Five Years of the Apec Privacy Framework: Failure or Promise?
Computer Law & Security Report, Vol. 25, pp. 28-43, 2009
23 Pages Posted: 16 Mar 2012
Date Written: June 30, 2009
The APEC Privacy Framework was developed from 2003, adopted by APEC in 2004 and finalised in 2005. It was intended as a means of improving the standard of information privacy protection throughout the APEC countries of the Asia-Pacific, and of facilitating the trans-border flow of personal information between those countries. In 2007 a number of ‘Pathfinder’ projects for cross-border data transfers were launched under the Framework. In the five years since the process commenced, what has it achieved, and what is it likely to achieve? This paper argues that the APEC Privacy Framework has had many flaws from its inception, including Privacy Principles that are unnecessarily weak, and no meaningful enforcement requirements.
Five grounds of criticism of the Principles are put forward: (i) Weaknesses inherent in the OECD Principles; (ii) Further weakening of the OECD Principles; (iii) Potentially retrograde new Principles (The only new principles, ‘Preventing harm’, ‘Choice’ and the ‘Due diligence in transfers’ aspect of the Accountability principle, while capable of benign interpretations, carry inherent dangers and have little to recommend them); (iv) EU compatibility is ignored; and (v) Regional experience is ignored. The APEC Principles therefore do not represent any objective ‘consensus’ of existing regional privacy laws, unless it that of the lowest common denominator of every set of Privacy Principles in the region.
In relation to enforcement, Part IV exhorts APEC members to implement the Framework without requiring any particular means of doing so, or any means of assessing whether they have done so. No means of assessment have yet been developed. The APEC Framework is therefore considerably weaker than any other international privacy instrument in terms of its implementation requirements, and its practices.
Since its adoption in 2004, little attempt has been made to encourage its use as a minimal standard for privacy legislation in developing countries (which might have been useful), and it is having little impact on the significant number of legislative developments now taking place.
Instead, the ‘Pathfinder’ projects seem to be developing toward a generalised version of the US ‘Safe Harbor’ scheme. What is known of the Pathfinder projects leaves many questions unanswered, such as what standards for data transfers they aim to implement; whether compliance with all of APEC’s own Privacy Principles will be required; and how ‘Accountability Agents’ will be accredited. Consumer input into APEC’s privacy processes has been belated and ad-hoc but business influences omnipresent. Despite these flaws, APEC could still play a useful role in the gradual development of higher privacy standards in Asia, provided its priorities are re-oriented. The major developments in Asian privacy protection are likely to come from elsewhere, including other regional groupings, and attractions of standards originating in Europe. The paper concludes with suggestions for other directions.
Keywords: APEC, Asia-Pacific, data protection, privacy, data privacy, Asia
Suggested Citation: Suggested Citation