You are here:
AustLII >>
Databases >>
Privacy Law and Policy Reporter >>
1998 >>
[1998] PrivLawPRpr 36
Database Search
| Name Search
| Recent Articles
| Noteup
| LawCite
| Help
Lau, Stephen; Waters, Nigel --- "Bringing the region - Asia Pacific Forum meets in Hong Kong" [1998] PrivLawPRpr 36; (1998) 5(1) Privacy Law & Policy Reporter 14
Bringing the region together — Asia Pacific Forum meets in Hong Kong
Stephen Lau and Nigel Waters
Privacy Commissioner Stephen Lau hosted a meeting of a new Asia Pacific Forum
on Privacy and Personal Data Protection on 13 and 14
April this year (the first
such Forum was arguably that held by British Columbia Commissioner David
Flaherty in Victoria BC in January
1996). Attending the Hong Kong meeting, in
addition to Lau and Flaherty, were Privacy Commissioners Bruce Phillips
(Canada), Moira
Scollay (Australia), and Bruce Slane (NZ) as well as
representatives from Japan, South Korea and Singapore. A number of guests
attended
for specific sessions.
Bruce Slane outlined the objectives of the forum — to provide
opportunities for an exchange of views; to debate on some of the
privacy issues
that delegates were facing in their jurisdictions and to encourage other Asian
countries to address privacy issues.
Country reports
Points of particular interest from country reports were:
Canada
- In Canada, following the January 1998 federal Electronic Commerce Task
Force Discussion Paper The Protection of Personal Information, a draft
bill for regulation of the private sector is expected later this year.
- The
Canadian Government has also legislated for the usage of DNA evidence in law
enforcement, eg to allow the Police to collect and
retain DNA
samples.
Hong Kong Special Administrative Region (SAR)
- In Hong Kong, a total of 15,973 enquiries and 305 complaint cases had been
received by the Privacy Commissioner as at the end of
March 1998.
- The PCO
has so far issued two codes of practice — on consumer credit and on
personal identifiers; and guidelines on transborder
data flow, cold calling,
internet privacy and human resources.
- There have been eight cases where the
Privacy Commissioner had found a breach of the law but where the Secretary for
Justice decided
not to prosecute. These cases had served to arouse public
awareness on privacy and sent a clear message to the public that the PCO
would
institute action against any organisations contravening the
Ordinance.
Japan
- Japan has implemented various measures on the protection of personal data,
including legislation to protect the highly confidential
information in specific
sectors such as personal credit data, medical care and lawsuits.
- In a joint
government/business initiative, a system of granting privacy-protection marks
has been introduced from 1 April 1998.
This includes the establishment by the
Ministry of International Trade and Industry (MITI) in February 1998 of a
Supervisory Authority
for the Protection of Personal Data, to monitor the
granting of privacy-protection marks to businesses by the Japan Information
Processing
Development Center (JIPDEC), and compliance with privacy
standards.
Singapore
- Singapore has no data protection law, and currently relies on law of
contract, law of confidence and statutory bars to provide data
protection;
- A policy group, chaired by the Attorney General, is examining
the impact of EU Directive to see if it could rely on EU’s exemptions
to
facilitate data flow; and considering if there is a need to have a data
protection regime and if so, whether legislation or codes
of practice should be
adopted;
- The Singapore government has a one stop shop service concept which
shares a common pool of relevant
data.
South Korea
- In 1996, the Korean government announced a plan to introduce
‘electronic resident cards’ by 1998. The envisaged resident
card
would contain 41 items of personal information about the holder and function as
a driver’s certificate, medical insurance
card, national pension
certificate, seal, fingerprints and resident register. The plan was later
withdrawn due to strong opposition
from various social groups claiming that it
constituted an intrusion into the privacy of
people.
New Zealand
Key points in the current review of the Privacy Act, being undertaken
by the Commissioner, include:
- in spite of a claim by the ‘data users’ of high compliance
costs the review is finding little evidence of significant
costs;
- there are
concerns about the lack of ‘plain English’ in the Privacy
Act;
- because of the increasing workload of the Privacy
Commissioner’s Office, the possibility of giving the Privacy Commissioner
discretion to refuse investigation of trivial complaints was being
explored;
- the need to ensure ‘adequacy’ under EU Directive
— particularly in relation to controls on transborder
transfers;
- support for some controls on the administration of public
registers through the Public Register Privacy Principles in the
Act.
