No CrossRef data available.
Article contents
A Comparative Study of the APEC Privacy Framework- A New Voice in the Data Protection Dialogue?
Published online by Cambridge University Press: 16 April 2015
Abstract
The dialogue on data protection has so far been dominated by European and American voices. There are currently a few international conventions in place such as the Council of Europe's 1981 Convention for the Protection of Individuals with regard to the Automatic processing of personal data, the 1980 OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data , which apply to 30 OECD countries, and the EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data, which binds EU member states but has had some impact on non-European countries due to the restriction on cross border flow of information.
This has changed with the emergence of the APEC Privacy Framework in 2004 which focuses on the importance of the free flow of information in the digital age. Does the APEC Privacy Framework have anything of value to add or does it dilute the standards already in place? This article will examine these questions and argue that perhaps the APEC Privacy Framework is the first step towards a truly global standard for data protection.
Keywords
- Type
- Research Article
- Information
- Copyright
- Copyright © Faculty of Law, National University of Singapore 2008
References
1 Council of Europe, European Treaty Series (CETS) 108- “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data”, open for signature on 28 January 1981
2 OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data adopted on 23 September 1980.
3 What the “right of privacy” entails has been much discussed by legal scholars. A detailed analysis is beyond the scope of this article but briefly from the body of legal literature available, four general formulations have emerged: 1) non-interference ie the right to be let alone; 2) the right to limited accessibility; 3) the right to information control; and 4) privacy as a state of possessing control over intimate aspects of one's life. See Bygrave, Lee A “Privacy Protection in a Global Context” (2004) 47 Scandinavian Studies in Law 319 Google Scholar for an overview [Bygrave].
4 OECD, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted on 23 September 1980;Council of Europe, CETS 108- Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, open for signature on 28 January 1981; Guidelines for the Regulation of Computerized Personal Data Files, GA Res. 45/95, UNGAOR, 1990. See Part II (C) for further discussion.
5 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data , OJ L 281, 23.11.1995, p. 31-50
6 Council of Europe, CETS 005- Convention for the Protection of Human Rights and Fundamental Freedoms, open for signature on 4 November 1950
7 Personal Data Protection Act, Act 25,326 The Senate and The House of Representatives Of the Argentine Nation in Congress, etc, online: <http://www.privacyinternational.org/countries/argentina/argentine-dpa.html>.
8 See Personal Information Protection and Electronic Documents Act, 2000, c. 5 (‘PIPED Act’) online: Consolidated Statutes and Regulations <http://laws.justice.gc.ca/en/P-8.6/index.html>. Canada had existing federal legislation that governed public bodies; see Privacy Act, R.S 1985, c. P-21, online: Consolidated Statutes and Regulations <http://laws.justice.gc.ca/en/P-21/index.html>.
9 See Commission Decision C (2003) 1731 of 30 June 2003 - OJ L 168, 5.7.2003 (Argentina) and Commission Decision of 2002/2/EC of 20 December 2001- OJ L2/13, 4.1.2002 (Canada). The Commission decision is only with regards to Canada's PIPED Act. The Canadian Act and the Commission Decision do not cover personal data held by public bodies, both at federal and provincial level, or personal data held by private organizations and used for non-commercial purposes.
10 Legislation generally, online: <http://www.privacy.gov.au/act/index.html>.
11 Commission Decision 2000/520/EC of 26 July 2000- O.J.L 215, 25.08.00. See online: U.S. Department of Commerce, Safe Habor <http://www.export.gov/safeharbor/sh_overview.html>
12 See Graham Greenleaf, “The APEC privacy initiative: “OECD Lite” for the Asia Pacific”, online: Cyberspace Law and Policy Centre - CyberLPC - NSW Sydney Australia >www.bakercyberlawcentre.org>.
13 Member States are Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Republic of Bulgaria, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom.
14 In fact, the United Kingdom only enacted its Data Protection Act in 1984 pursuant to its obligations under the 1981 CoE Convention.
