Implementing the APEC Privacy Framework: A New Approach
Malcolm Crompton and Peter Ford
The Asia-Pacific Economic Cooperation forum comprises 21 economies around the Pacific Ocean, including very significant economies such as the United States, Canada, China, Japan, South Korea, Australia and others. APEC Ministers have endorsed an APEC Privacy Framework.
The Framework is a different document from the EU Privacy Directive. While the Framework is likely to be compared to the EU Privacy Directive, the Framework has key differences in Principles 1 and 9.
APEC Principle 1 extends the concept of Proportionality that permeates a lot of thinking in the design of EU frameworks. In particular, it extends the concept of proportionality of redress ("let the punishment fit the crime") so that it also gives guidance to regulators in focusing their activities. To put it another way, the principle is nothing more than an explicit recognition of the reality that most organizations, regulators or otherwise, have limited resources at their disposal and have to prioritize. The key will be to ensure an appropriately broad approach to the concept of "harm," in particular ensuring it extends beyond immediate harm measurable only in financial terms.
Principle 9, though, is the most important difference between the APEC Privacy Framework and the EU Directive. In effect, the APEC Privacy Framework is saying that "accountability should follow the data." Once an organization has collected personal information, it remains accountable for the protection of that data — even if it changes hands or moves from one jurisdiction to another. The Directive instead focuses on border controls — in particular, whether the data is moving from one jurisdiction that has "adequate" data protection to another that has "adequate" protection.
This paper records the first steps in implementing the Framework, which took the form of two implementation seminars.
It is worth noting the terms in which Ministers endorsed the Framework in 2004:
"Recognizing the importance of the development of effective privacy protections, which avoid barriers to information flows, to continued trade and economic growth in the APEC region, Ministers endorsed the APEC Privacy Framework and the Future Work Agenda on International Implementation of the APEC Privacy Framework."
Two points should be made about this statement.
Secondly, Ministers endorsed a continuing program of work to implement the Framework. In partial fulfilment of this goal, the Electronic Commerce Steering Group of APEC carried out two seminars in 2005, the first, dealing with domestic implementation, in Hong Kong in June and the second, dealing with international implementation, in Gyeongju, South Korea, in September.
First seminar — Domestic Implementation
Some 90 delegates represented 15 APEC economies at the seminar.
The conference was hosted by the Hong Kong Privacy Commissioner's Office and the papers are available at: www.pco.org.hk/english/infocentre/apec_ecsg1_2.html. The focus of this first seminar was on applying the general language of the APEC Privacy Framework, whether through legislation or other means, by APEC economies. It was recognized at the outset that some economies have had privacy protection in place for several years while the subject is new to others.
Mapping the Environment
The Preamble to the Framework notes Ministers' endorsement of APEC's 1998 Blueprint for Action on Electronic Commerce and their references to the need to "build trust and confidence in safe, secure and reliable communication, information and delivery systems, and which address issues including privacy... ." References to aspects of globalization, the core values of the OECD's 1980 Privacy Guidelines, and the need to consider law enforcement imperatives also are included.
The need to hold discussions with relevant bodies about implementation of the Framework, including law enforcement and security agencies, is referred to in Part IV (Part A — Guidance for Domestic Implementation).
Ways of undertaking consultation on the domestic implementation of the Privacy Principles were outlined and analyzed in detail. For example, it was noted that, while it is important to maintain transparency, in some particular circumstances it might be more appropriate to hold closed meetings to receive confidential information.
Australia's domestic consultation was highlighted as an example of the kind of steps that policy-makers may wish to consider.
The Framework exhorts economies to engage in dialogue between the public and private sectors. Attendees learned about Thailand's experience of the cooperation between public and private sectors, and the work of the Global Business Dialogue and other businesses that supported government initiatives.
Educating and Publicizing
The Framework emphasizes the need to seek the cooperation of non-government entities, to notify individuals of their rights and to educate personal information controllers and individuals.
Attendees heard details of the Hong Kong Privacy Commissioner's measures to promote effectiveness, efficiency and ethics in public education and to measure the results. Businesses and regulators discussed their efforts to develop short privacy notices to advise consumers of their rights. Consumer representatives spoke of the need to ensure that tools to promote privacy are "consumer friendly."
The Framework urges economies to adopt an appropriate array of remedies for privacy violations. There was a discussion of the effectiveness of particular remedies with an emphasis on the experiences of economies with privacy regimes, particularly Korea with its focus on Alternative Dispute Resolution, and the United States, with its detailed legislation in specific areas of commerce.
The Framework briefly provides for economies to prepare "Individual Action Plans" for reporting purposes.
