Privacy Law and Policy Reporter
Graham Greenleaf | University of New South Wales
The first steps toward the implementation of APEC’s new privacy standards (see PLB January 2005) were taken in Hong Kong on June 1-2 at the first APEC Electronic Commerce Steering Group (ECSG) Technical Assistance Seminar: Domestic Implementation of the APEC Privacy Framework. The Seminar did not aim to achieve anything immediate and concrete beyond its main objective of educating attendees about the Framework. The fact that it was held little more than six months after APEC Ministers endorsed the standards is significant in itself, given the usual time-lags in implementation of international agreements. Most of the presentations are now available on the Hong Kong Privacy Commissioner’s site at <http://www.pco.org.hk/english/infocentre/apec_ecsg1_2.html>.
Acceptances and apologies
The list of ‘developing’ economies (ie those without full information privacy laws) represented at the seminar is an indicator of success: Brunei Darussalam, Chile, Mexico, The Philippines, Singapore, and Vietnam. Taiwan and Thailand, with incomplete information privacy laws, seem interested in developing them further. Most sent at least two representatives, some as many as five (Vietnam). None of these economies seemed to be at any advanced stage in developing new privacy laws. Some other jurisdictions attended mainly to ‘instruct’ on various aspects of how they had gone about implementing their privacy laws: Hong Kong, South Korea, Canada, New Zealand, Japan, Australia and the USA. While most of these ‘tutors’ have comprehensive information privacy laws and a central enforcement body, US models may be significant, most obviously in The Philippines, where the legal system is influenced strongly by US developments.
In the Asia-Pacific, a group of 15 of the 21 APEC economies like this (six ‘developing’, seven ‘developed’ and two in the middle) has never sat down for two days of discussions on implementing privacy laws. There were 60 participants from outside Hong Kong. The list of absentees was short but disappointing, despite the strenuous efforts of seminar organisers to convince them to attend. Notable no-shows were Malaysia (yet again rumoured to be about to introduce a bill), the People’s Republic of China (so many rumours about so many bills it would be difficult to know who to invite), and Indonesia (the second largest regional country, and with an increasing interest in human rights). Papua New Guinea and Peru were not represented, and Chile was represented only by its HK Consul General. There is therefore some evidence of 17 of the 21 APEC economies having an interest in developing privacy laws, and that is encouraging.
The potential significance of the APEC processes is clear. If they influence the directions of the couple of APEC countries known to be developing bills, and encourage just some of those already attending the Seminars to develop new legislation, then the point could quickly be reached where more than half of the 23 APEC economies had substantial information privacy laws with a common core of content and ongoing procedures for cooperation. At this ‘tipping point’, privacy protection could develop a momentum of its own across APEC. That is the optimistic view.
Who’s who in APEC privacy?
Who else was able to participate in the Seminar? Many of the largest computing companies and some of the largest consultancy firms were present. Quite a few obtained programme slots and presented their firms’ privacy protection activities which, although interesting, often did not seem to have very direct bearing on implementation of the APEC Privacy Framework. Some of them hosted receptions and lunches for conference delegates, and one funded the venue at the HK Convention Centre. Fewer than a handful of civil society representatives were invited and able to afford to travel to Hong Kong for the event without any financial assistance. As is typical of many government consultations, including past APEC privacy events, this Seminar did not make a practical attempt to ensure even-handedness between business and consumer influences.
A number of economies are investing considerable resources into encouraging others to adopt the Framework. The USA has provided about US$100,000 for the 2005 implementation exercise. The US Department of Commerce has a staff member engaged full time for most of 2005 to supervise the implementation exercise, with seminar content and participant liaison organised by Australian consultants Malcolm Crompton and Peter Ford. Hong Kong Acting Commissioner Tony Lam and his staff were fully engaged in the ‘on the ground’ hosting of a meticulous and hospitable privacy event for which that office is well known. APEC ECSG Chair Jesus Orta Martinez of Mexico attended the whole two days of the seminar, indicating ECSG commitment. The Privacy Sub-Group Chair, Peter Ferguson of Canada, led a number of sessions and was generally deferred to on questions of future directions. The implementation process appears to be ‘driven’ by the US, Canada, and Australia, with Hong Kong and South Korea also making important contributions as Seminar hosts.
