Asia-Pacific information privacy briefing ‘07
Graham Greenleaf
Professor of Law, UNSW
Asia-Pacific Editor, PLB International Newsletter
Menu - December 11 2007
• National laws
  • Australia
  • Japan
  • South Korea
  • Hong Kong
  • New Zealand
• … and proposals
  • Taiwan
  • Thailand
  • China (PRC)
  • Philippines
  • … and the others
• Regional developments
  • APEC Framework
  • APEC ‘Pathfinders’
  • Other agreements
  • APPA (Asia-Pacific Privacy Authorities)
  • Regional NGOs
• Finding the law
  • WorldLII Privacy Law Library
  • EPIC’s PHR 2006
Australia (I): Legislation and case law
• Information privacy legislation
  • No significant case law under federal Privacy Act
  • WA legislation 2007; only Qld & SA do not have information privacy Acts covering govt. information
  • EU ‘adequacy’ still uncertain - expert report to EU Commission 2005, updated 2006; no decision yet
• Common law
  • developments uncertain: Doe v ABC [2007] VCC 281 $234K damages by District Ct - on appeal
  • Statutory privacy tort under consideration by both federal and NSW law reform Commissions
Australia (II): Election implications
• Rudd Labor govt. sworn in 1 December
• ‘Access Card’/ID Card is dead
  • Office of Access Card already shut down
  • Letter telling all contractors to cease work
• New Information Commissioner
  • Will combine FOI and privacy, with 3 Commissioners
  • Privacy Branch of A-Gs has already been transferred to PM’s Dept.
Australia (III): ALRC review of federal laws
• Australian Law Reform Commission Discussion Paper 72, Sept 2007
• Major reforms proposed within existing structure
• APEC Privacy Framework largely ignored
• One set of ‘Uniform Privacy Principles’ (UPPs) for both private sector and federal public sector; likely to then be adopted by State public sectors
• Considerable strengthening of enforcement, particularly in allowing appeals to the Courts
• Credit reporting strict regulation will largely continue: no ‘positive reporting’; segregated data
Australia (IV): New elements in the proposed UPPs
• Broad approach to ‘personal information’ retained
• Anonymity Principle to include pseudonymity
• Notice required on collection from 3rd parties
• Data exports to be tightened (over)
• Direct marketing to require prior consent wherever practical
• Intermediary access where direct access refused
• Data breach notification principle
• Restrictions on using Identifiers tightened
• Public sector to be covered by anonymity, data export, destruction and identifiers principles (and perhaps direct marketing)
Australia (V): Data export proposals
• 4 bases for transfers outside Australia
• ‘transfer’ includes data stored in Australia but accessible outside Australia (so no personal data on open Internet)
• ‘Reasonable belief’ that recipient is subject to a ‘law, binding scheme or contract’ that effectively upholds principles ‘substantially similar’ to UPPs
  • Government may issue Whitelist
• ‘Consent’ (express or implied)
• Law enforcement purposes (specified)
• Transferor remains liable for breaches, under conditions similar to A26(1) Directive
Australia (VI): Shrinking the ‘privacy free zone’
• Many exemptions to be removed
  • general exemption for small organisations
  • For politicians and parties
  • For employee records (subject to confidence laws)
• Some exemptions to stay
  • Media exemption to be more carefully defined
  • Research exemption to be broadened
  • Police / security exemptions stay just as broad
Australia (VII): ALRC Enforcement proposals
• Rights of complainants to be strengthened
  • Right of appeal from PCO to Federal Court
  • Parties will be able to require s52 determinations
  • Current PC = 0; Previous PC = 2
• PCO’s powers to be strengthened
  • to order PIAs for significant new projects
  • to audit private sector compliance
  • to require development of Codes
  • to take specific actions to remedy a breach
  • to enforce findings in ‘own motion’ investigations
  • to pursue civil penalties against parties in breach
Australia (VIII): Credit reporting proposals
• ALRC wants ‘more comprehensive credit reporting’