It was noted that the Framework provides a structure for reporting. There were brief outlines offered on the experience of Mexico and the Philippines in developing privacy law in the context of electronic commerce.
Second seminar — International Implementation
Fifteen economies were represented by about fifty delegates. The Korean Institute for Electronic Commerce and other government agencies hosted the seminar. The papers are available at: www.apec.org/content/apec/documents_reports/electronic_commerce_steering_group/2005.html#SEM.
Identifying the Problems
The seminar commenced with a "hypothetical" devised to highlight the difficulties of applying privacy principles in an environment in which business transactions involve several economies. The sessions that followed analyzed the problems in applying the principles in this environment. The issues were further explored in a series of case studies dealing with direct marketing, the collection of personal information, the operation of international call centers, the uses of personal information, alternative dispute resolution and the difficulties in opting out of the receipt of promotional material.
It soon became clear that the regulatory mechanisms required for the protection of privacy in an international context need further development.
From the perspective of some regulators, chief among the problems was the perceived lack of authority to cooperate with their counterparts in other economies. From the perspective of business, a major concern was the need for regulators to consider that, in the context of electronic commerce, customer service may involve the storage of data simultaneously in a number of countries as well as the need to access it from business centers in different countries over an extended period. These developments may make the idea of limiting point-to-point data flows obsolete. It would be difficult to even track the movement of data — let alone regulate it.
The themes that emerged were based on a generally accepted conclusion that accountability mechanisms were more effective in international privacy protection than cross-border restrictions.
The first theme focused on the need to reach out to all stakeholders to improve awareness and understanding of the APEC Privacy Framework in both business and wider civil society circles. Some outreach is already under way through the International Association of Privacy Professionals and other bodies. Possible new activities might include education and training programs, the provision of new resource materials, continued regional workshops, seminars and opportunities for interchange of ideas and expertise. The second theme addressed the issue of cooperation between regulators for the purposes of information sharing, investigation and enforcement. The use of Memoranda of Understanding and existing cooperative arrangements also might prove useful against the background of the Framework.
The third theme involved the development of mechanisms to apply the APEC Privacy Principles to regional cross-border transfers of information. Some particular objectives relevant to this aspect are:
- Facilitating accountable transfers of information so as to maximize the benefits to business and the consumer;
- Enabling consumers to seek redress locally and easily through cooperative arrangements between regulators; and
- Allowing businesses to use information as needed for its purposes consistent with the APEC Privacy Principles and local legal requirements.
Consolidation of data processing into global systems carries many advantages but it also presents a number of challenges for the management of privacy practices. The need to comply with different legal systems is addressed through an internal governance framework, but the need for the framework arises out of modern business practices. Complex issues of accountability arise from variations in standards among economies.
This is an important point. The more that internal governance frameworks and processes can be demonstrated to be effective, the less the work that will be expected of regulators and the simpler compliance will become. Indeed, implementation of the Framework in businesses with strong internal-governance frameworks could be built on internal-governance procedures supported by strong external assurance, for example, through independent audit, with formal regulation an approach of last resort. While this approach may not be appropriate for all businesses, it may be an excellent way of demonstrating the impact of the Framework at an early stage.
Indeed, failures of internal governance in the APEC region over the last year have led to calls for increased regulation that likely will result in some consequences. Responsible business can show that this need not be necessary, but it will have to lead by strong example.
The second seminar in particular worked on surfacing the implications of ensuring that "accountability follows the data" effectively and explored options for doing so. Seminar participants made a very promising start in addressing these issues.
They also discovered that there is still work to be done to assure individuals that their data is safe even if it moves around the region outside their own economy — all while not making it too difficult for businesses to operate. Within current legal frameworks, effective and more explicit cooperation between regulators is almost certainly the key.
The next steps are likely to include further seminars to help economies address implementation issues. APEC already has allocated funding for another seminar hosted by Vietnam.
Importantly, though, work will have to start soon on putting in place actual measures to ensure that "accountability does follow the data." Privacy authorities attending the second seminar indicated that they were willing to look at establishing cooperative arrangements to meet this goal, for example on how to address consumer complaints that involve more than one economy. Hopefully, significant progress will have been made through 2006 on this front. With the increasing interest in business-process outsourcing and increasing consumer concern about the security and privacy of personal information in at least some economies such as the U.S., doing nothing is unacceptable.
Malcolm Crompton and Peter Ford are consultants to the Electronic Commerce Steering Group of APEC for the two privacy implementation seminars APEC commissioned in 2005. Crompton also is Managing Director of Information Integrity Solutions Pty Ltd, www.iispartners.com. Ford formerly chaired the APEC Privacy Sub-Group and is now a privacy and security consultant based in Canberra, Australia. He can be reached at firstname.lastname@example.org.