Privacy Law and Policy Reporter
The Privacy Commissioner for Personal Data of Hong Kong presented this paper entitled ‘The Asian Status with respect to the observance of the OECD Guidelines and the EU Directive’, at the 19th International Conference of Privacy Data Protection Commissioners, Brussels, Belgium, on 17-19 September 1997. Some headings have been changed for publication purposes (General Editor)
With the increasing tempo of global trade and service activities between Asia and the rest of the world, coupled with the recognition and expectations of increasingly affluent Asian communities for respect of human rights, including privacy, the issue of information privacy is receiving significant attention from Asian governments. As of today, there are three jurisdictions in Asia which have generic laws for the protection of personal data. They are:
Japan: The Act for Protection of Computer Processed Personal Data held by Administrative Organs (enacted December 1988); Key Aspects: it only covers the federal agencies, and only computer processing systems with personal data
Taiwan: Law Governing Protection of Personal Data Processed by Computers (enacted July 1995); Key Aspects: it covers both the public and private sectors, but only computer processing systems with personal data
Hong Kong: The Personal Data (Privacy) Ordinance (enacted September 1995); Key Aspects: it covers both the public and private sectors, and the processing of both automated and manual data. It also creates an independent supervisory body with significant enforcement powers.
The provisions of these three laws are reviewed in terms of conformance to the OECD principles and the EU Directive concerning privacy.
The Organisation for Economic Co-operation and Development (OECD), whose membership includes many European countries and the USA, Australia, New Zealand and Japan, is primarily concerned with the economic development of its member states. In an effort to reconcile fundamental but competing values such as privacy and the free flow of information, the OECD recommended in September 1980 that member countries take into account in their domestic regulation the principles concerning the protection of privacy and individual liberties set forth in a set of guidelines governing the protection of privacy and transborder flow of personal data.
Within these guidelines are eight basic principles in the protection of information privacy. These principles, and variations thereof, have been the universal basis for the formulation of national legislation in privacy and personal data protection in many countries.
There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
Hong Kong: Data Protection Principle 1 states that personal data shall be collected by means which are lawful and fair in the circumstances of the case, that the data subject is explicitly or implicitly informed, on or before collecting the data, of whether it is obligatory or voluntary for him to supply the data, and that the data collected are adequate but not excessive in relation to the purpose of collection. Observation: General conformance.
Taiwan: Article 6 requires that
The collection or utilisation of personal data shall respect the rights and interests of the principal and such personal data shall be handled in accordance with the principles of honesty and credibility so as not to exceed the scope of the specific purpose.
Observation: Limit to collection of data is explicit. Lawful collection is implied in ‘respecting the rights’ of the data subject, and fairness is implied in ‘the principles of honesty and credibility’. General conformance.
Japan: Article 4 (1) requires the data user ‘in holding a personal data file shall confine itself to the extent necessary to perform the competent function provided by law’, where ‘holding’ is explicitly defined as ‘compiling or obtaining and maintaining’. Observation: Article 4 embodies the essence of collection limitation, though there is no explicit statement regarding the lawful and fair means of data collection.
Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
Hong Kong: Data Protection Principle 2 requires that all practical steps shall be taken to ensure that personal data are accurate and personal data shall not be kept longer than is necessary for the fulfilment of the purpose. ‘Inaccurate data’ are defined in the law as data which are ‘incorrect, misleading, incomplete or obsolete’. Observation: The requirement for accuracy is met, and the relevancy of personal data with regard to the specified purpose is met through the requirements of deletion, when appropriate, and the limits on data collection.
Taiwan: The law requires a data user to ‘maintain the accuracy of personal data’ (Article 13) and when the specific purpose for use no longer exists, a data user shall delete the data. Observation: General conformance though there is no definition of ‘accuracy’.
Japan: Article 4(2) requires ‘data recorded in personal data files shall not exceed the limit necessary for accomplishing the purpose of holding the personal data file’. Article 5(2) requires the data user to ‘strive to ensure that the processed data should correspond with past and present facts’. Observation: The relevancy of personal data is implicitly met through Art 4(2), and accuracy is implicitly met through Art 5(2).
The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
Hong Kong: Data Protection Principle 1 states that the data subject is explicitly informed, on or before collecting the data, of the purpose for which the data are to be used. Observation: General conformance. In addition, on or before data collection, the data subject is explicitly informed of the class of persons to whom the data may be transferred and of his rights to request access to and to request the correction of the data.