• In addition to defaults: type of each current credit account opened (eg mortgage, personal loan, credit card); date on which opened; account’s limits, and when closed
• Still no disclosures outside the credit industry
• No bureau access without an external dispute resolution scheme
• Pro-active monitoring of data quality required
• No collection of data on under-18s
Japan (I) - New METI PIPL guidelines
• METI guidelines, 2nd Ed (2007)
  • to Personal Information Protection Law (PIPL)
  • one of 35 guidelines but (i) most widely applicable due to METI’s broad purview; (ii) influences others
• Abstract statements of purpose of use unacceptable
• Requires consent for change of use of information
• Requires additional responses in case of a data leak or other PIPL violation, including advising persons affected, and apologies
  • Gives exceptions when not necessary to inform
• Confidentiality agreements required from employees
Japan (II) - Case law starts to produce damages
• Damages against beauty salon (Aug 2007)
  • Tokyo High Court upheld damages decision of about US$4K to 14 plaintiffs against beauty salon chain; highest yet
  • Negligence action, but based on same standards as PIPL
  • Resulted from a ‘data spill’ onto the Internet from a negligent contractor
• JAL cabin attendants action (Nov 2007)
  • 190 current and former cabin attendants and their labor union
  • damages suit against Japan Airlines Corp seeking 48 million yen
  • Claims JAL collected medical records, familial status and physical descriptions, without consent
Japan (III) - Fingerprinting foreigners
• Biometric scanning of almost all foreigners entering the country, including residents (Nov 2007)
  • both index fingers and digital photograph
  • Immigration Control and Refugee Recognition Act
• Privacy International, for 70 international and Japanese NGOs, has protested to the Japanese Minister of Justice
• Significance: one of first countries to follow USA
  • considerable effects on US tourist industry
  • will Japan be similarly affected, or neutralise reactions?
South Korea
• New legislation awaits election
  • Current public sector and private sector Acts are inconsistent in both principles and enforcement
  • 3 draft bills on comprehensive data protection are before the National Assembly
  • Ministry of Information and Communication (MIC) held public hearings on its draft in August
    • To cover all data users, not just ‘information service providers’ (ISPs)
    • Increased penalties; incorporation of guidelines
    • Reduced use of ‘resident registration number’ in favour of alternative IDs
  • New government in 2008 will consider MIC bill or one of the 3 dormant bills
South Korea (II) - Guidelines
KISA (Korean Information Security Agency) guidelines
• RFID Privacy Protection Guideline
  • 2005 guidelines revised September 2007
  • Consent required for any secondary use of RFID-acquired personal data
  • Separate Location Information Act must be complied with for personal location uses
• Biometric Information Privacy Guideline
  • 2005 guidelines revised September 2007
  • Raw data must be held separately from identified data, and destroyed when purpose completed
  • Very few biometric privacy codes exist (eg Australia) - this may be the most significant to date
Hong Kong
• Data spills but no litigation
  • Massive data spill onto Internet concerning complaints against Police by 20K people, by contractor working for Independent Police Complaints Commission (IPCC)
  • HK PC found breaches of security principle by IPCC, but (of course) they were immediately fixed -> no prosecution
  • HK Ordinance (PDPO) theoretically allows Court damages actions under s66 - not HK$1 ever awarded
  • No actions by any of the 20K people are known
• Increasing fines for breaches of HK law
  • In 2006-07 quite a few companies have been prosecuted and fined for various breaches of the Ordinance (NOT the Principles)
Hong Kong (II) - Yahoo! Out of reach
• Yahoo! Case explores scope of HK law
  • Yahoo! Holdings (HK) Ltd handed over to SSB, in PRC, address and phone no to match IP address
