Privacy Law and Policy Reporter
APEC Privacy Principles: more Lite with every version
APEC’s draft privacy principles are little more than six months old, but by September 2003 were already in their fifth draft. I previously criticised Version 1 as being ‘OECD Lite’ because it did not even include all of the 1980 OECD Privacy Guidelines, on which it was ostensibly based, and also because those 1980 standards were an inadequate starting point in any event for privacy standards for the Asia-Pacific region in the 21st century. I considered that Version 2 was ‘not quite so Lite’ because it included some strengthening of the Privacy Principles, and also because it appeared to be moving in the direction of adopting something like the rest of the OECD Guidelines concerning implementation.
Versions 3, 4 and 5 (the latest dated September 2003) have since been considered by APEC’s Privacy Sub-Group of the E-Commerce Steering Committee under the chairmanship of Mr Peter Ford (Australia). However, only Version 3 is publicly available, as Mr Ford has advised that no further versions will be made public until the Sub-Group completes its deliberations on the Principles in February 2004.
Versions 3–5 have progressively weakened the APEC draft from its already weak starting point. This weakening appears to coincide with serious United States engagement with this APEC process. It consists of:
(1) further weakening the principles proposed in V2, in some cases to a standard lower than the OECD;
(2) failure to consider new principles already implemented in this region;
(3) introduction of retrograde new principles at the behest of the US; and
(4) failure to consider implementation measures.
Each of these is considered in turn.
Further weakening the Principles
Version 5’s implementation of the privacy Principles in the OECD Guidelines is weaker than Version 2 in the following four ways.
1. Principle 3 (Purpose Specification) was given a major strengthening in Version 2 that required secondary uses of personal information to be ‘directly related’ to the purposes of collection (recommended by New Zealand). Versions 3–5 revert to the lower OECD standard that secondary uses are allowed provided they are ‘not incompatible’ with the purpose of collection (now in Principle 3 (Use Limitation)).
2. Principle 3 (Use Limitation) now includes three further exceptions to the limitation on secondary uses, all of which threaten this key ‘finality’ principle.
• The standard term ‘consent’ to describe the exception based on the agreement of the data subject (used in most regional legislation) has been changed to the less clear wording of ‘requested or authorised’.
• There is a new exception for purposes ‘individuals were told about or are clear to reasonable individuals from the context in which the information was collected’. This could easily be interpreted as scrapping the requirement of notice of purposes of collection wherever they would be ‘clear’ to some ‘reasonable’ person. Such notice is one of the important privacy protections for individuals, and one of the strongest inhibitors on organisations against use for unacceptable purposes. It is particularly valuable when it is given to someone who is ‘outside the average’ and to whom the use of certain information is particularly sensitive, as it alerts them to object.
• There is a new exception for purposes ‘that would have legitimate cause to avoid immediate danger to the life, body, freedom or property of the person’. This could be acceptable in relation to avoiding immediate danger to people’s lives, or bodily harm. However, it is uncertain in scope and open to abuse in proposing that immediate danger to any ‘property’ (which could even include intellectual property) should always trump privacy rights. At least in the US context, the vague notion of threats to ‘freedom’ could include freedom of speech, implying that freedom of speech will always prevail over privacy. As the APEC Committee Chair notes in the draft, these matters can also be considered to be adequately covered by the exception for uses ‘required or authorised by law’. This at least suggests that any such exceptions should have the precision of legislative definition.
3. Principle 3 (Purpose Specification) included in Version 2 a clear requirement of notice: ‘Organisations should tell people whose data they collect what they intend to do with the data collected no later than at the time they collect the data’ (again, at NZ’s request). In Version 5 this has been reduced to a vague statement (in Principle 4 (Intended Uses)) that ‘Organisations should provide clear and accessible statements about their practices and policies on handling an individual’s personal information’, with no indication that this is at or before the time of collection — which is vague enough to allow information only to be provided on request. When coupled with the new exception for ‘clear’ purposes in Principle 3 discussed above, it seems that the protection given by notice of purpose is being scrapped.
4. Principle 7 (Individual Participation) has been transformed from the quite specific set of OECD requirements that survived into Version 3 (see below) into a vague requirement in Version 5 that only says that individuals should be given ‘reasonable access’ to information about them, and then further qualifies it by stating that ‘Generally, individuals should have such access except where the provision of the information would be prohibitively costly, or the information should not be disclosed for legal, security or commercial proprietary reasons’. The blanket exemption from access for any ‘proprietary reason’ is clearly open to abuse, particularly as it does not require any considerations of proportionality, or requirements for limited disclosure or use of trusted third party intermediaries.
In summary, we may say that Version 5 involves significant weakening of the key protective privacy principles — limits on secondary use (finality), notice, and the right of access — to a level below both the standards set by Version 2, and by the OECD privacy principles.