Taiwan: Data shall not be collected by a data user unless ‘it has some specific purpose’ (Arts 6 and 18). Observation: That there is a purpose at the time of collection is implied. The law goes further to specify the purpose criteria within which the data user can collect and process data, e.g. ‘it is within the scope of job functions provided by law and regulations’, ‘there is no possibility that it shall infringe upon the rights and interests of the individual’ etc.
Japan: Article 4(1) requires the data user ‘in holding a personal data file, shall specify the purpose of such holding as much as possible’. Observation: As ‘holding’ includes ‘compiling and obtaining’, the purpose of collection is implicitly specified at or before the time of collection.
Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with the Purpose Specification Principle except : (a) with the consent of the data subject; or (b) by the authority of law.
Hong Kong: Data Protection Principle 3 requires prescribed consent from the data subject before personal data can be used for a different purpose from the one specified at the time of collection. There are exemptions to this principle, as defined in the Ordinance which takes into account the authority of law. Observation: Prescribed consent is required and there are specific conditions for change of use without consent from the data subject, for example national defence, prevention of crime, taxation assessment, health.
Taiwan: A data user ‘shall utilise personal data within the scope of the specific purposes’, and it may also utilise these data for other purposes with ‘written consent’ of the data subject, ‘provided for in the laws and regulations’, and other conditions without the consent of the data subject, including ‘safeguarding national security’, ‘improve public interests’, ‘preventing the rights and interests of another from being seriously damaged’, ‘benefit the rights and interests’ of the data subject, etc. Observation: Prescribed (written) consent is required; and there are broad and general conditions for change of use without the data subject’s consent.
Japan: Article 9(1) states that ‘data shall not be used or provided for any purpose other than the file holding purpose’. Exceptions to this provision include ‘when there is a consent of the data subject’, and when permitted by law. Observation: General conformance.
Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.
Hong Kong: Data Protection Principle 4 requires all practical steps shall be taken to ensure personal data held by a data user are protected against unauthorised access, processing, erasure or other uses, with particular regard to physical location, data sensitivity, automatic systems security, data integrity and people competence and data transmission. Observation: General conformance.
Taiwan: Article 17 requires the data user to ‘appoint a full time employee to handle matters relevant to the security and maintenance of said files to prevent personal data from being stolen, altered without authorisation, damaged, lost or disclosed’. Observation: General conformance.
Japan: Article 5(1) requires the data user and its current and former staff engaged in data processing to ‘strive to take measures necessary for prevention of leakage, loss, destruction of personal data or other proper managements’. Observation: General conformance.
There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.
Hong Kong: Data Protection Principle 5 requires that all practical steps shall be taken to ensure a person can access and ascertain a data user’s policies and practices in relation to personal data, and be informed of the kinds of personal data held and the main purposes for which personal data are used by a data user. Data Protection Principle 1 also requires that, at the time of data collection, the data subject be informed of his access rights and the name and address of the individual (data controller) to whom such requests may be made. Observation: General conformance.
Taiwan: Article 10 requires government agencies and non-government agencies to gazette or publicly announce details including the purpose of personal data systems, the scope and classification of personal data held, name and address of agency or person responsible for data access and correction requests. Observation: General conformance.
Japan: Article 8(1) requires the co-ordinating authority, the Management & Coordination Agency, to ‘make public in the official gazette at least once a year’ details of personal data files held by data users, such details including the file holding purposes, record items, data transferees, and the name and location of the organisation which accepts data access and correction requests. Observation: General conformance.
An individual should have the right:
(a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
(b) to have communicated to him, data relating to him (i) within a reasonable time; (ii) at a charge, if any, that is not excessive; (iii) in a reasonable manner; and (iv) in a form that is readily intelligible to him;
(c) to be given reasons if a request made under sub-paragraphs (a) and (b) is denied, and to be able to challenge such denial; and
(d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.
Hong Kong: The requirements of this OECD principle are contained almost verbatim in Data Protection Principle 6 of the Hong Kong law. The request must be responded to within 40 days from the date of the request. Observation: General conformance.
