APEC_V9_critique100.jpg
Criticisms of the APEC Privacy Principles (Version 9), and recommendations for improvements

Graham Greenleaf
Professor of Law, University of New South Wales
Co-Director, Baker & McKenzie Cyberspace Law and Policy Centre
19 March 2004 (Prepared for publication and for consideration by the Australian Privacy Foundation (APF) and by the Asia-Pacific Privacy Charter Council (APPCC))
This document follows the structure of the APEC draft Principles, Version 9 (Consultation Draft 27/2/04), indicating the most significant deficiencies (if any) of each Principle or definition, and proposing improvements where needed.
Some of the comments below follow those put forward in my article on Version 8, "The APEC privacy initiative: 'OECD Lite' for the Asia-Pacific?" (February 2004), which also contains more background information about the APEC privacy processes..

Summary of criticisms

The ten most significant of the criticisms below of the APEC draft, even as a set of minimum principles, are as follows:
In summary, the APEC Principles do not even meet the 20 year old OECD standard, whereas they should include some significant strengthening where OECD is now too weak. The APEC draft is inadequate as a set of privacy principles for Asia-Pacific countries.

Recommendations for improvements

The elements of the APEC draft are now discussed in the order they appear. Recommended improvements follow each item discussed and are underlined. A consolidated list of recommendations is at the end.

PART I. PREAMBLE

The Preamble should be strengthened in the following ways:
The Preamble presents these guidelines as only directed at businesses in member economies, whereas the Principles are equally applicable to governments and their obligations to protect privacy in relation to government activities.
The Preamble does not reflect the fact that governments will have to take actions to implement it, and that self-regulation will be insufficient.
The Preamble speaks of ‘ensuring’ free flow of information but only of ‘encouraging’ privacy protection. Similarly, the final points in the Preamble refer to free flow of information as ‘essential’, but do not accord this status to privacy protection. The examples of terminology mean that the Preamble is not even-handed (and would bias the guidelines against privacy protection).
The Preamble stresses the economic benefits of protection of privacy, but fails to give adequate recognition to the protection of privacy as an essential aspect of human rights.
This would at least recognise that most of the existing privacy laws in APEC member economies already meet a higher standard than these guidelines.
The circumstances in which these guidelines will recognise legitimate restrictions on free flow of personal information are presumably to be set out in the implementation measures, but the Preamble should at least recognise the general concept, otherwise its references to free flow of information being ‘essential’ are misleading.

PART II. SCOPE
Definitions
personal information

This is uncontentious.

[personal information controller]

[Square brackets around an item means it is not yet finally included in the APEC draft but still under discussion.] The exception of agents from primary liability to comply may be acceptable as they are only excluded when acting as agents (so the principal will remain liable). The exclusion of ‘domestic’ activities is common and acceptable. In general, this definition is uncontentious.

publicly available information

The most important thing about this definition is that it does not constitute a general exception from the Principles of publicly available information. It only applies as an exception to the Choice Principle (5) in relation to collection,, and as an exception to the requirement of notice where not appropriate. These make the definition of minimal effect. If it was a more general exception (eg applying to use and disclosure) it would be dangerous as it is ill-drafted and over-broad.
Recommendation: The scope of application of the exception for publicly available information should not be expanded in any way.

Application [Exceptions]

Exceptions are impliedly left to be matters of national decision. The general principles set out here presumably are intended to indicate when national exceptions may still be regarded as ‘within the Principles’.
APEC therefore accepts any ‘national exceptions’, which are not exhaustively categorised but left open-ended, and specifically ‘including those relating to national sovereignty, national security, public safety, and public policy’.
Recommendation: The acceptable categories of national exceptions should be specified, even though it is recognised that the latitude for interpretation of each category will be considerable, reflecting the variety of APEC economies.
The controls on any particular national exceptions are only that they must be ‘limited’ (this means nothing) and proportional to the stated objectives (this could mean something if EU jurisprudence is any indication) , and either (i) ‘made known to the public’ or (ii) ‘in accordance with law’. This last ‘or’ is clearly wrong and should say ‘and”: at present it opening the prospect of a law authorizing the making of secret exemptions to any of the Principles if a law allows this (not just secrecy in the application of an exemption, as may occur in various forms of surveillance). OECD required all exceptions to be ‘made known to the public’.
Recommendation: The controls on exceptions should be altered by deletion of ‘or’, to state ‘made known to the public and in accordance with law’.
It is not clear that these limits on exceptions (weak though they are) also apply to those exceptions already included in the Principles (eg to Principle 8 Access and Correction). They should apply.
Recommendation: The limits on exceptions should apply to all exceptions to the Principles, including those to Principle 8 Access and Correction.

