APEC vs APT?: The struggle for regional privacy standards
Graham Greenleaf
‘Terrorists & Watchdogs’ Conference, 8 September 2003
See http://www2.austlii.edu.au/~graham/ for updates / details

Regional privacy standards
- There is no global standard
- One region (Europe) has successfully developed regional standards
  - Council of Europe Convention 1981
  - European privacy Directive 1995
- The Asia-Pacific is the next most advanced region in privacy protection
  - Far less political and economic unity or uniformity
  - Starting the most important international privacy developments since the EU Directive ….

Toward an Asia-Pacific standard
- APEC’s privacy initiative
  - Chaired by Australia - US / Aust. initiative
- Asia-Pacific Telecommunity (APT)
  - Chaired by Korea
- Asia-Pacific Privacy Charter Council
  - A ‘civil society’ expert group
- FTAA will also affect some countries (Free Trade Area of the Americas)

APEC’s privacy Principles
- Australia chairs a working group of 10 countries since Feb 03
- Starting point: OECD Guidelines (1981)
- What’s the purpose?:
  - A minimum standard where compliance will (somehow) justify regional free flow of personal information
  - A standard which will encourage (minimum) protection in countries where there is none

APEC’s privacy Principles - Progress or stagnation?
- 5 draft versions in 6 months
- Do not yet reach OECD standards
- Only considering very minor improvements to OECD
- V2 strengthened V1, but V3 and V4 far weaker for little apparent reason
- Serious US input coincides with V3
- At best it offers ‘OECD Lite’ ….

APEC’s ‘OECD Lite’
- Examples of weak and outdated standards
  - Based on Chair’s V4 (Aug 03) - now behind closed doors
  - No objective limits on information collection (P1)
  - No requirement of notice to the data subject at time of collection (P3)
  - Secondary uses allowed if ‘not incompatible’ (P3)
  - OECD Parts 1, 3, 4 and 5 all missing as yet
  - Farcical national self-assessment proposed (V1)
- Why start from a 20 year old standard?
  - Most regional countries are not members
  - Recognised as inadequate (eg Kirby J 1999)

The alternative: A real Asia-Pacific standard
- Actual standards of regional privacy laws
  - Eg Korea, Canada, Hong Kong, New Zealand, Taiwan, Australia, Japan, Argentina
- Principles stronger than OECD are common
- Expert input is needed to identify this standard, not filtered through governments
- Privacy Commissioners need a collective role
  - No equivalent yet to A29 Committee
  - Santiago (Feb 04) only offers input on implementation
- Asia-Pacific NGO experts are developing the APPCC
- We need to adopt and learn from 25 years regional experience, not ignore it

Examples of high regional standards
- Collection objectively limited to where necessary for functions or activities (HK, Aus, NZ - Can stricter)
- Notice upon collection (Aus, NZ, HK, Kor)
- Secondary use only for a directly related purpose (HK, NZ, Aus - Kor stricter)
- Right to have recipients of corrected information informed (NSW, NZ)
- Deletion after use (HK, NZ, NSW, Kor)

APT privacy Guidelines (draft)
- Asia-Pacific Telecommunity (APT)
  - 32 states via Telecomms ministries (etc)
- Guidelines on the Protection of Personal Information and Privacy (draft), July 2003
  - Drafting by KISA (Korea), with Asian Privacy Forum
- Attempts to take a distinctive regional approach
  - Explicitly not based solely on OECD or EU (cl8)
  - Says OECD Guidelines ‘reflect … the 70s and 80s’
  - ‘Concrete implementation measures’ unlike OECD
  - Allows more variation between States than EU
  - Emphasises role of government, not litigation
  - Adds new Principles in at least five areas …

APT Guidelines - implementation
- Legislation required + self-regulation encouraged
- A privacy supervisory authority required
  - Supervision and complaint investigation
- Data export limits may be ‘reasonably required’ to protect ‘privacy, rights and freedoms’; free flow of information otherwise required
- Limits on these guidelines only by legislation; only to the extent necessary for other public policies
- Common character string needed to deal with spam

APT Guidelines - new Principles
- No disadvantage for exercising privacy rights (A5(2))
- Notification of corrected information to 3rd party recipients (A6(4))
- ‘Openness’ of logic of automated processes (A7)
- No secondary use without consent (A14(2))
- Deletion if consent to hold is withdrawn (A16)
- Duties on change of information controller (A19)
- Special provision on children’s information (A34)
- Personal location information Principle (A30)
- Unsolicited communications Principle (A31)

Conclusions
- Why are APEC and APT so different?
  - Membership similar except for the USA
  - Australia’s APEC initiative had a defensive and outdated starting point (OECD)
  - Inadequate process: no collective expert input, and now behind closed doors
  - OECD Guidelines were by an ‘expert group’
- A more consultative, confident, and region-based APEC initiative is needed

Coda: APPCC contribution
- Asia-Pacific Privacy Charter Council
  - 35 non-government privacy experts from 10 regional countries, and growing
  - On 12/11/03, meeting to consider 1st working draft
- Headings of Principles under consideration for Charter are over - only a first draft
  - Covers surveillance and intrusions as well as IPPs
  - An attempt to find a positive regional standard

APPCC draft - Part I - General Principles
1. Justification and proportionality
2. Consent
3. Accountability
4. Openness
5. Non-discrimination
6. Reasons for non-compliance

APPCC draft - Part II - Information Privacy Principles
7. Anonymous transactions
8. Collection limitation
9. Identifier limitation
10. Information quality
11. Use and disclosure limitations
12. Export limitations
13. Access and correction
14. Retention limitation
15. Public registers
16. Information security
17. Automated decisions
18. Identity protection
19. Disclosure of private facts
APPCC draft - Part III - Surveillance limitation principles
20. Surveillance justification
21. Notice of overt surveillance
22. Approval of covert surveillance
23. Accountability for covert surveillance
24. Surveillance security
25. Surveillance materials
26. Transborder surveillance
APPCC draft - Part IV - Intrusion limitation principles
27. Intrusion limitation
28. Bodily privacy
29. Biometrics limitation
30. Private space
31. Communications & cyberspace privacy
32. Personal location limitation
33. Unsolicited communication limitation

APPCC principles - Part V - Implementation and compliance principles
34. Implementation by law
35. Sufficient implementation measures
36. Supervisory body
37. Privacy impact assessments
38. Sufficient remedies for breach
39. Obligations of information subjects
40. Independent appeal
41. Transparency of official actions
42. Individual recourse to Courts
43. International cooperation
44. Jurisdictional certainty