
London, 11 Dec 07

Asia-Pacific information privacy briefing ‘07

Graham Greenleaf

Professor of Law, UNSW

Asia-Pacific Editor, PLB International Newsletter


Menu - December 11 2007

• National laws …
  – Australia
  – Japan
  – South Korea
  – Hong Kong
  – New Zealand
• … and proposals
  – Taiwan
  – Thailand
  – China (PRC)
  – Philippines
  – … and the others
• Regional developments
  – APEC Framework
  – APEC ‘Pathfinders’
  – Other agreements
  – APPA (Asia-Pacific Privacy Authorities)
  – Regional NGOs
• Finding the law
  – WorldLII Privacy Law Library
  – EPIC’s PHR 2006


Australia (I): Legislation and case law

• Information privacy legislation
  – No significant case law under federal Privacy Act
  – WA legn 2007; Only Qld & SA do not have information privacy Acts covering govt. information
  – EU ‘adequacy’ still uncertain - expert report to EU Commission 2005, updated 2006; no decision yet
• Common law
  – developments uncertain: Doe v ABC [2007] VCC 281 $234K damages by District Ct - on appeal
  – Statutory privacy tort under consideration by both federal and NSW law reform Commissions


Australia (II): Election implications

• Rudd Labor govt. sworn in 1 December
• ‘Access Card’ / ID Card is dead
  – Office of Access Card already shut down
  – Letter telling all contractors to cease work
• New Information Commissioner
  – Will combine FOI and privacy, with 3 Commissioners
  – Privacy Branch of A-Gs has already been transferred to PM’s Dept.


Australia (III): ALRC review of federal laws

• Australian Law Reform Commission Discussion Paper 72, Sept 2007
  – Major reforms proposed within existing structure
  – APEC Privacy Framework largely ignored
  – One set of ‘Uniform Privacy Principles’ (UPPs) for both private sector and federal public sector; likely to then be adopted by State public sectors
  – Considerable strengthening of enforcement, particularly in allowing appeals to the Courts
  – Credit reporting strict regulation will largely continue: no ‘positive reporting’; segregated data


Australia (IV): New elements in the proposed UPPs

• Broad approach to ‘personal information’ retained
• Anonymity Principle to include pseudonymity
• Notice required on collection from 3rd Ps
• Data exports to be tightened (over)
• Direct marketing to require prior consent wherever practical
• Intermediary access where direct access refused
• Data breach notification principle
• Restrictions on using Identifiers tightened
• Public sector to be covered by anonymity, data export, destruction and identifiers principles (and perhaps direct marketing)


Australia (V): Data export proposals

• 4 bases for transfers outside Australia
  – ‘transfer’ includes data stored in Australia but accessible outside Australia (so no personal data on open Internet)

1. ‘Reasonable belief’ that recipient is subject to a ‘law, binding scheme or contract’ that effectively upholds principles ‘substantially similar’ to UPPs
   • Government may issue Whitelist
2. ‘Consent’ (express or implied)
3. Law enforcement purposes (specified)
4. Transferor remains liable for breaches, under conditions similar to A26(1) Directive


Australia (VI): Shrinking the ‘privacy free zone’

• Many exemptions to be removed
  – General exemption for small organisations
  – For politicians and parties
  – For employee records (subject to confidence laws)
• Some exemptions to stay
  – Media exemption to be more carefully defined
  – Research exemption to be broadened
  – Police / security exemptions stay just as broad


Australia (VII): ALRC Enforcement proposals

• Rights of complainants to be strengthened
  – Right of appeal from PCO to Federal Court
  – Parties will be able to require s52 determinations
    • Current PC = 0; Previous PC = 2
• PCO’s powers to be strengthened
  – to order PIAs for significant new projects
  – to audit private sector compliance
  – to require development of Codes
  – to take specific actions to remedy a breach
  – to enforce findings in ‘own motion’ investigations
  – to pursue civil penalties against parties in breach


Australia (VII): Credit reporting proposals

• ALRC wants ‘more comprehensive credit reporting’
• In addition to defaults: type of each current credit account opened (eg mortgage, personal loan, credit card); date on which opened; account’s limits, and when closed
• Still no disclosures outside the credit industry
• No bureau access without an external dispute resolution scheme
• Pro-active monitoring of data quality required
• No collection of data on under-18s


