Home | Databases | WorldLII | Search | Feedback Privacy Law and Policy Reporter

Lau, Stephen; Waters, Nigel --- "Bringing the region - Asia Pacific Forum meets in Hong Kong" [1998] PrivLawPRpr 36; (1998) 5(1) Privacy Law & Policy Reporter 14

• Country reports
• The EU Directive
• A view from the US
• The role of international standards
• Privacy Enhancing Technology — P3P project
• Telecommunications Privacy

Bringing the region together — Asia Pacific Forum meets in Hong Kong

Stephen Lau and Nigel Waters

Privacy Commissioner Stephen Lau hosted a meeting of a new Asia Pacific Forum on Privacy and Personal Data Protection on 13 and 14 April this year (the first such Forum was arguably that held by British Columbia Commissioner David Flaherty in Victoria BC in January 1996). Attending the Hong Kong meeting, in addition to Lau and Flaherty, were Privacy Commissioners Bruce Phillips (Canada), Moira Scollay (Australia), and Bruce Slane (NZ) as well as representatives from Japan, South Korea and Singapore. A number of guests attended for specific sessions.

Bruce Slane outlined the objectives of the forum — to provide opportunities for an exchange of views; to debate on some of the privacy issues that delegates were facing in their jurisdictions and to encourage other Asian countries to address privacy issues.

Country reports

Points of particular interest from country reports were:

Canada

• In Canada, following the January 1998 federal Electronic Commerce Task Force Discussion Paper The Protection of Personal Information, a draft bill for regulation of the private sector is expected later this year.
• The Canadian Government has also legislated for the usage of DNA evidence in law enforcement, eg to allow the Police to collect and retain DNA samples.

Hong Kong Special Administrative Region (SAR)

• In Hong Kong, a total of 15,973 enquiries and 305 complaint cases had been received by the Privacy Commissioner as at the end of March 1998.
• The PCO has so far issued two codes of practice — on consumer credit and on personal identifiers; and guidelines on transborder data flow, cold calling, internet privacy and human resources.
• There have been eight cases where the Privacy Commissioner had found a breach of the law but where the Secretary for Justice decided not to prosecute. These cases had served to arouse public awareness on privacy and sent a clear message to the public that the PCO would institute action against any organisations contravening the Ordinance.

Japan

• Japan has implemented various measures on the protection of personal data, including legislation to protect the highly confidential information in specific sectors such as personal credit data, medical care and lawsuits.
• In a joint government/business initiative, a system of granting privacy-protection marks has been introduced from 1 April 1998. This includes the establishment by the Ministry of International Trade and Industry (MITI) in February 1998 of a Supervisory Authority for the Protection of Personal Data, to monitor the granting of privacy-protection marks to businesses by the Japan Information Processing Development Center (JIPDEC), and compliance with privacy standards.

Singapore

• Singapore has no data protection law, and currently relies on law of contract, law of confidence and statutory bars to provide data protection;
• A policy group, chaired by the Attorney General, is examining the impact of EU Directive to see if it could rely on EU’s exemptions to facilitate data flow; and considering if there is a need to have a data protection regime and if so, whether legislation or codes of practice should be adopted;
• The Singapore government has a one stop shop service concept which shares a common pool of relevant data.

South Korea

• In 1996, the Korean government announced a plan to introduce ‘electronic resident cards’ by 1998. The envisaged resident card would contain 41 items of personal information about the holder and function as a driver’s certificate, medical insurance card, national pension certificate, seal, fingerprints and resident register. The plan was later withdrawn due to strong opposition from various social groups claiming that it constituted an intrusion into the privacy of people.

New Zealand

Key points in the current review of the Privacy Act, being undertaken by the Commissioner, include:

• in spite of a claim by the ‘data users’ of high compliance costs the review is finding little evidence of significant costs;
• there are concerns about the lack of ‘plain English’ in the Privacy Act;
• because of the increasing workload of the Privacy Commissioner’s Office, the possibility of giving the Privacy Commissioner discretion to refuse investigation of trivial complaints was being explored;
• the need to ensure ‘adequacy’ under EU Directive — particularly in relation to controls on transborder transfers;
• support for some controls on the administration of public registers through the Public Register Privacy Principles in the Act.

