					APEC vs APT?: The struggle
for regional privacy standards

       Graham Greenleaf
    ‘Terrorists & Watchdogs’
  Conference, 8 September 2003
Regional privacy standards
   There is no global standard
   One region (Europe) has successfully
    developed regional standards
       Council of Europe Convention 1981
       European privacy Directive 1995
   The Asia-Pacific is the next most advanced
    region in privacy protection
       Far less political and economic unity or uniformity
       Starting the most important international privacy
        developments since the EU Directive ….
Toward an Asia-Pacific standard
   APEC’s privacy initiative
       Chaired by Australia
   Asia-Pacific Telecommunity (APT)
       Chaired by Korea
   Asia-Pacific Privacy Charter Council
       A ‘civil society’ expert group
   FTAA will also affect some countries
       (Free Trade Area of the Americas)
APEC’s privacy Principles
   Australia chairs a working group of 10
    countries since Feb 03
   Starting point: OECD Guidelines (1981)
   What’s the purpose?:
       A minimum standard where compliance will
        (somehow) justify regional free flow of person
        A standard which will encourage (minimum)
        protection in countries where there is none
APEC’s privacy Principles -
Progress or stagnation?
   5 draft versions in 6 months
       Do not yet reach OECD standards
       Only considering very minor improvements
        to OECD
       V2 strengthened V1, but V3 and V4 far
        weaker for little apparent reason
       Serious US input coincides with V3
   At best it offers ‘OECD Lite’ ….
APEC’s ‘OECD Lite’
   Examples of weak and outdated standards
            Based on Chair’s V4 (Aug 03) - now behind closed doors
       No objective limits on information collection (P1)
       No requirement of notice to the data subject at
        time of collection (P3)
       Secondary uses allowed if ‘not incompatible’ (P3)
       OECD Parts 1, 3, 4 and 5 all missing as yet
       Farcical national self-assessment proposed (V1)
   Why start from a 20 year old standard?
       Most regional countries are not members
       Recognised as inadequate (eg Kirby J 1999)
The alternative:
A real Asia-Pacific standard
   Actual standards of regional privacy laws
       Eg Korea, Canada, Hong Kong, New Zealand,
        Taiwan, Australia, Japan, Argentina
       Principles stronger than OECD are common
       Expert input is needed to identify this standard,
        not filtered through governments
            Privacy Commissioners need a collective role
                  No equivalent yet to A29 Committee
            Santiago (Feb 04) only offers input on implementation
            Asia-Pacific NGO experts are developing the APPCC
   We need to adopt and learn from 25 years of
    regional experience, not ignore it
Examples of high regional
    Collection objectively limited to where
     necessary for functions or activities (HK,
     Aus, NZ - Can stricter)
    Notice upon collection (Aus, NZ, HK, Kor)
    Secondary use only for a directly related
     purpose (HK, NZ, Aus - Kor stricter)
     Right to have recipients of corrected
     information informed (NSW, NZ)
     Deletion after use (HK, NZ, NSW, Kor)
APT privacy Guidelines (draft)
    Asia-Pacific Telecommunity (APT)
    32 states via Telecomms ministries (etc)
    Guidelines on the Protection of Personal
     Information and Privacy (draft), July 2003
         Drafting by KISA (Korea), with Asian Privacy Forum
    Attempts to take a distinctive regional approach
         Explicitly not based solely on OECD or EU (cl8)
         Says OECD Guidelines ‘reflect … the 70s and 80s’
         ‘Concrete implementation measures’ unlike OECD
         Allows more variation between States than EU
         Emphasises role of government, not litigation
         Adds new Principles in at least five areas …
APT Guidelines - implementation
     Legislation required + self-regulation encouraged
     A privacy supervisory authority required
          Supervision and complaint investigation
     Data export limits may be ‘reasonably required’ to
      protect ‘privacy, rights and freedoms’;
          free flow of information otherwise required
     Limits on these guidelines only by legislation; only
      to the extent necessary for other public policies
     Common character string needed to deal with spam
APT Guidelines - new Principles
     No disadvantage for exercising privacy rights
     Notification of corrected information to 3rd party
      recipients (A6(4))
     ‘Openness’ of logic of automated processes (A7)
     No secondary use without consent (A 14(2))
     Deletion if consent to hold is withdrawn (A16)
     Duties on change of information controller (A19)
     Special provision on children’s information (A34)
     Personal location information Principle (A30)
     Unsolicited communications Principle (A31)
   Why are APEC and APT so different?
       Membership similar except for the USA
   Australia’s APEC initiative had a defensive
    and outdated starting point (OECD)
   Inadequate process: no collective expert
    input, and now behind closed doors
   A more consultative, confident, and region-
    based APEC initiative is needed