European observers will have to accustom themselves to APEC’s lack of any constitutional structure normally associated with international bodies. This makes understanding the development of implementations of its privacy Framework a very different exercise from the relatively orderly progress of implementing a European standard, governed as those are by the procedures of mature institutions and treaty requirements, in combination with politics. In APEC, which has no basis in treaties and no institutions beyond regular meetings at different political levels, political negotiation and relatively ad-hoc cooperation between changing groups of players is paramount, so it is necessary to pay particular attention to who is at the table at any given time.
Applying APEC’s 9 Privacy Principles
APEC’s nine Privacy Principles are new (November 2004) and there is as yet little public discussion as to how they will apply to concrete fact situations, or how they might be embodied in legislation (or other implementation measures). Blair Stewart (New Zealand) pointed out that principles in international agreements are rarely enacted verbatim in domestic legislation; they are always ‘translated’ into local terminology, procedures and structure.
One of the most successful sessions at the Seminar was the half day in which groups of participants (with members from both privacy-‘developed’ and ‘developing’ economies) considered how the APEC Principles could be applied to five fact scenarios, and how mechanisms from their own legal systems might implement this. For many of the ‘developing’ economy members, this was their first attempt to apply a set of IPPs to factual scenarios, and my impression is that many found this both very instructive and reassuring, in that the results accorded with their own notions of what was sensible and just. This exercise deserves to be repeated as often as possible for policymakers unfamiliar with privacy. Future sessions would benefit from the addition of cases concerning government respondents, since the APEC Framework is supposed to apply to all sectors.
Other than that, not a great deal of time was spent on explaining the details of the APEC Principles, the highlight being a very impressive animated PowerPoint presentation of their inter-relationships by HK Acting Commissioner Lam, which others will now be asking to borrow.
There seemed to be general acceptance of the approach that the APEC Privacy Principles were ‘a floor not a ceiling’ (my own terminology), that legislation already enacted in Asia-Pacific jurisdictions was usually stronger on some points than APEC, and that there was nothing wrong with new entrants adopting elements of those stronger models if they wished. This is not stated explicitly in the APEC Framework (contrast OECD Guideline 6). At various points Privacy Sub-Group Chair Peter Ferguson and consultant (and former Chair) Peter Ford both accepted the ‘floor not a ceiling’ approach, Stewart of New Zealand (a consistent participant in the Sub-Group) encouraged participants to consider the Principles in this way, and Tony Lam noted that the APEC Framework does not reflect a ‘one size fits all’ mentality.
Modes of implementation: The friendly side
Some important aspects of implementation other than complaint resolution received due attention. More exotic strains such as Privacy Impact Assessments were not covered.
The extensive achievements of the Hong Kong Commissioner’s Office in educating the public and publicising information privacy were detailed by Acting Commissioner Lam. They show ‘a preoccupation with identifying information needs in the community and satisfying those needs’, an ‘evolutionary approach’ based on building community awareness before changing community behaviour. The HK experience in matters as diverse as mass media campaigns using striking TV spots ending with a naked consumer, transport advertising and billboard posters, seeding privacy issues in soap opera plots, and competitions in schools and universities, is carefully thought out and implemented with confidence. It is well worth study by all other APEC regulators, though we can only assume that you also need a healthy budget (and perhaps a city-state) to do it to the full HK extent.
The value of each APEC economy submitting annual Individual Action Plans (IAPs) detailing their progress on implementation of the Framework (pursuant to its Para 39) was underlined by Blair Stewart who considered that the OECD Guidelines may have been implemented more quickly if such a requirement had existed. Both Stewart and Peter Ferguson detailed the elements that economies could report in an IAP, but questions from participants seemed to indicate a desire that the Privacy Sub-Group devise a questionnaire or check-list that economies could complete, which would help ensure consistency of reporting. The annual country reports published by EPIC might provide a useful inspiration. It has not yet been stated whether IAPs will be made public on an APEC website, which would clearly be desirable for transparency of the process.