  • Use of s48 report, uncommon before Comm. Woo
• Found that this did not constitute ‘personal data’ because it could refer to a company not a person
• Although YHHK would normally be a ‘data user’ under HK Ordinance, because it was controlled from HK, it did not have control under these circumstances because compelled to disclose by PRC law
• BUT if this had not been a compulsory disclosure (even if a criminal investigation), HK law would have applied to actions taking place in the PRC (or elsewhere)
Hong Kong (III) - Surveillance now regulated
• HK govt. issued an Executive Order to try to cloak its surveillance practices with legality
• Court actions by ‘Longhair’ invoked privacy provisions in Basic Law for first time
• Court of Appeal held Executive Order unconstitutional, but delayed effect to give govt. time to legislate
• New Interception of Communications and Surveillance Ordinance 2006 governs telecoms interception and other official surveillance
  • Influenced by HKLRC report; quite strong controls
• First report of Surveillance Commissioner, Nov 2007
  • 526 applications granted, 67 refused; 177 resulting arrests
New Zealand
• Law Commission review of privacy
  • Stage 1: high-level policy overview (Report due)
  • Stage 2: Public Registers - Issues Paper (Sept 07)
    • (a) existing statutory framework is ‘problematic’
    • (b) problems with uses of data from public registers, especially in relation to bulk downloading
    • (c) existing protections in various statutes establishing public registers are uneven
  • Stage 3: Civil and criminal law (2008)
    • Hosking v Runting (2005) - establishes privacy tort
  • Stage 4: Privacy Act 2003 review (2008)
Taiwan
• Computer Processed Personal Data Protection Act 1995
  • Limited coverage or effectiveness
• 2005 amending Bill on agenda again
  • Introduced by Executive; stalled in Legislature
  • Minister of Justice revived calls for passage 2007
  • ‘Data’ no longer limited to ‘computer-processed’ data
  • To cover all who process data, not only government and designated industries
  • Stricter criteria for sensitive data
  • Fines to increase from US$1,200 to US$150K
  • Class action suits for breaches permitted
Thailand
• Official Information Act, 1997
  • Only covers State agencies
  • Administered by 32 person Official Information Commission (OIC) and the Office of the OIC
  • Limits personal data collection and retention; limits disclosure; requires security; provides access and correction rights (most elements of information privacy)
  • Statistics to 2005 show 880 appeals (to OIC or Information Disclosure Tribunal) from 1300 complaints against government at all levels
Thailand (II)
• Draft Personal Data Protection Law
  • Most recent draft to Cabinet by OIC in 2005; legislators have also proposed Bills
  • Includes private sector data under OIA, with administration by Office of OIC (similar to the expansion of the Australian Act)
  • May involve a separate Personal Data Protection Board to administer the private sector aspects, including dispute resolution and prosecutions
  • No progress yet due to coup (2006) and new Constitution (2007)
China (PRC)
• Draft Personal Information Protection Act
  • 2006 draft by Prof Zhou HANHUA, Director of the Institute of Law, Chinese Academy of Social Sciences, and team of experts
  • English translation by lawyers at Hunton & Williams, who expect it will be introduced into the National People’s Congress and influence the final legislation
  • The main points are now summarised
China (II) - 8 ‘General Provisions’/Principles (Ch 1)
• Purpose
• Lawfulness
• Protection of rights (access and correction)
• Balance of interests
• Information quality (incl collection and use limits)
• Information security
• Professional duties (like ‘accountability’)
• Remedy (incl admin remedies and compensation)
• Plus ‘Scope of’ and ‘Exceptions to’ applicability
China (III) - Ch 2 elaboration re government authorities
• Very broad exceptions to use restrictions
  • Government only likely to be restricted as it wishes
• Disclosures must include conditions of use which must be observed
