Recommendations for Improvements to APEC Privacy Principles (Version 9)
Submission to the APEC Electronic Commerce Steering Group Privacy Sub-Group
19 March 2004
The Australian Privacy Foundation is the primary
non-government association in Australia dedicated to protecting the privacy
rights of Australians. It has operated since 1987. The Foundation aims to focus
public attention on emerging issues which pose a threat to the freedom and
privacy of Australians. The Foundation has led the fight to defend the right of
individuals to control their personal information and to be free of excessive
intrusions. Further details may be obtained from the Foundation’s web site
at http://www.privacy.org.au/index.html.
The Foundation’s contact representative on this matter
is Professor Graham Greenleaf, a member of the Foundation’s Board, and
Professor of Law, University of New South Wales, and Co-Director,
Baker & McKenzie Cyberspace Law and Policy Centre.
This submission follows the structure of the APEC draft
Principles, Version 9
(Consultation Draft 27/2/04), indicating the most significant deficiencies
(if any) of each Principle or definition, and proposing improvements where
needed. Articles by Professor Greenleaf containing background to the APEC
process and more detailed criticisms of some aspects of the APEC processes may
be found at http://www.bakercyberlawcentre.org/appcc/.
SUMMARY OF CRITICISMS
The ten most significant of the criticisms below of the APEC
draft, even as a set of minimum principles, are as follows:
- The categories of ‘national exceptions’ are open-ended.
- There are ineffective controls on the scope of any particular ‘national exception’.
- Notice is not clearly required to be given to individuals from whom information is collected.
- Collection is not limited to the minimum information necessary for purpose.
- Secondary uses are allowed for ‘compatible’ purposes, a very weak test.
- The elevation of ‘choice’ (or consent) to a separate Principle facilitates the commodification of privacy.
- ‘Commercial proprietary’ reasons should not be an exception to access and correction.
- ‘Maximising Benefits’ should not become a Principle.
- The OECD Principles of Purpose Specification, Openness and Data Export Limitation are missing and their content should be reinstated in the APEC Principles.
- At least an additional Deletion Principle should be added for a minimum set.
In summary, the APEC Principles do not even
meet the 20 year old OECD standard, whereas they should include some significant
strengthening where OECD is now too weak. The APEC draft is inadequate as a set
of privacy principles for Asia-Pacific countries.
Recommendations for improvements
The elements of the APEC draft are discussed below in the
order they appear. Recommended improvements follow each item discussed and are
underlined. A consolidated list of recommendations is at the end.
PART I. PREAMBLE
The Preamble should be strengthened in the following
ways:
The Preamble presents these guidelines as only directed at
businesses in member economies, whereas the Principles are equally applicable to
governments and their obligations to protect privacy in relation to government
activities.
The Preamble should be amended so that it is equally
applicable to governments and their obligations to protect privacy in relation
to government activities.
The Preamble does not reflect the fact that governments will
have to take actions to implement it, and that self-regulation will be
insufficient.
The Preamble should be amended to reflect that the
Principles will also constitute recommendations to governments in APEC economies
to take action to ensure protection of privacy (once the implementation aspects
are finalised).
The Preamble speaks of ‘ensuring’ free flow of
information but only of ‘encouraging’ privacy protection.
Similarly, the final points in the Preamble refer to free flow of information as
‘essential’, but do not accord this status to privacy protection.
The examples of terminology mean that the Preamble is not even-handed (and would
bias the guidelines against privacy protection).
The Preamble should be changed to refer to
‘ensuring’ privacy protection and that privacy protection is
‘essential’.
The Preamble stresses the economic benefits of protection of
privacy, but fails to give adequate recognition to the protection of privacy as
an essential aspect of human rights.
The Preamble should be amended, preferably throughout
but at least in its final list of matters recognised as of importance, by
referring to how the guidelines reflect the following instruments which are
common to most (perhaps all) APEC economies:
- the right of privacy in Article 12 of the Universal Declaration of Human Rights 1948
- the right of privacy in Article 17 of the International Covenant on Civil and Political Rights 1966
The Preamble should be amended to state that these
guidelines represent only a minimum standard of recommended privacy protection
in APEC domestic economies, and that individual economies may choose to have
higher domestic standards.
This would at least recognise that most of the existing
privacy laws in APEC member economies already meet a higher standard than these
guidelines.
The Preamble should also state that prohibitions on the
export of personal data may be legitimate limitations on the free flow of
personal information, as is the case with the OECD Guidelines.
The circumstances in which these guidelines will recognise
legitimate restrictions on free flow of personal information are presumably to
be set out in the implementation measures, but the Preamble should at least
recognise the general concept, otherwise its references to free flow of
information being ‘essential’ are misleading.
