Asia-Pacific Region at the Privacy Crossroads (2008)
4. The US/APEC approach
The aim of the APEC Privacy Framework 2005[10] is to promote a consistent approach to information privacy protection across APEC member economies. The history of the APEC Privacy Framework shows that it is in part a reaction to perceived problems with the EU approach. Interestingly, this development was not driven by consumer or civil society interests.
The key motivation for the development of the APEC Privacy Framework appears to stem from US business concerns regarding compliance with the EU Directive, and concerns regarding the potential expansion of the EU approach to other jurisdictions. These concerns coincided with growing interest in the US in the concept of enterprise-wide corporate privacy rules.[11]
Although this is not the sole motivating factor, and many other countries participated in the development of the APEC Privacy Framework, it is unlikely that the Framework would exist without the influence of US business interests.
For example, the Centre for Information Policy Leadership at US firm Hunton & Williams claims credit for the development of the APEC Privacy Framework:
The Centre determined in 2001 that harmonised approaches to global data flows would be a significant issue for the business community, and began to research different approaches to data protection and privacy. In 2003 the Centre published a paper laying out a global framework for privacy and shared the paper with US government officials. The Centre and its members determined that APEC would be a good candidate for establishing a flexible alternative for global data flows. The Centre began participating in the APEC Privacy Subgroup in 2004. The APEC Ministers adopted the APEC Privacy Framework in November 2004. Today the Centre takes a lead role in pushing the activities that must be completed to move APEC implementation forward. Currently the Centre is pushing forward the development of instruments that would allow businesses to display their privacy platforms in a manner that matches the APEC principles.[12]
One of the key US business concerns regarding the EU Directive is the legitimate criticism that the registration requirements in the EU Directive impose an onerous compliance burden, for little privacy benefit. However, there is no evidence that these registration requirements are being implemented in the Asia-Pacific region.
Other opposition from US businesses appears to be more ideological. For example, shortly after the EU Directive came into force, the Brookings Institute discussed the desirability of the EU assessing the adequacy of privacy protection in other jurisdictions:
In essence, the Directive sets the EU up as judge and jury over the adequacy of privacy protections of other countries, including those of the United States. The extraterritorial ambitions of the EU understandably rankle many in the United States... The EU should recognise that various forms of ‘self-regulation’ that American firms and trade associations have been exploring can, if implemented, provide ‘adequate’ privacy protection.[13]
Over time this ideological opposition has mellowed. Three important factors now influence the relationship between the US and EU in this regard:
1. The EU Directive is first and foremost an attempt to protect the personal information of EU Citizens. Although this may have knock-on consequences for business, the key motivation is sound and the US recognised this in negotiating the US Safe Harbour Regime.
2. In turn, the EU has recognised that the protection of personal information in the US is fundamentally different to the EU, based as it is on a more litigious population exercising rights under consumer protection laws:
When firms in this country [the US] hold out to the public that they are abiding by a privacy code and then fail to live up to that promise, they open themselves to legal challenge by the Federal Trade Commission and the states for engaging in an unfair trade practice, as well as to class action challenges for fraud and misrepresentation by private plaintiffs. In combination, these legal enforcement measures can provide every bit as much protection against privacy abuses as the formal legal machinery in the EU.[14]
3. In practice, concerns about the exercise of extra-territorial rights are ignored where there are pragmatic benefits to both the EU and the US (or US business interests). For example, the US has embraced the extra-territorial reach of the EU Convention on Cybercrime[15] and encourages countries in the Asia-Pacific region to join the Convention.
Despite the apparent resolution of major differences between the EU and the US regarding the protection of personal information on EU citizens, US business continues to express concern regarding the spread of the EU approach to other jurisdictions regarding non-EU citizens. Their main instrument for presenting an alternative approach to privacy protection is the APEC Privacy Framework.
The APEC Privacy Framework was published in 2004.[16] It is built around nine Privacy Principles, largely consistent with those of the 1980 OECD Guidelines on the Protection of Privacy and the Transborder Flow of Personal Data,[17] although with some minor differences.
There is ongoing debate about the extent to which the Principles either weaken or strengthen existing privacy principles found in instruments such as the EU Directive.[18] The latest view is that although there are many concerns regarding the implementation of the APEC Privacy Framework, the Principles themselves do not represent a significant departure from existing protections.[19] For the purposes of this Article only Principle 9 requires detailed analysis.
