Article - Asia Pacific Privacy Developments 2007 (January 2008)
Introduction
This article provides a brief summary of the key privacy law developments in the Asia-Pacific region in 2007. As sharing of personal details online becomes more frequent, and the accessibility of such information is enhanced by rapidly improving technologies, the privacy risks that threaten a world citizen are greater than ever before. In the Asia-Pacific region there has been significant growth in Business Process Outsourcing (BPO), which demands countries develop coherent information protection laws. A number of countries in the region are making progress towards new privacy legislation. At the same time other countries in the region with existing privacy laws are looking to amend and reform laws so that they align with current technologies, community views and international standards. One new issue that is emerging is the consideration of data breach notification rules by Asia-Pacific countries - and this is likely to be a major talking point in the region over the next few years.
New Laws
China
In China, rapid economic growth and the benefits of globalisation have come hand in hand with a number of privacy issues which citizens are facing in daily life. National concerns have stemmed from the ever-growing number of reports alleging the selling of personal information to call centres and service providers, as well as the abuse of other readily available personal information (such as the details given in application forms). This exploitation of personal information has resulted in unwelcome phone calls, identity theft and a growing push for legislated privacy law.[1]
While privacy is recognised in China to some extent - for example the notion of ‘freedom and privacy of correspondence’ exists in their constitution as a fundamental right[2] - there is no consolidated national data protection legislation. The momentum for the development of privacy law has been building since 2003, when the State Council’s Informatization Office (SCITO) began drafting protective laws.[3] While the submission of the initial draft in 2005 did not amount to implementation, it operated as a foundation for the drafting of Data Protection Laws in 2007.[4]
The development of Data Protection Laws is being driven and supported by the EU-China Information Society Project (EUCISP), which held a workshop on 14 June 2007. The Workshop unveiled a report on Personal Data Protection in Europe and China: What Lessons to be Learned.[5] The report, through an analysis of the successes and failings of EU Data Protection measures, proposes twenty recommendations for Chinese policy-makers.
Early in 2007, the deputy director of the policy and planning department of SCITO announced that they had finished drafting the law and would be submitting it to the State Council’s Legal Affairs Office.[6] It is hoped that these latest submissions might prove successful in establishing a legal framework for privacy and personal data information.[7]
India
With the IT hub in India growing faster than any other in the world,[8] the increasing numbers of outsourcing ventures pose growing privacy risks. Outsourcing has always held significant security risks, with sensitive data being transferred.[9] Efforts to legislate for these risks came late in 2006, when the Information Technology (Amendment) Bill was introduced into Lok Sabha,[10] the lower house of the Parliament of India. Amongst the changes, the bill proposes section 43A and section 72A, which impose penalties for corporations and individuals found liable for negligence or fraud in maintaining ‘reasonable security practices’.[11] The bill was last considered in the winter session (November and December) of 2006, where the bill was subject to preliminary debate.
In order to maintain India’s profile as a prime candidate for outsourcing, without legislation, companies throughout India are keen to show that privacy measures exist, and have implemented protective safeguards, such as storing confidential data on the servers of the companies who are outsourcing.
The National Association of Software Services Companies (NASSCOM) is working throughout India to align their data privacy legislation with international standards.[12] It is training officers in different areas of India to be able to investigate data theft and breaches (such a unit has already been established in Bombay Police Department). Furthermore, NASSCOM are supporting an international audit for all 860 of their member companies, and promoting an international law supplement to Indian privacy law.
The Indian government, in cooperation with the IT industry, hopes to pass new privacy legislation and establish the Data Security Council (DSC).[13] The new Data Protection Bill (which is in addition to the proposed amendments to the Information Technology (Amendment) Bill 2006) is currently being drafted and is expected to be passed during 2008. The legislation will provide clearer provisions for contracting in India’s outsourcing industry.
Malaysia
After a number of years of drafting, Malaysia’s Personal Data Protection Bill is in the final stages of development.[14] Early in November 2007, Malaysia’s Energy, Water and Communications Minister Datuk Shaziman Abu announced that he believed the bill would be tabled in Parliament by the end of 2007, or early 2008.[15]
Thailand
Privacy rights in Thailand have, to a large extent, been afforded by Constitutional recognition of a person’s ‘family rights, dignity, reputation or the right of privacy’. The Official Information Act 1997 also provides guidelines for agencies that hold personal information. However, with widespread technological advances, and growing opportunities in the Business Process Outsourcing (BPO) industry, there have been calls for legislative privacy guards. In February of this year, the managing director of Oracle ASEAN stated that in order for Thailand to seize BPO opportunities, the government needed to pass a Data Privacy Act without delay.[16] Thailand is in the early stages of developing draft privacy legislation.