PART II. SCOPE
Definitions
'personal information'
This is uncontentious.
['personal information controller']
[Square brackets around an item means it is not yet finally
included in the APEC draft but still under discussion.] The exception of agents
from primary liability to comply may be acceptable as they are only excluded
when acting as agents (so the principal will remain liable). The exclusion of
‘domestic’ activities is common and acceptable. In general, this
definition is uncontentious.
'publicly available information'
The most important thing about this definition is that it
does not constitute a general exception from the Principles of publicly
available information. It only applies as an exception to the Choice Principle
(5) in relation to collection, and as an exception to the requirement of notice
where not appropriate. These make the definition of minimal effect. If it was
a more general exception (eg applying to use and disclosure) it would be
dangerous as it is ill-drafted and over-broad.
Recommendation:
The scope of application of the exception for publicly available
information should not be expanded in any way.
Application [Exceptions]
Exceptions are impliedly left to be matters of national
decision. The general principles set out here presumably are intended to
indicate when national exceptions may still be regarded as ‘within the
Principles’.
APEC therefore accepts any ‘national
exceptions’, which are not exhaustively categorised but left open-ended,
and specifically ‘including those relating to national sovereignty,
national security, public safety, and public policy’.
Recommendation:
The acceptable categories of national exceptions should be specified,
even though it is recognised that the latitude for interpretation of each
category will be considerable, reflecting the variety of APEC economies.
The controls on any particular national exceptions are
only that they must be ‘limited’ (this means nothing) and
proportional to the stated objectives (this could mean something if EU
jurisprudence is any indication), and either (i) ‘made known to the
public’ or (ii) ‘in accordance with law’. This last
‘or’ is clearly wrong and should say ‘and’: at present
it opens the prospect of a law authorizing the making of secret exemptions to
any of the Principles if a law allows this (not just secrecy in the application
of an exemption, as may occur in various forms of surveillance). OECD required
all exceptions to be ‘made known to the public’.
Recommendation:
The controls on exceptions should be altered by deletion of
‘or’, to state ‘made known to the public
and in accordance with law’.
It is not clear that these limits on exceptions (weak though
they are) also apply to those exceptions already included in the Principles (eg
to Principle 8 Access and Correction). They should apply.
Recommendation:
The limits on exceptions should apply to all exceptions to the
Principles, including those to Principle 8 Access and Correction.
PART III. APEC INFORMATION PRIVACY PRINCIPLES
1. Preventing Harm
While the sentiment behind this may seem unexceptional, it
is better to place a 'prevention of harm' principle in the part dealing with
implementation and remedies, where it can be used to ration access to remedial
processes (as in New Zealand) or to lessen compliance burdens where harm is
less likely. Alternatively, it could go in the Preamble.
To elevate this to a Principle on a par with the other
privacy Principles makes it easier to allow wholesale exemptions from the law
like Australia's 'small business' exemption or to argue that there is no need
for any uniform privacy laws at all but only for laws in sectors which pose some
special danger (as in the USA).
Recommendation:
Principle 1 should either be moved to the implementation provisions or
moved to the Preamble.
2. Notice
While entitled ‘Notice’ and specifying that
purposes of collection and other matters must be disclosed, Principle 2 only
requires that this be done by ‘clear and easily accessible
statements’, and does not state that it should be by notices given to
individuals. This weakness was reinforced by the Explanatory Memorandum [for
Version 8] comment that ‘one method of compliance ... is for personal
information controllers to post it on their website’ [Version 9 EM not yet
available]. Such notices are one of the important privacy protections for
individuals, and one of the strongest inhibitors on organisations against use
for unacceptable purposes.
It does now state that notice should be provided
‘before or at the time of collection’ if ‘reasonably
practicable’.
The OECD has no explicit requirement that notice of purpose
of collection must be given to the
individual at or before the time of collection, although most national
legislation in the Asia-Pacific has such a requirement.
Recommendation:
Principle 2 should be amended to state that ‘wherever practicable
such information should be given to the individual from whom information is
collected either before or at the time of collection’.
3. Collection limitation
No objective limits on purpose of collection: The OECD principles only say
'there should be limits on the collection of personal information', failing to
define those limits by any objective standard (eg the functions of the
collecting organisation). National legislation often includes this improvement
(eg Hong Kong). Nor do they include any form of ‘purpose justification
principle’. APEC Principle 3 reflects these weaknesses and only limits
collection by ‘relevance’ to the organisation’s self-defined
purposes of collection.
No lawful purpose requirement: There is no requirement that the information be
collected for a lawful purpose (as is common in national laws), only that the
means of collection be lawful.