Taiwan: The rights of the data subject are specified in the law, including request for review, request to make copies and correction, and request to discontinue processing (Article 4). The request should be ‘handled’ within 30 days (Article 15). A service fee may be prescribed by the data user (Arts 16 and 26). Denial of the data subject’s right or failure to respond within 30 days by the data user could be challenged by the data subject through petitioning the agencies’ supervisory authorities (Arts 31 and 32). Observation: General conformance, though there is no qualification to the level of service fee to be charged, and there is no provision on the ‘intelligible format’ of data to be supplied in response to an access request; however, the right to ‘request to discontinue processing personal data’ goes beyond this OECD principle.
Japan: Article 13(1) endows access rights to the data subject which requires a response from the data user within 30 days from the request date [Art 15(1)]. The data subject is required to pay fees ‘in accordance with the provision of cabinet order’ [Art 16(1)] plus postage for mailing [Art 16(2)]. Denial of access request requires the data user to provide reasons for such denial in writing [Art 14(2)]. The data subject can complain to the ‘head’ of the data user ‘concerning use, providing or disclosure of the processed data, or applications for correction etc.’ (Art 20). Observation: General conformance, though there is no provision of the ‘intelligible format’ of data supplied in response to an access request, and no qualification on the level of fee charges.
A data controller should be accountable for conforming with measures which give effect to the principles stated above.
Hong Kong: The Hong Kong Ordinance (Art 4) requires a data user not to do an act, or engage in a practice, that contravenes the data protection principles unless the act or practice is exempted from such principles under this Ordinance. Data users who breach the provisions in the Ordinance commit an offence and are liable on conviction to a fine and/or imprisonment up to two years. Furthermore, an individual who suffers damage by reason of a contravention of a requirement under the Ordinance by a data user is entitled to compensation from that data user for that damage, which includes injury to feelings. Observation: General conformance.
Taiwan: The law, through Arts 27-41, prescribes a whole range of damages, compensation and penalties including imprisonment for a wide spectrum of infringement of rights, improper profiteering, unlawful gains. Observation: General conformance.
Japan: Article 21 requires the ‘head’ of a data user to submit, if requested by the Management and Coordination Agency (MCA), ‘materials and to give explanation with regard to the operation of functions concerning computer processing etc of the personal data handled’ by the data user. The MCA may also ‘give an opinion to the Prime Minister’ or the heads of the data user ‘with regard to dealing with computer processed personal data’ in order to achieve the purpose of this law (Art 22). Observation: Apart from administrative accountability, there is no provision for penalties for non-compliance with the law by the data users, nor for compensation to the data subjects for infringement of their rights. However, data subjects seeking data access ‘by deceit or other unjust means shall be liable to a correctional fees of not more than 100,000 yen’ (Art 25).
Adopted by the Council in July 1995, the European Union Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data is another milestone in the global initiative towards the protection of personal data. While enshrining a set of data protection principles as in the OECD guidelines, it goes beyond the OECD guidelines in a number of significant aspects, including the specification of desirable standard requirements for a legal and administrative framework for member countries, coverage of both public and private sectors without distinction, operational areas where exemptions apply with regard to the data protection principles, etc. Apart from the harmonisation of privacy laws in member countries, the prohibition of the transfer of personal data from member countries to other countries which do not have adequate data protection laws could have a far-reaching impact on bilateral relationships in trade and commerce between the member countries and other countries.
A number of significant requirements of the Directive are selected for discussion vis-à-vis the data protection law in Hong Kong, Taiwan and Japan: scope coverage; personal data filing systems; purpose specification; sensitive data; supervisory authority; transborder data flow; automated processing which poses risks to the individual’s rights and freedom; codes of conduct; notification and registration.
The Directive covers both the public and private sectors with no distinction in the rules governing both sectors.
Hong Kong: Article 3 states that the law ‘binds the Government’. Observation: General conformance. The public sector is covered by the law by virtue of Art 3. The private sector is included by virtue of the common law system in that the private sector needs to conform with all laws unless its specific exclusion is explicitly provisioned in a law.
Taiwan: The law covers ‘Government agencies at the central government or local government level’; as well as ‘non-government agencies’ which explicitly include ‘credit search businesses’, and ‘groups or individuals whose major line of business is to collect or process personal data by computers’, ‘hospital, schools, telecommunication, financial, securities, insurance and mass communications industries’, and ‘other businesses groups or individuals designated by the Ministry of Justice’. Observation: General conformance in terms of coverage, as the whole public sector is covered as well as the most obvious industries in the private sector, together with the authority to include other private sector entities as the government sees fit. However, there are differences in treatment for the two sectors.
