Privacy Law and Policy Reporter
The Second Asia Pacific Forum on Privacy and Data Protection (ASPAC II) was held on Sunday 12 September 1999 at the Hong Kong Convention and Exhibition Centre. The first ASPAC meeting was hosted by Stephen Lau, the Hong Kong Privacy Commissioner for Personal Data in April 1998. This second forum was jointly organised by the Australian federal and New Zealand Privacy Commissioners’ offices. This report was supplied by the Australian Privacy Commissioner’s Office.
ASPAC II was a one day meeting aimed at fostering an international exchange of information and practical experience about privacy and data protection issues. The meeting was specifically focused on the promotion of privacy protection within the Asia Pacific region and was designed to complement the 21st International Conference on Privacy and Personal Data Protection, also held in Hong Kong on 13-15 September 1999.
Key aims of the ASPAC II Forum included:
It was encouraging to see a broad range of jurisdictions represented at ASPAC II. These included representatives from Australia, Canada, Federated States of Micronesia, Fiji, Hong Kong SAR, Indonesia, Japan, Kingdom of Tonga, Malaysia, New Zealand, Papua New Guinea, Philippines, Samoa, Singapore, Solomon Islands, Thailand, Tuvalu, United States.
There was also state level representation from Hawaii, Victoria and Western Australia.
Some participation was made possible as a result of funding from the New Zealand Ministry of Foreign Affairs and Trade and the Australian Agency for International Development (AusAID) through their International Seminar Support Scheme.
Preceding the ASPAC II Forum, a briefing session for those new to privacy and data protection issues was conducted at the premises of the Hong Kong Privacy Commissioner for Personal Data. This briefing gave participants a summary of the notion of privacy, general privacy principles and key international institutions and developments to prepare participants for discussion at the Forum. Around 10 representatives attended and presentations were given by Timothy Pilgrim and Ingrid Wilson from the Australian Office of the Federal Privacy Commissioner, and Blair Stewart, Assistant Privacy Commissioner, New Zealand.
The day was chaired jointly by Mr Bruce Slane (New Zealand Privacy Commissioner) and Mr Malcolm Crompton (Federal Privacy Commissioner, Australia).
Each country gave a brief report on the status of privacy law development in their jurisdiction. It was impressive to see that many of the smaller jurisdictions in the Asia Pacific region were making progress in this area; some jurisdictions were implementing new data protection laws, such as Thailand, while Malaysia had established an inter-agency committee to advise on the development of a data protection regime. A number of jurisdictions, such as Indonesia, where there is no specific privacy law, referred to the existence of other laws protecting various types of information such as medical records. Other jurisdictions — for example, Papua New Guinea — have a section in their constitution recognising the right to privacy. Overall, the importance of data protection was recognised and many countries reported their intention to further progress data protection and privacy on their return.
The programme featured the following sessions conducted by a number of guest speakers.
Mr Graham Greenleaf, Professor of Law at the University of NSW, gave a practical demonstration of online privacy and data protection resources. The presentation highlighted a number of key international journals and newsletters on privacy. Professor Greenleaf also gave some useful starting points for conducting privacy related research on the web; see <http://www2.austlii.edu.au/~graham/publications/aspac/resources.html >.
Ulf Brühann from the European Commission discussed the implications of the European Union Directive for countries in the Asia Pacific region. He gave a comprehensive presentation about the objectives of the relevant EU directives. He focused particularly on the restrictions on international transfers of data and provided information about processes, procedures and evaluation criteria used by the Commission for determining whether a third country has ‘adequate’ data protection.
Professor Greenleaf provided additional comment, noting the existence of data export restrictions in laws in the Asia Pacific region; for example, the Hong Kong Ordinance, Quebec and Taiwan laws, and the proposed Australian private sector law will feature controls on transborder data flows. He suggested that an Asia Pacific privacy agreement be developed so as not to impede the free flow of information in the region.
Blair Stewart gave a summary of his comprehensive paper on comparative models of national data protection agencies, which provides a useful starting point for jurisdictions which do not yet have a data protection agency. He noted typical structures of agencies, commonalities and differences between various models and discussed the issue of independence.
Michael Smith, Jersey Data Protection Commissioner, gave an example of the operation of a small jurisdiction in the bailiwick of Jersey.
A session on confronting systematic data protection issues was jointly conducted by Deborah Marshall, Manager, Investigations at the New Zealand Office of the Privacy Commissioner, and Julien Delisle, Executive Director of the Canadian Privacy Commissioner’s office. Deborah Marshall highlighted the use of complaints investigations, legislative monitoring, education and other techniques available to Commissioners to address recurring privacy problems.
Julien Delisle emphasised the importance of the audit function and how a data protection office can use audits strategically to ensure compliance with privacy legislation.
Malcolm Crompton gave a case study highlighting the need to be flexible in the application of privacy principles to ensure they are relevant to people’s needs in a day to day context. He used the example of a project undertaken by the former Privacy Commissioner to develop a set of practical guidelines to assist departmental staff in the Northern Territory to apply the Privacy Act in a way which is culturally appropriate for Aboriginal and Torres Strait Islander people in that community.
The ASPAC II Forum was wrapped up by Bruce Phillips, Privacy Commissioner Canada who provided a brief summary of the day’s discussions.
There was brief discussion of future ASPAC meetings but no decision was made about who would hold the third ASPAC meeting. If participants consider that a third ASPAC ought to be organised, their thoughts on how it should be hosted and funded would be welcome. Rotation of hosting is essential if the workload and resources implications are to be managed, and in order to ensure that the approach is refreshed.