No minimal collection requirement: There is no requirement that only the
minimum information be collected (relative to purpose).
Recommendation:
Principle 3 should be amended to state that ‘The collection of
personal information should be limited to the collection of information relevant
to the lawful purposes of the personal information controller and to the minimum
information relevant to the purposes of collection ...’
4. Uses of personal information
APEC has adopted the weakest possible test of allowable
secondary uses, that it only need be for ‘compatible’ purposes
(whatever that means). The only alternative still under consideration is that it
should be for ‘related’ purposes, previous consideration of
‘directly related’ purposes (as found in some national legislation)
now being dropped. This adopts a version of the OECD test of secondary uses
being allowed if they are 'not incompatible' with the purpose of collection. A
further control on secondary uses which has been adopted in some APEC economies
and helps to give more precise control is ‘the reasonable expectations of
the person from whom the information is collected’.
Recommendation:
Principle 4 should be amended to state ‘and other directly related
purposes within the reasonable expectations of the person from whom the
information is collected’.
5. Choice
‘Choice’ has been elevated to a separate
Principle, an approach not taken in any previous international instruments. This
may be interpreted to imply that individual consent can always override any
other Principle, though this is not expressly stated. ‘Choice’ or
consent is not limited to express or explicit consent, and may be interpreted
to include forms of alleged implied consent, such as failure to opt out. There
are no limitations on whether inducements or threats of consequences may
vitiate alleged ‘choice’.
By elevating ‘choice’ to a Principle, the
commodification of privacy is facilitated.
Recommendation:
Principle 5 should be deleted or moved to the Preamble.
6. Integrity of Personal Information
This Principle is uncontentious, except that it does not
include any deletion requirement (OECD did not include this either).
7. Security Safeguards
This Principle is uncontentious.
8. Access and Correction
Rights of individual access and correction have been made
much more explicit than the OECD formulation.
An exception to access and correction where ‘the
burden or expense of doing so would be unreasonable or disproportionate to the
risks to the individual’s privacy’ could be used to exclude access
to a person’s record where the risks to privacy were low, but the costs of
providing access are also low. Access costs should be internalised by businesses
in such cases.
Recommendation:
The exception to Principle 8 where ‘the burden or expense of
doing so would be unreasonable or disproportionate to the risks to the
individual’s privacy’ should be amended to where ‘the burden
or expense of doing so would be unreasonably high and disproportionate and the
risks to the individual’s privacy are low’.
There is still under consideration an exemption where
‘the information should not be disclosed for legal, security [or
commercial proprietary] reasons’. These blanket exemptions from access are very
vague and clearly open to abuse, particularly because it is unclear whether any
considerations of proportionality apply (see earlier).
Recommendation:
The proposed exception to Principle 8 for commercial proprietary reasons
should be deleted.
Limits on access should not dictate limits on correction, as
the danger of incorrect information is greater where access is prevented.
Third-party correction is needed to resolve this.
Recommendation:
Principle 8 should state that where an exception to access
applies, the
right of correction still applies but shall be exercised through an appropriate
third party.
9. Accountability
The accepted Principle is uncontentious.
The proposed US addition (not yet accepted) which imposes
a due diligence requirement on those disclosing personal information to others
might be acceptable, but not if it is intended to be a substitute for a Data
Export Limitation principle (see below).
Recommendation:
The proposed US addition to Principle 9 must not be a substitute for a
Data Export Limitation principle.
[10. Maximizing Benefits]
The US is proposing a 'Maximising the Benefits of Privacy
Protection' Principle which could elevate 'free flow of information' to a
Privacy Principle with the same status as the other Principles. This is wrong
as the Principles are already framed as a minimum set of privacy protections
which do not in themselves unduly interfere with the free flow of personal
information. The inclusion of this Principle would create the danger of more
exceptions being created to facilitate free flow of information.
It has been objected to by all other APEC participants
on the grounds that it is only appropriate in the Preamble.
Recommendation:
Proposed Principle 10 should not be adopted.
MISSING PRINCIPLES
OECD Principles
Purpose Specification: The OECD Purpose Specification Principle that the purposes
of collection 'should be specified not later than at the time of data
collection' is not explicitly included but could be regarded as partly implied
by the requirement that Notice (which includes notice of purpose) be given
before collection wherever practicable.
Recommendation:
A Purpose Specification
Principle similar to that adopted by the OECD should be added.
Openness: The OECD ‘Openness Principle’, a broad ‘political’ limitation
which allowed any person to obtain details about the existence and purpose of
personal data systems (whether or not they were included in those systems), has
been dropped by APEC. It is not encompassed by either the APEC Notice principle
or the right of individual access.
