exclude access to a person’s record where the risks to privacy were low, but the costs of providing access are also low. Access costs should be internalised by businesses in such cases.
Recommendation: The exception to Principle 8 where ‘the burden or expense of doing so would be unreasonable or disproportionate to the risks to the individual’s privacy’ should be amended to where ‘the burden or expense of doing so would be unreasonably high and disproportionate and the risks to the individual’s privacy are low’.
There is still under consideration an exemption where ‘the information should not be disclosed for legal, security [or commercial proprietary] reasons' (V9), now altered to '[or to protect confidential commercial information]'. This is little improvement over the previous version... These blanket exemptions from access are very vague and clearly open to abuse, particularly because it is unclear whether any considerations of proportionality apply (see earlier).
Recommendation: The proposed exception to Principle 8 for commercial proprietary reasons should be deleted.
Limits on access should not dictate limits on correction, as the danger of incorrect information is greater where access is prevented. Third-party correction is needed to resolve this.
Recommendation: Principle 8 should state that where an exception to access applies, the right of correction still applies but shall be exercised through an appropriate third party.
The accepted Principle is uncontentious, except for one point. The proposed US addition (now accepted) which imposes a due diligence requirement on those disclosing personal information to others might be acceptable, but not if it is intended to be a substitute for a Data Export Limitation principle (see below).
Recommendation: The ‘due diligence’ addition to Principle 9 must not be a substitute for a Data Export Limitation principle.
The US was proposing a 'Maximising the Benefits of Privacy Protection' Principle which could elevate 'free flow of information' to a Privacy Principle with the same status as the other Principles. This is wrong as the Principles are already framed as a minimum set of privacy protections which do not in themselves unduly interfere with the free flow of personal information. The inclusion of this Principle would create the danger of more exceptions being created to facilitate free flow of information.
This has been objected to by all other APEC participants on the grounds that it is only appropriate in the Preamble, and has been dropped, at least for the time being...
Recommendation: Proposed ‘Maximising benefits’ Principle should not be reinstated.
The OECD Purpose Specification Principle that the purposes of collection 'should be specified not later than at the time of data collection' is not explicitly included but could be regarded as partly implied by the requirement that Notice (which includes notice of purpose) be given before collection wherever practicable.
Recommendation: A Purpose Specification Principle similar to that adopted by the OECD should be added.
The OECD ‘Openness Principle’, a broad ‘political’ limitation which allowed any person to obtain details about the existence and purpose of personal data systems (whether or not they were included in those systems) has been dropped by APEC. It is not encompassed by either the APEC Notice principle or the right of individual access.
Recommendation: An Openness Principle similar to that adopted by the OECD should be added.
OECD specifically allows (but does not require) data export limitations under some circumstances. This has not been dealt with yet by APEC, but might possibly be dealt with when it considers implementation measures. It should be included, as it is essential to a balance being reached between privacy and free flow of personal information.
Recommendation: A Data Export Limitation Principle similar to that adopted by the OECD should be added.
Like the OECD, APEC does not include any principles dealing explicitly with identifiers, automated processing, or deletion of data.
Some examples of higher standards not included, in the sense that they are found in at least two regional privacy laws, are as follows:
Recommendation: A Deletion Principle should be added.
1. The Preamble should be strengthened in the following ways:
2. The scope of application of the exception for publicly available information should not be expanded in any way.
3. The acceptable categories of national exceptions should be specified, even though it is recognised that the latitude for interpretation of each category will be considerable, reflecting the variety of APEC economies.
4. The controls on exceptions should be altered by deletion of ‘or’, to state ‘made known to the public and in accordance with law’.
5. The limits on exceptions should apply to all exceptions to the Principles, including those to Principle 8 Access and Correction.
6. Principle 1 should either be moved to the implementation provisions or moved to the Preamble.
7. Principle 2 should be amended to state that ‘wherever practicable such information should be given to the individual from whom information is collected either before or at the time of collection’.
8. Principle 3 should be amended to state that ‘The collection of personal information should be limited to the collection of information relevant to the lawful purposes of the personal information controller and to the minimum information relevant to the purposes of collection …’
9. Principle 4 should be amended to state ‘and other directly related purposes within the reasonable expectations of the person from whom the information is collected’.
10. Principle 4(b) should contain the added words ‘but this does not include deciding whether to provide the product or service’.
11. Principle 5 should be deleted or moved to the Preamble.
12. Security safeguards should be limited to those proportional to the likelihood and severity of the risk.
13. The exception to Principle 8 where ‘the burden or expense of doing so would be unreasonable or disproportionate to the risks to the individual’s privacy’ should be amended to where ‘the burden or expense of doing so would be unreasonably high and disproportionate and the risks to the individual’s privacy are low’.
14. The proposed exception to Principle 8 for commercial proprietary reasons should be deleted.
15. Principle 8 should state that where an exception to access applies, the right of correction still applies but shall be exercised through an appropriate third party.
16. The proposed US addition to Principle 9 must not be a substitute for a Data Export Limitation principle.
17. Proposed Principle 10 should not be reinstated.
18. A Purpose Specification Principle similar to that adopted by the OECD should be added.
19. An Openness Principle similar to that adopted by the OECD should be added.
20. A Data Export Limitation Principle similar to that adopted by the OECD should be added.
21. A Deletion Principle should be added.