Failure to consider existing regional principles
Version 3 included proposals under consideration for a number of new privacy principles not found explicitly in the OECD Guidelines: ‘limited retention’; ‘anonymity’; and ‘unique identifiers’. By Version 5 the only new Principle still under consideration is ‘limited retention’.
As is detailed below, the APEC Sub-Group is failing to consider principles which have already been adopted in some form in a number of jurisdictions in the Asia-Pacific region, and in that sense are already on the way to becoming de facto regional standards.
Retrograde new principles at US behest
Instead of new privacy protective principles, APEC is considering two new principles suggested by the US which have the potential to reduce privacy protection. In Version 5 these now appear as follows:
Proposal 2 (US) Preventing harm
Personal information protections should be designated to prevent the harmful use of personal information. Specific obligations therefore, should be proportionate to the likelihood and severity of the harm threatened by the collection, use and transfer of the personal information.
While the sentiment behind such statements may seem unexceptional, it is better to place a ‘prevention of harm’ principle in the part dealing with implementation and remedies. Once it is accepted that the privacy principles are of universal application to personal information, it then becomes reasonable to use a ‘prevention of harm’ criterion to restrict access to remedial processes (as is done in New Zealand) or to lessen the compliance burden in areas where harm is less likely.
To elevate this to a principle on a par with the other privacy principles makes it easier to allow wholesale exemptions from the law like Australia’s ‘small business’ exemption (one of the reasons that European Union bodies regard the Australian law as inadequate). It also makes it easier to argue that there is no need for any uniform privacy laws at all but only for laws in sectors which pose some special danger (the approach taken in the US to date). The problem with the creation of such ‘privacy-free zones’ is that even those of the principles that are applicable, and can be implemented in a proportionate way (such as access to a person’s own records), are lost by such wholesale exemptions.
Proposal 5 (US) Maximizing the Benefits of Privacy Protections
Protecting individual privacy and ensuring the free flow of information without unfair barriers within and across borders are both essential to the growth of the increasingly important global economy, and offer benefits to individuals and economies alike. In order to maximize the economic and social benefits to participants resulting from the current and evolving business models and communication media, both individual privacy protection and the free flow of information should be promoted. Therefore, approaches to personal information protections should balance these two important goals without unduly interfering with or impeding either interest.
While it might be reasonable for some such comments to go in the preamble to the APEC Guidelines, to elevate this to the status of a principle would make the operation of all the other principles completely uncertain, because ‘free flow’ could be interpreted to trump just about anything else.
Failure to consider implementation measures
Version 2 included for consideration by the APEC Sub-Group equivalents of the other Parts of the OECD Guidelines which were missing from Version 1 and were essential to their integrity and purpose. These included Pt 4 (National implementation), Pt 3 (Free flow and legitimate restrictions), and Pt 5 (International co-operation).
All of these proposals have disappeared from Version 5, being replaced by a ‘Part IV. Implementation Mechanisms’ which merely says ‘to be discussed in early 2004’. This is presumably a reference to a proposed meeting on the APEC guidelines to be held in Santiago, Chile, in August/September 2004, where it is understood that the APEC Privacy Principles will be released and regional Privacy Commissioners will then be asked to give advice on what might be desirable implementation measures.
Separating consideration of the principles from consideration of implementation makes it very difficult to understand the significance of changes in wording of the principles. For example, how detailed the principles need to be depends a great deal on whether self-certification of compliance for data export limitation purposes (as proposed by Australia) is accepted, or whether external forms of assessment will apply. If self-certification applies, then more detailed principles would act as a safeguard against abuse.
It would be preferable if the APEC process moved forward on both aspects in parallel. By the time implementation is considered, it may be too late to change the principles that will be proposed to APEC. Perhaps that is what is intended.
The only specific comment about implementation measures in Version 5 is a comment by the Chair that it might be useful to consider a data export limitation principle based on the approach of allowing transfers only if the recipient organisation has ‘taken reasonable steps to ensure that the information which it has transferred will not be held, used or disclosed by the recipient of the information inconsistently with’ the Guidelines. The US is to draft a version of this for consideration. This would seem to be a case of allowing the fox to guard the henhouse, but what it comes up with should be considered on its merits.
Alternatives: building on regional standards
In discussing the APEC process, Hong Kong Privacy Commissioner Raymond Tang has commented that:
While the OECD Guidelines and European Union Directives offered a starting point for discussions my inclination is that a more regiocentric set of guidelines will ultimately emerge in the final drafting.
Commissioner Tang does not indicate what a more regional set of privacy principles would look like, but there are at least two sources on which we can draw to develop genuinely regional standards which also give a stronger level of privacy protection: (1) existing regional privacy laws; and (2) the draft APT Privacy Guidelines.