Japan (I) New METI PIPL guidelines

• METI guidelines, 2nd Ed (2007)
  – to Personal Information Protection Law (PIPL)
  – one of 35 guidelines but (i) most widely applicable due to METI’s broad purview; (ii) influences others
• Abstract statements of purpose of use unacceptable
• Requires consent for change of use of information
• Requires additional responses in case of a data leak or other PIPL violation, including advising persons affected, and apologies
  – Gives exceptions when not necessary to inform
• Confidentiality agreements required from employees


Japan (II) - Case law starts to produce damages

• Damages against beauty salon (Aug 2007)
  – Tokyo High Court upheld damages decision of about US$4K to 14 plaintiffs against beauty salon chain; highest yet
  – Negligence action, but based on same standards as PIPL
  – Resulted from a ‘data spill’ onto the Internet from a negligent contractor
• JAL cabin attendants action (Nov 2007)
  – 190 current and former cabin attendants and their labor union
  – damages suit against Japan Airlines Corp seeking 48 million yen
  – Claims JAL collected medical records, familial status and physical descriptions, without consent


Japan (III) - Fingerprinting foreigners

• Biometric scanning of almost all foreigners entering the country, including residents (Nov 2007)
  – both index fingers and digital photograph
  – Immigration Control and Refugee Recognition Act
• Privacy International, for 70 international and Japanese NGOs, has protested to Japanese Minister of Justice
• Significance: one of first countries to follow USA
  – considerable effects on US tourist industry
  – will Japan be similarly affected, or neutralise reactions?


South Korea

• New legislation awaits election
  – Current public sector and private sector Acts are inconsistent in both principles and enforcement
  – 3 draft bills on comprehensive data protection are before the National Assembly
  – Ministry of Information and Communication (MIC) held public hearings on its draft in August
    • To cover all data users, not just ‘information service providers’ (ISPs)
    • Increased penalties; incorporation of guidelines
    • Reduced use of ‘resident registration number’ in favour of alternative IDs
  – New government in 2008 will consider MIC bill or one of the 3 dormant bills


South Korea (II) Guidelines

KISA (Korean Information Security Agency) guidelines

• RFID Privacy Protection Guideline
  – 2005 guidelines revised September 2007
  – Consent required for any secondary use of RFID-acquired personal data
  – Separate Location Information Act must be complied with for personal location uses
• Biometric Information Privacy Guideline
  – 2005 guidelines revised September 2007
  – Raw data must be held separately from identified data, and destroyed when purpose completed
  – Very few biometric privacy codes exist (eg Australia) - this may be the most significant to date


Hong Kong

• Data spills but no litigation
  – Massive data spill onto Internet concerning complaints against Police by 20K people, by contractor working for Independent Police Complaints Commission (IPCC)
  – HK PC found breaches of security principle by IPCC, but (of course) they were immediately fixed -> no prosecution
  – HK Ordinance (PDPO) theoretically allows Court damages actions under s66 - not HK$1 ever awarded
  – No actions by any of the 20K people are known
• Increasing fines for breaches of HK law
  – In 2006-07 quite a few companies have been prosecuted and fined for various breaches of the Ordinance (NOT the Principles)


Hong Kong (II) - Yahoo! Out of reach

• Yahoo! Case explores scope of HK law
  – Yahoo! Holdings (HK) Ltd handed over to SSB, in PRC, address and phone no to match IP address
  – Use of s48 report, uncommon before Comm. Woo
  – Found that this did not constitute ‘personal data’ because it could refer to a company not a person
  – Although YHHK would normally be a ‘data user’ under HK Ordinance, because it was controlled from HK, it did not have control under these circumstances because compelled to disclose by PRC law
  – BUT if this had not been a compulsory disclosure (even if a criminal investigation), HK law would have applied to actions taking place in the PRC (or elsewhere)


Hong Kong (III) - Surveillance now regulated

• HK govt. issued an Executive Order to try to cloak its surveillance practices with legality

