APEC vs APT?: The struggle for regional privacy standards
Graham Greenleaf
‘Terrorists & Watchdogs’ Conference, 8 September 2003
See http://www2.austlii.edu.au/~graham/ for updates / details
Regional privacy standards
• There is no global standard
• One region (Europe) has successfully developed regional standards
• Council of Europe Convention 1981
• European privacy Directive 1995
• The Asia-Pacific is the next most advanced region in privacy protection
• Far less political and economic unity or uniformity
• Starting the most important international privacy developments since the EU Directive ….
Toward an Asia-Pacific standard
• APEC’s privacy initiative
• Chaired by Australia - US / Aust. initiative
• Asia-Pacific Telecommunity (APT)
• Chaired by Korea
• Asia-Pacific Privacy Charter Council
• A ‘civil society’ expert group
• FTAA will also affect some countries
• (Free Trade Area of the Americas)
APEC’s privacy Principles
• Australia chairs a working group of 10 countries since Feb 03
• Starting point: OECD Guidelines (1981)
• What’s the purpose?:
• A minimum standard where compliance will (somehow) justify regional free flow of personal information
• A standard which will encourage (minimum) protection in countries where there is none
APEC’s privacy Principles - Progress or stagnation?
• 5 draft versions in 6 months
• Do not yet reach OECD standards
• Only considering very minor improvements to OECD
• V2 strengthened V1, but V3 and V4 far weaker for little apparent reason
• Serious US input coincides with V3
• At best it offers ‘OECD Lite’ ….
APEC’s ‘OECD Lite’
• Examples of weak and outdated standards
• Based on Chair’s V4 (Aug 03) - now behind closed doors
• No objective limits on information collection (P1)
• No requirement of notice to the data subject at time of collection (P3)
• Secondary uses allowed if ‘not incompatible’ (P3)
• OECD Parts 1, 3, 4 and 5 all missing as yet
• Farcical national self-assessment proposed (V1)
• Why start from a 20 year old standard?
• Most regional countries are not members
• Recognised as inadequate (eg Kirby J 1999)
The alternative: A real Asia-Pacific standard
• Actual standards of regional privacy laws
• Eg Korea, Canada, Hong Kong, New Zealand, Taiwan, Australia, Japan, Argentina
• Principles stronger than OECD are common
• Expert input is needed to identify this standard, not filtered through governments
• Privacy Commissioners need a collective role
• No equivalent yet to A29 Committee
• Santiago (Feb 04) only offers input on implementation
• Asia-Pacific NGO experts are developing the APPCC
• We need to adopt and learn from 25 years’ regional experience, not ignore it
Examples of high regional standards
• Collection objectively limited to where necessary for functions or activities (HK, Aus, NZ - Can stricter)
• Notice upon collection (Aus, NZ, HK, Kor)
• Secondary use only for a directly related purpose (HK, NZ, Aus - Kor stricter)
• Right to have recipients of corrected information informed (NSW, NZ)
• Deletion after use (HK, NZ, NSW, Kor)
APT privacy Guidelines (draft)
• Asia-Pacific Telecommunity (APT)
• 32 states via Telecomms ministries (etc)
• Guidelines on the Protection of Personal Information and Privacy (draft), July 2003
• Drafting by KISA (Korea), with Asian Privacy Forum
• Attempts to take a distinctive regional approach
• Explicitly not based solely on OECD or EU (cl8)
• Says OECD Guidelines ‘reflect … the 70s and 80s’
• ‘Concrete implementation measures’ unlike OECD
• Allows more variation between States than EU
• Emphasises role of government, not litigation
• Adds new Principles in at least five areas …
APT Guidelines - implementation
• Legislation required + self-regulation encouraged
• A privacy supervisory authority required
• Supervision and complaint investigation
• Data export limits may be ‘reasonably required’ to protect ‘privacy, rights and freedoms’;
• free flow of information otherwise required
• Limits on these guidelines only by legislation; only to the extent necessary for other public policies
• Common character string needed to deal with spam
APT Guidelines - new Principles
• No disadvantage for exercising privacy rights (A5(2))
• Notification of corrected information to 3rd party recipients (A6(4))
• ‘Openness’ of logic of automated processes (A7)
• No secondary use without consent (A14(2))
• Deletion if consent to hold is withdrawn (A16)
• Duties on change of information controller (A19)
• Special provision on children’s information (A34)
• Personal location information Principle (A30)
• Unsolicited communications Principle (A31)
Conclusions
• Why are APEC and APT so different?
• Membership similar except for the USA
• Australia’s APEC initiative had a defensive and outdated starting point (OECD)
• Inadequate process: no collective expert input, and now behind closed doors
• OECD Guidelines were by an ‘expert group’
• A more consultative, confident, and region-based APEC initiative is needed
Coda: APPCC contribution
• Asia-Pacific Privacy Charter Council
• 35 non-government privacy experts from 10 regional countries, and growing
• On 12/11/03, meeting to consider 1st working draft
• Headings of Principles under consideration for Charter are over - only a first draft
• Covers surveillance and intrusions as well as IPPs
• An attempt to find a positive regional standard
APPCC principles - Part V - Implementation and compliance principles