[Previous] [No next] [Title]

6. Towards an Asia-Pacific information privacy Convention?

The growing maturity of information technology in the countries of the Asia-Pacific means that the protection of privacy is increasingly finding its way onto national and international agendas in the region. In the concluding part of this paper I wish to renew a call[112] for the regional agenda should be the need for a multilateral agreement on information privacy between Asia-Pacific countries.

6.1. APEC's growing privacy initiatives

Since 1995 the protection of personal information is slowly but surely becoming part of the formal international agenda of Asia-Pacific countries, particularly through the increased focus of APEC (Asia-Pacific Economic Cooperation)[113]http://www.apecsec.org.sg/] on the promotion of economic commerce in the region.

The Seoul Declaration, 1995 - privacy and the APII

The Second Senior Officials Meeting on Telecommunications and Information Industry, held on May 29-30 1995 in Seoul between the ministers responsible for telecommunications and information industries in the APEC member countries to review progress in the development of the Asia Pacific Information Infrastructure (APII), was the first Asia-Pacific meeting to consider privacy issues as a matter of regional significance.

The Seoul Declaration for the APII[114]http://www.dca.gov.au/apec/seoul.html] states that one of the five Objectives of the APII is 'to promote free and efficient flow of information'. However, it also declared that one of the ten Core Principles of APII is 'ensuring the protection of intellectual property rights, privacy and data security'. The Seoul Declaration therefore suggests that the protection of privacy is seen as a means, or perhaps a necessary pre-condition, for the achievement of ultimate ends such as regional free flow of information. This approach, where the desirability of free flow of information, including personal information, is at least in part responsible for a recognition of the necessity for the establishment of standards of privacy protection, has characterised all international agreements which focus on privacy protection. The Joint Statement following the meeting included specific items of cooperation, but no specific privacy-related initiatives were announced.

The Singapore Declaration, 1998 - privacy and E-commerce

Since then, the most significant APEC document recognising the importance of privacy issues has been the 3rd APEC Ministerial Meeting on the Telecommunications and Information Industry (Telmin3) at Singapore on 3-5 June 1998. The Ministers' Singapore Declaration[115]http://www.apecsec.org.sg/download/announce/0605telmin3-SporeDeclaration.exe]http://www.apecsec.org.sg/minismtg/mtgtel98.html] stresses the importance of electronic commerce to both the Asia Pacific Information Society (APIS) and Asia-Pacific Information Infrastructure (APII). It considers the role of e-commerce in `facilitating the electronic delivery of government services' as part of this. It notes that APEC's Electronic Commerce Task Force is developing a workplan to be considered at the APEC Economic Leaders meeting in Malaysia in November 1998, and directs the Telecommunications Working Group (TEL) to assist the development of that plan.

The Declaration also instructs TEL to consider in its work `the identification of key issues that will affect consumer confidence and ability to use electronic commerce within the APEC region, in particular, issues of access, affordability, privacy and security'. This work is to be consistent with TEL's `Reference Framework for Action on Electronic Commerce'. The Reference Framework notes that `Increased consumer confidence in the reliability of networks, the security of networks and the protection of personal information, and affordability to Internet access to consumers are key to increasing their purchase of goods and services by electronic means in the region.' It states that TEL's tasks include:

Although TEL is required to collaborate with many other specialist APEC bodies[116]http://www.apecsec.org.sg/workgroup/apecwg.html]http://www.apecsec.org.sg/cti/cap97.html], there is as yet no specialist body dealing specifically with privacy issues.

TEL's website[117]http://www.apecsec.org.sg/workgroup/telecom.html] does not indicate any active projects as yet which deal with privacy and data protection issues.

6.2. Developing privacy protection in the Asia Pacific

Strengthening local privacy laws

As a consequence of the Asia-Pacific's advanced use of information technology, there is already more development of privacy laws in the Asia-Pacific (in North America, Australasia, and North Asia) than in any region outside Europe. Stronger laws for the protection of privacy can be seen as a natural consequence of the development of advanced information-based economies, an aspect of the protection of human rights that parallels technological development. Nevertheless, such privacy laws as there are in the Asia-Pacific are often not comprehensive in their coverage, particularly in the private sector. The first requirement for privacy protection in the region is therefore the extension and strengthening of national laws.

