5 November 2003
(for publication in (2003) 10(6) Privacy Law & Policy Reporter, LexisNexis Australia)
APEC's draft privacy principles are little more than six months
old, but by September 2003 were already in their fifth draft. I previously
criticised Version 1 as being 'OECD Lite'
 because it did not even include all of the 1980 OECD privacy Guidelines, on which it was ostensibly based, and also because those 1980 standards were an inadequate starting point in any event for privacy standards for the Asia-Pacific in the twenty-first century. I considered that Version 2 was 'not quite so Lite'
 because it included some strengthening of the privacy Principles, and also because it appeared to be moving in the direction of adopting something like the rest of the OECD Guidelines concerning implementation.
Versions 3, 4 and 5 (the latest dated September 2003) have since
been considered by APEC's Privacy Sub Group of the E-Commerce Steering
Committee under the chairmanship of Mr Peter Ford (Australia). However,
only Version 3 is publicly available
, as Mr Ford has advised that no further versions will be made public until the Sub Group completes its deliberations on the Principles in February 2004.
Versions 3-5 have progressively weakened the APEC draft from its already
weak starting point. This weakening appear to coincide with serious United
States engagement with this APEC process. It consist of (i) further weakening
the Principles proposed in V2, in some cases to a standard lower than the
OECD; (ii) failure to consider new Principles already implemented in this
region; (iii) introduction of retrograde new Principles at the behest of
the USA; and (iv) failure to consider implementation measures. Each of
these is considered in turn.
(i) Principle 3 (Purpose Specification) was given a major strengthening in Version 2 that required secondary uses of personal information to be 'directly related' to the purposes of collection (recommended by New Zealand). Versions 3-5 revert to the lower OECD standard that secondary uses are allowed provided they are 'not incompatible' with the purpose of collection (now in Principle 3 (Use Limitation)).
(ii) Principle 3 (Use Limitation) now includes three further exceptions to the limitation on secondary uses, all of which threaten this key 'finality' principle:
(iv) Principle 7 (Individual Participation) has been transformed from the quite specific set of OECD requirements that survived into Version 3 (see below), into a vague requirement in Version 5 that only says that individuals should be given 'reasonable access' to information about them, and then further qualifies it by stating that 'Generally, individuals should have such access except where the provision of the information would be prohibitively costly, or the information should not be disclosed for legal, security or commercial proprietary reasons'. The blanket exemption from access for any 'proprietary reason' is clearly open to abuse, particularly as it does not require any considerations of proportionality, or requirements for limited disclosure or use of trusted third party intermediaries.
In summary, we may say that Version 5 involves significant weakening of the key protective privacy principles - limits on secondary use ('finality'), notice, and the right of access - to a level below both the standards set by Version 2, and by the OECD privacy principles.
As is detailed below, the APEC Sub Group is failing to consider Principles which have already been adopted in some form in a number of jurisdictions in the Asia-Pacific, and in that sense are already on the way to becoming de facto regional standards.
Proposal 2 (US). Preventing harmPersonal information protections should be designated to prevent the harmful use of personal information. Specific obligations therefore, should be proportionate to the likelihood and severity of the harm threatened by the collection, use and transfer of the personal information.While the sentiment behind such statements may seem unexceptional, it is better to place a 'prevention of harm' principle in the part dealing with implementation and remedies. Once it is accepted that the privacy Principles are of universal application to personal information, it then becomes reasonable to use a 'prevention of harm' criterion to restrict access to remedial processes (as is done in New Zealand) or to lessen the compliance burden in areas where harm is less likely.
To elevate this to a Principle on a par with the other privacy Principles makes it easier to allow wholesale exemptions from the law like Australia's 'small business' exemption (one of the reasons that European Union bodies regard the Australian law as inadequate). It also makes it easier to argue that there is no need for any uniform privacy laws at all but only for laws in sectors which pose some special danger (the approach taken in the USA to date). The problem with the creation of such 'privacy-free zones' is that even those of the Principles that are applicable, and can be implemented in a proportionate way (such as access to a person's own records) are lost by such wholesale exemptions.
