The Seoul Declaration for the APII[114]http://www.dca.gov.au/apec/seoul.html] states that one of the five Objectives of the APII is 'to promote free and efficient flow of information'. However, it also declared that one of the ten Core Principles of APII is 'ensuring the protection of intellectual property rights, privacy and data security'. The Seoul Declaration therefore suggests that the protection of privacy is seen as a means, or perhaps a necessary pre-condition, for the achievement of ultimate ends such as regional free flow of information. This approach, where the desirability of free flow of information, including personal information, is at least in part responsible for a recognition of the necessity for the establishment of standards of privacy protection, has characterised all international agreements which focus on privacy protection. The Joint Statement following the meeting included specific items of cooperation, but no specific privacy-related initiatives were announced.
The Declaration also instructs TEL to consider in its work `the identification of key issues that will affect consumer confidence and ability to use electronic commerce within the APEC region, in particular, issues of access, affordability, privacy and security'. This work is to be consistent with TEL's `Reference Framework for Action on Electronic Commerce'. The Reference Framework notes that `Increased consumer confidence in the reliability of networks, the security of networks and the protection of personal information, and affordability to Internet access to consumers are key to increasing their purchase of goods and services by electronic means in the region.' It states that TEL's tasks include:
TEL's website[117]http://www.apecsec.org.sg/workgroup/telecom.html] does not indicate any active projects as yet which deal with privacy and data protection issues.
Lack of such laws increases the risk that advanced use of information technology will result in overly manipulative or authoritarian use of such technology by business and governments, reducing confidence in electronic commerce and electronic delivery of government services. Abuses of information systems in North America, Europe and Australasia have been documented in many recent works[118]. Protection of human rights is the most important reason for strong privacy laws, even if facilitation of e-commerce is more likely to be the driving force. The other reason for strengthening national privacy laws is, of course, to avoid restrictions on exports of personal data from Europe as a result of the EU privacy Directive, or as a result of export restrictions in regional laws.
The reasons for developing information privacy laws in the Asia-Pacific therefore stem from at least three sources: (i) a recognition of information privacy as an aspect of human rights deserving of legal protection; (iii) the need to increase confidence in e-commerce and electronic service delivery and (ii) a desire to avoid unnecessary limitations on the international free flow of personal information.
One means of dealing with such non-tariff trade barriers is an international agreement to guarantee free flow of personal information between the States which are parties to it, provided that each State provides an agreed minimum level of privacy protection in its laws, the approach taken in the OECD Guidelines, the Council of Europe Convention, and most recently in the EU Directive.
The OECD Guidelines are not an appropriate vehicle, mainly because many Asia-Pacific countries are not OECD members, because the Guidelines do not provide any method of enforcement of the minimum standards they propose, and because the content of those standards reflects an understanding of privacy protection that is over a decade old.
Although it is theoretically possible for non-European countries to become parties to the European privacy Convention, it has not yet happened, and membership of a European agreement is not an appropriate approach to developing the building blocks of the APII/APIS. First, the content of the Convention is of the same vintage as the OECD Guidelines, and secondly it is inappropriate for the Asia-Pacific to simply adopt a European model wholesale without adapting it to regional views and conditions.
There is no mechanism by which non-EU countries can become 'parties' to the EU Directive, so it is not relevant as a vehicle for implementation. Nor is the ICCPR suitable[120], for reasons such as it is too general in its terms; it cannot be used to provide any guarantee of free flow of information; and most countries in the region have not yet acceded to the optional protocol.
First, there is an agreement between the State parties to implement in their domestic law privacy protections of a certain standard. The crucial question here is whether these standards are phrased as minimum or `required maximum' standards.
Minimum standards must be implemented in the domestic law of a State that wishes to obtain the protection of the agreement against data export prohibitions. A State is still free to impose higher standards on the processing of data within its own jurisdiction provided it does not prevent data exports to countries which only observe the lower `international' standard. The OECD Guidelines and the Council of Europe Convention are of this type.
`Required maximum' standards are required to be implemented in each State's domestic law, but may not be exceeded, subject to an allowed degree of latitude and any exceptions in the agreement. Such standards help to ensure that businesses and other organisations operating at a regional level (such as across Europe) can apply the same privacy policies in all jurisdictions. the international agreement would have to be altered in order for the standards to be raised. The EU Directive is probably of this second type[121].
An Asia-Pacific agreement should only be a minimum standards agreement, at least at its inception. There is a far greater level of homogeneity in economic conditions and in attitudes toward privacy (and individual liberties generally) in Europe than there is in the Asia-Pacific. It is quite likely that countries will have very differing views about the desirable or acceptable level of privacy protection to be provided by domestic law, and the means of achieving it. It is likely to be much less difficult to reach an agreement about the minimum level of privacy protection that should be provided in one country before another country is prevented from restricting exports of personal data to it, as countries are still free to disagree about whether a higher level of protection should be provided locally.
From a privacy advocate's perspective, requiring privacy protection to be limited to `common denominator' standards is undesirable where that denominator is likely to be low. In contrast, there will be considerable advantages for some time to come in each country in the region learning from successful privacy protection `experiments' in other countries, such as Hong Kong and Australia have already learnt from the New Zealand experience.
In addition, there would clearly have to be a reasonable degree of flexibility in the methods of protecting privacy that were recognised as contributing toward an Asia Pacific notion of `adequacy'. Many countries in the region would want to insist on a more explicit recognition of non-legislative methods of protecting privacy. Despite the risks of recognition of forms of self-regulation that give no meaningful protection to privacy, it is a regional dialogue worth starting.