15 The treaty was adopted in 1980 and was opened for ratification on January 1981. Supra footnote 1
16 For a more detailed discussion, see Bygrave, Lee A, Data Protection Law: Approaching its Rationale, Logic and Limits, (Aspen: Aspen Publishers Inc, 2002) at c. 6–8 Google Scholar.
17 See Part II (C) (1) and (2) which discuss the 1981 CoE Convention and the OECD Guidelines.
18 Adopted and proclaimed by General Assembly resolution 217 A (III) of 10 December 1948
19 See supra note 6.
20 Adopted and opened for signature, ratification and accession by General Assembly resolution 2200A (XXI) of 16 December 1966
21 SFS 1974:152, online at http://www.riksdagen.se/templates/R_Page_6307.aspx
22 Online at http://www.folketinget.dk/pdf/constitution.pdf
23 Online at http://www.bundestag.de/htdocs_e/parliament/function/legal/germanbasiclaw.pdf See the respective country reports, online: <http://www.privacyinternational.org/survey>.
24 See Bennett, & Raab, , The Governance of Privacy: Policy Instruments in Global Perspective (Burlington, VT: Ashgate. 2003) Chapter 5 at 101–104 [Bennett & Raab]Google Scholar.
25 Personal data is defined as “any information relating to an identified or identifiable individual”, see Article 2(a).
26 Article 6 provides “Personal data revealing racial origin, political opinions or religious or other beliefs, as well as personal data concerning health or sexual life, may not be processed automatically unless domestic law provides appropriate safeguards. The same shall apply to personal data relating to criminal convictions.”
27 See Article 12.
28 Bainbridge, , The EC Data Protection Directive (London: Butterworths, 1996) at 10 Google Scholar.
29 Online: <http://conventions.coe.int/Treaty/en/Treaties/Html/181.htm>. 30 See Treaty Office at <http://conventions.coe.int.>.
31 Supra note 24, Chapter 4 at 74-77.
32 See paragraphs 20-21 of the Explanatory Memorandum of the OECD Guidelines, online: <http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html> and paragraphs 14-16 of the Explanatory Report to the 1981 CoE Convention, online: <http://conventions.coe.int/Treaty/en/Reports/Html/108.htm>.
33 Supra note 32, paragraphs 19(a) and 45 of the Explanatory Memorandum of the OECD Guidelines.
34 Ibid, paragraph 56 of the Explanatory Memorandum of the OECD Guidelines.
35 Bygrave, supra note 16, Chapter 1 at 2. See also Chapter 3 for detailed discussion.
36 Bennett & Raab supra note 24, Chapter 4 at 77.
37 Bennett & Raab, supra note 24, Chapter 4 at 78.
38 For an illustration as to how Article 8 of the European Convention on Human Rights and Fundamental Freedoms, supra note 6, has been interpreted, see Von Hannover v Germany (2000), (Application no. 59320/00), date of judgment 24 June 2004 , a decision by the European Court of Human Rights. The case concerned the publication of photographs by tabloids in Germany of Princess Von Hannover. The Court was asked to decide between the competing rights of the right to privacy as argued by the Applicant and the tabloids' right to the freedom of expression that the German Government said it was bound to uphold. The Court eventually decided in favor of the Applicant after it used a balancing test and concluded that the “contribution” to society in this instance was not sufficient for the right of expression to triumph over one's individual right to privacy.
39 See Recital 8.
40 Admittedly, there is some ambiguity in the wording of Article 15, see Bygrave, Lee A, “Minding the Machine - Article 15 of the EC Data Protection Directive and Automated Profiling” (2000) 7 PLPR Google Scholar and also Bygrave supra note 16, Chapters 18 and 19 for a more detailed discussion.
41 Bennett & Rabb, supra note 24, Chapter 4 at 77.
42 European Union - Consolidated Versions Of The Treaty On European Union And Of The Treaty Establishing The European Community, OJ C 321E of 29 December 2006
43 See Article 3 of the Directive. See also supra note 42.
44 “Bennett & Raab, supra note 24, Chapter 4 at 80.