Proposal 5 (US) Maximizing the Benefits of Privacy ProtectionsProtecting individual privacy and ensuring the free flow of information without unfair barriers within and across borders are both essential to the growth of the increasingly important global economy, and offer benefits to individuals and economies alike. In order to maximize the economic and social benefits to participants resulting from the current and evolving business models and communication media, both individual privacy protection and the free flow of information should be promoted. Therefore, approaches to personal information protections should balance these two important goals without unduly interfering with or impeding either interest.While it might be reasonable for some such comments to go in the Preamble to the APEC guidelines, to elevate this to the status of a Principle would make the operation of all the other principles completely uncertain, because 'free flow' could be interpreted to trump just about anything else.
All of these proposals have disappeared from Version 5, being replaced by a 'Part IV. Implementation Mechanisms' which merely says 'to be discussed in early 2004'. This is presumably a reference to a proposed meeting on the APEC guidelines to be held in Santiago, Chile, in August/September 2004 where it is understood that the APEC privacy Principles will be released and regional Privacy Commissioners will then be asked to give advice on what might be desirable implementation measures.
Separating consideration of the Principles from consideration of implementation makes it very difficult to understand the significance of changes in wording of the Principles. For example, how detailed the Principles need to be depends a great deal on whether self-certification of compliance for data export limitation purposes (as proposed by Australia) is accepted, or whether external forms of assessment will apply. If self-certification applies, then more detailed Principles would act as a safeguard against abuse.
It would be preferable if the APEC process moved forward on both aspects in parallel. By the time implementation is considered, it may be too late to change the Principles that will be proposed to APEC. Perhaps that is what is intended.
The only specific comment about implementation measures in Version 5 is a comment by the Chair that it might be useful to consider a data export limitation Principle based on the approach of allowing transfers only if the recipient organisation has 'taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with' the Guidelines. The USA is to draft a version of this for consideration. This would seem to be a case of allowing the fox to guard the henhouse, but what they come up with should be considered on its merits.
While the OECD Guidelines and European Union Directives offered a starting point for discussions my inclination is that a more regiocentric set of guidelines will ultimately emerge in the final drafting.Commissioner Tang does not indicate what a more regional set of privacy Principles would look like, but there are at least two sources on which we can draw to develop genuinely regional standards which also give a stronger level of privacy protection: (i) existing regional privacy laws; and (ii) the draft APT privacy Guidelines.
Principles stronger than those found in the OECD Guidelines are common in legislation in the region, and many occur in more than one jurisdiction's' laws. Some examples of higher standards, in the sense that they are found in at least two regional privacy laws, are as follows:
In 2002 the APT decided to develop its own regional privacy guidelines, and requested a draft be prepared by the Korean Information Security Agency (KISA), with input from the Asian Privacy Forum.
KISA presented its first draft Guidelines on the Protection of Personal Information and Privacy to the APT in July 2003. The draft Guidelines attempt to take a distinctive regional approach, and are explicitly not based solely on the OECD or EU approaches (cl8), while nevertheless drawing on them. The draft comments that the OECD Guidelines `reflect ... the 70s and 80s'. Unlike the OECD Guidelines, the APT Guidelines will include 'concrete implementation measures'. They state they are different from the EU Directive in allowing more variation between States. Another stated difference is an emphasis on the role of government, not litigation.
The APT draft Guidelines add new Principles which go beyond the OECD requirements in at least the following areas:
Concerning implementation, the APT draft Guidelines already take an approach which is consistent with, but stronger than, the OECD requirements. Some of the notable aspects are:
The APEC processes are inadequate to produce a high quality result: there is no collective expert input going into the process, and it has now retreated behind closed doors following critical discussion of its first two drafts. It should not be forgotten that the OECD Guidelines were developed by an `expert group (Chaired by Justice Michael Kirby of Australia), and only then adopted by OECD governments.
