APEC Privacy Principles Version 2 -
Not quite so Lite, and NZ wants OECD full strength

Graham Greenleaf University of New South Wales June 2003

[To be published in [2003] 10 Privacy Law & Policy Reporter 3 Please check <http://www.cyberlawCentre.org/appcc/> for further versions and developments ]

• Some improvements to the Principles
• Additional Principles under consideration
• Other OECD Parts under consideration
• The Asia-Pacific Telecommunity privacy Guidelines
• Other regional inputs
• APEC Privacy Principles, Chairs draft Version 2 (May 2003)

The APEC privacy initiative, explained and criticised in an earlier article as 'OECD Lite', has reached the next stage in its development with the release of the Chair of the Working Group's draft version 2 of the Principles, and a set of issues for discussion (11 'Proposals')^[1] which member economies have put forward for discussion at the APEC E-Commerce Steering Group (ECSG) Privacy Sub Group's next meeting in August.

Version 2 of the Principles, reproduced below, has now discarded the alternative versions in Version 1 and the Chair (Mr Peter Ford, Australia) has settled on one version in light of the comments received. The overall effect is to strengthen the Principles. The Committee Chair has stated that it is not his intention to weaken the OECD Principles in any way^[2].

Of the four criticism of proposed weakening of the OECD Principles in my previous article, Version 2 has now reverted to the original, stronger, version:

• APEC IPP 2 no longer refers to 'collections of personal information', but reverts to the use of 'personal data' throughout.
  
• The vital control that the purposes of collection 'should be specified not later than at the time of data collection' has been reinstated in APEC IPP 3 (in slightly different words from the OECD).
  
• The OECD concept of 'data controller' has been reinstated, broadening the parties who are held responsible for breaches of IPPs.

The OECD right to 'challenge data' (IPP 7) is still replaced by the somewhat narrower APEC version of 'challenge the accuracy of records'.

The New Zealand government's suggestions^[3] have also been influential in strengthening the re-draft, in at least the following respects:

• The OECD version, rather than the Chair's version, has been retained in APEC IPP 1 (collection) and IPP 2 (data quality).
  
• APEC IPP 3 (purpose specification), while it retains elements of the Chair's redraft, now includes the strengthening recommended by NZ, that secondary uses must be 'directly related' to the purpose of collection, not just not 'inconsistent'.
  
• The reinstatement of 'data controller' fixes other problems identified by NZ.

A remaining weakness which has not been remedied despite NZ pointing it out is that APEC IPP 4 still uses the expression 'person whose information is collected', which could potentially raise unnecessary questions about ownership of data. Since the expression has now been replaced elsewhere with 'data subject' in Version 2, the position is even worse now, as the inconsistency suggests a difference in meaning.

Other deficiencies identified in my previous article which have now been addressed are:

• There is now a requirement of notice at the time of collection.
  
• The weak test of secondary uses being 'not incompatible' with the purpose of collection has been abandoned (see below).

However, the deficiency remains (as noted in the previous article) that the 'limits' to be placed on the scope of collection of personal information are not defined by any objective standard in APEC IPP 1. This is contrary to most privacy laws in this region which at least include limits such as necessity for one of the purposes or functions of the organisation, and for a lawful purpose.

The Chair has also raised the question of whether the Principles should be 'limited to electronic data', but Proposal 1 (by NZ) under discussion proposes to delete this even as a possibility by strengthening the OECD Guidelines (which left this as an option) on this point.

Additional Principles under consideration

New Zealand has suggested a new principle limiting data retention:

Limited retention principle (or retention principle)

When [information/data] no longer [serves/serve] a purpose as specified in paragraph 9 (purpose specification principle), or [is/are] needed for use as allowed for in paragraph 10 (use limitation principle), [it/they] should be destroyed or given an anonymous form.

Australia, apparently adopting a suggestion by its Privacy Commissioner, has suggested the inclusion of the Anonymity Principle as found in Australia's private sector (and some State public sector) National Privacy Principles.

Anonymity

Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.

Both of these would be considerable improvements, but are not the only 'new' (post-1981) Principles needing consideration.

A main element of my previous criticisms of Version 1 of the APEC initiative was that it abandoned all the parts of the OECD Guidelines except the Principles in Part 2: it was indeed 'OECD Lite'. There are now a number of 'Proposals' under consideration by the APEC committee that will remedy this if adopted. The previous article summarises why these other Parts are important.

Proposal 1 (NZ) essentially adopts the important aspects of scope and definitions of Part 1 of the OECD Guidelines. The Chair proposes to defer this (Proposal 2) until the text of the Principles is settled.

NZ also proposes (Proposal 5) the adoption of something 'quite like' OECD Part 4 ('National Implementation'), which emphasises the need for legislation, means of exercising rights, and 'adequate sanctions and remedies'. As New Zealand points out in its submission, 'the e-APEC strategy states that the economies should implement comprehensive personal data protection laws.' The Chair, however, wishes to redraft Part 4 'to avoid prescriptive language on means of national implementation' (Proposal 6). Mr Ford does not specify which aspects of Part 4 he wishes to water down.

