[Previous] [Next] [Up] [Title]

6. Towards an Asia-Pacific information privacy Convention?

The Asia-Pacific region is the world's most advanced region in the use of information technology outside of Western Europe, with North Asia being the most rapidly developing part of the region. The growing maturity of information technology in the countries of the Asia-Pacific means that the protection of privacy is increasingly finding its way onto national and international agendas in the region. This part argues that an issue on the regional agenda should be the need for a multilateral agreement on information privacy between Asia-Pacific countries.

6.1. The Asia-Pacific Information Infrastructure (APII) and privacy

The Second Senior Officials Meeting on Telecommunications and Information Industry, held on May 29-30 1995 in Seoul between the ministers responsible for telecommunications and information industries in the APEC member countries to review progress in the development of the Asia-Pacific Information Infrastructure (APII), is the first Asia-Pacific meeting to consider privacy issues as a matter of regional significance.

The Seoul Declaration for the APII states that one of the five Objectives of the APII is 'to promote free and efficient flow of information'. However, it also declares that one of the ten Core Principles of APII is 'ensuring the protection of intellectual property rights, privacy and data security'. The Seoul Declaration therefore suggests that the protection of privacy is seen as a means, or perhaps a necessary pre-condition, for the achievement of ultimate ends such as regional free flow of information. This approach, where the desirability of free flow of information, including personal information, is at least in part responsible for a recognition of the necessity for the establishment of standards of privacy protection, has characterised all international agreements which focus on privacy protection.

The Joint Statement following the meeting includes as specific items of cooperation a number of items which could involve greater dissemination of personal information, including development of global markets for services, testing of information sharing, 'initiatives to make government information more widely available via electronic means' and 'promotion of EDI'. No specific privacy-related initiatives were announced.

The fact that privacy is part of the APII agenda suggests that this is an opportune time to consider the need for greater privacy protection in the Asia-Pacific region, and the means by which such protection may be realised.

6.2. Strengthening local privacy laws

As a consequence of the Asia-Pacific's advanced use of information technology, there is already more development of privacy laws in the Asia-Pacific (in North America, Australasia, and North Asia) than in any region outside Europe. Stronger laws for the protection of privacy can be seen as a natural consequence of the development of advanced information-based economies, an aspect of the protection of human rights that parallels technological development. Nevertheless, such privacy laws as there are in the Asia-Pacific are often not comprehensive in their coverage, particularly in the private sector. The first requirement for privacy protection in the region is therefore the extension and strengthening of national laws.

Failure to do this will increase the risk that advanced use of information technology will result in authoritarian or overly manipulative use of such technology by governments and business. Such abuses in North America, Europe and Australasia have been documented in many recent works[76]. Protection of human rights is the first and most important reason for strong privacy laws.

The second reason for strengthening national privacy laws is, of course, to avoid restrictions on exports of personal data from Europe as a result of the EU data protection Directive, or as a result of export restrictions in regional laws. The reasons for developing information privacy laws in the Asia-Pacific therefore stem from at least two sources: (i) a recognition of information privacy as an aspect of human rights deserving of legal protection; and (ii) a desire to avoid unnecessary limitations on the international free flow of personal information.

6.3. The need for a regional agreement

The strengthening of national laws in the Asia-Pacific region may, however, be an inadequate response. Restrictions on the export of personal data are increasing within the Asia-Pacific, threatening the free flow of information within the region, as recognised in the Seoul Declaration for the APII. Such restrictions may be quite reasonable and understandable at a national level. A New Zealander could reasonably object to his or her medical records being held and processed in Australia, where they are largely unprotected, as a means of avoiding the strict controls of New Zealand's Health Information Privacy Code 1994 77. A Hong Kong resident could object to his or her financial data being held or processed in Japan or the USA, where it might not have the same protection as in Hong Kong.

One means of dealing with such non-tariff trade barriers is an international agreement to guarantee free flow of personal information between the States which are parties to it, provided that each State provides an agreed minimum level of privacy protection in its laws, the approach taken in the OECD Guidelines, the Council of Europe Convention, and most recently in the EU Directive.

6.4. Can existing international agreements provide a vehicle?

If such an agreement is needed in the Asia-Pacific, are any of the existing agreements a suitable vehicle?

