An Overview of the Principles Established by the APEC Privacy ...

International Privacy Framework198019952004OECD GuidelinesRepresent internationalconsensus on the basicrules governing theprotection of personaldata and privacyEU Directive95/46/ECEnsure the free movementof personal data betweenMember States in theEuropean CommunityAPEC PrivacyFrameworkPromote a consistentapproach to informationprivacy protection as ameans of ensuring the freeflow of information in theAsia Pacific region3

International Privacy FrameworkA Common Theme“… . were very aware of the impactof automatic data processing (newtechnologies) upon personal dataprivacy and of the need to sustainthe economic value of informationby ensuring the transfer of data”4

APEC Privacy Framework: Development1998 APEC Blueprint for Actionon Electronic Commerce“The potential of electronic commerce could not be realized withoutgovernment and business cooperation to develop and implementtechnologies and policies, which build trust and confidence in safe,secure and reliable communication, information and delivery systems,and which address issues including privacy, security and consumerprotection.”5

APEC Privacy Framework: Milestones1998 APEC Ministers endorsed Blueprint1999 ECSG established2002 Mapping exercise on data protection approachesFeb 2003 Data Privacy Subgroup establishedMar 2004 Consultation draft Framework releasedNov 2004 APEC Leaders endorsed Framework6

APEC Privacy FrameworkPart IPreamblePrinciples-basedPrivacy FrameworkSets Sets out out the thefocus focus and andobjectivesPart IIScopeMakes Makes clear clearthe the extent extent of ofcoveragePart IIIInformationPrivacy PrinciplesIncludescommentaryon on PrinciplesPart IVImplementationGuidance on onmatters matters of ofimplementation7

APEC Privacy Principles: Focus“APEC economies realize the key part of efforts toimprove consumer confidence and ensure thegrowth of electronic commerce must becooperation to balance and promote both effectiveinformation privacy protection and the free flow ofinformation in the Asia Pacific region”… …Part I - Preamble“The perceived value and benefits of e-commerce has become the drivingforce behind the quest to seek compatibility in privacy development”8

APEC Privacy Principles: Objectives– To develop appropriate privacyprotections for personal information– To prevent the creation of unnecessarybarriers to information flows– To enable multinational businesses to implement uniform approachesto the collection, use and processing of data– To facilitate both domestic and international efforts to promote andenforce information privacy protections“It encourages compatibility yet it respects the different cultural, social,economic requirements that exist within member economies”9

APEC Privacy Principles: Scope• The principles should be interpreted as awhole rather than individually as there isa close relationship among them• Balancing privacy rights and the publicinterest– Not intended to impede governmental activitiesauthorized by law– Allow exceptions to the principles that suitparticular domestic circumstances10

APEC Privacy Principles: Application• Applies to information about living individuals– Personal information in connection with domesticaffairs are excluded– Limited exclusion to “publicly availableinformation”• Applies to persons or organizations in thepublic and private sectors– who control the collection, holding, processing oruse of personal information– Organizations acting as agents for others areexcluded from compliance11

APEC Information Privacy Principles1 Preventing Harm2 Notice3 Collection Limitation4 Use of PersonalInformation5 Choice6 Integrity of PersonalInformation7 Security Safeguards8 Access & Correction9 Accountability12

APEC Privacy Principles: RelationshipUse ofPersonalInformationPersonal Information ControllerCollectionLimitationIntegrity ofPersonalInformationChoicePreventingHarmAccountabilityNoticeSecuritySafeguardsAccess andCorrection13

APEC Information Privacy PrinciplesPrinciple 3 – Collection Limitation• This provides for the lawful and fair collection of personalinformation that is relevant to the purposes of collection, and whereappropriate, with notice to, or consent of, the individual concerned.Principle 4 – Use of Personal Information• This limits the use of personal information to fulfilling the purposes ofcollection and other compatible or related purposes.Principle 5 – Choice• This provides, where appropriate, for individuals to be providedwith mechanisms to exercise choice in relation to the collection,use and disclosure of their personal information.15

APEC Information Privacy PrinciplesPrinciple 6 – Integrity of Personal Information• This provides that personal information should beaccurate, complete and kept up-to-date to the extentnecessary for the purpose of use.Principle 7 – Security Safeguards• This requires appropriate security safeguards to beapplied to personal information that are proportional tothe likelihood and severity of the harm threatened, thesensitivity of the information and the context in which itis held.16

APEC Information Privacy PrinciplesPrinciple 8 – Access and Correction• This provides for individuals to have rights ofaccess to their personal information, tochallenge the accuracy of the information and,as appropriate, to request correction of suchinformation.Principle 9 – Accountability• This requires a personal information controller to be accountable forcomplying with measures that give effect to the Principles. Whentransferring personal information, reasonable steps should be taken to ensurerecipients protect the information in a manner consistent with thesePrinciples.17

Concluding Remarks• Observations presented reflect our understanding in thecourse of Subgroup discussions• Agreements are reached by open dialogue and consensus• A credible instrument that honours culturaldiversities and accords due regard to regionaldifferences – an essential ingredient in ensuringbroad-based acceptance and lasting utility• More work to be done18