On 10 June 2007 the interim Prime Minister signed into effect The Computer Crime Act (2007), which was drafted by the National Electronics and Computer Technology Centre (NECTEC) and is enforced by the Information Communications Technology Ministry.[17] The Act imposes penalties for identity fraud, the misuse or abuse of information on others’ computers and the interception of confidential data. However, the Act has been subject to criticism by the Asian Human Rights Commission, due to the harsh penalties and the ambiguous provisions bringing any information deemed threatening by the State within the scope of the Act. Other popular movements such as Freedom Against Censorship-Thailand have highlighted the vast array of powers given to officials when handling sensitive data.[18]
Legislative Reform
Australia
In 2006, the Attorney-General of Australia asked the Australian Law Reform Commission (ALRC) to undertake a review of the Privacy Act 1988 and make recommendations to improve privacy legislation in Australia. While the final report is due in March 2008, the ALRC has recently released Discussion Paper 72. The Paper looks at amendments that might be made to the legislation, to comply with rapid developments in technology, changes in public opinions and other laws that have since been introduced into states and territories, which affect privacy.[19]
The reforms proposed include recommendations for consolidation of many areas of existing privacy law. The ALRC has proposed that there be one set of Privacy Principles, applicable to both public and private sectors, and national consensus through Federal Laws (rather than individual State and Territory law) in areas such as health. The review focuses on extending protection to a wider range of sensitive data and stresses the need for clarity in how personal information is dealt with. In issues of significant public concern such as direct marketing, the ALRC has recommended a special set of privacy principles, allowing for a greater protection of individuals’ rights. Other recommendations have been to abolish exemptions which apply to particular groups (such as small businesses and political parties), which are found in the current Privacy Act.
New Zealand
New Zealand’s Law Commission has also commenced a review of Privacy Law, evaluating different aspects of policy in four steps. The commission is engaged in stages 1 and 2, which involve examining a broad spectrum of influencing factors, such as ‘privacy values, changes in technology, international trends and their implications for New Zealand Law’.[20] The commission is also looking at whether these privacy considerations demand changes be made to law regarding public registers. In September 2007 the Commission published ‘Public Registers Issues Paper’, dealing with stage 2, and allowing for public comment on the paper. In November 2007, ‘A Conceptual Approach to Privacy’ was made available. The paper’s aim is to establish foundations, upon which the Commission can effectively examine Privacy Law and its present legal condition.
The final reports for Stages 1 and 2 are due in early 2008. The subsequent studies begin in 2008: stage 3 relates to invasion of privacy and the civil and criminal law; and stage 4 examines the existing Privacy Act 1993.
Another significant development in the sphere of Privacy Law has been regarding personal data security breaches. In June, New Zealand’s Privacy Commissioner announced that her office was recommending that the government implement laws which require companies to inform individuals when the security of their personal data has been compromised.[21] Following this, the Office of the Privacy Commissioner released a set of ‘Privacy Breach Guidelines’,[22] modelled on Canadian ones, which companies can voluntarily adhere to. Several commentators have observed that it is unlikely that such loose measures will be effective, and therefore, it is thought that these will soon become mandatory.[23]
While the ALRC’s review of Australian privacy law has led to similar recommendations, so far, New Zealand is the only country in the Asia-Pacific region to seriously propose implementing data breach notification laws.
Korea
Korea’s limited privacy law is contained in the Act on Promotion of Information and Communication Network Utilization and Information Protection (2001).[24] This Act only applies to the information and telecommunications industries that are providers of information and communications services such as common carriers, Internet service providers and other intermediaries, such as content providers. The Act also covers specific offline service providers such as travel agencies, airlines, hotels, and educational institutes.
However, there is a significant push for reform of privacy law in Korea. During 2007 three bills were awaiting debate at Korea’s Government Administration and Home Affairs Committee. The Ministry of Information and Communication has also drafted a revised version of the current Act. The revised draft takes into account the unique characteristics of the IT sector as well as the rising demand for stronger personal information protection. The draft also improves upon the existing law and addresses the issues that were raised during enforcement of the law.[25]
Regional Developments
APEC Privacy Framework
The APEC Privacy Framework promotes a consistent approach to information privacy protection across APEC member economies. The Framework includes nine privacy principles for businesses operating in APEC economies.[26]
2007 was a busy year in the promotion and implementation of the Framework. In June, the APEC E-Commerce Steering Group Data Privacy Subgroup met in Cairns to develop APEC Data Privacy Pathfinder projects with a focus on cross-border privacy rules. The Pathfinder projects were formally endorsed at the meeting of APEC Ministers in Sydney in September 2007.[27]
Asia Pacific Privacy Authorities (APPA)
Asia Pacific Privacy Authorities (APPA) is a regional forum for privacy regulators to meet and exchange ideas about privacy regulation, new technologies and the management of privacy enquiries and complaints. Members include national privacy regulators from Australia, Canada, Hong Kong, Korea, New Zealand and several smaller domestic privacy agencies.[28]
During 2007 APPA met in Cairns, Australia and began work on cross-border privacy complaints, biometrics and privacy, and the reform of privacy complaints statistics. APPA is growing in importance as a regional privacy body and attracting new members.