PART III. APEC INFORMATION PRIVACY PRINCIPLES
1. Preventing Harm

While the sentiment behind this may seem unexceptional, it is better to place a 'prevention of harm' principle in the part dealing with implementation and remedies, where it can be used to ration access to remedial processes (as in New Zealand) or to lessen compliance burdens where harm is less likely. Alternatively, it could go in the Preamble.
To elevate this to a Principle on a par with the other privacy Principles makes it easier to allow wholesale exemptions from the law like Australia's 'small business' exemption or to argue that there is no need for any uniform privacy laws at all but only for laws in sectors which pose some special danger ( as in the USA).
Recommendation: Principle 1 should either be moved to the implementation provisions or moved to the Preamble.

2. Notice

While entitled ‘Notice’ and specifying that purposes of collection and other matters must be disclosed, Principle 2 only requires that this be done by ‘clear and easily accessible statements’, and does not state that it should be by notices given to individuals. This weakness was reinforced by the Explanatory Memorandum [for Version 8] comment that ‘one method of compliance ... is for personal information controllers to post it on their website’[Version 9 EM not yet available]. Such notices are one of the important privacy protections for individuals, and one of the strongest inhibitors on organisations against use for unacceptable purposes.
It does now state that notice should be provided ‘before or at the time of collection’ if ‘reasonably practicable.
The OECD has no explicit requirement that notice of purpose of collection must be given to the individual at or before the time of collection, although most national legislation in the Asia-Pacific has such a requirement.
Recommendation: Principle 2 should be amended to state that ‘wherever practicable such information should be given to the individual from whom information is collected either before or at the time of collection’.

3. Collection limitation

No objective limits on purpose of collection The OECD principles only say 'there should be limits on the collection of personal information', failing to define those limits by any objective standard (eg the functions of the collecting organisation). National legislation often includes this improvement (eg Hong Kong). Nor do they include any form of ‘purpose justification principle’. APEC Principle 3 reflects these weaknesses and only limits collection by ‘relevance’ to the organisation’s self-defined purposes of collection.
No lawful purpose requirement There is no requirement that the information be collected for a lawful purpose (as is common in national laws), only that the means of collection be lawful.
No minimal collection requirement There is no requirement that only the minimum information be collected ( relative to purpose).
Recommendation: Principle 3 should be amended to state that ‘The collection of personal information should be limited to the collection of information relevant to the lawful purposes of the personal information controller and to the minimum information relevant to the purposes of collection ...’

4. Uses of personal information

APEC has adopted the weakest possible test of allowable secondary uses, that it only need be for ‘compatible’ purposes (whatever that means). The only alternative still under consideration is that it should be for ‘related’ purposes, previous consideration of ‘directly related’ purposes (as found in some national legislation) now being dropped. This adopts a version of the OECD test of secondary uses being allowed if they are 'not incompatible' with the purpose of collection. A further control on secondary uses which has been adopted in some APEC economies and helps to give more precise control is ‘the reasonable expectations of the person from whom the information is collected’.
Recommendation: Principle 4 should be amended to state ‘and other directly related purposes within the reasonable expectations of the person from whom the information is collected’.

5. Choice

‘Choice’ has been elevated to a separate Principle, an approach not taken in any previous international instruments. This may be interpreted to imply that individual consent can always override any other Principle, though this is not expressly stated. ‘Choice’ or consent is not limited to express or explicit consent, and may be interpreted to include forms of alleged implied consent, such as failure to opt out. There are no limitations on whether inducements or threats of consequences may vitiate alleged ‘choice’.
By elevating ‘choice’ to a Principle, the commodification of privacy is facilitated.
Recommendation: Principle 5 should be deleted or moved to the Preamble.

6. Integrity of Personal Information

This Principle is uncontentious, except that it does not include any deletion requirement (OECD did not include this either).

7. Security Safeguards

This Principle is uncontentious.

8. Access and Correction

Rights of individual access and correction have been made much more explicit than the OECD formulation
An exception to access and correction where ‘the burden or expense of doing so would be unreasonable or disproportionate to the risks to the individual’s privacy’ could be used to exclude access to a person’s record where the risks to privacy were low, but the costs of providing access are also low. Access costs should be internalised by businesses in such cases.
Recommendation: The exception to Principle 8 where ‘the burden or expense of doing so would be unreasonable or disproportionate to the risks to the individual’s privacy’ should be amended to where ‘the burden or expense of doing so would be unreasonably high and disproportionate and the risks to the individual’s privacy are low’.
There is still under consideration an exemption where ‘the information should not be disclosed for legal, security [or commercial proprietary] reasons'. These blanket exemptions from access are very vague and clearly open to abuse, particularly because it us unclear whether any considerations of proportionality apply (see earlier).
Recommendation: The proposed exception to Principle 8 for commercial proprietary reasons should be deleted.
Limits on access should not dictate limits on correction, as the danger of incorrect information is greater where access is prevented. Third-party correction is needed to resolve this.
Recommendation: Principle 8 should state that where an exception to access applies, the right of correction still applies but shall be exercised through an appropriate third party.

