Privacy Law and Policy Reporter
APEC privacy principles Version 2: not quite so Lite, and NZ wants OECD full strength
The APEC privacy initiative, explained and criticised in an earlier article as ‘OECD Lite’ (see (2003) 10(1) PLPR 1), has reached the next stage in its development with the release of the Chair of the Working Group’s draft version 2 of the Principles, and a set of issues for discussion (11 ‘Proposals’) which member economies have put forward for discussion at the APEC E-Commerce Steering Group (ECSG) Privacy Sub Group’s next meeting in August.
Some improvements to the Principles
Version 2 of the Principles, reproduced on p 48, has now discarded the alternative versions in Version 1 and the Chair (Mr Peter Ford, Australia) has settled on one version in light of the comments received. The overall effect is to strengthen the Principles. The Committee Chair has stated that it is not his intention to weaken the OECD Principles in any way.
Of the four criticisms of proposed weakening of the OECD Principles in my previous article, Version 2 has now reverted to the original, stronger, version in three instances.
• APEC IPP 2 no longer refers to ‘collections of personal information’, but reverts to the use of ‘personal data’ throughout.
• The vital control that the purposes of collection ‘should be specified not later than at the time of data collection’ has been reinstated in APEC IPP 3 (in slightly different words from the OECD).
• The OECD concept of ‘data controller’ has been reinstated, broadening the parties who are held responsible for breaches of IPPs.
The OECD right to ‘challenge data’ (IPP 7) is still replaced by the somewhat narrower APEC version of ‘challenge the accuracy of records’.
The New Zealand Government’s suggestions have also been influential in strengthening the re-draft, in at least the following respects.
• The OECD version, rather than the Chair’s version, has been retained in APEC IPP 1 (collection) and IPP 2 (data quality).
• APEC IPP 3 (purpose specification), while it retains elements of the Chair’s redraft, now includes the strengthening recommended by NZ, that secondary uses must be ‘directly related’ to the purpose of collection, not just not ‘inconsistent’ with it.
• The reinstatement of ‘data controller’ fixes other problems identified by NZ.
A remaining weakness which has not been remedied despite NZ pointing it out is that APEC IPP 4 still uses the expression ‘person whose information is collected’, which could potentially raise unnecessary questions about ownership of data. Since the expression has now been replaced elsewhere with ‘data subject’ in Version 2, the position is even worse now, as the inconsistency suggests a difference in meaning.
Other deficiencies identified in my previous article which have now been addressed are:
• there is now a requirement of notice at the time of collection; and
• the weak test of secondary uses being ‘not incompatible’ with the purpose of collection has been abandoned (see below).
However, the deficiency remains (as noted in the previous article) that the ‘limits’ to be placed on the scope of collection of personal information are not defined by any objective standard in APEC IPP 1. This is contrary to most privacy laws in this region which at least include limits such as necessity for one of the purposes or functions of the organisation, and for a lawful purpose.
The Chair has also raised the question of whether the Principles should be ‘limited to electronic data’, but Proposal 1 (by NZ) under discussion proposes to delete this even as a possibility by strengthening the OECD Guidelines (which left this as an option) on this point.
Additional principles under consideration
New Zealand has suggested a new principle limiting data retention:
Limited retention principle (or ‘retention principle’)
When [information/data] no longer [serves/serve] a purpose as specified in paragraph 9 (purpose specification principle), or [is/are] needed for use as allowed for in paragraph 10 (use limitation principle), [it/they] should be destroyed or given an anonymous form.
Australia, apparently adopting a suggestion by its Privacy Commissioner, has suggested the inclusion of the Anonymity Principle as found in Australia’s private sector (and some State public sector) National Privacy Principles:
Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.
Both of these would be considerable improvements, but are not the only ‘new’ (post-1981) principles needing consideration.
Other OECD Parts under consideration
A main element of my previous criticisms of Version 1 of the APEC initiative was that it abandoned all the parts of the OECD Guidelines except the Principles in Pt 2: it was indeed ‘OECD Lite’. There are now a number of ‘Proposals’ under consideration by the APEC committee that will remedy this if adopted. The previous article summarises why these other Parts are important.
