1. Five years of the APEC Privacy Framework - Failure or Promise? Graham Greenleaf Faculty of Law, University of New South Wales ASLI Conference, NUS, Singapore, May 2008

2. Outline The APEC Privacy Framework 2003-08 –Deficiencies in the APEC principles –Lack of enforcement mechanisms –‘Pathfinder’ projects and CBPR –Effect on privacy laws in APEC region Influence of the EU privacy Directive Council of Europe Convention 108 –New/old option for Asia-Pacific countries WSIS/IGF potential role?

3. APEC Privacy Framework Why is APEC important? –‘Asia-Pacific Economic Cooperation’ (APEC) –21 ‘economies’ from Chile to Singapore –4 continents; 1/3 world population; 1/2 world GDP; 1/2 world trade No ‘APEC treaties’, no constitution –Everything works on consensus and cooperation –Few if any legal requirements or constraints –‘Agreements’ in APEC are very different from the binding treaties or Directives of Europe

4. The possibilities of the APEC Privacy Framework Asia-Pacific has more privacy laws than any other region outside Europe A regional agreement was logical: –To create a minimum privacy standard –To help ensure free flow of personal data Is it either of these possibilities? –The most significant global privacy initiative since the EU Directive: a spur for new laws? –A divisive low-standard ‘counter bloc’ to the EU?

5. History of the APEC Privacy Framework Few APEC privacy developments pre-2003 US, Aust etc hostile to EU privacy Directive –Aust proposal to base APEC privacy standards on OECD privacy Guidelines of 1981 (Feb 03) Developed by APEC ECSG privacy sub-group (03-05) –Business orgs included, consumer NGOs excluded –No external consultation until 9th draft of IPPs –No external consultation on implementation (Pt IV) APEC Ministers announce Framework (Nov 04) –But data export elements were missing until Sept 05

6. APEC's 9 Privacy Principles I Preventing Harm II Notice III Collection limitation IV Uses of personal information V Choice VI Integrity of Personal Information VII Security Safeguards VIII Access and Correction IX Accountability (includes Due diligence in transfers)

7. APEC's IPPs = 'OECD Lite’ 5 types of criticisms (1)Weaknesses inherent in OECD IPPs OECD now 20 years old, even Kirby is critical Allows secondary uses for ‘compatible or related purposes’ Weak collection limitations; No deletion IPPs (2)Further weakening of OECD IPPs OECD ‘Purpose specification’ and ‘Openness’ IPPs missing - both are valuable Broader allowance of exceptions Otherwise substantially adopts OECD Slightly stronger than OECD on notice

8. APEC's IPPs = 'OECD Lite’ 5 types of criticisms (3)Potentially retrograde new IPPs ‘Preventing harm’ (I) - sentiment is OK, but a strange IPP; really a basis for rationing remedies or lowering burdens; could justify piecemeal coverage ‘Choice’ (V) - redundant in use and disclosure IPPs; does not seem to justify contracting out of other IPPs

9. APEC's IPPs = 'OECD Lite’ 5 types of criticisms (4)Regional experience ignored No borrowings from the often stronger laws in the region (eg Korea, HK, NZ, Australia, Canada) - 17 years ignored Some additional IPPs are A-P ‘standards’ (5)EU compatibility ignored No borrowings of new EU IPPs (eg automated processing) Is this an attempt to define ‘adequacy’ as ‘OECD Lite’? - or ‘just don’t care’? If well implemented, could be ‘adequate’

10. 10 ‘missing’ IPPs - Found in at least 2 regional laws - Openness Collection from the individual Data retention Third party notice of correction Data export limitations Anonymity option Identifier limitations Automated decisions Sensitive information Public register principles

11. Implementation - anything goes! Framework Part IV(A): ‘Domestic Implementation’ –non-prescriptive in the extreme Any form of regulation is OK –Legislation not required or even recommended –‘an appropriate array of remedies’ advocated –‘commensurate with the extent of the actual or potential harm’ –Choice of remedies supported No central enforcement body required –A central access point for information advocated –Education and civil society input advocated

12. Implementation - anything goes! Accountability (at the economy level) –‘Individual Action Plans’ - periodic national reports to APEC on progress (were to start 2006) –No self-assessment or collective assessment (contra v1, 2003) Bottom line –Part IV exhorts APEC members to implement the Framework without requiring or proposing any particular means of doing so, or any means of assessing whether they have done so –considerably weaker than any other international privacy instrument

13. Data exports (Pt V(B) - Final (uncontentious) result Final version (Sept 05) only encourages recognition of binding corporate rules –Says nothing about export restrictions APEC Framework does NOT do any of: –Requiring exports be allowed to APEC-compliant countries (contrast EU, OECD, and CoE) –Forbidding exports to non-APEC compliant countries (contrast EU Directive) –Allowing restrictions on exports to such countries (contrast OECD and CoE) The weakest privacy agreement yet seen –Will have little direct impact on data exports between EU and A-P, in either direction

