Privacy Law and Policy Reporter
This article was first published by UK based Privacy Laws and Business (http://www.privacylaws.com/) and is reproduced here with their permission.
The APEC (Asia-Pacific Economic Cooperation) Privacy Framework has been completed at meetings following the second Implementation Seminar, held in Kyongju, South Korea on 7-8 September 2005 (see PL&B International, Jan/Feb 2005 and June/July 2005 for background).
The original (Nov 2004) version of the Framework had little to say concerning the transfer of personal information between APEC economies (or to non-APEC jurisdictions), or issues of cross-border cooperation, only that the Part IV(B) of the Framework concerning these matters was not complete and would be addressed in future work of the ECSG Privacy Sub Group’. From that time until now, it seemed possible that the Framework (via Part IV (B)) might seek to discourage or prevent data export limitations in regional privacy laws, or attempt to provide guarantees of free flow of personal data within APEC despite such limitations.
However, such concerns have not been borne out. The Second APEC Implementation Seminar was held in Kyongju, Korea, in early September 2005, followed by Privacy Sub-Group discussions concerning the missing Part IV(B) which recommended a final version to the ECSG (E-commerce Steering Group), which was then forwarded to higher APEC authorities for formal endorsement. This final (September 2005) version of Part (IV) B of the Framework says nothing directly about personal data exports – either in terms of limitation rules or requirements to allow them. Part B III. ‘Cooperative Development of Cross-border privacy rules’ only deals with ‘recognition or acceptance of organizations’ cross-border privacy rules across the APEC region’ (APEC Framework Part B, 2005). The full text is available at http://www.cpsr-peru.org/privacidad/apec/framework.
As a result, the APEC Framework does not do any of the following:
(i) Forbid data exports to countries without APEC-compliant laws (contrast the EU Directive);
(ii) Explicitly allow restrictions on data exports to countries without APEC-compliant laws (contrast the OECD Guidelines and the Council of Europe Convention);
(iii) Require data exports to be allowed to countries that have APEC-compliant laws (or equivalent protections) (contrast any other international privacy agreement).
The APEC Privacy Framework is therefore extremely non-prescriptive in relation to data exports, consistent with its general non-prescriptive nature. This rather benign result means that the fears expressed by some commentators (see Greenleaf in PL&B June/July 2005, p3), that the APEC Framework might create a data protection ‘bloc’ which is antagonistic to the EU’s ‘adequacy’ requirements, have not been borne out. Even though APEC has no such requirements of its own, it does not attempt to prevent its member economies having data export restriction rules whether for domestic privacy protection purposes or so as to meet to the EU’s ‘onward transfer’ requirements.
The final version does not seem to take as strong a position as suggested by the Consultant’s Issues Paper (Crompton and Ford, July 2005) prepared for the second seminar in Korea. The consultants proposed that one of three ‘implementation objectives’ APEC ‘should work toward’ is that ‘prevention of data flow across borders should not be put forward as a generally suitable remedy for privacy infringements that involve two or more economies.’ The final version is consistent with this proposal of the APEC consultants, but does not goes as far as the tenor of the rest of their remarks suggest, which would have at least involved discouraging APEC economies from adopting data export restrictions. Such discouragement is not found in the APEC Framework, and nor is it found in the official Report on the second seminar (APEC ECSG Privacy 2005). Whether export restrictions will be discouraged in future APEC implementation seminars is another question, but it is not found in the words of the Framework itself.
At the end of this two and a half year process of development of the APEC Privacy Framework, its final form is that of a relatively low set of privacy standards (at best, OECD-near-equivalent), no requirements of any specific enforcement measures, and no substantive provisions concerning data exports. In this sense it is the weakest international privacy standard yet developed. But because it does not attempt to attach consequences in terms of data exports, its weak principles and domestic implementation requirements do not matter so much. If it becomes a low standard to which Asia-Pacific countries only now starting to develop privacy laws can aspire, and the APEC processes help them achieve such standards, it may perform a valuable role. The second implementation seminar saw the involvement of two of the regional countries not involved in the first seminar (China and Indonesia), so APEC’s processes are helping to engage the attention of policymakers in major countries without privacy laws. At least it is now safe for those who would prefer higher privacy standards to cooperate with APEC.
Graham Greenleaf is Professor of Law at the University of New South Wales and General Editor of PLPR.