• Exceptions to access right are broad but ‘balance of interests’ principle applies
China (IV) - Ch 3 elaboration re ‘other data processors’
• Applies to all private sector organisations
• Registration required before collection begins
  • No fees to be charged
  • Pro forma examination in most cases, but ‘substantial examination’ for organisations ‘whose principal business is information processing’
• Collection only for ‘clear and specific purposes’
• Secondary uses strictly limited
  • (i) consent; (ii) by law; (iii) where ‘of the utmost necessity’ for protecting other interests but consent difficult; (iv) ‘of the utmost necessity’ for government function
China (V) - ‘Cross border transfer’ (A48)
• No automatic restriction - ‘may restrict’
  • Contrast EU automatic restrictions + ‘whitelist’ (now proposed for Australia)
• Restriction is by ‘government agencies in charge of information resources’
  • Potential for conflicting rulings by agencies
• Grounds for restrictions
  • (i) ‘state security and other significant state interests’
  • (ii) duties of Chinese government under international law
  • (iii) recipient country/area ‘cannot give sufficient legal protection’
  • (iv) ‘as provided by law’
China (VI) - Administration (Ch 4)
• widely distributed; no ‘Privacy Commissioner’
  • all agencies ‘above county level’ must administer in relation to their sectors
  • General regulations to be made at State Council level
  • admin review of government actions by ‘the agency in charge of information resources’ at the same level
• Outside experts can be co-opted into ‘Information Committees’ to resolve complaints
• ‘Self regulatory trade associations’ can resolve complaints
  • Conditions will be set at State Council level
  • Associations must be guided by local regulators
China (VII) - Safeguards and remedies (Ch 4 & 5)
• Administrative review always available
  • ‘agency in charge of information resources’ can review both public and private sector complaints
  • ‘Data subject’ can then appeal to People’s Court
• Judicial remedy always available
  • Alternative course of action at any time in People’s Court
• Compensation always available
  • All data processors ‘should bear liability for compensation in accordance with law’
• Administrative liabilities and criminal liabilities (Ch 5)
  • Extensive range for any breaches of the law
China (VIII) - Initial appraisal
• General principles (Pt 1) are not as strong as Pts 2 and 3 implementing them
• All key elements of information privacy laws are covered, and some additional
• Depending on administrative regulations, could be more like an implementation of the EU Directive rather than the APEC Framework
• Seems very comprehensive on remedies
• Could be enough for EU adequacy, depending on regulations
• If enacted, significant implications throughout Asia
Other Asia-Pacific countries
• Philippines
  • Right of ‘Habeas data’ is under consideration by Philippines Supreme Court (Puno CJ in address to UNESCO meeting, November 2007); essentially a constitutional right of access and correction
• Malaysia
  • 2003 draft Bill is still a state secret
• Singapore
  • Stated interest in APEC Pathfinders but not known to yet be involved
APEC Framework
• Asia Pacific Economic Co-operation (APEC) Privacy Framework 2004 (completed 2005)
  • 21 ‘economies’ including China and USA
  • Region of most privacy laws outside Europe
  • key to international privacy standards?
• What progress after 3 years?
• Views differ of its value
  • Google’s favourite international privacy agreement
  • Criticised as ‘OECD Lite’ and US business front
APEC’s 9 Privacy Principles
I. Preventing Harm
II. Notice
III. Collection limitation
IV. Uses of personal information
V. Choice
VI. Integrity of Personal Information
VII. Security Safeguards
VIII. Access and Correction
IX. Accountability
  • includes due diligence in transfers
APEC’s ‘data export’ principle?
• Part of APEC Principle 10 ‘Accountability’
  • any data exporter must either obtain consent or ‘exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles’.