Marty Abrams of the industry-funded Centre for Information Policy Leadership made the case for businesses and governments across APEC to embody its Notice Principle requirements in Multi-Layered Privacy Notices, explained the differences between very short, condensed and complete notices, and outlined the growing global endorsement of this approach both by privacy Commissioners and by industry take-up. Surprisingly, how to access and correct your record was not any explicit element of his ‘common template’, though it was included under ‘other important information’ in the IBM and MSN examples given. No computer-readable version of the very short notice is specified, but this is the bridge to both P3P (Platform for Privacy Preferences) and the similar idea underlying the Creative Commons licences (‘computer readable’, ‘human readable’, and ‘lawyer readable’ licences, in escalating complexity).
Modes of implementation: the pointy end
The APEC Framework does not require any particular form or standard of implementation of its Principles, and does not require legislation (see PLB January 2005). The seminar programme provided plenty of opportunity for discussion of self-regulation, trust marks and other non-legislative approaches, but it is remarkable how little discussion of such approaches took place. No one presented details of any pure self-regulation that worked. Legislation seemed to be the assumed starting point for most speakers, but there was considerable interest in the variety of ways in which mediation schemes could work within a legislative framework.
In relation to modes of enforcement, it was accepted that APEC’s Framework was so non-directive, permissive of any method of implementation and enforcement, that a sensible approach would be to look at what measures had worked well in other jurisdictions in the region, and whether they might be appropriate in another jurisdiction.
The extensive mediation system which is the main implementation method in South Korea’s legislation, presented by Dr Yi Changbeom of the Korea Information Security Agency (KISA), attracted considerable interest. It seems to be the most viable alternative (though only for complaint resolution) to the Privacy Commissioner model, and it is an original Asian model. The Personal Information Dispute Mediation Committee (PICO) includes 15 independent experts from many fields who mediate disputes involving personal information and private sector information and communication networks. They mediated in 1210 cases in 2004 (a 40% increase since 2003). The mediation result acceptance rate is currently over 98%. Dissatisfied parties have recourse to the Courts.
The US Federal Trade Commission’s Markus Heyder detailed the wide range of privacy laws enforced by the FTC, particularly the Financial Privacy and Information Security Act (Gramm-Leach-Bliley Act) and its relationship to the Fair Credit Reporting Act (FCRA), and the FTC Act itself. The seriousness and complexity of US enforcement activities in these areas is apparent, and is relevant to all APEC economies involved in serious e-commerce, irrespective of what approach they take to privacy remedies of general application.
I outlined nine highly desirable elements of a legislation-based enforcement regime: ‘Self-resolution’ first (giving a business or agency the opportunity to solve the problem themselves); three remedial powers needed by regulators (Apologies, which is all many complainants want provided bad practices are also changed in future; Changing practices where systemic change is needed; and Financial compensation so that real harm results in a real remedy); the desirability of Choice of procedures including both mediation and recourse to binding decisions; how Representative complaints (as are possible in both HK and Australia) allow civil society organisations to represent classes of complainants to push systemic change; the need for Rights of appeal / review because no regulator is perfect; the essential conclusion of a significant investigation, Publication of case summaries to ensure both transparency and deterrence; and the publication of cumulative Outcome statistics to ensure accountability of expensive complaint regimes and that complainants really do get remedies.
The Implementation Seminar preceded a full day (closed) meeting of the APEC ECSG Information Privacy Subgroup which evaluated the seminar, discussed completing the remaining part of the Framework (Part IV(B)) and discussed advancing implementation initiatives in such areas as Individual Action Plans (IAPs), improving privacy notices and promoting cooperative arrangements between privacy enforcement agencies.
Filling in the missing ‘cross-border elements’
The developments outlined above are constructive and a cause for optimism, but the crucial element missing from APEC’s Framework on its release, Part IV(B) concerning data exports and international cooperation in enforcement, is still not finalised. No overall assessment can take place until it is complete. The key questions about the APEC Framework that Part IV(B) will shed light on are (i) ‘how will an assessment be made of whether an economy has implemented the Framework?’; and (ii) ‘to what extent (if at all) will such an assessment require other economies to allow personal data to be exported to that economy?’