• Court actions by ‘Longhair’ invoked privacy provisions in Basic Law for first time
  – Court of Appeal held Executive Order unconstitutional, but delayed effect to give govt. time to legislate
• New Interception of Communications and Surveillance Ordinance 2006 governs telecoms interception and other official surveillance
  – Influenced by HKLRC report; quite strong controls
• First report of Surveillance Commissioner, Nov 2007
  – 526 applications granted, 67 refused; 177 resulting arrests


New Zealand

• Law Commission review of privacy
• Stage 1: high-level policy overview (Report due)
• Stage 2: Public Registers - Issues Paper (Sept 07)
  – (a) existing statutory framework is ‘problematic’
  – (b) problems with uses of data from public registers, especially in relation to bulk downloading
  – (c) existing protections in various statutes establishing public registers are uneven
• Stage 3: Civil and criminal law (2008)
  – Hosking v Runting (2005) - establishes privacy tort
• Stage 4: Privacy Act 2003 review (2008)


Taiwan

• Computer Processed Personal Data Protection Act 1995
  – Limited coverage or effectiveness
• 2005 amending Bill on agenda again
  – Introduced by Executive; stalled in Legislature
  – Minister of Justice revived calls for passage 2007
  – ‘Data’ no longer limited to ‘computer-processed’ data
  – To cover all who process data, not only government and designated industries
  – Stricter criteria for sensitive data
  – Fines to increase from US$1,200 to US$150K
  – Class action suits for breaches permitted


Thailand

• Official Information Act, 1997
  – Only covers State agencies
  – Administered by 32 person Official Information Commission (OIC) and the Office of the OIC
  – Limits personal data collection and retention; limits disclosure; requires security; provides access and correction rights (most elements of information privacy)
  – Statistics to 2005 show 880 appeals (to OIC or Information Disclosure Tribunal) from 1300 complaints against government at all levels


Thailand (II)

• Draft Personal Data Protection Law
  – Most recent draft to Cabinet by OIC in 2005; legislators have also proposed Bills
  – Includes private sector data under OIA, with administration by Office of OIC (similar to the expansion of the Australian Act)
  – May involve a separate Personal Data Protection Board to administer the private sector aspects, including dispute resolution and prosecutions
  – No progress yet due to coup (2006) and new Constitution (2007)


China (PRC)

• Draft Personal Information Protection Act
  – 2006 draft by Prof Zhou HANHUA, Director of the Institute of Law, Chinese Academy of Social Sciences, and team of experts
  – English translation by lawyers at Hunton & Williams, who expect it will be introduced into the National People’s Congress and influence the final legislation
  – The main points are now summarised


China (II) - 8 ‘General Provisions’/Principles (Ch 1)

1. Purpose
2. Lawfulness
3. Protection of rights (access and correction)
4. Balance of interests
5. Information quality (incl collection and use limits)
6. Information security
7. Professional duties (like ‘accountability’)
8. Remedy (incl admin remedies and compensation)

• Plus ‘Scope of’ and ‘Exceptions to’ applicability


China (III) - Ch 2 elaboration re government authorities

• Very broad exceptions to use restrictions
  – Government only likely to be restricted as it wishes

• Disclosures must include conditions of use which must be observed

• Exceptions to access right are broad but ‘balance of interests’ principle applies


China (IV) - Ch 3 elaboration re ‘other data processors’

• Applies to all private sector organisations
• Registration required before collection begins
  – No fees to be charged
  – Pro forma examination in most cases, but ‘substantial examination’ for organisations ‘whose principal business is information processing’
• Collection only for ‘clear and specific purposes’
• Secondary uses strictly limited
  – (i) consent; (ii) by law; (iii) where ‘of the utmost necessity’ for protecting other interests but consent difficult; (iv) ‘of the utmost necessity’ for government function


China (V) - ‘Cross border transfer’ (A48)

• No automatic restriction - ‘may restrict’
  – Contrast EU automatic restrictions + ‘whitelist’ (now proposed for Australia)
• Restriction is by ‘government agencies in charge of information resources’
  – Potential for conflicting rulings by agencies
• Grounds for restrictions
  – (i) ‘state security and other significant state interests’
  – (ii) duties of Chinese government under international law
  – (iii) recipient country/area ‘cannot give sufficient legal protection’
  – (iv) ‘as provided by law’


