Privacy Law and Policy Reporter
This article is a revised extract from a paper given to the Federation of Korean Information Industries, Seoul, 28 June 1995.
The Asia-Pacific region is the world's most advanced region in the use of information technology outside of Western Europe, with North Asia being the most rapidly developing part of the region. The growing maturity of information technology in the countries of the Asia-Pacific means that the protection of privacy will increasingly find its way onto national and international agendas in the region. One effect of the European Union privacy Directive (see 2 PLPR 81 and 105) is that it is likely to make this occur more quickly, both by its example, and because of the 'knock-on' effect of its provisions prohibiting export of personal data. This article argues that an issue on the regional agenda should be the need for a multilateral agreement on information privacy between Asia-Pacific countries.
The Second Senior Officials Meeting on Telecommunications and Information Industry, held on 29-30 May 1995 in Seoul between the ministers responsible for telecommunications and information industries in the APEC member countries to review progress in the development of the Asia-Pacific Information Infrastructure (APII), is perhaps the first Asia-Pacific regional meeting to consider privacy issues as a matter of regional significance.
The Seoul Declaration for the APII states that one of the five objectives of the APII is 'to promote free and efficient flow of information'. However, it also declares that one of the ten core principles of APII is 'ensuring the protection of intellectual property rights, privacy and data security'. The Seoul Declaration therefore suggests that the protection of privacy is seen as a means, or perhaps a necessary pre-condition, for the achievement of ultimate ends such as regional free flow of information. This approach, where the desirability of free flow of information, including personal information, is at least in part responsible for a recognition of the necessity for the establishment of standards of privacy protection, has characterised all international agreements which focus on privacy protection.
The joint statement following the meeting includes as specific items of co-operation a number of items which could involve greater dissemination of personal information, including development of global markets for services, testing of information sharing, 'initiatives to make government information more widely available via electronic means' and 'promotion of EDI'. No specific privacy-related initiatives were announced.
The fact that privacy is part of the APII agenda suggests that this is an opportune time to consider the need for greater privacy protection in the Asia-Pacific region, and the means by which such protection may be realised.
Since the Swedish Data Act (1973), national legislation has now been enacted in 20 European countries. Seven countries in the Asia-Pacific region (NZ, Australia, Japan, US, Canada, South Korea and Hong Kong) have also enacted such laws, based upon the protection of a 'bundle' of information privacy rights. They have been influenced directly or indirectly to varying extents by the OECD privacy Guidelines (1980) and, in the Hong Kong case, by the European Directive. Sectoral legislation concerning financial, criminal and other sensitive records has also been enacted in many countries.
All European data protection Acts contain provisions by which their national data protection agency has authority to restrict 'exports' of personal data where the personal data would not receive sufficient protection in the 'importing' country. These European provisions restricting 'trans-border data flows' (TBDF) have already been enforced on many occasions, including examples relating to information concerning employees, medical treatment, product research, direct marketing, telecommunications, airline passengers, financial services, off-shore data processing, religion, gambling 'blacklists', social security, immigration, and archives, according to [Vassilaki 1993]. There is no doubt that European countries are already taking a serious approach to the enforcement of TBDF restrictions in national laws, even though (in most countries) the imposition of such restrictions is not mandatory but at the discretion of the national authority.
The EU data protection Directive will make such enforcement mandatory (see 2 PLPR 105), and can be expected to increase the number of enforced restrictions against Asia-Pacific countries.
Until this year, the privacy laws of Asia-Pacific countries did not yet contain such TBDF restrictions. At best, provisions in laws such as those in Australia and NZ dealing with secondary use and disclosure of personal information could have the incidental effect of prohibiting disclosures outside the jurisdiction simply because there were no legitimate users of the information outside the jurisdiction, but never because of the inadequacy of the laws in the recipient's jurisdiction.
Since July 1995, Hong Kong's new Personal Data (Privacy) Ordinance 1995 (see 2 PLPR 100) does prohibit the export of personal information from Hong Kong unless the information will receive similar protection in the importing country to that which it is given under Hong Kong law, or certain exceptions apply (s 33). The approach taken in the Hong Kong law is to prohibit the data user from transferring personal data to a place outside Hong Kong (including to other parts of China) unless one of the following conditions applies:
(a) the place has been specified by a Gazette notice to have laws which are substantially similar to, or serve the same purpose as, the Hong Kong law; or
(b) the user has reasonable grounds for believing that the place has such laws; or
(c) the data subject has consented in writing to the transfer; or
(d) the user has reasonable grounds for believing that the transfer is to mitigate adverse action against the data subject, who would have consented to it if it was practicable to obtain their consent; or
(e) the data are covered by an exemption from data protection principle 3 under Pt VIII ('domestic purposes', 'security', 'crime prevention', 'health', reporting news, and some others); or
(f) 'the user has taken all reasonable precautions and exercised all due diligence' to ensure that the data will not be dealt with in any manner in that place which, if it had occurred in Hong Kong, would contravene the Ordinance.