A separate issue for consideration is whether there should be an agreement to prohibit the export of personal data to other (non-party) jurisdictions which do not provide the agreed minimum standard of protection. This approach, as yet found only in the EU Directive, gives a much stronger international agreement. This would not be feasible in the Asia Pacific at this stage.
However, the EU Directive and the OECD Guidelines should only be a starting point for developing a set of information privacy principles appropriate to Asia-Pacific countries. A privacy advocate might regard both sets of principles as too weak and reflecting thinking which is being overtaken by new technologies[122], but might nevertheless be willing to settle for a relatively low minimum international standard so as to encourage the spread of privacy laws in the region. Trade interests may accept a higher standard than they would regard as ideal if this will guarantee free flow of information from certain countries with high local privacy standards. The details are a matter of relatively unpredictable political negotiation.
The most desirable outcome would be for an Asia Pacific privacy agreement to include a set of standards which, while containing the best elements of the EU Directive's standards, went beyond them to include some of the new elements of privacy protection necessitated by cyberspace. There is no reason why the international development of privacy standards should be dominated by European approaches and initiatives. A set of Asia Pacific privacy principles for the 21st century would make any regional agreement a much more significant achievement.
If the content of an Asia-Pacific Convention approximated either the OECD Guidelines or the EU Directive, let alone something better, ratification would contribute toward a finding of 'adequate protection' by the EU, in light of the reference to 'international commitments' in A25(5) of the EU Directive, and the approach that is taken to the Council of Europe privacy Convention.
One related factor that needs to be borne in mind is that adoption of the Optional Protocol to the ICCPR by Asia-Pacific countries could provide a parallel mechanism by which regional States could allow an international complaints mechanism (the UN Human Rights Committee) to adjudicate on the adequacy of their privacy protections. This would allow individuals, not only States, to have privacy rights under international law, and would provide some parallel to the role of the European Court of Human Rights. However, the ICCPR seems unlikely to play a significant role in APEC's deliberations, and would only occur as an incidental development.
If a similar standard was applied for an Asia Pacific Convention to come into force, it is likely that it would take only a few years to come into force. New Zealand would be in a position to ratify immediately, irrespective of what standard was set, but few other candidates are yet clear. Canada and Australia may be in a position to ratify within a year or two. Ratification by Taiwan involves questions of international relations which have been resolved in other APEC contexts. Other countries such as Malaysia are reported to be likely to implement privacy laws in the near future.
The Council of Europe privacy Convention allows States to accede to the Convention with a `territorial clause' specifying to which of its territories the Convention will apply, and some similar flexibility may be needed in an Asia-Pacific Convention. It is possible that a federation like Canada might be able to ratify only in respect of some Provinces, such as Québec, at the outset, as might the People's Republic of China in respect of Hong Kong.
A reasonable level of privacy protection should be one of the pre-conditions for free flow of personal information in the region. The development of an APII/APIS may be retarded if consumers, businesses and government cannot use international networks with some confidence that the privacy of transferred information will be respected. Restrictions on data exports are already developing and can be expected to multiply. A Convention need only prescribe the minimum necessary standards to guarantee free flow of personal information, and therefore not have any `coercive' component. It need only be ratified by a small number of States before coming into force, yet have the capacity to act as a catalyst for both the development of privacy laws in the region, and the free flow of information necessary for the development of an Asia-Pacific Information Infrastructure.
If one or more countries in the region put forward draft proposals for such an agreement in APEC and other suitable forum, it would at least raise the awareness of privacy issues among governments in the region. If agreement on a Convention could be reached, it would be valuable even if for some years only a handful of countries (insufficient for it to come into force) had ratified it, as it would enable quick action once other countries did become interested, and would in itself increase the likelihood of that occurring. International privacy protection laws have been developing slowly in Europe since the first national data protection Acts almost 30 years ago, to the Directive coming into force. Those who are interested in its advancement in the Asia-Pacific will need to persist for some years to come, but should not give up for that reason. Developments in public international law are usually like glaciers.
[112] A version of my argument for an Asia-Pacific Privacy Convention was first presented in a paper given to a Conference held by the Federation of Korean Information Industries in Seoul, 28 June 1995, and published in (1995) 2 PLPR 127
[113] See the APEC website at for full background information
[114] Declaration for the Asia Pacific Information Infrastructure, Seoul, Korea, 29-30 May 1995 -
[115] and Press release at
[116] Examples are the APEC Sub-Committee on Customs Procedures, Expert Group on Intellectual Property Rights, Policy Level Group on SMEs, the Human Resources Development Working Group, the Transportation Working Group, the Industrial Science and Technology Working Group - see and for reports
[118] See, for example, Flaherty, D Protecting Privacy in Surveillance Societies, University of North Carolina Press, 1989; Lyon, D The Electronic Eye - The Rise of Surveillance Society, Polity Press, Cambridge, UK, 1994; Gandy, O The Panoptic Sort - A Political Economy of Personal Information, Westview Press, 1993; Davies, S Big Brother: Australia's Growing Web of Surveillance, Sydney, Simon and Schuster, 1992
119 Longworth, E and McBride, T 'A privacy code for health', (1994) 1 PLPR 181
[120] International Covenant on Civil and Political Rights (ICCPR), Article 17 of which provides: `1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour or reputation.; 2. Everyone has the right to protection of the law against such interference or attacks.'
[121] See G Greenleaf `The European privacy Directive - completed' (1995) 2 PLPR 81
[122] This argument must be pursued elsewhere, but proposals such as the Australian Privacy Charter (Charter Council, December 1994) contain principles which go beyond both these models: see (1995) 2 PLPR 41
[123] `European Data Protection Laws' (Table), Privacy Laws & Business No 38, May 1997
[124] First Asia Pacific (ASPAC) Forum on Privacy and Personal Data Protection, April 13-14 1998, Hong Kong