China (VI) - Administration (Ch 4)

• Widely distributed; no ‘Privacy Commissioner’
  – all agencies ‘above county level’ must administer in relation to their sectors
  – General regulations to be made at State Council level
• Admin review of government actions by ‘the agency in charge of information resources’ at the same level
• Outside experts can be co-opted into ‘Information Committees’ to resolve complaints
• ‘Self regulatory trade associations’ can resolve complaints
  – Conditions will be set at State Council level
  – Associations must be guided by local regulators


China (VII) - Safeguards and remedies (Ch 4 & 5)

• Administrative review always available
  – ‘agency in charge of information resources’ can review both public and private sector complaints
  – ‘Data subject’ can then appeal to People’s Court
• Judicial remedy always available
  – Alternative course of action at any time in People’s Court
• Compensation always available
  – All data processors ‘should bear liability for compensation in accordance with law’
• Administrative liabilities and criminal liabilities (Ch 5)
  – Extensive range for any breaches of the law


China (VII) - Initial appraisal

• General principles (Pt 1) are not as strong as Pts 2 and 3 implementing them

• All key elements of information privacy laws are covered, and some additional

• Depending on administrative regulations, could be more like an implementation of the EU Directive rather than the APEC Framework

• Seems very comprehensive on remedies
• Could be enough for EU adequacy, depending on regulations
• If enacted, significant implications through Asia


Other Asia-Pacific countries

• Philippines
  – Right of ‘Habeas data’ is under consideration by Philippines Supreme Court (Puno CJ in address to UNESCO meeting, November 2007); essentially a constitutional right of access and correction
• Malaysia
  – 2003 draft Bill is still a state secret
• Singapore
  – Stated interest in APEC Pathfinders but not known to yet be involved


APEC Framework

• Asia Pacific Economic Co-operation (APEC) Privacy Framework 2004 (completed 2005)

• 21 ‘economies’ including China and USA
• Region of most privacy laws outside Europe
  – key to international privacy standards?
• What progress after 3 years?
• Views differ of its value
  – Google’s favourite international privacy agreement
  – Criticised as ‘OECD Lite’ and US business front


APEC's 9 Privacy Principles

I Preventing Harm
II Notice
III Collection limitation
IV Uses of personal information
V Choice
VI Integrity of Personal Information
VII Security Safeguards
VIII Access and Correction
IX Accountability
  – includes due diligence in transfers


APEC’s ‘data export’ principle?

• Part of APEC Principle 10 ‘Accountability’
• Any data exporter must either obtain consent or ‘exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles’.
• Not clear if this is intended to be sufficient to justify data exports
  – Might not be sufficient under data export rules of some Asia-Pacific economies (eg Australia)


APEC's IPPs = 'OECD Lite’

5 types of criticisms

• Weaknesses inherent in OECD IPPs
  – OECD now 20 years old, even Kirby is critical
  – Allows secondary uses for ‘compatible or related purposes’
  – Weak collection limitations; No deletion IPPs
• Further weakening of OECD IPPs
  – OECD ‘Purpose specification’ and ‘Openness’ IPPs missing - both are valuable
  – Broader allowance of exceptions
  – Otherwise substantially adopts OECD
  – Slightly stronger than OECD on notice


APEC's IPPs = 'OECD Lite’

5 types of criticisms

• Potentially retrograde new IPPs
  – ‘Preventing harm’ (I) - sentiment is OK, but a strange IPP; really a basis for rationing remedies or lowering burdens; could justify piecemeal coverage
  – ‘Choice’ (V) - redundant in use and disclosure IPPs; does not seem to justify contracting out of other IPPs

[Both rejected by ALRC in its review]


APEC's IPPs = 'OECD Lite’

5 types of criticisms

• (4) Regional experience ignored
  – No borrowings from the often stronger laws in the region (eg Korea, HK, NZ, Australia, Canada) - 17 years ignored
  – Some stronger IPPs are ‘standards’
• (5) EU compatibility ignored
  – No borrowings of new EU IPPs (eg automated processing)
  – Is this an attempt to define ‘adequacy’ as ‘OECD Lite’? - or ‘just don’t care’?