Emerging standards in existing regional privacy laws
The most obvious and significant place to look is to actual standards already implemented in regional privacy laws such as the laws of Korea, Canada, Hong Kong, New Zealand, Taiwan, Australia and Japan. By doing so we can adopt and learn from 25 years of regional experience in implementing privacy laws, not ignore it.
Principles stronger than those found in the OECD Guidelines are common in legislation in the region, and many occur in more than one jurisdiction’s laws. Some examples of higher standards, in the sense that they are found in at least two regional privacy laws, are as follows:
• collection objectively limited to where necessary for functions or activities of organisations (HK, Australia Federal, NZ; Canada is even stricter), in contrast to the vague APEC and OECD statement that there ‘should be limits’;
• notice upon collection (Australia Federal, NZ, HK, Korea);
• secondary use only for a directly related purpose (HK, NZ, Australia Federal; Korea is even stricter);
• right to have recipients of corrected information informed (NSW, NZ); and
• deletion after use (HK, NZ, NSW, Korea).
Other principles could be mentioned, such as the anonymity principle found in the privacy laws of all Australian jurisdictions, but are omitted as they only derive from one country.
Draft APT Privacy Guidelines
The Asia-Pacific Telecommunity (APT) was established in 1979 as a regional telecommunications organisation, and is formed by agreement between 32 states represented via their telecommunications ministries or similar agencies.
In 2002 the APT decided to develop its own regional privacy guidelines, and requested a draft be prepared by the Korean Information Security Agency (KISA), with input from the Asian Privacy Forum.
KISA presented its first draft Guidelines on the Protection of Personal Information and Privacy to the APT in July 2003. The draft Guidelines attempt to take a distinctive regional approach, and are explicitly not based solely on the OECD or EU approaches (cl 8), while nevertheless drawing on them. The draft comments that the OECD Guidelines ‘reflect ... the 70s and 80s’. Unlike the OECD Guidelines, the APT Guidelines will include ‘concrete implementation measures’. They state they are different from the EU Directive in allowing more variation between states. Another stated difference is an emphasis on the role of government, not litigation.
The APT draft Guidelines add new principles which go beyond the OECD requirements in at least the following areas:
• no disadvantage for exercising privacy rights (A5(2));
• notification of corrected information to 3rd party recipients (A6(4));
• openness of logic of automated processes (A7);
• no secondary use without consent (A14(2));
• deletion if consent to hold is withdrawn (A16);
• duties on change of information controller (A19);
• special provision on children’s information (A34);
• personal location information Principle (A30); and
• unsolicited communications principle (A31).
Whether or not all of these principles are justifiable as regional privacy principles (and some of them may well not be adopted in the final APT Guidelines), what we see here is a process under the leadership of an Asian country (South Korea) which is putting forward a strong and distinctive approach to privacy protection.
Concerning implementation, the APT draft Guidelines already take an approach which is consistent with, but stronger than, the OECD requirements. Some of the notable aspects are:
• legislation is required, but self-regulation is also encouraged (perhaps this should be called ‘co-regulation’);
• a privacy supervisory authority is required, with roles of supervision and complaint investigation;
• data export limits may be ‘reasonably required’ to protect ‘privacy, rights and freedoms’, and free flow of personal information may otherwise not be impeded;
• limits on these guidelines may be introduced only by legislation, and only to the extent necessary for other public policies; and
• regional uniformity in a ‘common character string’ solution to dealing with spam is required.
As with the Principles, a strong approach to enforcement and implementation is being advocated by a key Asian country with an existing commitment to privacy protection.
APEC inadequacies and future developments
Why are APEC and APT so different? Their membership is similar except for the inclusion of the US in APEC. The APEC privacy initiative gives the impression, to someone standing outside the APEC processes, of a US/Australia APEC initiative with a defensive and outdated starting point (the OECD Guidelines) and an intention to produce a set of ‘lowest common denominator’ standards.
The APEC processes are inadequate to produce a high quality result: there is no collective expert input going into the process, and it has now retreated behind closed doors following critical discussion of its first two drafts. It should not be forgotten that the OECD Guidelines were developed by an ‘expert group’ (chaired by Justice Michael Kirby of Australia) and only then adopted by OECD governments.
More input into the APEC process is needed from Commissioners and other regional experts to identify a desirable regional standard. Some individual Privacy Commissioners’ input is filtered through governments into the process, but regional Commissioners as yet have no equivalent to Europe’s Article 29 Committee of Commissioners, which gives the European Commissioners a collective voice and provides protection for individual Commissioners in relation to views that they might find difficult to express in a domestic context. The opportunity for Commissioners to contribute in Santiago only offers input on implementation, not the principles, and that is not sufficient.
