APEC vs APT?: The struggle for regional privacy standards

1
APEC vs APT? The struggle for regional privacy
standards
  • Graham Greenleaf
  • Terrorists Watchdogs Conference, 8 September
    2003
  • See http://www2.austlii.edu.au/graham/ for
    updates / details

2
Regional privacy standards
  • There is no global standard
  • One region (Europe) has successfully developed
    regional standards
  • Council of Europe Convention 1981
  • European privacy Directive 1995
  • The Asia-Pacific is the next most advanced region
    in privacy protection
  • Far less political and economic unity or
    uniformity
  • Starting the most important international privacy
    developments since the EU Directive.

3
Toward an Asia-Pacific standard
  • APEC's privacy initiative
  • Chaired by Australia - US / Aust. initiative
  • Asia-Pacific Telecommunity (APT)
  • Chaired by Korea
  • Asia-Pacific Privacy Charter Council
  • A civil society expert group
  • FTAA will also affect some countries
  • (Free Trade Area of the Americas)

4
APEC's privacy Principles
  • Australia chairs a working group of 10 countries
    since Feb 03
  • Starting point: OECD Guidelines (1981)
  • What's the purpose?
  • A minimum standard where compliance will
    (somehow) justify regional free flow of personal
    information
  • A standard which will encourage (minimum)
    protection in countries where there is none

5
APEC's privacy Principles - Progress or
stagnation?
  • 5 draft versions in 6 months
  • Do not yet reach OECD standards
  • Only considering very minor improvements to OECD
  • V2 strengthened V1, but V3 and V4 far weaker for
    little apparent reason
  • Serious US input coincides with V3
  • At best it offers OECD Lite.

6
APEC's OECD Lite
  • Examples of weak and outdated standards
  • Based on Chair's V4 (Aug 03) - now behind closed
    doors
  • No objective limits on information collection
    (P1)
  • No requirement of notice to the data subject at
    time of collection (P3)
  • Secondary uses allowed if not incompatible (P3)
  • OECD Parts 1, 3, 4 and 5 all missing as yet
  • Farcical national self-assessment proposed (V1)
  • Why start from a 20 year old standard?
  • Most regional countries are not members
  • Recognised as inadequate (eg Kirby J 1999)

7
The alternative: A real Asia-Pacific standard
  • Actual standards of regional privacy laws
  • Eg Korea, Canada, Hong Kong, New Zealand, Taiwan,
    Australia, Japan, Argentina
  • Principles stronger than OECD are common
  • Expert input is needed to identify this standard,
    not filtered through governments
  • Privacy Commissioners need a collective role
  • No equivalent yet to A29 Committee
  • Santiago (Feb 04) only offers input on
    implementation
  • Asia-Pacific NGO experts are developing the APPCC
  • We need to adopt and learn from 25 years' regional
    experience, not ignore it

8
Examples of high regional standards
  • Collection objectively limited to where necessary
    for functions or activities (HK, Aus, NZ - Can
    stricter)
  • Notice upon collection (Aus, NZ, HK, Kor)
  • Secondary use only for a directly related purpose
    (HK, NZ, Aus - Kor stricter)
  • Right to have recipients of corrected
    information informed (NSW, NZ)
  • Deletion after use (HK, NZ, NSW, Kor)

9
APT privacy Guidelines (draft)
  • Asia-Pacific Telecommunity (APT)
  • 32 states via Telecomms ministries (etc)
  • Guidelines on the Protection of Personal
    Information and Privacy (draft), July 2003
  • Drafting by KISA (Korea), with Asian Privacy
    Forum
  • Attempts to take a distinctive regional approach
  • Explicitly not based solely on OECD or EU (cl8)
  • Says OECD Guidelines reflect the 70s and 80s
  • Concrete implementation measures unlike OECD
  • Allows more variation between States than the EU
  • Emphasises role of government, not litigation
  • Adds new Principles in at least five areas

10
APT Guidelines - implementation
  • Legislation required; self-regulation encouraged
  • A privacy supervisory authority required
  • Supervision and complaint investigation
  • Data export limits may be reasonably required
    to protect privacy, rights and freedoms
  • free flow of information otherwise required
  • Limits on these guidelines only by legislation
    only to the extent necessary for other public
    policies
  • Common character string needed to deal with spam

11
APT Guidelines - new Principles
  • No disadvantage for exercising privacy rights
    (A5(2))
  • Notification of corrected information to 3rd
    party recipients (A6(4))
  • Openness of logic of automated processes (A7)
  • No secondary use without consent (A14(2))
  • Deletion if consent to hold is withdrawn (A16)
  • Duties on change of information controller (A19)
  • Special provision on children's information (A34)
  • Personal location information Principle (A30)
  • Unsolicited communications Principle (A31)

12
Conclusions
  • Why are APEC and APT so different?
  • Membership similar except for the USA
  • Australia's APEC initiative had a defensive and
    outdated starting point (OECD)
  • Inadequate process: no collective expert input,
    and now behind closed doors
  • OECD Guidelines were by an expert group
  • A more consultative, confident, and region-based
    APEC initiative is needed

13
Coda: APPCC contribution
  • Asia-Pacific Privacy Charter Council
  • 35 non-government privacy experts from 10
    regional countries, and growing
  • On 12/11/03, meeting to consider 1st working
    draft
  • Headings of Principles under consideration for
    Charter are over - only a first draft
  • Covers surveillance and intrusions as well as
    IPPs
  • An attempt to find a positive regional standard

14
APPCC draft - Part I - General Principles
1. Justification and proportionality
2. Consent
3. Accountability
4. Openness
5. Non-discrimination
6. Reasons for non-compliance

15
APPCC draft - Part II - Information Privacy
Principles
7. Anonymous transactions
8. Collection limitation
9. Identifier limitation
10. Information quality
11. Use and disclosure limitations
12. Export limitations
13. Access and correction
14. Retention limitation
15. Public registers
16. Information security
17. Automated decisions
18. Identity protection
19. Disclosure of private facts

16
APPCC draft - Part III - Surveillance limitation
principles
20. Surveillance justification
21. Notice of overt surveillance
22. Approval of covert surveillance
23. Accountability for covert surveillance
24. Surveillance security
25. Surveillance materials
26. Transborder surveillance

17
APPCC draft - Part IV - Intrusion limitation
principles
27. Intrusion limitation
28. Bodily privacy
29. Biometrics limitation
30. Private space
31. Communications cyberspace privacy
32. Personal location limitation
33. Unsolicited communication limitation

18
APPCC principles - Part V - Implementation and
compliance principles
34. Implementation by law
35. Sufficient implementation measures
36. Supervisory body
37. Privacy impact assessments
38. Sufficient remedies for breach
39. Obligations of information subjects
40. Independent appeal
41. Transparency of official actions
42. Individual recourse to Courts
43. International cooperation
44. Jurisdictional certainty