Recommendation:
An Openness Principle similar to
that adopted by the OECD should be added.
Data export limitation: OECD specifically allows (but does not require) data export
limitations under some circumstances. This has not been dealt with yet by APEC,
but might possibly be dealt with when it considers implementation measures. It
should be included, as it is essential to a balance being reached between
privacy and free flow of personal information.
Recommendation:
A Data Export Limitation
Principle similar to that adopted by the OECD should be added.
Other common missing principles
Like the OECD, APEC does not include any principles dealing
explicitly with identifiers, automated processing, or deletion of data.
Some examples of higher standards not included, in the sense
that they are found in at least two regional privacy laws, are as follows:
- Collection objectively limited to where necessary for functions or activities of organisations (HK, Australian Federal, NZ; Canadian Federal is even stricter);
- Notices upon collection (Australia Federal, NZ, HK, Korea);
- Secondary use only for a directly related purpose (HK, NZ, Australia Federal; Korea is even stricter);
- Right to have recipients of corrected information informed (NSW, NZ);
- Deletion after use (HK, NZ, NSW, Korea). At least some version of this Principle would seem desirable in any set of minimum principles.
Recommendation:
A Deletion Principle should be
added.
CONSOLIDATED LIST OF RECOMMENDATIONS
The Preamble should be strengthened in the following
ways:
The Preamble should be amended so that it is equally
applicable to governments and their obligations to protect privacy in relation
to government activities.
The Preamble should be amended to reflect that the
Principles will also constitute recommendations to governments in APEC economies
to take action to ensure protection of privacy (once the implementation aspects
are finalised).
The Preamble should be changed to refer to
‘ensuring’ privacy protection and that privacy protection is
‘essential’.
The Preamble should be amended, preferably throughout
but at least in its final list of matters recognised as of importance, by
referring to how the guidelines reflect the following instruments which are
common to most (perhaps all) APEC economies:
- the right of privacy in Article 12 of the Universal Declaration of Human Rights 1948
- the right of privacy in Article 17 of the International Covenant on Civil and Political Rights 1966
The Preamble should be amended to state that these
guidelines represent only a minimum standard of recommended privacy protection
in APEC domestic economies, and that individual economies may choose to have
higher domestic standards.
The Preamble should also state that prohibitions on the
export of personal data may be legitimate limitations on the free flow of
personal information, as is the case with the OECD Guidelines.
Recommendation:
The scope of application of the exception for publicly available
information should not be expanded in any way.
Recommendation:
The acceptable categories of national exceptions should be specified,
even though it is recognised that the latitude for interpretation of each
category will be considerable, reflecting the variety of APEC economies.
Recommendation:
The controls on exceptions should be altered by deletion of
‘or’, to state ‘made known to the public
and in accordance with law’.
Recommendation:
The limits on exceptions should apply to all exceptions to the
Principles, including those to Principle 8 Access and Correction.
Recommendation:
Principle 1 should either be moved to the implementation provisions or
moved to the Preamble.
Recommendation:
Principle 2 should be amended to state that ‘wherever practicable
such information should be given to the individual from whom information is
collected either before or at the time of collection’.
Recommendation:
Principle 3 should be amended to state that ‘The collection of
personal information should be limited to the collection of information relevant
to the lawful purposes of the personal information controller and to the minimum
information relevant to the purposes of collection ...’
Recommendation:
Principle 4 should be amended to state ‘and other directly related
purposes within the reasonable expectations of the person from whom the
information is collected’.
Recommendation:
Principle 5 should be deleted or moved to the Preamble.
Recommendation:
The exception to Principle 8 where ‘the burden or expense of
doing so would be unreasonable or disproportionate to the risks to the
individual’s privacy’ should be amended to where ‘the burden
or expense of doing so would be unreasonably high and disproportionate and the
risks to the individual’s privacy are low’.
Recommendation:
The proposed exception to Principle 8 for commercial proprietary reasons
should be deleted.
Recommendation:
Principle 8 should state that where an exception to access applies, the
right of correction still applies but shall be exercised through an appropriate
third party.
Recommendation:
The proposed US addition to Principle 9 must not be a substitute for a
Data Export Limitation principle.
Recommendation:
Proposed Principle 10 should not be adopted.
Recommendation:
A Purpose Specification Principle similar to that adopted by the OECD
should be added.
Recommendation:
An Openness Principle similar to that adopted by the OECD should be
added.
Recommendation:
A Data Export Limitation Principle similar to that adopted by the OECD
should be added.
Recommendation:
A Deletion Principle should be added.