Regional non-government privacy experts have formed the Asia-Pacific Privacy Charter Council (APPCC) to help provide a ‘civil society’ input into these regional processes (see (2003) 10(3) PLPR 49), but if APEC is going to operate behind closed doors it is difficult to see how it can make use of any input beyond that brought in through national governments where they are so inclined.
A more consultative, confident, and region-based APEC initiative is needed.
Graham Greenleaf, General Editor.
A version of this paper was presented at the Inter-Pacific Bar Association Conference on Privacy, Data Protection & Corporate Governance in the Internet Economy, Kuala Lumpur, Malaysia, 9 October 2003 <www.ippj.com.my/seminar/Seminar.html>.
Notes
• Greenleaf G ‘Australia’s APEC privacy initiative: The pros and cons of “OECD Lite”’ (2003) 10(1) PLPR 1.
• Greenleaf G ‘APEC Privacy Principles Version 2 — Not quite so Lite, and NZ wants OECD full strength’ (2003) 10(3) PLPR 45.
• The full version is at <www.BakerCyberlawCentre.org/appcc/apec_draft_v3.htm>.
• Version 4 used the word ‘inconsistent’.
• Originally planned for around February 2004.
• Tang R ‘Personal Data Privacy: The Asian Agenda’ 25th International Conference of Data Protection and Privacy Commissioners, Sydney, September 2003.
• A more sophisticated definition of ‘identifier’ (or it could be termed ‘unique identifier’, ‘personal identifier’ or ‘government identifier’) may be required.
Extracts from APEC Privacy Principles (Chair’s Draft) Version 3, July 2003
These extracts omit Part I Preamble, Part II Scope, and comments and alternative formulations of principles from the rest of the draft. These extracts only contain the primary versions of draft principles put forward by the Chair. For the full text of Version 3, see <www.BakerCyberlawCentre.org/appcc/apec_draft_v3.htm>.
Part III. APEC Privacy Principles (possible amendments in italics)
1. Collection limitation
There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.
2. Data quality
Personal data should be relevant to the purposes for which they are to be used and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.
3. Purpose specification
The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.
4. Use limitation
Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with Principle 3 except:
a) with the consent of the data subject; or
b) by the authority of law; or
c) with legitimate cause to avoid immediate danger to the life, body, freedom or property of the person.
5. Security safeguards
Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data or other misuse.
6. Openness
There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data and the main purposes of their use, as well as the identity and usual residence of the data controller. Data controllers should take reasonable steps to make data subjects aware of their rights to obtain access to data and to challenge a denial of access or inaccurate data.
7. Individual participation
An individual should have the right:
a) to obtain from a data controller confirmation of whether or not the data controller has data relating to him or her;
b) to have communicated to him or her, data relating to him or her
• within a reasonable time;
• at a charge, if any, that is not excessive;
• in a reasonable manner; and
• in a form that is [readily intelligible] generally understandable [NZ text] to him or her;
c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and
d) to challenge the accuracy of data relating to him or her and, if the challenge is successful, to have the data erased, rectified, completed or amended; and
e) to refuse to provide his or her information except where required by law.
8. Accountability
A data controller should be accountable for complying with measures which give effect to the principles stated above.
Part IV. Implementation mechanisms
[TO BE DISCUSSED]
Note: Parts D and E of the APT draft Guidelines should be considered in this context.
SECTION 2 — PROPOSALS FOR CHANGES
The following proposals need to be further discussed before being included in the draft.
Proposal 1: Include a new principle.
Limited Retention Principle
When data no longer serve a purpose as specified in Principle 3 — Purpose specification, or are needed for use as allowed for in Principle 4 — Use limitation Principle, they should no longer be retained. Where practicable, they should be destroyed or given an anonymous form.
Proposal 2 (Australia): Include a new principle.
Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.
Proposal 3: Include an exception relating to national security.
Text to be drafted but basic concept is to anchor APEC privacy protections to alleviating harm to individuals. Privacy protections, including self-regulatory efforts, education and awareness campaigns, laws, regulations and enforcement, should be designed to prevent harm to individuals from misuse of their personal information.
Text to be drafted but basic concept is, as reflected in preamble, that personal information protections should reflect the benefits to participants of both protecting individual privacy and ensuring free cross-border flows of information.
Proposal 6: Add a principle concerning unique identifiers.
.1 A data controller should not adopt as its own identifier of an individual, an identifier that has been assigned by a government body unless it is authorised to do so by law.
.2 A data controller should not require an individual to disclose any identifier assigned to that individual by a government body unless the disclosure is one of the purposes for which the identifier was assigned.
.3 ‘Identifier’ means a number used to uniquely identify an individual.