APEC Privacy Framework Principle 9 deals in a limited way with trans-border data flows:
- Principle 9 – Accountability
A personal information controller should be accountable for complying with measures that give effect to the Principles stated above. When personal information is to be transferred to another person or organisation, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organisation will protect the information consistently with these Principles.
This ‘accountability’ approach to cross-border privacy protection is consistent with the approach taken in Japan, New Zealand and Canada. It is also consistent with the approach recommended by the Australian Law Reform Commission (ALRC) in their review of Australian privacy legislation, although the ALRC has recommended retaining some additional conditions as alternatives to relying on accountability alone.[20]
The APEC Privacy Framework is complemented by a series of nine Pathfinder Projects. These were formally endorsed at the meeting of APEC Ministers in Sydney in September 2007.[21]
1. Self-assessment guidelines for business;
2. Trust-mark (accountability agent) guidelines;
3. Compliance review process of Cross-Border Privacy Rules (CBPRs);
4. Directories of compliant organisations;
5. Contact directories for data protection authorities and privacy contact officers within economies, as well as with accountability agents;
6. Templates for enforcement cooperation arrangements;
7. Templates for cross-border complaint handling forms;
8. Guidelines and procedures for responsive regulation in CBPR systems, and
9. A pilot program that can test and implement the results of the projects leading to the testing of a complete system.
A major, indeed dominant focus of the APEC work is now the development of Cross Border Privacy Rules. Cross Border Privacy Rules are described in detail below.
[10] More information on the Framework and Principles is available at:
<http://www.apec.org/content/apec/apec_groups/committees/committee_on_trade/electronic_commerce.html>.
[11] Wugmeister M, Retzer K, Rich C, Global Solution For Cross-Border Data Transfers: Making The Case For Corporate Privacy Rules, April 2007, <http://findarticles.com/p/articles/mi_qa4140/is_200704/ai_n19511009/>.
[12] The Centre for Information Policy Leadership, APEC and Global Data Flows, Hunton & Williams LLP, 2008, <http://www.hunton.com/Resources/Sites/general.aspx?id=325>.
[13] Litan R, The European Union Privacy Directive, Brookings Institution, 11 August 2008,
<http://www.brookings.edu/testimony/1998/0507technology_litan.aspx>.
[14] Litan R, The European Union Privacy Directive; refer to footnote 13.
[15] Council of Europe, Convention on Cybercrime, CETS 185, signed 23 November 2001, entered into force 1 July 2004, <http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm>.
[16] More information on the Framework and principles is available at:
<http://www.apec.org/content/apec/apec_groups/committees/committee_on_trade/electronic_commerce.html>.
[17] Organisation for Economic Cooperation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980, <http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html> (‘OECD Guidelines’).
[18] Refer for example to Tan J, A Comparative Study of the APEC Privacy Framework – A New Voice in the Data Protection Dialogue?, 2008, Asian Journal of Comparative Law, vol 3 issue 1, <http://www.bepress.com/asjcl/vol3/iss1/art7/>; Greenleaf G, The APEC privacy initiative: ‘OECD Lite’ for the Asia-Pacific?, 2004, Privacy Laws and Business International Newsletter, issue 71, <http://www2.austlii.edu.au/~graham/publications/2004/APEC_V8article.html>; Greenleaf G, Five years of the APEC Privacy Framework: Failure or promise?, 2008, Asian Law Institute Conference (Singapore 2008); Pounder C, Why the APEC Privacy Framework is unlikely to protect privacy, Out-Law.com, 15 October 2007, <http://www.out-law.com/page-8550>; and Bennett C, The APEC Privacy Framework: A Trading-Up of Standards or the Opposite?, presented to the Conference on Privacy and Security, February 2006, <http://www.mser.gov.bc.ca/privacyaccess/Conferences/Feb2006/ConfPresentations/Bennett_Colin.pdf>.
[19] Waters N, The APEC Asia-Pacific Privacy Initiative – a new route to effective data protection or a Trojan horse for self-regulation?, June 2008, <http://www.pacificprivacy.com.au/NW APEC paper final.pdf>.
[20] Australian Law Reform Commission, For Your Information: Australian Privacy Law and Practice, Report 108, August 2008, chapter 31, <http://www.austlii.edu.au/au/other/alrc/publications/reports/108/31.html> (‘ALRC Report 108’).
[21] Full details of the Australian meetings regarding APEC are at <http://www.pmc.gov.au/privacy/apec/index.cfm>.