The EU Directive
Dr Ulf Bruhann from DGXV of the European Commission presented a paper
entitled ‘The EU Data Protection Directive and its Impact
on flows of
Personal Data between the European Union and the Asia Pacific Region’. He
made several key points:
- European experience has shown that a general framework of rules with
legally binding force together with a supervisory authority
is the most
effective way of providing a clear and stable regulatory framework for business
together with the necessary safeguards
for individual rights.
- It is wrong to
conceive of such a legal framework as bureaucratic and bad for business. Many
data protection obligations (for example,
to keep data accurate and up-to-date)
are consistent with good, sensible data management.
- In the new and
potentially enormous market for electronic commerce services, consumer anxiety
about the absence of effective protection
of their privacy online is now seen as
a major barrier to growth.
- The possibility of an international data
protection and privacy standard is being examined by a working group of ISO.
[see below
and Private Parts in this issue — Editor]. Independent external
verification is one means of fostering greater consumer confidence
in the
privacy protection provided by a company.
- The EU was having exploratory
talks with the US, and the initial view is that the self regulation approach
being developed in the
US did not appear to meet the ‘adequate
protection’ test.
- Subject to availability of resources, the EU was
willing to assist any trading partners to develop appropriate laws or bilateral
agreements to promote data protection.
Nigel Waters reported on the
project he is involved in for the European Union on testing a methodology for
assessing adequacy of data
protection in third countries (see (1997) 4 PLPR
141).
A view from the US
Russell Pipe of the Global Information Infrastructure Commission presented
his views on ‘Elements of Effective Self-Regulation
for Protection of
Privacy’. Key points included:
- data privacy has become an issue in the context of electronic commerce, and
it does not involve other kinds of privacy;
- the EU Directive on Data
Protection was a motive to prompt the US to give thought to protection of
privacy;
- unlike the European approach, the Clinton Administration appeared
to support private sector efforts to implement self-regulatory
regimes to
protect privacy;
- the private sector in the US claimed privacy was a new
issue which should not be rushed;
- the US Congress appeared to favour
self-regulation and was not keen to introduce any new legislation on
privacy;
- in the absence of legislation and the establishment of an
enforcement authority, the ‘contractual’ approach of self-regulation
could be an ‘empty shell’ and might not meet the adequacy test of
the EU directive.
The role of international standards
Elizabeth Longworth, who represents NZ on the International Standards
Organisation’s COPOLCO Working Group on Privacy explained
the current ISO
initiative. [see Private Parts in this issue for an update — Editor].
- The working group’s task was ‘To advise the Technical
Management Board on the desirability/practicality of ISO undertaking
the
development of International Standards relevant to the protection of personal
information, and, if so, to recommend a future
course of action’.
- The
group had reported to the TMB in January 1998, but also requested an extension
until June 1998 — Ms Longworth appealed
for support for the development of
an ISO standard, but acknowledged that there was a lot of scepticism about the
need for such a
standard, particularly from those who take the view that
voluntary codes cannot work, and that legislation together with an enforcement
authority is necessary.
Privacy Enhancing Technology — P3P project
Joseph Reagle, from the World Wide Web Consortium, gave the Forum a brief
introduction to the Platform for Privacy Preferences (P3P)
project, which aims
to facilitate the ‘registration’ of Internet users’ privacy
preferences such that they can
then be respected by Internet service providers
and traders.
Telecommunications Privacy
Dr Alexander Dix, the Deputy Commissioner for Berlin, gave a presentation on
data protection issues in telecommunications, to be discussed
at a meeting of
the International Commissioners’ Working Party immediately following the
Forum. [A separate report on this
meeting wil be in the next issue —
Editor].
Stephen Lau is Privacy Commissioner for Hong Kong and Nigel Waters
(watersn@zip.com.au) is a consultant on
fair information practices and Associate Editor of PLPR.
AustLII:
Copyright Policy
|
Disclaimers
|
Privacy Policy
|
Feedback
URL: http://www.austlii.edu.au/au/journals/PrivLawPRpr/1998/36.html