Lack of such laws increases the risk that advanced use of information technology will result in overly manipulative or authoritarian use of such technology by business and governments, reducing confidence in electronic commerce and electronic delivery of government services. Abuses of information systems in North America, Europe and Australasia have been documented in many recent works[118]. Protection of human rights is the most important reason for strong privacy laws, even if facilitation of e-commerce is more likely to be the driving force. The other reason for strengthening national privacy laws is, of course, to avoid restrictions on exports of personal data from Europe as a result of the EU privacy Directive, or as a result of export restrictions in regional laws.

The reasons for developing information privacy laws in the Asia-Pacific therefore stem from at least three sources: (i) a recognition of information privacy as an aspect of human rights deserving of legal protection; (iii) the need to increase confidence in e-commerce and electronic service delivery and (ii) a desire to avoid unnecessary limitations on the international free flow of personal information.

The need for a regional agreement

The strengthening of national laws in the Asia-Pacific region may, however, be an inadequate response. Restrictions on the export of personal data are increasing within the Asia-Pacific, threatening the free flow of information within the region, as recognised in the Seoul Declaration for the APII. Such restrictions may be quite reasonable and understandable at a national level. A New Zealander could reasonably object to his or her medical records being held and processed in Australia, where they are largely unprotected, as a means of avoiding the strict controls of New Zealand's Health Information Privacy Code 1994 119. A Hong Kong resident could object to his or her financial data being held or processed in Japan or the USA, where it might not have the same protection as in Hong Kong.

One means of dealing with such non-tariff trade barriers is an international agreement to guarantee free flow of personal information between the States which are parties to it, provided that each State provides an agreed minimum level of privacy protection in its laws, the approach taken in the OECD Guidelines, the Council of Europe Convention, and most recently in the EU Directive.

Can existing international agreements provide a vehicle?

If such an agreement is needed in the Asia-Pacific, are any of the existing agreements a suitable vehicle?

The OECD Guidelines are not an appropriate vehicle, mainly because many Asia-Pacific countries are not OECD members, because the Guidelines do not provide any method of enforcement of the minimum standards they propose, and because the content of those standards reflects an understanding of privacy protection that is over a decade old.

Although it is theoretically possible for non-European countries to become parties to the European privacy Convention, it has not yet happened, and membership of a European agreement is not an appropriate approach to developing the building blocks of the APII/APIS. First, the content of the Convention is of the same vintage as the OECD Guidelines, and secondly it is inappropriate for the Asia-Pacific to simply adopt a European model wholesale without adapting it to regional views and conditions.

There is no mechanism by which non-EU countries can become 'parties' to the EU Directive, so it is not relevant as a vehicle for implementation. Nor is the ICCPR suitable[120], for reasons such as it is too general in its terms; it cannot be used to provide any guarantee of free flow of information; and most countries in the region have not yet acceded to the optional protocol.

6.3. Elements of an Asia-Pacific agreement

It seems, therefore, that it is worth considering whether the best approach would be to develop an Asia-Pacific information privacy convention that reflects regional needs. What could be the mechanism for its development, the nature of the agreement, the content or its privacy standards, and its means of compliance? An alternative approach to the existing international agreements is to ask `what can we learn from them in fashioning a new agreement for the Asia-Pacific?'

Mechanism for development - APII/APIS within APEC?

The most promising mechanism for development would seem to be the APII/APIS structure within APEC, because privacy protection is most likely to be taken seriously as a condition of the development of the regional information infrastructure (as the Seoul and Singapore Declarations indicate), and also because it will provide a regional solution. APEC is the broadest regional grouping relevant to the discussion, and the one with most momentum at present. Privacy is already part of the APII agenda, although under-represented in its working bodies.

Content- (i) `minimum' or `required maximum' standards?

Existing international privacy agreements involve two elements, and these would also be present in any Asia-Pacific agreement.

First, there is an agreement between the State parties to implement in their domestic law privacy protections of a certain standard. The crucial question here is whether these standards are phrased as minimum or `required maximum' standards.

Minimum standards must be implemented in the domestic law of a State that wishes to obtain the protection of the agreement against data export prohibitions. A State is still free to impose higher standards on the processing of data within its own jurisdiction provided it does not prevent data exports to countries which only observe the lower `international' standard. The OECD Guidelines and the Council of Europe Convention are of this type.

`Required maximum' standards are required to be implemented in each State's domestic law, but may not be exceeded, subject to an allowed degree of latitude and any exceptions in the agreement. Such standards help to ensure that businesses and other organisations operating at a regional level (such as across Europe) can apply the same privacy policies in all jurisdictions. the international agreement would have to be altered in order for the standards to be raised. The EU Directive is probably of this second type[121].