• Not clear if this is intended to be sufficient to justify data exports
• Might not be sufficient under data export rules of some Asia-Pacific economies (eg Australia)
APEC’s IPPs = ‘OECD Lite’: 5 types of criticisms
• (1) Weaknesses inherent in OECD IPPs
  • OECD now 20 years old, even Kirby is critical
  • Allows secondary uses for ‘compatible or related purposes’
  • Weak collection limitations; no deletion IPPs
• (2) Further weakening of OECD IPPs
  • OECD ‘Purpose specification’ and ‘Openness’ IPPs missing - both are valuable
  • Broader allowance of exceptions
• Otherwise substantially adopts OECD
  • Slightly stronger than OECD on notice
APEC’s IPPs = ‘OECD Lite’: 5 types of criticisms (II)
• (3) Potentially retrograde new IPPs
  • ‘Preventing harm’ (I) - sentiment is OK, but a strange IPP; really a basis for rationing remedies or lowering burdens; could justify piecemeal coverage
  • ‘Choice’ (V) - redundant in use and disclosure IPPs; does not seem to justify contracting out of other IPPs
  • [Both rejected by ALRC in its review]
APEC’s IPPs = ‘OECD Lite’: 5 types of criticisms (III)
• (4) Regional experience ignored
  • No borrowings from the often stronger laws in the region (eg Korea, HK, NZ, Australia, Canada) - 17 years ignored
  • Some stronger IPPs are ‘standards’
• (5) EU compatibility ignored
  • No borrowings of new EU IPPs (eg automated processing)
  • Is this an attempt to define ‘adequacy’ as ‘OECD Lite’? - or ‘just don’t care’?
APEC’s 10 ‘missing’ IPPs - in at least 2 regional laws
• Openness
• Collection from the individual
• Data retention
• Third party notice of correction
• Data export limitations
• Anonymity option
• Identifier limitations
• Automated decisions
• Sensitive information
• Public register principles
APEC Implementation rules - anything goes!
• Framework Part IV(A): ‘Domestic Implementation’
  • non-prescriptive in the extreme
• Any form of regulation is OK
  • Legislation not required or even recommended
• ‘an appropriate array of remedies’ advocated
  • ‘commensurate with the extent of the actual or potential harm’
  • Choice of remedies supported
• No central enforcement body required
  • A central access point for information advocated
• Education and civil society input advocated
Implementation rules - anything goes! (II)
• Accountability
  • ‘Individual Action Plans’ - periodic national reports to APEC on progress (supposedly starting 2006)
  • No self-assessment or collective assessment (contra v1, 2003)
• Bottom line
  • Part IV exhorts APEC members to implement the Framework without requiring or proposing any particular means of doing so, or any means of assessing whether they have done so
  • considerably weaker than any other international privacy instrument
Data exports (Pt V(B)) - Final (uncontentious) result
• Final version (Sept 05) only encourages recognition of binding corporate rules
• Says nothing about export restrictions
• APEC Framework does NOT do any of:
  • Forbidding exports to non-APEC compliant countries (contrast EU Directive)
  • Allowing restrictions on exports to such countries (contrast OECD and CoE)
  • Requiring exports be allowed to APEC-compliant countries (contrast EU, OECD, and CoE)
• The weakest privacy agreement yet seen
Implementation of the Framework
• 3 Implementation Seminars 2005-06 (Hong Kong, Seoul, Hanoi)
  • most APEC economies have sent delegates, including many with no privacy laws: valuable
  • Strong emphasis on finding ways to allow data exports
• Economies were to file IAPs (Individual Action Plans) during 2006: none apparent
• 3 meetings during 2007 (Canberra, Gold Coast, Vancouver)
  • Only business was Pathfinder projects: ‘the goal of developing and implementing an accountable Cross-Border Privacy Rules (CBPR) system within APEC’, so as ‘to protect the personal information of an individual no matter where in the APEC region that personal information is transferred or accessed’.
APEC ‘Pathfinders’
9 ‘Pathfinder’ projects economies can elect to join
1. CBPR self-assessment guidance for organisations
2. Guidelines for trustmarks participating in a CBPR system (‘Develop guidelines for what a trustmark must do in order to be recognised as an APEC CBPR accreditation provider.’)
3. Compliance review of an organisation’s CBPRs (‘Develop guidelines for trustmarks to use when assessing an organisation’s compliance with the APEC Privacy Principles.’)
4. Directory of compliant organisations (‘Develop a publicly accessible directory of organisations that have CBPRs that have been accredited as complying with the APEC Privacy Principles.’)