Japan: The law only applies to ‘national administrative organs’ (federal agencies), though ‘local government and public corporations shall take into account the national measures under the provisions of this Act, and strive to take necessary actions to secure proper dealing with personal data’ (Arts 26 and 27). Observation: Partial conformance. The law does not cover the private sector.
The definition of Personal Data Filing Systems, which includes ‘any structured set of personal data’, is intended to cover both computer and manual processing of data.
Hong Kong: Personal Data System is defined as ‘any system, whether or not automated, which is used, whether in whole or in part, by a data user for the collection, holding, processing or use of personal data, and includes any document and equipment forming part of the system’. Observation: General conformance.
Taiwan: The law is to ‘govern the processing of personal data by computers’ (Art 1). Observation: Manual processing of personal data is not covered by the law.
Japan: The act applies to ‘computer processed personal data’. Observation: Manual processing of personal data is not covered.
Article 7 requires that personal data may only be processed if
i) the data subject gives consent
ii) processing is necessary for contract performance
iii) processing is necessary for legal compliance
iv) processing is necessary to protect the vital interests of the data subject
v) processing is necessary for public interest
vi) processing is necessary for legitimate interests
Hong Kong: There is no provision for purpose specification.
Taiwan: General conformance through Arts 7 and 18 which require that personal data may only be processed if
i) the data subject gives consent
ii) the processing is within the scope of job functions provided by law and regulations
iii) there is no possibility it shall infringe upon the rights and interests of the data subject
iv) there is a contractual relationship
v) the information is public knowledge
vi) there is a need for academic study
Observation: General conformance.
Japan: Processing of data by a government agency is ‘confined to the extent necessary to perform the competent function provided by law’ (Art 4). Observation: Partial conformance.
Article 8 requires ‘member states to prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership and the processing of data concerning health or sex life’ except:
i) with the explicit consent of the data subject
ii) in line with employment law
iii) for the vital interests of the data subject
iv) for non-profit making bodies for their members
v) for defence of legal claims
Hong Kong: There is no provision specifying categories of sensitive data.
Article 28 requires member countries to have ‘one or more public authorities to be responsible for monitoring’ the compliance of legal provisions to protect personal data. These authorities ‘shall act with complete independence in exercising the functions entrusted to them’, and be endowed with ‘investigative powers’, ‘effective powers of intervention’, and ‘the power to engage legal proceedings’ against violations. The authority should also publish and make public reports on its activities at regular intervals.
Hong Kong: The law explicitly establishes the Office of the Privacy Commissioner for Personal Data, and the Commissioner ‘shall monitor and supervise compliance with the provision of the Ordinance’. That ‘the Commissioner shall not be regarded as a servant or agent of the Government’ [Art 5(8)] provides his independent status. The Commissioner has the power to carry out inspections of any personal data systems, and to receive and investigate complaints with powers of entry and summons. He also has the power to issue ‘enforcement notices’ to data users to remedy any contravention of the law. As a regulatory authority, the Commissioner can initiate legal proceedings on offences through referral to the Department of Justice for prosecution. The Commissioner is required to furnish an annual report to the legislature on activities relevant to his functions. This annual report is made available to the public. Observation: General conformance.
Taiwan: ‘The Ministry of Justice is responsible for coordinating and contacting matters relevant to the enforcement of the law’ (Art 42) and prescribing ‘the enforcement rules of the law’ (Art 44). Compliance with the law by a non-government agency (private sector) is supervised by the government authority in charge of the industry to which the non-government agency belongs. These government authorities have powers including the granting and revoking of registered licence to process personal data systems (Art 19), prescribing criteria for fee charging for data access and correction requests by data subjects (Art 26), handling appeals by data subjects (Art 32), investigation and enforcement (Art 25), and imposition of fines on the non-government agencies (Arts 38-41). Appeals against a government agency by data subjects can be lodged with the supervisory agency of the said government agency (data user). The supervising agency is required to respond to the appeal in writing (Art 31). Observation: There does not seem to be an independent supervisory body from the perspective that there is not a public supervisory body independent of government. Apart from this issue of independence, the private sector’s supervisory government agencies have the powers to conform generally to the Directive, whereas the public sector’s data users (government agencies) do not seem to be supervised in terms of compliance. It may be that the role played by the overall co-ordinating Ministry of Justice covers this supervisory aspect through its prescribed enforcement rules of the law, though such rules are not specified in the law.
