Towards a Privacy Framework
When we began our research, we postulated that privacy was likely to rise on the agenda in Asian countries. Our research over the past 18 months has confirmed this.
There is an emerging state of privacy awareness amongst key policy constituencies in the region, and a thirst for more information to inform ongoing and upcoming policy deliberative processes. There are a number of policy drivers for privacy law and safeguards. As with other policy arenas they can be categorized as constitutional, economic, international, and security.
Many countries have the constitutional right to privacy. Although some constitutions do not have specific privacy protections, High Courts have been establishing this right through jurisprudence. Similarly, we found that in Asia over the past ten years there have been a few court decisions involving privacy. Jurisprudence is giving life to the words in constitutions and now policy-makers must make sense of the ramifications of these decisions. As we have seen in other countries, judicial decisions can be far-reaching and can lead to expansive privacy protections. For instance, in many countries the jurisprudence emerging from the constitutional right to privacy led to data protection law protecting the processing of personal information in the public and private sectors. While we have been able to review the jurisprudence developments in some countries, in particular India and in part in the Philippines, additional research is required on other recent court decisions.
In the 1990s the drive towards electronic commerce led some countries to consider data privacy laws to enhance consumer confidence. This led to an incredible expansion of privacy laws around the world. Asia has been slower to move in this direction, but it is certainly picking up the pace. For instance, a recent analysis of the Malaysian situation has asked the question as to why a Personal Data Protection Bill, drafted in 1998, remains in limbo. Our initial research has shown that there is much movement on the ground in these countries to implement 'ICT laws'.84 For instance in the Philippines there are strong pushes for a Cybercrime law; in India and Bangladesh there have been laws to promote Freedom of Information. We found research from industry that identified a number of security and information policy laws across the region.85 We also found a number of data protection initiatives, including in the Philippines, India, Pakistan, and Thailand; but they often lacked the political support that was necessary, or were weak laws established with the hope of satisfying U.S. and EU stakeholders only, and not national consumers and citizens.
Governments are realising that if they wish their economies to enjoy the benefits of global dataflows they must look to adopt data privacy laws. Without adequate laws in Asia, European Union law prevents the flow of customer information to Indian call-centres or Taiwanese data warehouses. Meanwhile, APEC is promoting weaker privacy standards that would introduce little consumer protection for Asian consumers, though they would enable continued outsourcing arrangements and international trade. This is therefore a key opportunity to promote stronger privacy protections now that international companies and APEC have opened the debates. We have been participating at the international level, in cross-Atlantic initiatives, OECD and international regulatory debates, and we have found that there is a thirst in these policy processes to know more about Asia. The reality is that Asians are given a voice only by their governments, who often focus only on trade-enhancement, and by industry players who report to the international arena that Asians are not interested in privacy. We have been able to inform some of these policy processes with our research, but the reality is that the real research on cultural attitudes to privacy remains to be done.
The drive to combat international crime and terrorism has led to an expansion of surveillance laws around the world, and particularly in Asia. Governments are introducing some limited safeguards within a legal vacuum and these minimalist safeguards are often the only actionable legal protections. Further work is required to assess any proposed safeguards and compare these with others around the world to identify weaknesses and opportunities. For instance, travel surveillance and financial surveillance laws are spreading in breadth due to international and regional agreements. Similarly, identifications laws are spreading despite prior constitutional protections, as we have seen with renewed discussion in the Philippines. We found that the security agenda was certainly strong, particularly after each security threat that emerged over the past 18 months. In each case, however, we were able to inform stakeholders of the experiences in other countries, the limitations of proposed policies and approaches, and, in some circumstances, how what they had perceived as an 'international standard' was in fact not an international standard. For instance, we found that a number of 'Cybercrime laws' that were purported to be based on the Council of Europe Convention on Cybercrime had very little in common with the convention, and in fact were dramatic increases in governments' powers, e.g. the Pakistani Cybercrime ordinance includes data retention and the death penalty, two issues that the Council of Europe was emphatic in its deliberations about preventing.