Proposal 3 (NZ again) adopts the equivalents of Part 3 ('Free flow and legitimate restrictions') and Part 5 ('International Co-operation) of the OECD Guidelines. The Chair proposes to defer consideration of Part 3 (Proposal 4) until decisions on implementation mechanisms are adopted, but would like to adopt Part 5 forthwith (Proposal 7). No doubt the Chair also wishes to avoid anything prescriptive about data export limitations, given the 'self-certification' approach of Version 1 (see previous article).

There are therefore some differences apparent within the APEC committee, between those who want to at least stick to what the OECD Guidelines require in relation to implementation, and those who wish the APEC version to be watered down concerning implementation (including data exports). The committee is comprised of Australia (chair), Canada, China, Hong Kong, Japan, Korea, Malaysia, New Zealand, Thailand and the United States. The views of members other than Australia and New Zealand are not known to the author.

A wild-card entry into these developments may be the separate set of regional privacy Guidelines being developed by the Asia-Pacific Telecommunity (APT), chaired by Korea, a country with a strong privacy law (see (2003) 9 PLPR 172). APT is a regional telecommunications organization established in 1979 under an inter-governmental agreement and responsible for the development of telecommunications services in the Asia-Pacific Region. In accordance with the request made at the 22nd Asia-Pacific Telecommunity (APT) Study Group Meeting, the Korea Information Security Agency (KISA) is drafting the APT privacy guidelines.

According to the most recent Status Report,^[4] 'the prime objective of the APT guidelines is to help APT member countries to enact laws or make policies on personal data protection'. The approach to development of the Guidelines is:

'Certainly, the OECD privacy guidelines and EU Directives will be considered in outlining the APT privacy guidelines. Nonetheless, the APT privacy guidelines will be written on the basis of the diverse characteristics of APT member countries cultures and economies.'

To complicate regional matters even further, APT a expects to consult a Working Group to be organized within the Asia Privacy Forum, an international body composed of major Asian countries (see (2003) 9 PLPR 200 for details) but excluding APEC countries like Australia, New Zealand, Canada, USA, Mexico etc.

KISA intended that a first draft of the APT guidelines would be circulated in May 2003, with the final draft presented to the 23rd APT Study Group Meeting to be held in Maldives in July 2003. No further information is yet available on the ATP website^[5]. If final APT Guidelines are available so soon, APEC will not be working with a clean slate in the region.

Meanwhile, regional non-government privacy experts have formed the Asia-Pacific Privacy Charter Council (APPCC) to help provide 'civil society' input into APEC, APT and other regional and national privacy deliberations (see accompanying story).

Whether the Asia-Pacific privacy Commissioners will also provide any collective input into these processes, analogous to the 'Article 29 Committee' of European privacy Commissioners that has been so outspoken and effective, remains to be seen. There is no evidence of it at this stage.

[ This is a draft by Mr Peter Ford, the Chair of the Privacy Sub Group, APEC ECSG. He states that this version builds on the language of version 1 by taking account of comments received up until 20 May 2003.]

There should be limits to the collection of personal data and any such information should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

[Note: The term data has been used instead of information for two reasons it is easier to work with when terms such as data subject are employed and it appears to be more generally accepted in an international context. It will require definition (see Issues).]

Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

3.1 Organisations should tell people whose data they collect what they intend to do with the data collected not later than at the time they collect the data.

3.2 Personal data shall not, without the consent of the data subject, be used for any purpose other than -

(a) the purpose for which the data were to be used at the time of collection of the data; or

(b) a purpose directly related to the purpose referred to in paragraph (a).

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Principle 3 except:

a) with the consent of the person whose information is collected; or

b) by the authority of law.

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

There should be a general policy of openness about developments, practices and policies with respect to personal data.

Means should be readily available of establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller.

An individual should have the right:

a) to obtain from a data controller confirmation of whether or not the data controller has data relating to him or her;

b) to have communicated to him or her, data relating to him or her

• within a reasonable time;
• at a charge, if any, that is not excessive;
• in a reasonable manner; and
• in a form that is readily intelligible to him or her;

c) to be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and) to challenge the accuracy of records relating to him or her and, if the challenge is successful, to have the records erased, rectified, completed or amended.

A data controller should be accountable for complying with measures which give effect to the principles stated above.

 

^[1] A copy of the full Version 2 is available at <http://www.cyberlawcentre.org/appcc/apec_redraft_v2.htm>

^[2] Personal communication.

^[3] A copy has been obtained by the author under New Zealand's Official Information Act 1982.

^[4] Status Report on Drafting the Asia-Pacific Telecommunity (APT) Privacy Guidelines submitted by Korea to the APEC Data Privacy Workshop (Panel IV), Chiang Rai, Thailand, 13 February 2003; available at < http://www.apecsec.org.sg/ > in the directory Publications / Publications and Library/ E-Commerce.

^[5] < http://www.aptsec.org >