Over an 18 month period, we actively participated in the APEC process on privacy. We participated in meetings in Singapore and Lima. The meetings were held to progress implementation of the APEC Privacy Framework and Principles (adopted 2004).
The APEC Privacy Framework is a set of nine principles to regulate the protection of privacy. According to legal experts at Pinsent and Masons,86 the principles are enforced by a diffuse regulatory framework. Countries that sign up to the Framework must establish an enforcement mechanism, but this does not require a Privacy Commissioner by any means, and in fact the regulator can be very weak. Therefore, the criticism of the APEC principles is that they are weaker versions of international privacy principles within OECD guidelines and European conventions, and will not resolve the problem of adequately protecting European citizens' data.
Civil society must continually engage with APEC on these issues to remind Asia-Pacific governments of the need for higher standards (e.g., limits on retention, no exception to due diligence and responsibility under the accountability principle, notice requirements re: foreign outsourcing) and the potential value of the APEC process in improving cross-border enforcement of both legislation and self-regulatory standards.
Despite early misgivings, civil society acknowledges that it is now formally stated by APEC that there is no intention to undermine the requirement to comply with domestic privacy laws, some of which set higher or more specific standards than the APEC privacy principles, which should be seen as a minimum ‘floor’. The civil society view is that the APEC principles are not sufficient to stand alone as the body of a law for any regional economy.
The existence of the APEC Privacy Framework does not seem to be deterring economies from considering legislative options, with Peru, China, Thailand and the Philippines all reporting in Lima that they are well advanced with the introduction of an information privacy law. In fact, we found that the lack of data protection laws constitutes a trade barrier. At one of the APEC meetings the Peruvian government announced that it had placed data protection law on the fast track in order to attract more call centre operations. Of course the content of those laws is critical, and we should be prepared to argue for higher standards in each country, as needed.
There is a clear consensus, now also repeatedly stated, of the importance of stakeholder consultation, including with civil society, both at the international level and in domestic economies. In this spirit, there was significant overt support, and no formal objection, to our application for guest membership at the Privacy Subgroup. Regrettably one economy is understood to have objected and because APEC operates on a consensus basis, our application has been turned down. Our rejection has caused problems for the entire APEC process, and much consternation amongst other APEC members.
Given APEC’s focus on trade and economic growth, we are constantly advised that privacy should be presented as a consumer protection and trust issue rather than as a human rights/civil liberties, but while we recognise that APEC must necessarily focus on privacy as consumer protection, civil society cannot resile from its position that privacy protection is also about human rights. In particular, the transfer of personal data from the economic realm to the political realm is a genuine concern – no economy will give up its sovereign right to legislate for access to personal data held within its borders, and this must therefore be a relevant consideration for any other economy assessing the level of privacy protection.
Several participants in the APEC process continue to emphasise 'cultural differences' in relation to information privacy, often as a reason for not wanting to go down the path of comprehensive privacy legislation. We contend that this need not detract from the common ground of privacy as a universal human right, and our experience is that there is a common interest in and understanding of information privacy and personal data protection amongst citizens and consumers in all economies.
We have reported extensively on the APEC workshops on our website, and look forward to participating at future workshops to continue to represent civil society and the interests of consumer protection and human rights.
Both the APEC Framework and Galway Process show that we still need to better articulate the need for and interest in privacy so that governments can recognise that this is not just a matter of promoting trade, but rather a key protection for citizens and consumers. We also need to participate more at the international level, or else international standards will be established without adequate input from all stakeholders.