The first version of the draft APEC Privacy Principles in early 2003 included a set of options for ‘Implementation Mechanisms’ concerning mutual recognition of different privacy regimes. The then-Chair of the Privacy Sub-Group Peter Ford proposed various forms of recognition of ‘self certification’ of APEC compliance by economies. In reply Blair Stewart of New Zealand proposed various means of collective recognition of APEC compliance. There is room for a great deal of dispute here as to what course APEC should take. Many who do not wish APEC to follow the EU’s approach to third party ‘adequacy’ assessments will nevertheless be uncomfortable with self-assessments of compliance. APEC agreements are not treaties and APEC does not usually attempt to require its members to take particular steps. Nevertheless, a strongly worded statement in the Framework that data exports should be allowed in certain circumstances is likely to be very influential and treated as a requirement for ‘compliance’.
There was no further advance of this discussion until the USA tabled a proposal for a draft Part IV(B) ‘Guidance for International Implementation’, at the Privacy Subgroup meeting in Hong Kong on June 3, following the Implementation Seminar. Part II of this is ‘Cross-border privacy rules’, a brief three paragraphs. They can be read as merely encouraging Member Economies to develop mechanisms which enable them to recognise when cross-border privacy rules of corporations are sufficient to satisfy ‘the local data protection requirements’. The second paragraph can be read as only encouraging APEC economies to take a consistent approach to the development of such mechanisms, though it is ambiguous and could also be read as encouraging a mechanism to enable recognition in one economy to be accepted in other economies. Whichever is correct, we can say of the current draft that it is as non-prescriptive as Part IV(A). It focuses on recognition of APEC compliance at the level of individual corporations, rather than at the level of whole economies. At the Privacy Sub-group meeting in June, Hong Kong made detailed comments on the US proposal, and a working group consisting of Australia, Canada, New Zealand, Hong Kong, Chinese Taipei and the US would develop it further, possibly expanding its language.
This is still only a draft, and any final assessments will have to wait until it is finalised. It may emerge with stronger language which attempts to ‘require’ mutual recognition of corporate rules once they have been accepted in one jurisdiction. It is also still possible that some version of the original options for economies to self-certify might also be added to Part IV(B)(II), but there is no sign of that at present.
This US proposal reduces previous concerns (see Greenleaf, 2005) that the Part IV(B) gap in the Framework is suspicious, possibly indicating an unfinished agenda to convert the APEC Framework into a mechanism for ‘ensuring’ free flow of personal information within APEC (as the Framework requires) without sufficient protection against low and unverified ‘implementations’ of the Framework by economies – ‘free flow at any price’. On the evidence of this draft (only), it seems more likely that Section B will turn out to be as non-prescriptive as Section A.
One matter which is unclear is whether any public input will be sought before finalisation of Part IV(B). APEC Ministers did not endorse the Part III Principles in the Framework until most of it had gone through ten drafts and there had been a call for public submissions. No similar consultation process was followed with Part IV(A), and none seems to be proposed for Part IV(B). Other economies have been invited to comment. There are no APEC requirements of public consultation. It is not even clear that APEC Ministers will be required to endorse Part IV(B): ECSG may be able to incorporate it in the Framework on its own initiative.
There are therefore still good reasons to be cautious and to closely watch the process until it is completed. The next meeting of the Privacy Subgroup will be in Korea in September, and a different draft may emerge from that meeting.
Maintaining the APEC momentum
Can APEC maintain (and preferably increase) the engagement of economies without mature information privacy laws in its processes? This is now the key to success. The continuing participation of HK, New Zealand, Canada, Korea, Australia, the USA and other key participants in the development of the Framework can be assumed to continue unless ‘developing’ economies show no interest.
APEC is holding a second Technical Assistance Seminar, this time on ‘International Implementation’ in Kyongju, South Korea, in early September. The focus is to be on implementation of measures concerning data exports (and implications for free flow of personal information), and methods of cooperation between different national authorities where an issue crosses boundaries. With the APEC Framework still missing Part IV(B), the Korean seminar is in the anomalous position that this ‘international’ element is not yet finalised, though discussion of the US draft of Part IV(B) is underway. Nor should its finalisation be rushed, as noted above.
The current position is that the Privacy Sub-group Chair, the two implementation consultants and the US Commerce Department (as project manager) are working out whether the seminar in Korea will merely explore the international issues involved in implementation, or whether a version of the US proposal for ‘Guidance for International Implementation’ will be proposed as the basis for implementation discussions. The APEC process is at another important juncture.
Graham Greenleaf, University of New South Wales Faculty of Law and General Editor
This article was written while the author was a visitor at the City University of Hong Kong for the week of the seminar