APEC’s 10 ‘missing’ IPPs - in at least 2 regional laws -

• Openness
• Collection from the individual
• Data retention
• Third party notice of correction
• Data export limitations
• Anonymity option
• Identifier limitations
• Automated decisions
• Sensitive information
• Public register principles


APEC Implementation rules - anything goes!

• Framework Part IV(A): ‘Domestic Implementation’
  – non-prescriptive in the extreme
• Any form of regulation is OK
  – Legislation not required or even recommended
  – ‘an appropriate array of remedies’ advocated
  – ‘commensurate with the extent of the actual or potential harm’
  – Choice of remedies supported
• No central enforcement body required
  – A central access point for information advocated
  – Education and civil society input advocated


Implementation rules - anything goes! (II)

• Accountability
  – ‘Individual Action Plans’ - periodic national reports to APEC on progress (supposedly starting 2006)
  – No self-assessment or collective assessment (contra v1, 2003)
• Bottom line
  – Part IV exhorts APEC members to implement the Framework without requiring or proposing any particular means of doing so, or any means of assessing whether they have done so
  – considerably weaker than any other international privacy instrument


Data exports (Pt V(B)) - Final (uncontentious) result

• Final version (Sept 05) only encourages recognition of binding corporate rules
  – Says nothing about export restrictions
• APEC Framework does NOT do any of:
  – Forbidding exports to non-APEC compliant countries (contrast EU Directive)
  – Allowing restrictions on exports to such countries (contrast OECD and CoE)
  – Requiring exports be allowed to APEC-compliant countries (contrast EU, OECD, and CoE)

• The weakest privacy agreement yet seen


Implementation of the Framework

• 3 Implementation Seminars 2005-06 (Hong Kong, Seoul, Hanoi)
  – most APEC economies have sent delegates, including many with no privacy laws: valuable
  – Strong emphasis on finding ways to allow data exports
  – Economies were to file IAPs (Individual Action Plans) during 2006: None apparent
• 3 meetings during 2007 (Canberra, Gold Coast, Vancouver)
  – Only business was Pathfinder projects: ‘the goal of developing and implementing an accountable Cross-Border Privacy Rules (CBPR) system within APEC’, so as ‘to protect the personal information of an individual no matter where in the APEC region that personal information is transferred or accessed’.


APEC ‘Pathfinders’

9 ‘Pathfinder’ projects economies can elect to join

1. CBPR self-assessment guidance for organisations

2. Guidelines for trustmarks participating in a CBPR system (‘Develop guidelines for what a trustmark must do in order to be recognised as an APEC CBPR accreditation provider.’)

3. Compliance review of an organisation's CBPRs (‘Develop guidelines for trustmarks to use when assessing an organisation’s compliance with the APEC Privacy Principles.’)

4. Directory of compliant organisations (‘Develop a publicly accessible directory of organisations that have CBPRs that have been accredited as complying with the APEC Privacy Principles.’)


APEC ‘Pathfinders’ (II)

5. Data Protection Authority and Privacy Contact Officer Directory

6. Template Enforcement Cooperation Arrangements

7. Template cross-border complaint handling form

8. Guidelines and procedures for responsive regulation in a CBPR system (‘Develop guidelines and procedures (e.g. flowchart) to assist in determining at which stage of the CBPR responsive regulation pyramid a cross-border privacy complaint should be handled and identify the triggers for escalating a complaint to a higher level of the pyramid’)

9. Cross-Border Privacy Rules International Implementation Pilot Project (including participating economies identifying businesses willing to participate)


APEC ‘Pathfinders’ (III): Issues

• Where do the standards come from against which compliance in 1-4 is measured?
  – Is ‘due diligence’ under APEC principle 10 the only test of whether exports are allowed?
• Who is involved?
  – USA & ICC participating in all 10; 5 economies in some; 5 more profess interest
  – China plus another 8 not interested
• ‘All Present Except Consumers’ (A.P.E.C.)?
  – Rejected Privacy International request for consumer representation (like ICC for business)
  – despite Pathfinder description saying consumer input in project design is essential.