The EU Directive

Dr Ulf Bruhann from DGXV of the European Commission presented a paper entitled ‘The EU Data Protection Directive and its Impact on flows of Personal Data between the European Union and the Asia Pacific Region’. He made several key points:

• European experience has shown that a general framework of rules with legally binding force together with a supervisory authority is the most effective way of providing a clear and stable regulatory framework for business together with the necessary safeguards for individual rights.
• It is wrong to conceive of such a legal framework as bureaucratic and bad for business. Many data protection obligations (for example, to keep data accurate and up-to-date) are consistent with good, sensible data management.
• In the new and potentially enormous market for electronic commerce services, consumer anxiety about the absence of effective protection of their privacy online is now seen as a major barrier to growth.
• The possibility of an international data protection and privacy standard is being examined by a working group of ISO. [see below and Private Parts in this issue — Editor]. Independent external verification is one means of fostering greater consumer confidence in the privacy protection provided by a company.
• The EU was having exploratory talks with the US, and the initial view is that the self regulation approach being developed in the US did not appear to meet the ‘adequate protection’ test.
• Subject to availability of resources, the EU was willing to assist any trading partners to develop appropriate laws or bilateral agreements to promote data protection.

Nigel Waters reported on the project he is involved in for the European Union on testing a methodology for assessing adequacy of data protection in third countries (see (1997) 4 PLPR 141).

A view from the US

Russell Pipe of the Global Information Infrastructure Commission presented his views on ‘Elements of Effective Self-Regulation for Protection of Privacy’. Key points included:

• data privacy has become an issue in the context of electronic commerce, and it does not involve other kinds of privacy;
• the EU Directive on Data Protection was a motive to prompt the US to give thought to protection of privacy;
• unlike the European approach, the Clinton Administration appeared to support private sector efforts to implement self-regulatory regimes to protect privacy;
• the private sector in the US claimed privacy was a new issue which should not be rushed;
• the US Congress appeared to favour self-regulation and was not keen to introduce any new legislation on privacy;
• in the absence of legislation and the establishment of an enforcement authority, the ‘contractual’ approach of self-regulation could be an ‘empty shell’ and might not meet the adequacy test of the EU directive.

The role of international standards

Elizabeth Longworth, who represents NZ on the International Standards Organisation’s COPOLCO Working Group on Privacy explained the current ISO initiative. [see Private Parts in this issue for an update — Editor].

• The working group’s task was ‘To advise the Technical Management Board on the desirability/practicality of ISO undertaking the development of International Standards relevant to the protection of personal information, and, if so, to recommend a future course of action’.
• The group had reported to the TMB in January 1998, but also requested an extension until June 1998 — Ms Longworth appealed for support for the development of an ISO standard, but acknowledged that there was a lot of scepticism about the need for such a standard, particularly from those who take the view that voluntary codes cannot work, and that legislation together with an enforcement authority is necessary.

Privacy Enhancing Technology — P3P project

Joseph Reagle, from the World Wide Web Consortium, gave the Forum a brief introduction to the Platform for Privacy Preferences (P3P) project, which aims to facilitate the ‘registration’ of Internet users’ privacy preferences such that they can then be respected by Internet service providers and traders.

Telecommunications Privacy

Dr Alexander Dix, the Deputy Commissioner for Berlin, gave a presentation on data protection issues in telecommunications, to be discussed at a meeting of the International Commissioners’ Working Party immediately following the Forum. [A separate report on this meeting wil be in the next issue — Editor].

Stephen Lau is Privacy Commissioner for Hong Kong and Nigel Waters (watersn@zip.com.au) is a consultant on fair information practices and Associate Editor of PLPR.