9. Accountability

The accepted Principle is uncontentious.
The proposed US addition (not yet accepted) which imposes a due diligence requirement on those disclosing personal information to others might be acceptable, but not if it is intended to be a substitute for a Data Export Limitation principle (see below).
Recommendation: The proposed US addition to Principle 9 must not be a substitute for a Data Export Limitation principle.

[10. Maximizing Benefits]

The US is proposing a 'Maximising the Benefits of Privacy Protection' Principle which could elevate 'free flow of information' to a Privacy Principle with the same status as the other Principles. This is wrong as the Principles are already framed as a minimum set of privacy protections which do not in themselves unduly interfere with the free flow of personal information. The inclusion of this Principle would create the danger of more exceptions being created to facilitate free flow of information.
It has been objected to by other all other APEC participants on the grounds that it is only appropriate in the Preamble.
Recommendation: Proposed Principle 10 should not be adopted.

Missing OECD Principles

Purpose Specification The OECD Purpose Specification Principle that the purposes of collection 'should be specified not later than at the time of data collection' is not explicitly included but could be regarded as partly implied by the requirement that Notice (which includes notice of purpose) be given before collection wherever practicable.
Recommendation: A Purpose Specification Principle similar to that adopted by the OECD should be added.
Openness The OECD ‘Openness Principle’, a broad ‘political’ limitation which allowed any person to obtain details about the existence and purpose of personal data systems (whether or not they were included in those systems) has been dropped by APEC. It is not encompassed by either the APEC Notice principle or the right of individual access.
Recommendation: An Openness Principle similar to that adopted by the OECD should be added.
Data export limitation OECD specifically allows (but does not require) data export limitations under some circumstances. This has not been dealt with yet by APEC, but might possibly be dealt with when it considers implementation measures. It should be included, as it is essential to a balance being reached between privacy and free flow of personal information.
Recommendation: A Data Export Limitation Principle similar to that adopted by the OECD should be added.

Other common missing principles

Like the OECD, APEC does not include any principles dealing explicitly with identifiers, automated processing, or deletion of data.
Some examples of higher standards not included, in the sense that they are found in at least two regional privacy laws, are as follows:
Recommendation: A Deletion Principle should be added..

Consolidated list of recommendations

The Preamble should be strengthened in the following ways:
Recommendation: The scope of application of the exception for publicly available information should not be expanded in any way.
Recommendation: The acceptable categories of national exceptions should be specified, even though it is recognised that the latitude for interpretation of each category will be considerable, reflecting the variety of APEC economies.
Recommendation: The controls on exceptions should be altered by deletion of ‘or’, to state ‘made known to the public and in accordance with law’.
Recommendation: The limits on exceptions should apply to all exceptions to the Principles, including those to Principle 8 Access and Correction.
Recommendation: Principle 1 should either be moved to the implementation provisions or moved to the Preamble.
Recommendation: Principle 2 should be amended to state that ‘wherever practicable such information should be given to the individual from whom information is collected either before or at the time of collection’.
Recommendation: Principle 3 should be amended to state that ‘The collection of personal information should be limited to the collection of information relevant to the lawful purposes of the personal information controller and to the minimum information relevant to the purposes of collection ...’
Recommendation: Principle 4 should be amended to state ‘and other directly related purposes within the reasonable expectations of the person from whom the information is collected’.
Recommendation: Principle 5 should be deleted or moved to the Preamble.
Recommendation: The exception to Principle 8 where ‘the burden or expense of doing so would be unreasonable or disproportionate to the risks to the individual’s privacy’ should be amended to where ‘the burden or expense of doing so would be unreasonably high and disproportionate and the risks to the individual’s privacy are low’.
Recommendation: The proposed exception to Principle 8 for commercial proprietary reasons should be deleted.
Recommendation: Principle 8 should state that where an exception to access applies, the right of correction still applies but shall be exercised through an appropriate third party.
Recommendation: The proposed US addition to Principle 9 must not be a substitute for a Data Export Limitation principle.
Recommendation: Proposed Principle 10 should not be adopted.
Recommendation: A Purpose Specification Principle similar to that adopted by the OECD should be added.
Recommendation: An Openness Principle similar to that adopted by the OECD should be added.
Recommendation: A Data Export Limitation Principle similar to that adopted by the OECD should be added.
Recommendation: A Deletion Principle should be added.