14. Implementation of the Framework Consultant-managed projects 5 Implementation Seminars 2005-08 –some APEC economies have sent delegates, including many with no privacy laws: valuable? –Obsession with finding ways to allow data exports at the expense of encouraging new laws Economies supposed to file privacy IAPs (Individual Action Plans) during 2006 –None apparent on APEC website –Zero evidence of privacy law improvements

15. Implementation: ‘Pathfinders’ 2007- Ministers endorsed ‘Pathfinder’ project in 2007 –Basis is ‘certification’ of a company’s cross-border privacy rules (CBPRs) –Result could be some APEC-wide trustmark 13/21 economies indicated will participate –Not China, Indonesia, Malaysia, Philippines (+ 4 others) Criticisms –Process bias: All Present Except Consumers (A.P.E.C) –Standards required of either (I) a businesses’ CBPR or (ii) a trustmark provider are uncertain –How will this work in countries with privacy laws?

16. APEC IPPs - Does ‘Lite’ matter? Does a low APEC baseline matter? –No FORMAL requirement to export to countries with low standards of privacy protections –Danger of a counter-bloc to the EU stemming from an ‘anti-export-restriction’ Pt IV(B) has disappeared –Does very little to encourage countries with no privacy laws (most of APEC) to adopt any APEC IPPs are a ‘floor not a ceiling’ –Framework does not explicitly deter stronger IPPs –Bias in implementation for free flow of information

17. Continuing influence of the EU privacy Directive EU’s ‘mandatory’ data export restrictions have taken longer to bite than expected Few EU determinations of (in-)adequacy yet made –Australia, HK, NZ, Korea still to come But EU adequacy will not go away, nor should it Attraction of simplifying trade by obtaining a global adequacy assessment from EU will remain –will pull Asia-Pacific countries toward global standards Question: Is there another way to achieve this?

18. Montreaux Declaration 2005 Annual meeting of world’s Privacy Commissioners – a ‘log of claims’: –UN should prepare a binding legal privacy treaty –Governments should adopt global privacy principles and extend them to their international relations as well –Council of Europe should invite non-European States to join Council of Europe privacy Convention 1981 –WSIS 2005 final declaration should commit to a legal framework to protect privacy

19. Council of Europe Convention 108 Council of Europe privacy Convention 108 (1981) –40 ratifications, broader than the 23 EU members –Principles similar to OECD privacy Guidelines (1981) –Legal guarantee of free flow between Member States Optional Protocol 181 (2001) - 20 parties –Protocol requires laws & an independent authority –Also requires data export limitations - like ‘adequacy’ CoE Convention A23 –allows CoE to invite non-European countries to accede (right to ratify Protocol then automatic) –Procedure requires a country to request to accede –A 23 never yet used; but CoE will in July ‘request requests’ –CoE Cybercrime Convention has had some global adoption; CoE sees a global privacy Convention as complementary

20. Council of Europe Convention 108 – A23 as the new (old) option for the Asia-Pacific Advantages of Asia-Pacific accessions: –Would guarantee free flow of personal information (i) between signatory A-P countries, and (ii) between each of them and 40 European countries (main advantage) –Might ensure EU adequacy (‘international obligations’ count) –Standard is higher than APEC, similar to OECD, & improving –Sidesteps APEC limitations & unlikelihood of a UN treaty, while creating a modest standard global privacy treaty –Encourage other A-P countries to develop their laws and enforcement to CoE standard, to obtain free flow benefits

21. Council of Europe Convention 108 – Weaknesses and questions Weaknesses and questions –CoE enforcement mechanisms are lacking; only now investigating how to deal with members who do not implement treaty obligations –How to Conv 108 and Optional Protocol 181 requirements mesh when not all members have adopted both Possible result of Asia-Pacific adoptions –2-tiered (or 3-tiered) privacy protection in A-P: –‘Global’ Convention 108 for countries with privacy laws, and Optional Protocol 181 for those with stronger laws –APEC ‘starter kit’ for the rest (Tier 1), with aspirations to eventually reach Tier 2 or Tier 3

22. UN roles: WSIS & IGF WSIS ( World Summit on the Information Society ) –2 meetings (Geneva 2003, Tunis 2005) –only vague endorsements of privacy protection –Main achievement was not to have privacy completely subordinated to security Internet Governance Forum (IGF) –Hyderabad, Dec 2008 agenda to include privacy –CoE will push privacy Convention 108 as global convention to complement CoE Cybercrime Convention