
Five years of the APEC Privacy Framework - Failure or Promise?


Graham Greenleaf, Faculty of Law, University of New South Wales

ASLI Conference, NUS, Singapore, May 2008

Outline



  • The APEC Privacy Framework 2003-08

    • Deficiencies in the APEC principles

    • Lack of enforcement mechanisms

    • ‘Pathfinder’ projects and CBPR

    • Effect on privacy laws in APEC region

  • Influence of the EU privacy Directive

  • Council of Europe Convention 108

    • New/old option for Asia-Pacific countries

  • WSIS/IGF potential role?

APEC Privacy Framework

  • Why is APEC important?

    • ‘Asia-Pacific Economic Cooperation’ (APEC)

    • 21 ‘economies’ from Chile to Singapore

    • 4 continents; 1/3 world population; 1/2 world GDP; 1/2 world trade

  • No ‘APEC treaties’, no constitution

    • Everything works on consensus and cooperation

    • Few if any legal requirements or constraints

    • ‘Agreements’ in APEC are very different from the binding treaties or Directives of Europe

The possibilities of the APEC Privacy Framework

  • Asia-Pacific has more privacy laws than any other region outside Europe

  • A regional agreement was logical:

    • To create a minimum privacy standard

    • To help ensure free flow of personal data

  • Is it either of these possibilities?

    • The most significant global privacy initiative since the EU Directive: a spur for new laws?

    • A divisive low-standard ‘counter bloc’ to the EU?

History of the APEC Privacy Framework

  • Few APEC privacy developments pre-2003

  • US, Aust etc hostile to EU privacy Directive

    • Aust proposal to base APEC privacy standards on OECD privacy Guidelines of 1981 (Feb 03)

  • Developed by APEC ECSG privacy sub-group (03-05)

    • Business orgs included, consumer NGOs excluded

    • No external consultation until 9th draft of IPPs

    • No external consultation on implementation (Pt IV)

  • APEC Ministers announce Framework (Nov 04)

    • But data export elements were missing until Sept 05

APEC's 9 Privacy Principles

I Preventing Harm

II Notice

III Collection limitation

IV Uses of personal information

V Choice

VI Integrity of Personal Information

VII Security Safeguards

VIII Access and Correction

IX Accountability (includes Due diligence in transfers)

APEC's IPPs = ‘OECD Lite’ - 5 types of criticisms

  • Weaknesses inherent in OECD IPPs

    • OECD now 20 years old, even Kirby is critical

    • Allows secondary uses for ‘compatible or related purposes’

    • Weak collection limitations; No deletion IPPs

  • Further weakening of OECD IPPs

    • OECD ‘Purpose specification’ and ‘Openness’ IPPs missing - both are valuable

    • Broader allowance of exceptions

    • Otherwise substantially adopts OECD

    • Slightly stronger than OECD on notice

APEC's IPPs = ‘OECD Lite’ - 5 types of criticisms

  • Potentially retrograde new IPPs

    • ‘Preventing harm’ (I) - sentiment is OK, but a strange IPP; really a basis for rationing remedies or lowering burdens; could justify piecemeal coverage

    • ‘Choice’ (V) - redundant in use and disclosure IPPs; does not seem to justify contracting out of other IPPs

APEC's IPPs = ‘OECD Lite’ - 5 types of criticisms

(4) Regional experience ignored

  • No borrowings from the often stronger laws in the region (eg Korea, HK, NZ, Australia, Canada) - 17 years ignored

  • Some additional IPPs are A-P ‘standards’

(5) EU compatibility ignored

  • No borrowings of new EU IPPs (eg automated processing)

  • Is this an attempt to define ‘adequacy’ as ‘OECD Lite’? - or ‘just don’t care’?

  • If well implemented, could be ‘adequate’

10 ‘missing’ IPPs - Found in at least 2 regional laws

  • Collection from the individual

  • Data retention

  • Third party notice of correction

  • Data export limitations

  • Anonymity option

  • Identifier limitations

  • Automated decisions

  • Sensitive information

  • Public register principles

Implementation - anything goes!

  • Framework Part IV(A): ‘Domestic Implementation’

    • non-prescriptive in the extreme

  • Any form of regulation is OK

    • Legislation not required or even recommended

    • ‘an appropriate array of remedies’ advocated

    • ‘commensurate with the extent of the actual or potential harm’

    • Choice of remedies supported

  • No central enforcement body required

    • A central access point for information advocated

    • Education and civil society input advocated

Implementation - anything goes!

  • Accountability (at the economy level)

    • ‘Individual Action Plans’ - periodic national reports to APEC on progress (were to start 2006)

    • No self-assessment or collective assessment (contra v1, 2003)

  • Bottom line

    • Part IV exhorts APEC members to implement the Framework without requiring or proposing any particular means of doing so, or any means of assessing whether they have done so

    • considerably weaker than any other international privacy instrument

Data exports (Pt V(B)) - Final (uncontentious) result

  • Final version (Sept 05) only encourages recognition of binding corporate rules

    • Says nothing about export restrictions

  • APEC Framework does NOT do any of:

    • Requiring exports be allowed to APEC-compliant countries (contrast EU, OECD, and CoE)

    • Forbidding exports to non-APEC compliant countries (contrast EU Directive)

    • Allowing restrictions on exports to such countries (contrast OECD and CoE)

  • The weakest privacy agreement yet seen

    • Will have little direct impact on data exports between EU and A-P, in either direction

Implementation of the Framework

  • Consultant-managed projects

  • 5 Implementation Seminars 2005-08

    • some APEC economies have sent delegates, including many with no privacy laws: valuable?