[1] Xinhua News Agency, Lawmaker Urges Legislation to Curb Rampant Privacy Infringement, 6 March 2005, <http://www.china.org.cn/english/2005lh/121920.htm>.
[2] Article 40, Constitution of the People’s Republic of China 1982 (China), <http://english.people.com.cn/constitution/constitution.html>.
[3] People’s Daily Online, China to legislate for protection of personal information, 25 January 2005, <http://english.peopledaily.com.cn/200501/25/eng20050125_171801.html>.
[4] China Economic Net, Law on personal info ‘next year’, 6 August 2007, <http://en.ce.cn/National/Politics/200708/06/t20070806_12435867.shtml>.
[5] EU-China Information Society Project, Research Final Workshop: ‘Personal Data Protection’, 20 June 2007, <http://www.eu-china-infso.org/Regulation/[email protected]>.
[6] China Economic Net, Law on personal info ‘next year’, 6 August 2007, <http://en.ce.cn/National/Politics/200708/06/t20070806_12435867.shtml>.
[7] China View, New law expected to protect privacy, 6 August 2007, <http://news.xinhuanet.com/english/2007-08/06/content_6480490.htm>.
[8] Lexelerator, Information Technology, <http://www.lexelerator.eu/?q=node/255>.
[9] India Web Developers, Outsourcing Information Security: How is India dealing with data privacy and security issues?, <http://www.indiawebdevelopers.com/outsourcing/data_privacy.asp>.
[10] Ministry of Parliamentary Affairs, Legislative Business Transacted in Parliament during Winter Session 2006, <http://mpa.nic.in/postw06.htm>.
[11] <http://164.100.24.208/ls/bills-ls-rs/2006/96_2006.pdf>.
[12] India Web Developers, Outsourcing Information Security: How is India dealing with data privacy and security issues?, <http://www.indiawebdevelopers.com/outsourcing/data_privacy.asp>.
[13] NASSCOM, Data Security Council of India (DSCI), 8 August 2007, <http://www.nasscom.in/Nasscom/templates/NormalPage.aspx?id=51973>.
[14] Malaysian National News Agency, Ministry Finalising Draft of Personal Data Protection Bill, 5 November 2007 <http://www.bernama.com/bernama/v3/news.php?id=294211>.
[15] The star online, Act to keep personal data private, 6 November 2007, <http://thestar.com.my/news/story.asp?file=/2007/11/6/parliament/19387238&sec=parliament>.
[16] Bangkok Post, We need data privacy act to attract BPO, 7 February 2007, <http://www.bangkokpost.net/20th_database/07Feb2007_data52.php>.
[17] The Nation Headlines, Thai police get tough Net laws, 18 July 2007, <http://www.nationmultimedia.com/2007/07/18/headlines/headlines_30041329.php>.
[18] Asian Human Rights Commission, Thailand: Unintelligible Computer ‘law’ passed under junta’s watch, 25 July 2007 <http://www.ahrchk.net/statements/mainfile.php/2007statements/1133>.
[19] Australian Law Reform Commission, Review of Australian Privacy Law, Discussion Paper 72, 31 July 2007, <http://www.austlii.edu.au/au/other/alrc/publications/dp/72/>.
[20] Law Commission (NZ), Review of Privacy, <http://www.lawcom.govt.nz/ProjectGeneral.aspx?ProjectID=129>.
[21] ComputerWorld, Australian data-breach shift puts heat on NZ, 15 August 2007, <http://computerworld.co.nz/news.nsf/scrt/ED2470D42A339C97CC257337006D38C2>.
[22] Privacy Commissioner (NZ), Privacy Breach Guidelines, August 2007, <http://www.privacy.org.nz/library/privacy-breach-guidelines>.
[23] Identity and Privacy Blog, NZ: data breach law: quick and light, 27 August 2007 <http://yes2privacy.wordpress.com/2007/08/27/nz-data-breach-law-quick-and-light/>.
[24] Act on Promotion of Information and Communications Network Utilization and Information Protection 2001 (Kr) <http://www.ecommerce.or.kr/activities/policy_view.asp?bNo=336&Page=1>.
[25] National Internet Development Agency of Korea, Korea Internet White Paper 2006, NIDA, 21 July 2006, Seoul, <http://www.mic.go.kr/eng/secureDN.tdf?seq=10&idx=1&board_id=E_04_03>, at page 78:
[26] More information on the Framework and principles is available at: <http://www.apec.org/content/apec/apec_groups/committees/committee_on_trade/electronic_commerce.html>.
[27] Full details of the Australian meetings regarding APEC are at <http://www.ag.gov.au/apec_privacy>.
[28] <http://www.privacy.gov.au/international/appa/>