45 Examples cited are found in Article 26(1) (a) and (c), the other exceptions are found in Article 26(1)(b),(d)-(f) and Article 26(2).
46 See online: Justice and Home Affairs - Data Protection - Documents adopted by the Data Protection Working Party - 1997 <http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/1997_en.htm>.
47 Ibid.
48 See online: Justice and Home Affairs - Data Protection - Documents adopted by the Data Protection Working Party - 1998 <http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/1998_en.htm>.
49 For a more detailed treatment, see Jay, Rosemary & Hamilton, Angus, Data Protection-Law and Practice, 2nd Edition (London: Sweet & Maxwell. 2003) Chapter 8 at 217–230 Google Scholar.
50 Ibid
51 See Working Party Document Opinion 3/2001 on the level of protection of the Australian Privacy Amendment (Private Sector) Act 2000, online: Justice and Home Affairs - Data Protection - Documents adopted by the Data Protection Working Party - 2001 <http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2001_en.htm>.
52 See online: Justice and Home Affairs - Data Protection - Transposition of the Directive <http://ec.europa.eu/justice_home/fsj/privacy/lawreport/index_en.htm#actions> for Special Eurobarometer 196 - Data Protection, Executive Summary at 10-11
53 See generally the 1st report on the implementation of the Data Protection Directive Data Protection Directive 15.05.03, online: Justice and Home Affairs - Data Protection - Transposition of the Directive <http://ec.europa.eu/justice_home/fsj/privacy/lawreport/index_en.htm#actions>.
54 [2003] EWCA Viv 1746.
55 Jagessar, Usha & Sedgwick, Vicky, “When is personal data not ‘personal data’ - The impact of Durant v FSA” (2005) 21 Computer Law & Security Report 501 CrossRefGoogle Scholar.
56 See Linkomies, Laura, “Slow Progress on EU Privacy Programme” Privacy Laws & Business International Newsletter (October/November 2004) at 12–13 Google Scholar.
57 Supra note 53 at section 4.4.5.
58 See Article 26(1) and (2) of the Directive.
59 See footnote 53, paragraph 32.
60 Australia; Brunei Darussalam; Canada; Chile; People's Republic of China; Hong Kong; Indonesia; Japan; Republic of Korea; Malaysia; Mexico; New Zealand; Papua New Guinea; Peru; The Republic of the Philippines; The Russian Federation; Singapore; Chinese Taipei; Thailand; United States of America; Vietnam.
61 See online: <http://www.apecsec.org.sg/apec/news__media/fact_sheets/about_apec.html>.
62 For a more comprehensive treatment, see online: <http://www.privacyinternational.org/survey>.
63 Data Privacy Workshop, 13 February 2003, Chiang Rai, Thailand. Working papers, online: <http://www.apec.org/apec/documents_reports/electronic_commerce_steering_group/2003.html>.
64 Sixteenth APEC Ministerial Meeting held at Santiago, Chile 17-18 November 2004. See the Ministerial Statement, online:
65 See the APEC Privacy Framework, particularly paragraphs 1 and 6 of the Preamble, online: <http://www.apec.org/etc/medialib/apec_media_library/downloads/taskforce/ecsg/pubs/2005.Par.00 01.File.v1.1>.
66 Ibid, see paragraph 8.
67 See Article 27 of the Directive.
68 For a more detailed treatment, see Bygrave (2004), supra note 3 at 341-342.
69 Australia, Canada, Japan, South Korea, Mexico, New Zealand and USA.
70 The Openness Principle states: “There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.” The commentary by the expert group, online: <http://www.oecd.org/document/18/0,2340,en_2649_34255_1815186_1_1_1_1,00.html> explains at paragraph 57 that “it must be possible in practice to acquire information about the collection, storage or use of personal data. Regular information from data controllers on a voluntary basis, publication in official registers of descriptions of activities concerned with the processing of personal data, and registration with public bodies are some, though not all, of the ways by which this may be brought about. The reference to means which are ‘readily available’ implies that individuals should be able to obtain information without unreasonable effort as to time, advance knowledge, travelling, and so forth, and without unreasonable cost.”