An Asia-Pacific agreement should only be a minimum standards agreement, at least at its inception. There is a far greater level of homogeneity in economic conditions and in attitudes toward privacy (and individual liberties generally) in Europe than there is in the Asia-Pacific. It is quite likely that countries will have very differing views about the desirable or acceptable level of privacy protection to be provided by domestic law, and the means of achieving it. It is likely to be much less difficult to reach an agreement about the minimum level of privacy protection that should be provided in one country before another country is prevented from restricting exports of personal data to it, as countries are still free to disagree about whether a higher level of protection should be provided locally.

From a privacy advocate's perspective, requiring privacy protection to be limited to `common denominator' standards is undesirable where that denominator is likely to be low. In contrast, there will be considerable advantages for some time to come in each country in the region learning from successful privacy protection `experiments' in other countries, such as Hong Kong and Australia have already learnt from the New Zealand experience.

In addition, there would clearly have to be a reasonable degree of flexibility in the methods of protecting privacy that were recognised as contributing toward an Asia Pacific notion of `adequacy'. Many countries in the region would want to insist on a more explicit recognition of non-legislative methods of protecting privacy. Despite the risks of recognition of forms of self-regulation that give no meaningful protection to privacy, it is a regional dialogue worth starting.

Content - (ii) protecting free flow of personal information

The second element is, of course, an agreement between the State parties not to prohibit the export of personal data from their jurisdictions to those of any other party which provides the agreed minimum standard of protection in its law. Exceptions such as those found in OECD Guideline 17 also require consideration. Such an agreement supporting free flow of information is a feasible basis for an Asia Pacific agreement at present.

A separate issue for consideration is whether there should be an agreement to prohibit the export of personal data to other (non-party) jurisdictions which do not provide the agreed minimum standard of protection. This approach, as yet found only in the EU Directive, gives a much stronger international agreement. This would not be feasible in the Asia Pacific at this stage.

Content (iii) - privacy standards

Insofar as content is concerned, the OECD Guidelines are one obvious starting point, particularly as they are not solely European. On the other hand, Chapter II of the EU draft Directive represents the current thinking of the European nations on desirable standards of privacy protection, and is therefore a valuable starting point for discussion, particularly because adoption of a similar approach will facilitate the free flow of personal information in both directions between Europe and the Asia-Pacific.

However, the EU Directive and the OECD Guidelines should only be a starting point for developing a set of information privacy principles appropriate to Asia-Pacific countries. A privacy advocate might regard both sets of principles as too weak and reflecting thinking which is being overtaken by new technologies[122], but might nevertheless be willing to settle for a relatively low minimum international standard so as to encourage the spread of privacy laws in the region. Trade interests may accept a higher standard than they would regard as ideal if this will guarantee free flow of information from certain countries with high local privacy standards. The details are a matter of relatively unpredictable political negotiation.

The most desirable outcome would be for an Asia Pacific privacy agreement to include a set of standards which, while containing the best elements of the EU Directive's standards, went beyond them to include some of the new elements of privacy protection necessitated by cyberspace. There is no reason why the international development of privacy standards should be dominated by European approaches and initiatives. A set of Asia Pacific privacy principles for the 21st century would make any regional agreement a much more significant achievement.

If the content of an Asia-Pacific Convention approximated either the OECD Guidelines or the EU Directive, let alone something better, ratification would contribute toward a finding of 'adequate protection' by the EU, in light of the reference to 'international commitments' in A25(5) of the EU Directive, and the approach that is taken to the Council of Europe privacy Convention.

Compliance mechanisms

Compliance mechanisms present more of a problem, because the Asia Pacific region does not have, and is not likely to develop (at least in the short term), regional adjudicative and enforcement mechanisms on the same model as the European Commission and Council or the European Court of Human Rights. Other new mechanisms would need to be developed within the APII/APIS framework, possibly including a Committee of Ministers of the parties to the Convention, and, like in the EU Directive, an Advisory Committee of Privacy Commissioners.

One related factor that needs to be borne in mind is that adoption of the Optional Protocol to the ICCPR by Asia-Pacific countries could provide a parallel mechanism by which regional States could allow an international complaints mechanism (the UN Human Rights Committee) to adjudicate on the adequacy of their privacy protections. This would allow individuals, not only States, to have privacy rights under international law, and would provide some parallel to the role of the European Court of Human Rights. However, the ICCPR seems unlikely to play a significant role in APEC's deliberations, and would only occur as an incidental development.

When an agreement comes into force

As with many international agreements, there would be a need to specify how many States must ratify the agreement before it comes into force. The Council of Europe privacy Convention of 1980 came into force in October 1985, once five member States of the Council of Europe ratified it (A 22(2)), although 18 States have now done so[123].