The Hong Kong law is very significant for a number of reasons. First, the law is so comprehensive in relation to both the public and private sectors, that it is likely that it will be regarded as providing 'adequate protection' in terms of the EU Directive. It was drafted when the basic structure of the EU Directive was known, taking into account some of the thinking behind the Directive, and so may be a model for other regional legislation.
Second, otherwise comprehensive laws (such as the NZ law) could be seen from the EU perspective to have a 'loophole' in that there is nothing specific in them to stop data which is imported from Europe being 're-exported' to some other jurisdiction where no adequate privacy protection applies. Section 33 of the Hong Kong Ordinance closes this loophole.
Third, if similar export restrictions arise in the laws of other Asia-Pacific countries, then there will be barriers to the free flow of personal information within the Asia-Pacific (that is, within APII), not only between the EU and the Asia-Pacific. With the enactment of the Hong Kong law, one such set of barriers already exists. If different personal data export restrictions arise in different Asia-Pacific countries, as is already occurring, there will be significant impediments to the development of electronic services and trade within the region. Such inconsistencies between European countries were one of the main factors leading to the EU privacy Directive.
These second and third factors are the 'knock-on' effect of the EU privacy Directive.
It is arguable that there are only three jurisdictions in the whole of the Asia-Pacific region which have existing privacy laws covering the whole of their private and public sectors which would unequivocally provide 'adequate' privacy protection in terms of the EU Directive, so that no EU country could justifiably prohibit transfers of personal data to them. These are NZ (Privacy Act 1993), Quebec (Act respecting the protection of personal information in the private sector; Act respecting access to documents held by public bodies and the protection of personal information) and Hong Kong (Personal Data (Privacy) Ordinance 1995). Even in relation to Quebec and Hong Kong, the 'loophole' argument mentioned above could apply, although this is unlikely.
Otherwise, such privacy legislation as does exist in the Asia-Pacific could only constitute 'adequate protection' for specific sectors, if at all. For example, Australia's Privacy Act 1988 would provide adequate protection in relation to any information held by Federal Government agencies, and in relation to credit reporting (Pt IIIA), but there is no other legislation which would provide adequate protection in relation to information held by state government agencies, or the rest of the private sector. Similarly, in Canada, some Acts such as British Columbia's Freedom of Information and Protection of Privacy Act would constitute adequate protection in relation to that province's public sector records, but there is no legislation providing adequate protection for the whole of the private sector. It is likely that Japan's Personal Data Protection Act 1988 would provide adequate protection for its public sector, and the 1994 Korean law may also do so. Other legislation covers only specific parts of the private sector, such as Singapore's Banking Act s 47 and Malaysia's Banking and Financial Institutions Act 1989, Pt XIII, which cover the banking sector. Legislation covering some sectors only has been proposed in Taiwan (Computerized Personal Data Protection Law 1993) but has not proceeded. In relation to the US, a draft report under preparation by two US academics for the EU is reported to argue that US laws as a whole do not provide 'adequate protection', not even on a sectoral basis (in most cases), so that any transfers of personal data to the US will have to be considered in relation to the specific organisations involved (that is, as authorisations under art 26(2)) (Privacy Journal, October 1994). The effectiveness of codes of conduct to provide adequate protection is still contentious, but is unlikely to be a panacea (see 2 PLPR 107).
While the argument sketched above requires more analysis than is possible here, we can conclude that all but three jurisdictions in the Asia-Pacific are vulnerable to restrictions on transfers of personal data from countries in the European Union, at least insofar as the majority of their private sector organisations are concerned. There may also be an increase in laws restricting transfers of personal data within the Asia-Pacific, if the Hong Kong example is followed.
As a consequence of the Asia-Pacific's advanced use of information technology, there is already more development of privacy laws in the Asia-Pacific (in North America, Australasia, and North Asia) than in any region outside Europe. Stronger laws for the protection of privacy can be seen as a natural consequence of the development of advanced information-based economies, an aspect of the protection of human rights that parallels technological development. Nevertheless, such privacy laws as there are in the Asia-Pacific are usually not comprehensive in their coverage, particularly in the private sector. The first requirement for privacy protection in the region is therefore the extension and strengthening of national laws.
Failure to do this will increase the risk that advanced use of information technology will result in authoritarian or overly manipulative use of such technology by governments and business. Such abuses in North America, Europe and Australasia have been documented in recent works such as those by (Flaherty, 1989), (Lyon, 1994), (Gandy, 1993) and (Davies, 1992). Protection of human rights is the first and most important reason for strong privacy laws.