APEC ‘Pathfinders’ (II)
5. Data Protection Authority and Privacy Contact Officer Directory
6. Template Enforcement Cooperation Arrangements
7. Template cross-border complaint handling form
8. Guidelines and procedures for responsive regulation in a CBPR system (‘Develop guidelines and procedures (e.g. flowchart) to assist in determining at which stage of the CBPR responsive regulation pyramid a cross-border privacy complaint should be handled and identify the triggers for escalating a complaint to a higher level of the pyramid’)
9. Cross-Border Privacy Rules International Implementation Pilot Project (including participating economies identifying businesses willing to participate)
APEC ‘Pathfinders’ (III): Issues
• Where do the standards come from against which compliance in 1-4 is measured?
• Is ‘due diligence’ under APEC principle 10 the only test of whether exports are allowed?
• Who is involved?
  • USA & ICC participating in all 10; 5 economies in some; 5 more profess interest
  • China plus another 8 not interested
• ‘All Present Except Consumers’ (A.P.E.C.)?
  • Rejected Privacy International request for consumer representation (like ICC for business)
  • despite Pathfinder description saying consumer input in project design is essential
Other agreements - Council of Europe data protection Convention 108
• Option for Asia-Pacific (A-P) countries already with advanced privacy laws
  • CoE Convention allows this, but not yet used
  • CoE Cybercrime Convention has had global adoption
  • ‘Montreux Declaration 2005’ of international Privacy Commissioners calls for this; APPA has not yet done so
• Would encourage other A-P countries to develop their laws and enforcement to CoE standard
  • A standard higher than APEC, and improving
  • Protocol requires laws & independent authority
  • Also requires data export limitations - ‘adequacy’
• Would guarantee free flow of personal information within signatory A-P countries, and between any of them and Europe (will ensure EU adequacy)
Asia-Pacific Privacy Authorities (APPA)
• Privacy agencies from Australia (federal, NSW, Vic, NT), NZ, HK, South Korea are members
  • Meets twice per year
  • Canadian federal Commissioner is now joining (significant)
• Very little development of joint policy
  • No specific function of joint policy development
  • ‘APPA members re-committed to progressing the implementation of the APEC Privacy Framework’
  • 2 standards on reporting cases; starting cooperation on cross-border enforcement
• Insignificant compared with Europe’s A29 committee (but has no ‘statutory’ function to legitimate it)
Regional NGOs
• Increasingly active national NGOs
  • Australian Privacy Foundation since 1987; new HK NGO; NZ NGO is dormant; consumer groups active in S Korea
  • Declaration in Montreal (‘global’)
  • APEC scepticism
  • Japanese fingerprinting letter (PI-led)
• Asia-Pacific Privacy Charter Council (APPCC)
  • Formed 2003 (experts and advocates from 10 countries) to develop an alternative to APEC principles
  • Made inputs into APEC development, then dormant; but treated by ALRC as a regional standard
Finding the law (I): WorldLII’s Privacy Law Library
• Free access to 30+ privacy law databases
  • Decisions of Courts, Tribunals + Commissioners
  • Legislation (Aust, NZ, HK, Korea etc)
  • Treaties/agreements + law reform reports
  • Law Journals (PLPR, EPIC, PLBI backset)
• New content being added
  • European content to be increased (eg A29 reports; Irish privacy decisions)
  • EPIC’s Privacy & Human Rights 2006
Finding the law (II): EPIC’s Privacy & Human Rights ‘06
• Annual collectively authored report - 2005 Ed.
• Asia-Pacific countries covered
  • Australia, New Zealand
  • Hong Kong, Japan, Mongolia, Philippines, Singapore, South Korea, Sri Lanka, Taiwan, Thailand
  • Canada, Chile, Guatemala, Paraguay, Peru, USA, Uruguay, Venezuela
• A very valuable guide from a civil liberties perspective - and sometimes contentious