A Critical Framework
When we embarked on this research, we had estimated that exogenous forces would lead to the establishment of faulty privacy law. Even with the noblest of intents, governments would pass laws to, for instance, abide by European legal requirements, but would then not implement the necessary regulatory facilities to give life to the new law. Or, the resulting laws would be driven by security and international concerns, and will not enhance consumer protection and human rights standards. Indeed, we have found that this was certainly the case as laws were being proposed to protect Europeans' data in Asia, but not necessarily enhancing the rights of Asian citizens.
We therefore propose the following Framework to assess policy-issues as they arise, as we are now certain that these issues are near the top of the policy agendas in a number of countries.
Is privacy in the constitution, e.g. Thailand, or is it left to be interpreted into the constitution, as is the case in India and Malaysia? In the latter case we need to prepare legal analyses to strategise how privacy could be made to fit into the constitutional framework of Asian countries. This could be a comparative study of the constitutional protections in the region, including the latest jurisprudence.
Even constitutional rights need to be given life, otherwise they are merely words. We therefore need a critical assessment in each country of the obstacles in raising constitutional challenges on privacy grounds. Are there legal societies who take on such cases? What have been the experiences to date?
Finally, if there are constitutional grounds for privacy in a given country, can this situation be advanced to require legal protections? In some countries, including the Philippines, the constitutional right to privacy has led to the right to habeus data which requires further legislation to enable this right. Similarly, the right to informational privacy, through data protection law, is seen as a consequence of constitutional rights in some countries. Can this situation be adapted to Asian countries?
Legal Protections and Informational Privacy
As some countries in the region are moving towards implementing data protection laws, we must critically assess each proposed law. Apart from whether the law applies to the outsourcing industry or grants rights to national consumers and citizens as well, are the laws sufficiently robust? What are the definitions of 'personal information', are there qualifications of 'harm', how powerful is the regulator, what are the exemptions, how powerful are the complaints mechanisms? Most importantly, does the law cover both the private sector and the public sector or only one?
We can continue to build on our experiences around the world on data protection laws, and we will continue to monitor APEC, OECD, and European policy processes, to work with industry and regulators around the world to better understand how to deal with the new challenges of technology and globalisation.
Communications Surveillance and Cybercrime Laws
We have seen the steady increase in communications surveillance and cybercrime laws in the region. Often these laws are introduced as laws that are entirely consistent with the practices around the world. We are uniquely positioned to assess whether this is truly the case.
In the case of laws that require access to communications content, i.e. voice, emails, etc., we must be able to assess the authorisation and oversight procedures. That is, are they independently authorised and overseen by an independent body to prevent against abuse? Are there mechanisms to limit abuses? Are there restrictions on privacy-enhancing and security-enabling technologies like encryption?
In the case of laws that enable access to communications traffic and transaction logs, similar questions still apply. Additional questions arise, however, including: what qualifies as 'content' or 'traffic'? and will this require the collection of new information that organisations do not currently collect? These are key determinants of the level of invasiveness, and in turn, the level of independent authorisation and oversight that is required.
The answers to these questions are likely to be of interest to industry organisations as well, as they will be the recipient of orders and warrants to gain access to information held on their computer systems. This requires further analysis of the relationships between the telecommunications companies and the government. For instance, we've recently seen how in the UAE a telecommunications firm released spyware to Blackberry users -- was this at the request of the government or in the interests of the mobile phone company?
We continue to see the spread of new identity systems in the region. Some countries already have advanced identity systems, such as in Malaysia, and they have troubling components that must be further studied. Other countries are keen to embark on new large-scale systems, as we have seen in India and the Philippines. Soon all countries will implement international standards on biometric passports, though as we have seen in Europe, the diversity of 'compliance' is surprising. That is, in some countries highly centralised databases of fingerprints are being developed (e.g. UK and the Netherlands) while such systems would be illegal in others (e.g. Germany).
With our partners at the London School of Economics and Political Science, we have already devised a framework to study identity policy proposals that look at a variety of issues such as political risks, technological challenges, feasibility issues, costs, and civil liberties implications. We will need to apply this framework to the existing, new, and proposed systems as they arise so as to inform the policy development and deployment processes of the privacy risks therein.
Similar critical questions can be applied to privacy issues in other policy domains that we have seen arise across the region, including
- Health and Genetic Privacy (are patients' records protected adequately by law and technology? what is the nature of patient consent?)
- Media Privacy and Protection of Journalistic Sources (are individuals protected against abuse by the media? are journalists sources and records protected against search and seizure laws?)
- Marketing and Advertising (can individuals consent to online and telephone advertising? what is the nature of that consent? how is it communicated?)
- Privacy as a Political right (are there privileged relationships in society to protect the political and legal systems against abuse by the government? are governments limited in their powers to monitor political and religious activities? can individuals participate in protests without undue interference?)
- Consumer protections and consumer rights (are consumers adequately protected and informed of their rights? is the regulator or legal body that protects consumers adequately empowered?)
- Advanced surveillance regimes involving personal information (with the growth of the surveillance sector and anti-terrorism policies, are there sufficient legal safeguards against abuse?)
amongst a myriad of others that we have been able to identify in our reviews.