The second reason for strengthening national privacy laws is, of course, to avoid restrictions on exports of personal data from Europe as a result of the EU data protection Directive, or as a result of export restrictions in regional laws such as in Hong Kong. The reasons for developing information privacy laws in the Asia-Pacific therefore stem from at least two sources: (a) a recognition of information privacy as an aspect of human rights deserving of legal protection; and (b) a desire to avoid unnecessary limitations on the international free flow of personal information.
The strengthening of national laws in the Asia-Pacific region may, however, be an inadequate response. There is a danger that restrictions on the export of personal data may increase within the Asia-Pacific region, threatening the free flow of information within the region, as recognised in the Seoul Declaration for the APII. Such restrictions may be quite reasonable and understandable at a national level. A New Zealander could reasonably object to his or her medical records being held and processed in Australia, where they are largely unprotected, as a means of avoiding the strict controls of NZ's Health Information Privacy Code 1994 (see Longworth and McBride, 1994). A Hong Kong resident could object to his or her financial data being held or processed in Japan or the US, where it might not have the same protection as in Hong Kong.
One means of dealing with such non-tariff trade barriers is an international agreement to guarantee free flow of personal information between the states which are parties to it, provided that each state provides an agreed minimum level of privacy protection in its laws, the approach taken in the OECD Guidelines, the Council of Europe Convention, and most recently in the EU Directive.
If such an agreement is needed in the Asia-Pacific, are any of the existing agreements a suitable model?
There are two existing international sources of general privacy obligations that affect countries of the Asia-Pacific: the OECD Guidelines and the ICCPR.
The Organisation for Economic Cooperation and Development's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD, Paris, 1981) are a Recommendation by the Council of the OECD, adopted in 1980. Recommendations of the Council are not legally binding on member states, whereas Decisions are. The Guidelines attempt to balance the protection of privacy and individual liberties and the advancement of free flows of personal data through eight privacy principles which, if observed, are supposed to guarantee a free flow of personal information from other OECD countries. All 25 member countries of the OECD have adopted the Guidelines (Tucker, 1988), but, outside Europe, only NZ and Quebec (Canada) have implemented them in full by legislation covering both the public and private sectors.
The Council of Europe's Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (Convention No. 108) has been in force since 1985, and by 1994 had been signed by 19 European countries and ratified by 14. Unlike the OECD Guidelines, the Convention is a binding instrument in international law. Breaches of the Convention are dealt with at the diplomatic level by the Council of Ministers. The Convention contains eight articles which constitute 'Basic Principles for Data Protection', and are in many respects similar to those of the OECD Guidelines. Article 23 of the Convention allows the Committee of Ministers of the Council of Europe to allow States which are not members of the Council of Europe to accede to the Convention, provided that all of the Contracting States entitled to sit on the Committee agree. It is therefore possible in theory for Asia-Pacific countries to become a party to the Convention, but as yet no non-member of the Council of Europe has done so.
Various Asia-Pacific countries are parties to the International Covenant on Civil and Political Rights (ICCPR), art 17 of which provides:
Some ratifications are qualified in respect of art 17, such as by Australia's declaration that art 17 was accepted without prejudice to 'the right to enact and administer laws which, insofar as they authorise action which infringes on a person's privacy, family, home or correspondence, are necessary in a democratic society in the interests of national security, public safety, the economic well-being of the country, the protection of public health or morals, or the protection of the rights and freedoms of others'. Article 8 of the European Convention on Human Rights (1950) is in very similar terms, and considerable case law by the European Court of Human Rights has elaborated its meaning. The ICCPR is therefore very different from the OECD Guidelines or the European Convention, as it contains only a very general statement of privacy as a right.
Some countries have acceded to the First Optional Protocol to the ICCPR, thereby agreeing to individuals taking complaints ('communications') that they have breached a provision of the ICCPR to the United Nations Human Rights Committee. The Human Rights Committee is made up of 18 experts from different countries, elected for four year terms by countries that are ICCPR parties. For example, in Toonen v Australia (UN Human Rights Committee, Views on Communication No. 488/1992, adopted 31 March 1994 - see 1 PLPR 50) the Committee held that Australia was in breach of art 17 because of legislation in an Australian state (Tasmania) which criminalised homosexual conduct in private. The Australian Commonwealth Government then legislated to nullify the effect of the Tasmanian legislation (Human Rights (Sexual Conduct) Act 1994 - see Greenleaf, 1994b).
In addition to these general agreements, there are a number of important more specific international agreements, including OECD Guidelines on Security of Information Systems (see Kirby, 1993), and a proposed EU Directive on telecommunications privacy (see Tucker, 1994). The Council of Europe has also issued numerous influential sectoral recommendations.