71 See Annex B for a comparative table of the OECD Guidelines, the Directive and the APEC Privacy Framework 2004.
72 See “Criticisms of the APEC Privacy Principles (Version 9) and recommendations for improvements” online Cyberspace Law and Policy Centre CyberLPC-NSW Sydney Australia, online: <http://www.bakercyberlawcentre.org>.
73 Supra note 65, see in particular paragraphs 31-34.
74 A copy of the document can be accessed online: <http://www.law.indiana.edu/instruction/fcate/3836/2005/APEC%20Framework%20as%20publis hed.pd>.
75 The Second APEC Implementation Seminar, Kyongju, South Korea on 7-8 September 2005.
76 Supra note 65 at paragraphs 34-36.
77 Ibid, see paragraph 48.
78 See Greenleaf, Graham, “APEC Privacy Framework completed: No threat to privacy standards” Privacy Laws & Business International Newsletter (September/October 2005) Issue 79 Google Scholar.
79 Greenleaf, Graham, “The APEC Privacy Framework- A new low standard” Privacy Laws & Business International Newsletter (January/February 2005) Issue 76 Google Scholar.
80 Supra note 72.
81 See Part II(D).
82 See APEC Information Privacy Framework (Review, Impact and Progress), (article delivered at the APEC Symposium on Information Privacy Protection in E-Government and E-Commerce 20-22 February 2006, Hanoi, Vietnam online: <http://www.apec.org/content/apec/documents_reports/electronic_commerce_steering_group/2006.html#SEMHK>.
83 Commission Decision of 15 June 2001 OJ L 181/19.
84 Commission Decision of 27 December 2004, OJ L385/74.
85 For a more detailed treatment, see Brown, Alexander & Pownall, Lucy, “Data transfer contracts-a new option for cross border transfers” Privacy Laws & Business International Newsletter, (January/February 2005) Issue 76 Google Scholar.
86 Supra note 82.
87 See paragraphs 40-45 of the APEC Privacy Framework 2004.
88 Supra note 82.
89 See Graham Greenleaf, “The APEC privacy initiative: ‘OECD Lite’ for the Asia Pacific”, online: <www.bakercyberlawcentre.org> in relation to the 8th draft of the APEC Privacy Framework 2004. See also supra note 72 in relation to the 9th draft of the APEC Privacy Framework 2004.
90 See Annex A.
91 See Greenleaf, Graham, “APEC's privacy framework on show in Vietnam: how much progress?” Privacy Laws & Business International Newsletter (May 2006) Issue 82 at 5 Google Scholar.
92 See Part II of the APEC Privacy Framework 2004, commentary on paragraph 10.
93 See supra note 20.
94 See supra note 6.
95 IDA's website is accessible online: <http://www.ida.gov.sg>.
96 See IDA, Media Release “IDA Shares Vision of Infocomm Landscape with Inauguration of 10 Year Infocomm Technology Roadmap” (8 March 2005), online: <http://www.ida.gov.sg/News%20and%20Events/20050711175041.aspx?getPagetype=20>.
97 See online : <http://www.in2015.sg/about.htrnMor overview and detailed reports.
98 The reports are online: <www.weforum.org/gitr>.
99 Wei, George, “Milky Way and Andromeda: Privacy, Confidentiality and Freedom of Expression” [2006] 18 Singapore Academy of Law Journal, 1 at 8–13 Google Scholar.
100 [1997] 2 All ER 426.
101 [2001] 3 SLR 454.