The OECD Guidelines are not an appropriate vehicle, mainly because many Asia-Pacific countries are not OECD members[78], because the Guidelines do not provide any method of enforcement of the minimum standards they propose, and possibly because the content of those standards reflects an understanding of privacy protection that is a decade old.

Although it is theoretically possible for non-European countries to become parties to the European data protection Convention, it has not yet happened, and membership of a European agreement is not an appropriate approach to developing the building blocks of the APII. First, the content of the Convention is of the same vintage as the OECD Guidelines, and secondly it is inappropriate for the Asia-Pacific to simply adopt a European model wholesale without adapting it to regional views and conditions.

There is no mechanism by which non-EU countries can become 'parties' to the EU Directive, so it is not relevant as a vehicle for implementation. Nor is the ICCPR suitable, for reasons such as it is too general in its terms; it cannot be used to provide any guarantee of free flow of information; and most countries in the region have not yet acceded to the optional protocol.

6.5. Elements of an Asia-Pacific information privacy Convention

It seems, therefore, that it is worth considering whether the best approach would be to develop an Asia-Pacific information privacy convention that reflects regional needs. What could be the mechanism for its development, the nature of the agreement, the content or its privacy standards, and its means of compliance? An alternative approach to the existing international agreements is to ask `what can we learn from them in fashioning a new agreement for the Asia-Pacific?'

Mechanism for development

The most promising mechanism for development would seem to be the APII structure within APEC, because privacy protection is most likely to be taken seriously as a condition of the development of the regional information infrastructure (as the Seoul Declaration indicates), and also because it will provide a regional solution. APEC is the broadest regional grouping relevant to the discussion, and the one with most momentum at present. Privacy is already part of the APII agenda.

Nature of the agreement

Existing international privacy agreements involve two elements, and these would also be present in any Asia-Pacific agreement.

First, there is an agreement between the State parties to implement in their domestic law privacy protections of a certain standard. The crucial question here is whether these standards are phrased as minimum or `required maximum' standards.

Minimum standards must be implemented in the domestic law of a State that wishes to obtain the protection of the agreement against data export prohibitions. A State is still free to impose higher standards on the processing of data within its own jurisdiction provided it does not prevent data exports to countries which only observe the lower `international' standard. The OECD Guidelines and the Council of Europe Convention are of this type.

`Required maximum' standards are required to be implemented in each State's domestic law, but may not be exceeded, subject to an allowed degree of latitude and any exceptions in the agreement. Such standards help to ensure that businesses and other organisations operating at a regional level (such as across Europe) can apply the same privacy policies in all jurisdictions. the international agreement would have to be altered in order for the standards to be raised. It has been argued above that the EU Directive is probably of this second type.

An Asia-Pacific agreement should only be a minimum standards agreement, at least at its inception. There is a far greater level of homogeneity in economic conditions and in attitudes toward privacy (and individual liberties generally) in Europe than there is in the Asia-Pacific. It is quite likely that countries will have very differing views about the desirable or acceptable level of privacy protection to be provided by domestic law. It is likely to be much less difficult to reach an agreement about the minimum level of privacy protection that should be provided in one country before another country is prevented from restricting exports of personal data to it, as countries are still free to disagree about whether a higher level of protection should be provided locally.

From a privacy perspective, requiring privacy protection to be limited to `common denominator' standards is undesirable where that denominator is likely to be low. In contrast, there will be considerable advantages for some time to come in each country in the region learning from successful privacy protection `experiments' in other countries, such as Hong Kong and Australia have already learnt from the New Zealand experience.

The second element is, of course, an agreement between the State parties not to prohibit the export of personal data from their jurisdictions to those of any other party which provides the minimum standard of protection in its law. Exceptions such as those found in OECD Guideline 17 also require consideration.

When an agreement comes into force

As with many international agreements, there would be a need to specify how many States must ratify the agreement before it comes into force. The Council of Europe privacy Convention of 1980 came into force in October 1985, once five member States of the Council of Europe ratified it (A 22(2)), although 18 States have now done so[79].

If a similar standard was applied for an Asia-Pacific Convention to come into force, it is likely that it would come into force fairly quickly. New Zealand, and possibly Australia, would be in a position to ratify immediately.

