Greenleaf, Graham --- "APEC's privacy standard regaining strength" [2004] PrivLawPRpr 5; (2004) 10(8) Privacy Law and Policy Reporter 158

APEC’s privacy standard regaining strength

Graham Greenleaf

In their last appearance in the pages of PLPR, APEC’s Privacy Principles had reached their fifth draft, and were criticised as becoming ‘more Lite with every version’: (2003) 10(6) PLPR 105. The APEC E-Commerce Steering Group Privacy Sub Group will meet again in late February 2004 (Santiago, Chile), when it may finalise the APEC Privacy Principles and move on to implementation measures.

The current version (the penultimate draft of Version 8 of 23 January 2004), accompanied by an Explanatory Memorandum, is a considerable improvement on Version 5, and goes some distance toward restoring equivalence with Pt II of the OECD Guidelines: OECD’s eight Privacy Principles (PPs). However, it still contains to some extent the four types of weaknesses in privacy protection, detailed in previous articles, which make it of questionable value as an Asia-Pacific standard unless the process of improvement continues. The following comments summarise the current position. These comments stress continuing criticisms, but there is less to criticise than before.

Weaknesses inherent in the OECD Principles

Some of the APEC defects originating in the OECD Principles remain.

• The OECD principles only say ‘there should be limits on the collection of personal information’, failing to define those limits by any objective standard (for example, the functions of the collecting organisation). Nor do they include any form of ‘purpose justification principle’. APEC PP 3 reflects these weaknesses.

• The OECD test of secondary uses being allowed if they are ‘not incompatible’ with the purpose of collection is much weaker than common formulations such as ‘directly related’. APEC has not yet decided which formulation to adopt, having vacillated between the two: APEC PP 4.

• The OECD has no explicit requirement that notice of purpose of collection must be given to the individual at or before the time of collection, although most national legislation in the Asia-Pacific region has such a requirement. APEC PP 2, while entitled ‘Notice’ and specifying that purposes of collection and other matters must be disclosed, still only requires that this be done by ‘clear and easily accessible statements’ — not notices to be given to individuals. APEC not yet decided whether to state that this should be provided ‘before or at collection’ (wherever practicable). This weakness is reinforced by the Explanatory Memorandum comment that ‘one method of compliance ... is for personal information controllers to post it on their website’.

• The OECD does not include any principles dealing explicitly with identifiers, automated processing, or deletion of data.

Further weakening the OECD Principles

Second, the APEC PPs still weaken the OECD Principles in the following ways.

• The important OECD Purpose Specification Principle that the purposes of collection ‘should be specified not later than at the time of data collection’ is not yet included, but is under consideration.

• The OECD ‘Openness Principle’, a broad ‘political’ limitation which allowed any person to obtain details about the existence and purpose of personal data systems (whether or not they were included in those systems), has been dropped. It is not encompassed by either the APEC Notice Principle or the right of individual access.

• OECD PP 4 required all exceptions to the PPs to be ‘made known to the public’, but APEC replaces this with ‘(i) made known to the public or (ii) in accordance with law’, opening the prospect of a law authorising the making of secret exemptions to any of the PPs (not just secrecy in the application of an exemption, as may occur in various forms of surveillance).

• Although the rights of individual access and correction APEC PP 8 have been made much more explicit (more so than the OECD’s), there is still under consideration an exemption where ‘the information should not be disclosed for legal, security or commercial proprietary reasons’. These blanket exemptions from access are clearly open to abuse, particularly if APEC decides not to require any considerations of proportionality.

• The US is still proposing a ‘Maximising the Benefits of Privacy Protection’ Principle (also not yet agreed), which could elevate ‘free flow of information’ to a Privacy Principle with the same status as the other Principles, and has been objected to by all other economies on the grounds that it is only appropriate in the Preamble.

Retrograde ‘preventing harm’ Principle remains

APEC PP 1, ‘Preventing harm’, suggested by the US, remains as a new Principle on a par with the other Privacy Principles. This makes it easier to allow wholesale exemptions from the law like Australia’s ‘small business’ exemption or to argue that there is no need for any uniform privacy laws at all but only for laws in sectors which pose some special danger (as in the US). It is better to place a ‘prevention of harm’ principle in the part dealing with implementation and remedies, where it can be used to ration access to remedial processes (as in NZ) or to lessen compliance burdens where harm is less likely.

Regional experience still ignored

Principles stronger than those found in the OECD Guidelines which are common in legislation in the region have still not been adopted by APEC. The APEC Principles do not improve on the OECD except for a few matters, all of which are still only under consideration:

• a requirement that any exceptions should be ‘limited and proportional to meeting the objectives to which the exceptions relate’; and

• the limiting of secondary uses to those ‘directly related’ (discussed above).

A ‘limited retention principle’, initially supported by NZ, Hong Kong, China and Taiwan, has been removed from consideration by consensus.

Implementation measures still undecided

Major parts of the OECD Guidelines as yet not included

APEC draft Version 8’s ‘Implementation Mechanisms’ simply says ‘to be discussed early 2004’. Previous versions said that Pts 1, 2, 4 and 5 of the OECD Guidelines are to be considered. Important OECD provisions not yet in the APEC principles include:

• that they are only minimum standards that may be supplemented (OECD 6);

• a requirement for protection by legislation (OECD 19(a));

• requirements for ‘reasonable means for individuals to exercise their rights’ (19(c)); for ‘adequate sanctions and remedies’ (including against data export breaches) (19(d)), and for ‘no unfair discrimination’ (19(e)); and

• recognition of the need for greater protection of sensitive classes of data (OECD 3(a)).

APEC proposals for self-assessment and data export limits

APEC’s principles do not yet include provisions allowing data export restrictions (which the OECD Guidelines do) or requiring them (as the EU Directive does), or procedures for assessment of compliance with the principles.

The US is proposing an addition to APEC PP 9, resisted as yet by other participants, that says:

When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should exercise due diligence and take reasonable steps to ensure the recipient person or organization will protect the information consistently with these Principles.

In Version 6 the Chair suggested a data export limitation Principle based on the approach of allowing transfers only if the recipient organisation has taken such reasonable steps. Whether APEC will have a data export Principle remains uncertain.

Global implications

If it was possible to achieve cross-recognition of ‘adequacy’ between APEC standards and European or other regional standards, this would obviously solve many of the problems of international flows of personal data.

This is unlikely to be achieved by APEC if its Privacy Principles remain ‘OECD Lite’, but the draft Version 8 standards show that it is possible that APEC could adopt principles which would only need modest improvements to be acceptable to the EU. Equally important is how APEC resolves the question of a data export principle, and the related issue of assessments of compliance with the guidelines. After the APEC meeting in Santiago in late February 2004, the approach it is taking should be more clear. l

Graham Greenleaf, General Editor.