102 It is to be noted that the Malcomson decision was a default judgment as the Defendant had failed to file his Defence in time. The question of whether the tort of harassment exists under common law has yet to reach the Singapore Court of Appeal for consideration. For a detailed discussion of Malcomson, see Tan Keng Feng “Harassment and Intentional Tort of Negligence” [2002] Singapore Journal of Legal Studies 642. Singapore does not have the equivalent of the UK's Protection of Harassment Act 1997 (Cap 40) which prohibits acts of “harassment (defined at section 8 as ”causing the person alarm or distress; and [the] course of conduct must involve conduct on at least two occasions.”)
103 Supra note 100, see paragraph 55.
104 As the focus of this article is on data protection regimes, the writer will not venture into a detailed discussion of the current state of common law actions in Singapore jurisprudence that impact on the right of privacy. For an enlightening discussion on these issues, see supra note 99.
105 See sections 3 to 10 (of the Computer Misuse Act (Cap 50 A) generally.
106 See report by the NIAC subcommittee on the Model Code at pages 42-45 online: <http://www.agc.gov.sg/publications/docs/Model_Data_Protection_Code_Feb_2002.pdi>.
108 For criticisms of the Model Code, see Greenleaf, Graham, “Singapore Takes the softest privacy options” Privacy Law & Policy Reporter, Vol 8, No 9 March 2002 Google Scholar
109 Supra note 106, paragraph 5.15 of the report onwards.
110 Ibid, see section 6 of the report.
111 For a detailed analysis, see Lehdonvirta, Vili, “European Data Protection Directive: Adequacy of Data Protection in Singapore” [2004] Singapore Journal of Legal Studies 511 Google Scholar.
112 See Ministry of Information, Communications and the Arts, Parliament Questions Archive, online: <http://www.mica.gov.sg/Parliament/Sitting%2014-02-06.htm> and Lian, Goh Chin, “Personal Data: Panel Looking at Protection” The Straits Times (15 February 2006)Google Scholar.
113 RFID is an acronym for “Radio-frequency identification”. This is an automatic identification method, relying on storing and remotely retrieving data using devices called RFID tags or transponders. Privacy concerns have been raised as to the transmission and storage of personal data.
114 See Ministry of Information, Communications and the Arts Press Release Statement By Dr Lee Boon Yang, Minister For Information, Communications And The Arts In Parliament During COS Debate (MICA) on 3 March 2006, Singapore, Totally Connected, Wired And Wireless, online: <http://www.mica.gov.sg/pressroom/press_060303.htm>.
115 Email dated 19 July 2006 from the Ministry's Corporate Communications Department to the writer.
116 Greenleaf, Graham, “APEC Privacy Framework on show in Vietnam: How much progress’, Privacy Laws & Business International Newsletter, May 2006, Issue 82 at 5 Google Scholar.
117 Online: <http://www.bioethics-singapore.org/>.
118 See Section 3 of the report, in particular 3.2 onwards.
119 See paragraph 7 of the report.
120 “2005 marks 10th Anniversary of the EU Data Protection Directive” Privacy Laws & Business International Newsletter (December 2005) Issue 80 at 10 Google Scholar.
121 Bygrave (2004), supra note 3.
122 See Colin Bennett, Information Policy and Information Privacy- International Areas of Governance, (2002), article available online University of Victoria: <http://web.uvic.ca/polisci/Bennett>.
123 For further discussion, see Colin J. Bennett, “An International Standard for Privacy Protection: Objections to the Objections”. Paper presented to the CFP’ 2000 Workshop on “Freedom and Privacy by Design”, at 2000) an earlier draft of this paper was published in December 1997 in the Open Standards Tracking Report at: www.digital.com/info/osstr/tr1297.htm#A3, online: <http://web.uvic.ca/polisci/bennett/pdf/ilpf.pdf>.
124 See page 3, sub-paragraph (a) of the Montreux Declaration, online: >www.privacydataprotection.co.uk/documents/montreux_declaration.pdf>. See also Ahmed, Saira & Ravindra, Prashanti, “Commissions call for an international Privacy convention” Privacy Law Bulletin, Vol 2 No 6 Google Scholar