Japan: The Management and Coordination Agency (MCA) is the body responsible for receiving notifications from federal agencies regarding their personal data systems. MCA also has the authority to request the federal agencies to provide information and explanation when MCA finds it necessary to do so with regard to the operations concerning the computer processing of personal data, and to give an opinion to the Prime Minister or to the federal agencies on such operations (Arts 21 and 22). Observation: There does not seem to be an independent supervisory authority from the perspective that there is not a public supervisory body independent of government. Also, it seems that MCA is more a co-ordinating body than a supervisory body, with authority to request information and advise the agencies rather than the legal power to investigate, intervene and sanction.
Article 25 provides ‘that the transfer to a third country of personal data may take place only if .... the third country in question ensures an adequate level of protection’. Exemptions from Art 25 are:
i) unambiguous consent from the data subject
ii) the transfer is necessary for the performance of a contract
iii) the transfer is in the vital interest of the data subject
iv) the transfer is in the public interest
v) the transfer is made from a public register
vi) the state may authorise data transfers if there is appropriate protection through contractual clauses between the data user and the data recipient
Hong Kong: Article 33 requires that no data should be transferred to a place outside Hong Kong unless:
i) the place has a law ‘equivalent’ to the Hong Kong Law as determined by the Commissioner
ii) the data user has reasonable grounds to believe there is an equivalent law
iii) the data subject gives his prescribed consent
iv) the data user believes that the transfer is in the data subject’s interest
v) general exemptions including public interest are applicable
vi) the data user takes all reasonable precautions and exercises due diligence to ensure equivalent protection in the receiving country for data transferred
Observation: The ‘equivalence’ requirement is perceived as ‘adequacy’ to meet the EU requirements given the breadth and depth of the Hong Kong law. In addition, Art 33 makes data users whose principal place of business is in Hong Kong responsible for compliance in respect of data transferred to other places. This requirement closes the EU Directive’s loophole for possible off-shore operations to avoid legal data protection.
Taiwan: For government agencies, ‘the international transmission and utilisation of personal data by the government agency shall be handled in accordance with relevant law and regulations’. For non-government agencies (private sector), the ‘international transmission and utilisation of personal data may be limited’ (Art 24): where major national interests are involved; where national treaty or agreement specifies otherwise; where the nation receiving personal data lacks laws which fairly protect the rights and interests of the data subject thereby causing injury to the data subject; and where international transmission and utilisation of personal data are made through a circuitous means in order to evade the provisions of this law. Observation: Control on data transfer by the public sector ‘in accordance with relevant law and regulations’ is non-specific; the provisions for the private sector are in line with the requirements of the EU Directive except there is no provision for contractual solutions, though the EU’s loophole for data havens is closed through Art 24(4).
Japan: There is no provision relating to transborder data flow in the law.
The individual has the right not to be subject to a decision based on such automatic processing except where pursuant to a contract or authorised by law (Art 15).
Such processing needs to be subject to prior checking by the supervisory authority (Art 20).
The individual has the right to obtain knowledge of the logic involved in such automatic processing (Art 12(1)).
Hong Kong: Data users who wish to carry out data matching, defined as automatic matching of personal data of a data subject collected for different purposes which could result in adverse action taken against the data subject, require approval from the Commissioner through submission of an application detailing whether the matching is in the public interest, the kinds of personal data to be matched, the logic of processing, the likely consequences, any practical alternatives and the benefits derived (Art 30 and Sched 5). Observation: General conformance, and it should be noted that the rights of the individual are guarded by the independent Commissioner.
Taiwan: Data users cannot collect or process personal data if the purpose infringes upon the rights and interests of the individual (Arts 7 and 18). For private sector data users, their processing systems need to be registered and licensed by the supervisory agency in charge of the relevant industry. Observation: General conformance, though the public sector data users, seemingly without a supervisory and registration body, would exercise self-regulation in terms of compliance.