    • Obsession with finding ways to allow data exports at the expense of encouraging new laws

  • Economies supposed to file privacy IAPs (Individual Action Plans) during 2006

    • None apparent on APEC website

    • Zero evidence of privacy law improvements

Implementation: ‘Pathfinders’ 2007-

  • Ministers endorsed ‘Pathfinder’ project in 2007

    • Basis is ‘certification’ of a company’s cross-border privacy rules (CBPRs)

    • Result could be some APEC-wide trustmark

  • 13/21 economies indicated they will participate

    • Not China, Indonesia, Malaysia, Philippines (+ 4 others)

  • Criticisms

    • Process bias: All Present Except Consumers (A.P.E.C)

    • Standards required of either (i) a business’s CBPR or (ii) a trustmark provider are uncertain

    • How will this work in countries with privacy laws?

APEC IPPs - Does ‘Lite’ matter?

  • Does a low APEC baseline matter?

    • No FORMAL requirement to export to countries with low standards of privacy protections

    • Danger of a counter-bloc to the EU stemming from an ‘anti-export-restriction’ Pt IV(B) has disappeared

    • Does very little to encourage countries with no privacy laws (most of APEC) to adopt any

  • APEC IPPs are a ‘floor not a ceiling’

    • Framework does not explicitly deter stronger IPPs

    • Bias in implementation for free flow of information

Continuing influence of the EU privacy Directive

  • EU’s ‘mandatory’ data export restrictions have taken longer to bite than expected

  • Few EU determinations of (in-)adequacy yet made

    • Australia, HK, NZ, Korea still to come

  • But EU adequacy will not go away, nor should it

  • Attraction of simplifying trade by obtaining a global adequacy assessment from EU will remain

    • will pull Asia-Pacific countries toward global standards

  • Question: Is there another way to achieve this?

Montreux Declaration 2005

  • Annual meeting of world’s Privacy Commissioners – a ‘log of claims’:

    • UN should prepare a binding legal privacy treaty

    • Governments should adopt global privacy principles and extend them to their international relations as well

    • Council of Europe should invite non-European States to join Council of Europe privacy Convention 1981

    • WSIS 2005 final declaration should commit to a legal framework to protect privacy

Council of Europe Convention 108

  • Council of Europe privacy Convention 108 (1981)

    • 40 ratifications, broader than the 23 EU members

    • Principles similar to OECD privacy Guidelines (1981)

    • Legal guarantee of free flow between Member States

  • Optional Protocol 181 (2001) - 20 parties

    • Protocol requires laws & an independent authority

    • Also requires data export limitations - like ‘adequacy’

  • CoE Convention A23

    • allows CoE to invite non-European countries to accede (right to ratify Protocol then automatic)

    • Procedure requires a country to request to accede

    • A23 never yet used; but CoE will in July ‘request requests’

    • CoE Cybercrime Convention has had some global adoption; CoE sees a global privacy Convention as complementary

Council of Europe Convention 108 – A23 as the new (old) option for the Asia-Pacific

  • Advantages of Asia-Pacific accessions:

    • Would guarantee free flow of personal information (i) between signatory A-P countries, and (ii) between each of them and 40 European countries (main advantage)

    • Might ensure EU adequacy (‘international obligations’ count)

    • Standard is higher than APEC, similar to OECD, & improving

    • Sidesteps APEC limitations & unlikelihood of a UN treaty, while creating a modest standard global privacy treaty

    • Encourage other A-P countries to develop their laws and enforcement to CoE standard, to obtain free flow benefits

Council of Europe Convention 108 – Weaknesses and questions

  • Weaknesses and questions

    • CoE enforcement mechanisms are lacking; only now investigating how to deal with members who do not implement treaty obligations

    • How do Conv 108 and Optional Protocol 181 requirements mesh when not all members have adopted both?

  • Possible result of Asia-Pacific adoptions

    • 2-tiered (or 3-tiered) privacy protection in A-P:

    • ‘Global’ Convention 108 for countries with privacy laws, and Optional Protocol 181 for those with stronger laws

    • APEC ‘starter kit’ for the rest (Tier 1), with aspirations to eventually reach Tier 2 or Tier 3

UN roles: WSIS & IGF

  • WSIS (World Summit on the Information Society)

    • 2 meetings (Geneva 2003, Tunis 2005)

    • only vague endorsements of privacy protection

    • Main achievement was not to have privacy completely subordinated to security

  • Internet Governance Forum (IGF)

    • Hyderabad, Dec 2008 agenda to include privacy

    • CoE will push privacy Convention 108 as global convention to complement CoE Cybercrime Convention