Other agreements - Council of Europe data protection Convention 108

• Option for Asia-Pacific (A-P) countries already with advanced privacy laws

• CoE Convention allows this, but not yet used
  – CoE Cybercrime Convention has had global adoption
  – ‘Montreux Declaration 2005’ of international Privacy Commissioners calls for this; APPA has not yet done so
• Would encourage other A-P countries to develop their laws and enforcement to CoE standard
• A standard higher than APEC, and improving
  – Protocol requires laws & independent authority
  – Also requires data export limitations - ‘adequacy’

• Would guarantee free flow of personal information within signatory A-P countries, and between any of them and Europe (will ensure EU adequacy)


Asia-Pacific Privacy Authorities (APPA)

• Privacy agencies from Australia (federal, NSW, Vic, NT), NZ, HK, South Korea are members
  – Meets twice per year
  – Canadian federal Commissioner is now joining (significant)
• Very little development of joint policy
  – No specific function of joint policy development
  – ‘APPA members re-committed to progressing the implementation of the APEC Privacy Framework’
  – 2 standards on reporting cases; starting cooperation on cross-border enforcement
  – Insignificant compared with Europe’s A29 committee (but has no ‘statutory’ function to legitimate it)


Regional NGOs

• Increasingly active national NGOs
  – Australian Privacy Foundation since 1987; new HK NGO; NZ NGO is dormant; consumer groups active in S Korea
  – Declaration in Montreal (‘global’)
  – APEC scepticism
  – Japanese fingerprinting letter (PI-led)
• Asia-Pacific Privacy Charter Council (APPCC)
  – Formed 2003 (experts and advocates from 10 countries) to develop an alternative to APEC principles
  – Made inputs into APEC development, then dormant; but treated by ALRC as a regional standard


Finding the law (I): WorldLII’s Privacy Law Library

• Free access to 30+ privacy law databases
  – Decisions of Courts, Tribunals + Commissioners
  – Legislation (Aust, NZ, HK, Korea etc)
  – Treaties/agreements + law reform reports
  – Law Journals (PLPR, EPIC, PLBI backset)
• New content being added
  – European content to be increased (eg A29 reports; Irish privacy decisions)
  – EPIC’s Privacy & Human Rights 2006


Finding the law (II): EPIC’s Privacy & Human Rights ‘06

• Annual collectively authored report - 2005 Ed.
• Asia-Pacific countries covered
  – Australia, New Zealand
  – Hong Kong, Japan, Mongolia, Philippines, Singapore, South Korea, Sri Lanka, Taiwan, Thailand
  – Canada, Chile, Guatemala, Paraguay, Peru, USA, Uruguay, Venezuela

• A very valuable guide from a civil liberties perspective - and sometimes contentious


Finding the law (III): PLB’s International Newsletter

• Privacy Laws & Business International Newsletter (Editor: James Michael; Publisher: Stewart Dresner)

• Asia-Pacific Editor: Graham Greenleaf

• Increasing coverage of Asia-Pacific developments

• Free International eNews service


References

• Asia-Pacific Privacy Agencies (APPA) <http://www.privacy.gov.au/international/appa/>

• Asia-Pacific Privacy Charter pages (includes key APEC documents and critiques) <http://www.bakercyberlawcentre.org/appcc/>

• WorldLII’s Privacy Law Project <http://www.worldlii.org/int/special/privacy/>

• Interpreting Privacy Principles (iPP) Project <http://www.worldlii.org/int/special/privacy/ipp/>


Acknowledgments

• Correspondents
  – Prof Whon-Il PARK, Kyung Hee University, South Korea
  – Eric Kosinski, lawyer, White & Case LLP (Tokyo)
  – Nakorn Serirak, Director of Policy and Planning Division, OIC, Thailand
  – Atty. Jimmy Soriano, Director, e-Law Center, Arellano Law School, Manila
  – Yue LIU, researcher, University of Oslo
• Acknowledgments
  – Hunton & Williams, for translation of PRC Bill
  – Website of Winkler Partners, Taipei, for Taiwan information