Japan: The purpose of the law is ‘to protect personal rights and interests of individuals’ (Art 1). While the processing of data by the federal agencies is confined to the purpose of ‘performing the competent function provided for by law’, exemptions to allow processing beyond the specified purpose are provided, but these exemptions should not be applied ‘where it is recognised that the rights and interests of the data subject or third parties are likely to be improperly infringed upon’ (Art 9(2)). Observation: Given the logical assumption that the functions of the federal agencies provided for by law do not pose risks to the individual’s rights, the law provides safeguards to prevent infringement of rights from the use of data for other permitted purposes. Compliance with the law by the federal agencies is seemingly through self-regulation.
The member states should encourage and the supervisory authorities should assist in the drawing up of sectoral codes of conduct by trade and professional associations for personal data protection (Art 27).
Hong Kong: The Commissioner has the power to issue and approve sectoral codes of practice in consultation with relevant representative bodies (Art 12). Formal approval provides a legal basis for the code (Art 13). Apart from sectoral codes, the law also requires the Commissioner to draw up a code for the use of personal identifiers within a year of the commencement of the law. Observation: General conformance.
Taiwan: There is no provision for codes of conduct.
Japan: There is no provision for codes of conduct.
Articles 18 and 19 require data users to notify the supervisory authority of the details of automatic personal data systems before processing. A register of such operations notified should be kept by the supervisory authority and open for access by the public (Art 21).
Hong Kong: Under Art 14, the Commissioner may specify classes of data users required to submit notifications of details of personal data systems. Such notifications are made public and their details are kept in a register with the Commissioner available for public access (Arts 15 and 16). Observation: General conformance.
Taiwan: Government agencies are required to gazette details of personal data systems which they process, and maintain a register of such details for review (Arts 10 and 14). Non-government agencies (private sector) need to register their personal data systems with the government agency responsible for the industry and be granted a licence to process such systems (Art 20). The data user is required to maintain a register of the details of the systems which it processes (Art 22). Observation: General conformance, though the licensing aspect for the use of personal data systems in the private sector goes beyond the Directive. The registers are kept by the data users, and not the supervisory authorities.
Japan: The government agencies should notify the Management and Coordination Agency (MCA) of details of their personal data systems prior to processing (Art 6). MCA is required to make public such notifications in the official gazette (Art 8). A government agency should have a register of its personal data systems for public access (Art 7). Observation: General conformance, though the registers are kept by the data users and not by the supervisory authority.
The Hong Kong, Taiwan and Japan laws are in general conformance with the OECD principles.
As for the EU Directive, the preceding review indicates the following overall observations:
Hong Kong: General conformance except in some areas including purpose specification; processing of sensitive data.
Taiwan: Partial conformance. Debatable areas include manual structured data processing; processing of sensitive data; independent supervisory body; transborder data flow for public sector; codes of conduct.
Japan: Partial conformance. Debatable areas include private sector coverage; manual structured data processing; processing of sensitive data; independent supervisory body; transborder data flow; codes of conduct.
Other Asian countries
Malaysia: Malaysia plans to enact a generic law on personal data protection in March 1998. The law is expected to cover both the public and private sectors, automated and manual data processing, and to create an independent supervisory authority. A committee is currently studying the implications of the OECD Guidelines and the EU Directive to formulate the new law.
Philippines: There is no generic law on personal data protection. The Human Rights Commission is interested in this issue, its Commissioner having attended the recent Australia/New Zealand Commissioners’ meeting in Auckland in July. It is planned to have an inter-agency meeting to further this issue.
Singapore: Though there is no generic law on personal data protection, Singapore has privacy protection in specific areas including taxation, provident fund and banking. Singapore is very much aware of the OECD Guidelines and the EU Directive and is monitoring the international development in personal data protection with keen interest.
Indonesia/China: These countries have no generic law on personal data protection, and it is not clear when such a law would be planned.
Author’s Note: The observations and comments on the provisions of the Hong Kong, Taiwan and Japan law with regard to conformance with the OECD principles and the EU Directive are based on my personal interpretations and inferences of the OECD principles, the EU Directive, and the English version of the three laws. It is intended to be a comparative study to achieve a better understanding of the three laws relative to two international proclamations and not a study to reflect, infer or judge the degree of ‘adequacy’ or ‘comprehensiveness’ of the three laws.
Privacy Commissioner for Personal Data, Hong Kong