The relationship of the People's Republic of China to Hong Kong and to Taiwan complicates the position of two jurisdictions which would otherwise be able to sign such an agreement forthwith. The Council of Europe privacy Convention allows States to accede to the Convention with a `territorial clause' specifying to which of its territories the Convention will apply, and some similar flexibility may be needed in an Asia-Pacific Convention. It is possible that a federation like Canada might be able to ratify only in respect of some Provinces, such as Québec, at the outset.

Content of privacy standards

Insofar as content is concerned, the OECD Guidelines are one obvious starting point, particularly as they are not solely European. On the other hand, Chapter II of the EU draft Directive represents the current thinking of the European nations on desirable standards of privacy protection, and is therefore a valuable starting point for discussion, particularly because adoption of a similar approach will facilitate the free flow of personal information in both directions between Europe and the Asia-Pacific.

However, the EU Directive and the OECD Guidelines should only be a starting point for developing a set of information privacy principles appropriate to Asia-Pacific countries. A privacy advocate might regard both sets of principles as too weak and reflecting thinking which is being overtaken by new technologies[80], but might nevertheless be willing to settle for a relatively low minimum international standard so as to encourage the spread of privacy laws in the region. Trade interests may accept a higher standard than they would regard as ideal if this will guarantee free flow of information from certain countries with high local privacy standards. The details are a matter of relatively unpredictable political negotiation.

If the content of an Asia-Pacific Convention approximated either the OECD Guidelines or the EU Directive, it seems very likely that this would be regarded as 'adequate protection' by the EU, particularly in light of the reference to 'international commitments' in A25(5) of the EU Directive.

Compliance mechanisms

Compliance mechanisms present more of a problem, because the Asia-Pacific region does not have, and is not likely to develop (at least in the short term), regional adjudicative and enforcement mechanisms on the same model as the European Commission and Council or the European Court of Human Rights. Other new mechanisms will need to be developed within the APII framework, possibly including a Committee of Ministers of the parties to the Convention, and, like in the EU Directive, an Advisory Committee of Privacy Commissioners[81].

One related factor that needs to be borne in mind is that adoption of the Optional Protocol to the ICCPR by Asia-Pacific countries could provide a parallel mechanism by which regional States could allow an international complaints mechanism (the UN Human Rights Committee) to adjudicate on the adequacy of their privacy protections. This would allow individuals, not only States, to have privacy rights under international law, and would providing some parallel to the role of the European Court of Human Rights. However, the ICCPR seems unlikely to play a significant role in APEC's deliberations.

Conclusion - Wishful thinking, or Australia's opportunity?

An Asia-Pacific privacy Convention is achievable. A reasonable level of privacy protection should be one of the pre-conditions for free flow of personal information in the region. The development of an APII may be retarded if consumers, businesses and government cannot use international networks with some confidence that the privacy of transferred information will be respected. Restrictions on data exports are already developing and can be expected to multiply. A Convention need only prescribe the minimum necessary standards to guarantee free flow of personal information. It need only be ratified by a small number of States before coming into force, yet have the capacity to act as a catalyst for both the development of privacy laws in the region, and the free flow of information necessary for the development of an APII.

The next APII Ministerial meeting will be held in Australia in September 1996. If Australia used the opportunity it has as host of the meeting to present a draft regional privacy Convention for APEC's consideration, this would be a concrete step in developing the building blocks of the Asia-Pacific Information Infrastructure.

[76] See, for example, Flaherty, D Protecting Privacy in Surveillance Societies, University of North Carolina Press, 1989; Lyon, D The Electronic Eye - The Rise of Surveillance Society, Polity Press, Cambridge, UK, 1994; Gandy, O The Panoptic Sort - A Political Economy of Personal Information, Westview Press, 1993; Davies, S Big Brother: Australia's Growing Web of Surveillance, Sydney, Simon and Schuster, 1992

77 Longworth, E and McBride, T 'A privacy code for health', (1994) 1 PLPR 181

[78] The only current Asian member is Japan, but South Korea's membership is being finalised.

[79] C Millard `European Data Protection Laws' (Table), Privacy Laws & Business No 27, December 1994

[80] This argument must be pursued elsewhere, but proposals such as the Australian Privacy Charter (Charter Council, December 1994) contain principles which go beyond both these models: see (1995) 2 PLPR 41

[81] Commissioner Flaherty of British Columbia hosted the first `non-European' meeting of Privacy Commissioners in February 1995

[Previous] [Next] [Up] [Title]