Asia-Pacific Region at the Privacy Crossroads (2008)
8. Advice and Recommendations
This article has examined current privacy developments in the Asia-Pacific region and provided some analysis of the benefits and risks of pursuing either the EU or US/APEC approach to privacy.
There is a clear and strong trend in the region to protect privacy through comprehensive legislation that is closely aligned with the EU approach. Legislation that is aligned with the EU approach tends to easily meet the self-described ‘moderate’ Principles contained in the APEC Privacy Framework.[53]
The US/APEC approach, however, is much more than just the Principles. The real focus is on the APEC Cross-Border Privacy Rules.
It is difficult to see any benefit for either government or businesses in the Asia-Pacific in adopting Cross-Border Privacy Rules. There may be important questions to answer about the amount of time and energy that has already been expended on the development of the APEC CBPRs in comparison to other important privacy issues.
For governments in the region, the comparison is fairly simple. The US/APEC approach has a significant focus on the registration of business policies with regulators. This is a step that can be avoided, as shown by the success of Canada’s privacy legislation in both achieving EU adequacy and delivering user-friendly privacy protection. Great care needs to be taken in the Asia-Pacific to ensure that the region does not import the worst aspects of the EU approach (registration requirements) through adherence to the US/APEC proposals for a CBPR regime.
From a regulator/government perspective, CBPRs also represent a significant cultural change. The Asia-Pacific region currently has a low-cost, complaints-based privacy culture. Local regulators have no skills or experience relevant to the pre-approval of global business policies. No resources are currently allocated to this function, and the budgets of existing privacy regulators in the region are limited. There will also be significant questions about the liability of a regulator who pre-approves (or rejects) the business policy of an organisation in circumstances where the approval carries APEC-wide recognition.
For business, CBPRs look like an expensive investment, with no guarantee of wide adoption:
It remains unclear to most commentators, and to civil society stakeholders, what real benefits the APEC CBPR approach offers businesses, except perhaps a few information intensive multi-nationals who wish to outsource data processing to a range of different countries and can afford to devote substantial resources to writing the documents and getting them assessed. The vast majority of businesses, including most small and medium sized enterprises in all countries, would almost certainly prefer clear legal obligations, enforced only in the event of a breach, and in the knowledge that outsourcing to some destinations was ‘off-limits’.[54]
There is a real risk that unnecessary and expensive registration requirements will be imported into the Asia-Pacific regime for the first time. This should be resisted.
Perhaps a lesson here is that the motivation for the APEC Privacy Framework has had an unnecessary influence on any potential outcomes for the Asia-Pacific. Rather than developing solutions that helped to integrate the APEC Privacy Framework with the EU Directive and the existing privacy regimes in the region, the US/APEC approach has ignored vital elements of the EU approach.
Indeed, in the entire 6,323 words of the APEC Privacy Framework there is not a single mention of Europe, the EU Directive, or any European laws, despite their dominant position in the global privacy landscape.
Even some US commentators are now recognising the APEC Privacy Framework as a lost opportunity to consider how the EU approach and the APEC approach could work together or be integrated in a way that benefited business:
At present, it is unclear if and how the initiatives in the EU and APEC can come together to achieve a global solution to international data transfer issues. One thing is clear, however: regional solutions alone will not be sufficient to resolve this issue... While the initiatives in the EU and in APEC are laudable, regional solutions do not address the need for free information flow while protecting privacy.[55]
In practice, the US/APEC approach has found little traction in the region, and work continues apace on the drafting and implementation of EU style legislation across the region:
The existence of the APEC Privacy Framework and Pathfinder does not seem to be deterring economies from considering legislative options, with Peru, China, Thailand and the Philippines all reporting... that they are well advanced with the introduction of an information privacy law...[56]
It may be useful to conclude this article with some predictions about the future privacy landscape in the Asia-Pacific region.
In 2006, commentator Graham Greenleaf made the following prediction:
The attraction to countries in the Asia-Pacific of a blanket finding of ‘adequate’ for their laws will persist. The ideological motivation behind some of the proponents of the APEC process, particularly those in Australia and the USA, to form an ‘APEC bloc’ that either explicitly rejected or ignored any European privacy standards... has not yet succeeded in fashioning APEC into any such thing. It will probably fail to do so, and the attraction of ‘EU adequacy’ will persist over time and will influence many aspects of future Asia-Pacific privacy laws.[57]
Although that prediction was made from a privacy advocacy perspective, the issues raised should also be of concern to businesses in the region.
From a broader perspective, this article makes the following predictions:
1. The APEC Privacy Framework will not be implemented as stand-alone legislation in Asia-Pacific countries. Where it is considered it will have minimal influence on the content of legislation, with perhaps only Principle 9 – Accountability having any significant uptake.
2. The APEC Cross-Border Privacy Rules will not be ‘recognised across APEC’ – certainly not among the Asia-Pacific members and certainly not in 2009. If CBPRs are implemented at all their recognition will be limited to a minority of jurisdictions and their impact will be minimal.
3. Some of the APEC Privacy Pathfinder Projects on administrative matters (such as a contacts directory) may be implemented and will prove useful.
4. The focus of cross-border privacy protection in the Asia-Pacific region will remain on the use of legislative conditions for data transfers, complemented by the provision of useful and practical alternatives for business compliance, such as standard contract terms. Regulation will remain ‘complaints based’ in the majority of jurisdictions.
5. The overall standard of privacy protection in the region will improve, and over time national laws will be harmonised through the work of local regional organisations and law reform bodies. Over time, a growing number of jurisdictions will be recognised as ‘adequate’ by the EU and by each other.
[53] Privacy International, PI presentation to Asia-Pacific Meeting (Lima, Peru), 23 February 2008, <http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-561713>.
[54] Waters N, The APEC Asia-Pacific Privacy Initiative – a new route to effective data protection or a Trojan horse for self-regulation?; refer to footnote 19.
[55] Wugmeister M, Retzer K, Rich C, Global Solution For Cross-Border Data Transfers: Making The Case For Corporate Privacy Rules, page 20; refer to footnote 11.
[56] Waters N and Lawson P, Report from representatives of civil society on meetings in Lima, Peru, February 2008 <http://www.bakercyberlawcentre.org/ipp/publications/Civil_Society_Report_APEC_Lima08.pdf>.
[57] Greenleaf G, Asia-Pacific Developments in Information Privacy Law and its Interpretation, University of New South Wales Faculty of Law Research Series, Paper 5, 2006, <http://law.bepress.com/cgi/viewcontent.cgi?article=1007&context=unswwps>.