Proposal 1 (NZ) essentially adopts the important aspects of scope and definitions of Pt 1 of the OECD Guidelines. The Chair proposes to defer this (Proposal 2) until the text of the Principles is settled.
NZ also suggests (Proposal 5) the adoption of something ‘quite like’ OECD Pt 4 (‘National Implementation’), which emphasises the need for legislation, means of exercising rights, and ‘adequate sanctions and remedies’. As New Zealand points out in its submission, ‘the e-APEC strategy states that the economies should implement comprehensive personal data protection laws’. The Chair, however, wishes to redraft Pt 4 ‘to avoid prescriptive language on means of national implementation’ (Proposal 6). Mr Ford does not specify which aspects of Pt 4 he wishes to water down.
Proposal 3 (NZ again) adopts the equivalents of Pt 3 (‘Free flow and legitimate restrictions’) and Pt 5 (‘International Co-operation’) of the OECD Guidelines. The Chair proposes to defer consideration of Pt 3 (Proposal 4) until decisions on implementation mechanisms are adopted, but would like to adopt Pt 5 forthwith (Proposal 7). No doubt the Chair also wishes to avoid anything prescriptive about data export limitations, given the ‘self-certification’ approach of Version 1 (see earlier article).
There are therefore some differences apparent within the APEC committee, between those who want to at least stick to what the OECD Guidelines require in relation to implementation and those who wish the APEC version to be watered down as regards implementation (including data exports). The committee is comprised of Australia (chair), Canada, China, Hong Kong, Japan, Korea, Malaysia, New Zealand, Thailand and the United States. The views of members other than Australia and New Zealand are not known to the author.
The Asia-Pacific Telecommunity Privacy Guidelines
A wildcard entry into these developments may be the separate set of regional privacy Guidelines being developed by the Asia-Pacific Telecommunity (APT), chaired by Korea, a country with a strong privacy law (see (2003) 9(9) PLPR 172). APT is a regional telecommunications organisation established in 1979 under an intergovernmental agreement and responsible for the development of telecommunications services in the Asia-Pacific Region. In accordance with a request made at the 22nd APT Study Group Meeting, the Korea Information Security Agency (KISA) is drafting the APT privacy guidelines.
According to the most recent Status Report, ‘the prime objective of the APT guidelines is to help APT member countries to enact laws or make policies on personal data protection’. The approach to development of the Guidelines is as follows:
Certainly, the OECD privacy guidelines and EU Directives will be considered in outlining the APT privacy guidelines. Nonetheless, the APT privacy guidelines will be written on the basis of the diverse characteristics of APT member countries’ cultures and economies.
To complicate regional matters even further, APT expects to consult a Working Group to be organised within the Asia Privacy Forum, an international body composed of major Asian countries (see (2003) 9(10) PLPR 200 for details) but excluding APEC countries like Australia, New Zealand, Canada, US, Mexico and so on.
KISA intended that a first draft of the APT guidelines would be circulated in May 2003, with the final draft presented to the 23rd APT Study Group Meeting to be held in Maldives in July 2003. No further information is yet available on the APT website. If final APT Guidelines are available so soon, APEC will not be working with a clean slate in the region.
Other regional inputs
Meanwhile, regional non-government privacy experts have formed the Asia-Pacific Privacy Charter Council (APPCC) to help provide ‘civil society’ input into APEC, APT and other regional and national privacy deliberations (see p 49).
Whether the Asia-Pacific privacy Commissioners will also provide any collective input into these processes, analogous to the Article 29 Committee of European Privacy Commissioners that has been so outspoken and effective, remains to be seen. There is no evidence of it at this stage.
Graham Greenleaf, General Editor.
. A copy of the full Version 2 is available at <www.bakercyberlawcentre.org/appcc/apec_redraft_v2.htm>
. Personal communication.
. A copy has been obtained by the author under New Zealand’s Official Information Act 1982.
. Status Report on Drafting the Asia-Pacific Telecommunity (APT) Privacy Guidelines submitted by Korea to the APEC Data Privacy Workshop (Panel IV) Chiang Rai, Thailand 13 February 2003; available at <www.apecsec.org.sg/> in the directory Publications/Publications and Library/E-Commerce.