The OECD Guidelines are not appropriate, partly because many Asia-Pacific countries are not OECD members, and also because those Guidelines do not provide any method of enforcement of the minimum standards they propose. Although it is theoretically possible for non-European countries to become parties to the European data protection Convention, it has not yet happened, and it does not seem an appropriate approach. First, the content of the Convention reflects an understanding of privacy protection that is a decade old and is being superseded by the more contemporary standards of the EU Directive, and secondly it is inappropriate for the Asia-Pacific to simply adopt a European model wholesale without adapting it to regional views and conditions. There is no mechanism by which non-EU countries can become 'parties' to the EU Directive, even though the Directive does provide a form of protection against restrictions on exports to non-EU countries with 'adequate' laws. Nor is the ICCPR sufficient, for reasons such as it is too general in its terms; it cannot be used to provide any guarantee of free flow of information; and most countries in the region have not yet acceded to the optional protocol.
It seems, therefore, that it is worth considering whether the best approach would be to develop an Asia-Pacific information privacy convention that reflects regional needs. What could be the mechanism for its development, its content, and its means of compliance?
The most promising mechanism for development would seem to be the APII structure within APEC, because privacy protection is most likely to be taken seriously as a condition of the development of the regional information infrastructure (as the Seoul Declaration indicates), and also because it will provide a regional solution. APEC is the broadest regional grouping relevant to the discussion, and the one with most momentum at present.
Insofar as content is concerned, Ch II of the EU draft Directive represents the current thinking of the European nations on minimum standards of privacy protection, and is therefore a valuable starting point for discussion. It is also a desirable starting point because adoption of a similar approach will facilitate the free flow of personal information in both directions between Europe and the Asia-Pacific. However, it should only be a starting point for developing a set of information privacy principles acceptable to Asia-Pacific countries. If such a set of principles can be developed, there is a strong likelihood that this would be regarded as 'adequate protection' by the EU, particularly in light of the reference to 'international commitments' in art 25(5) of the EU draft Directive.
Compliance mechanisms present more of a problem, because the Asia-Pacific region does not have, and is not likely to develop (at least in the short term), regional adjudicative and enforcement mechanisms on the same model as the European Commission and Council or the European Court of Human Rights. One possibility worth considering is whether adoption of the Optional Protocol to the ICCPR by Asia-Pacific countries could provide one method by which regional States could allow an international complaints mechanism to be used to adjudicate the adequacy of their privacy protections. Other new mechanisms will need to be developed within the APII framework, possibly including a Committee of Ministers of the parties to the Convention, and, as in the EU Directive, an Advisory Committee of Privacy Commissioners.
Berthold M, 'Hong Kong's data privacy proposals' (1994) 1 PLPR (Pt I) 165 and (Pt II) 188.
Davies S, Big Brother: Australia's Growing Web of Surveillance, Sydney, Simon and Schuster, 1992.
European Union (The Council) Common Position (EC) No /95. Adopted by the Council on 20 February 1995 with a view to adopting Directive 94/ /EC of the European Parliament and the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.
Flaherty D, Protecting Privacy in Surveillance Societies, University of North Carolina Press, 1989.
Gandy O, The Panoptic Sort - A Political Economy of Personal Information, Westview Press, 1993.
Greenleaf G, 'Implications for Australia of international privacy requirements' Protecting Information Privacy (Conference Proceedings), IIR Conferences, Sydney, June 1994, 64 pgs.
Greenleaf G, (1994b) Human Rights (Sexual Conduct) Bill 1994, (1994) 1 PLPR 121.
Greenleaf G, 'The European privacy Directive - completed' (1995) 2 PLPR 81.
Kirby M, 'The OECD Guidelines for the Security of Information Systems'  Computer Law and Security Report, 190-193.
Laperierre R et al, Crossing the Borders of Privacy: Transborder flows of Personal Data from Canada, Department of Justice, Canada, 1991.
Lyon D, The Electronic Eye - The Rise of Surveillance Society, Polity Press, Cambridge, UK, 1994.
Longworth E and McBride T, 'A privacy code for health', (1994) 1 PLPR 181.
Nugter A, Transborder Flow of Personal Data Within the EC, Kluwer, 1990.
Reidenberg J, 'Rules of the road for global electronic highways: Merging the trade and technical paradigms' (1993) Harvard Journal of Law & Technology, Vol 6, p 287.
Tucker G, 'Present situation and trends in privacy protection in the OECD area', Committee for Information, Computer and Communications Policy, OECD, Paris, 1988.
Tucker G, 'Proposed European telecommunications Directive' (1994) 1 PLPR 123.
Vassilaki, Computer Law & Security Reporter (1993).