More input into the APEC process is needed from Commissioners and other regional experts to identity a desirable regional standard. Some individual Privacy Commissioners input is filtered through governments into the process, but regional Commissioners as yet have no equivalent to Europe's Article 29 Committee of Commissioners, which gives the European Commissioners a collective voice and provides protection for individual Commissioners in relation to views that they might find difficult to express in a domestic context. The opportunity for Commissioners to contribute in Santiago only offers input on implementation, not the Principles, and that is not sufficient.
Regional non-government privacy experts have formed the Asia-Pacific Privacy Charter Council (APPCC) to help provide a 'civil society' input into these regional processes (see (2003) 10(3) PLPR 49), but if APEC is going to operate behind closed doors it is difficult to see how it can make use of any input beyond that brought in through national governments where they are so inclined.
A more consultative, confident, and region-based APEC initiative is needed.
(A version of this paper was presented at the Inter-Pacific Bar Association
Conference on Privacy, Data Protection & Corporate Governance in the
Internet Economy, Kuala Lumpur, Malaysia, 9 October 2003 <http://www.ippj.com.my/seminar/Seminar.html>)
|1. Collection limitation
There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2. Data Quality
Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
3. Purpose Specification
The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose
4. Use Limitation
Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Principle 3 except:
a) with the consent of the data subject; or
b) by the authority of law: or
c) with legitimate cause to avoid immediate danger to the life, body, freedom or property of the person.
5. Security Safeguards
Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data or other misuse.
There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller. Data controllers should take reasonable steps to make data subjects aware of their rights to obtain access to data and to challenge a denial of access or inaccurate data.
|7. Individual Participation
An individual should have the right:
a) to obtain from a data controller confirmation of whether or not the data controller has data relating to him or her;
b) to have communicated to him or her, data relating to him or her
* within a reasonable time;
* at a charge, if any, that is not excessive;
* in a reasonable manner; and
* in a form that is [readily intelligible] generally understandable (NZ text) to him or her;
c) to be given reasons if a request made under subparagraphs(a) and (b) is denied, and to be able to challenge such denial; and
d) to challenge the accuracy of data relating to him or her and, if the challenge is successful, to have the data erased, rectified, completed or amended; and
e) to refuse to provide his or her information except where required by law .
A data controller should be accountable for complying with measures which give effect to the principles stated above.
Note: Parts D and E of the APT draft Guidelines should be considered in this context.
Proposal 1: Include a new principle:
Limited Retention Principle
When data no longer serve a purpose as specified in Principle 3 - Purpose
specification, or are needed for use as allowed for in Principle 4 - Use
limitation Principle, they
shall should no longer be
retained. Where practicable, they should be destroyed or given an anonymous
Proposal 2 (Australia): Include a new principle:
Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.
Proposal 3 : Include an exception relating to national security.
Proposal 4 text to be drafted but basic concept is to anchor APEC privacy protections to alleviating harm to individuals. Privacy protections, including self-regulatory efforts, education and awareness campaigns, laws, regulations and enforcement, should be designed to prevent harm to individuals from misuse of their personal information.
Proposal 5 text to be drafted but basic concept is, as reflected in preamble, that personal information protections should reflect the benefits to participants of both protecting individual privacy and ensuring free cross-border flows of information.
Proposal 6 Add a principle concerning unique identifiers
1.2 A data controller should not require an individual to disclose any identifier assigned to that individual by a government body unless the disclosure is one of the purposes for which the identifier was assigned.
1.3 "Identifier" means a number used to uniquely identify an individual.
 G Greenleaf 'Australia's APEC privacy initiative: The pros and cons of 'OECD Lite'' (2003) 10 (1) PLPR 1
 G Greenleaf 'APEC Privacy Principles Version 2 - Not quite so Lite, and NZ wants OECD full strength' (2003) 10(3) PLPR 45
 The full version is at <http://www.BakerCyberlawCentre.org/appcc/apec_draft_v3.htm>
 Version 4 used the word 'inconsistent'.
 Orignally planned for around February 2004
 Raymond Tang 'Personal Data Privacy: The Asian Agenda' 25th International Conference of Data Protection and Privacy Commissioners, Sydney, September 2003
A more sophisticated definition of "identifier" (or it could be termed "unique identifier", "personal identifier" or "government identifier") may be required.