If a similar standard was applied for an Asia Pacific Convention to come into force, it is likely that it would take only a few years to come into force. New Zealand would be in a position to ratify immediately, irrespective of what standard was set, but few other candidates are yet clear. Canada and Australia may be in a position to ratify within a year or two. Ratification by Taiwan involves questions of international relations which have been resolved in other APEC contexts. Other countries such as Malaysia are reported to be likely to implement privacy laws in the near future.

The Council of Europe privacy Convention allows States to accede to the Convention with a `territorial clause' specifying to which of its territories the Convention will apply, and some similar flexibility may be needed in an Asia-Pacific Convention. It is possible that a federation like Canada might be able to ratify only in respect of some Provinces, such as Québec, at the outset, as might the People's Republic of China in respect of Hong Kong.

6.4. Some practical steps toward an Asia Pacific agreement

An Asia-Pacific privacy Convention is achievable, but would involve APEC adopting a different role than it has to date, and would no doubt involve some years of discussion and negotiation before regional States reached any agreement on its content.

A reasonable level of privacy protection should be one of the pre-conditions for free flow of personal information in the region. The development of an APII/APIS may be retarded if consumers, businesses and government cannot use international networks with some confidence that the privacy of transferred information will be respected. Restrictions on data exports are already developing and can be expected to multiply. A Convention need only prescribe the minimum necessary standards to guarantee free flow of personal information, and therefore not have any `coercive' component. It need only be ratified by a small number of States before coming into force, yet have the capacity to act as a catalyst for both the development of privacy laws in the region, and the free flow of information necessary for the development of an Asia-Pacific Information Infrastructure.

If one or more countries in the region put forward draft proposals for such an agreement in APEC and other suitable forum, it would at least raise the awareness of privacy issues among governments in the region. If agreement on a Convention could be reached, it would be valuable even if for some years only a handful of countries (insufficient for it to come into force) had ratified it, as it would enable quick action once other countries did become interested, and would in itself increase the likelihood of that occurring. International privacy protection laws have been developing slowly in Europe since the first national data protection Acts almost 30 years ago, to the Directive coming into force. Those who are interested in its advancement in the Asia-Pacific will need to persist for some years to come, but should not give up for that reason. Developments in public international law are usually like glaciers.

A few starting points

The ways in which discussion of the benefits and practicality of an Asia Pacific privacy agreement could be started are numerous, but some version of each of these approaches needs consideration: At this stage, dialogue is the most urgent need. The need for action may not be far behind

[112] A version of my argument for an Asia-Pacific Privacy Convention was first presented in a paper given to a Conference held by the Federation of Korean Information Industries in Seoul, 28 June 1995, and published in (1995) 2 PLPR 127

[113] See the APEC website at for full background information

[114] Declaration for the Asia Pacific Information Infrastructure, Seoul, Korea, 29-30 May 1995 -

[115] and Press release at

[116] Examples are the APEC Sub-Committee on Customs Procedures, Expert Group on Intellectual Property Rights, Policy Level Group on SMEs, the Human Resources Development Working Group, the Transportation Working Group, the Industrial Science and Technology Working Group - see and for reports


[118] See, for example, Flaherty, D Protecting Privacy in Surveillance Societies, University of North Carolina Press, 1989; Lyon, D The Electronic Eye - The Rise of Surveillance Society, Polity Press, Cambridge, UK, 1994; Gandy, O The Panoptic Sort - A Political Economy of Personal Information, Westview Press, 1993; Davies, S Big Brother: Australia's Growing Web of Surveillance, Sydney, Simon and Schuster, 1992

119 Longworth, E and McBride, T 'A privacy code for health', (1994) 1 PLPR 181

[120] International Covenant on Civil and Political Rights (ICCPR), Article 17 of which provides: `1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour or reputation.; 2. Everyone has the right to protection of the law against such interference or attacks.'

[121] See G Greenleaf `The European privacy Directive - completed' (1995) 2 PLPR 81

[122] This argument must be pursued elsewhere, but proposals such as the Australian Privacy Charter (Charter Council, December 1994) contain principles which go beyond both these models: see (1995) 2 PLPR 41

[123] `European Data Protection Laws' (Table), Privacy Laws & Business No 38, May 1997

[124] First Asia Pacific (ASPAC) Forum on Privacy and Personal Data Protection, April 13-14 1998, Hong Kong

[Previous] [No next] [Title]