International Privacy – some myths exposed

September 1, 2008

Australian business needs to recognise its own interests in international privacy protection and take a more active part in the debate.

The recent partial endorsement by the Australian Law Reform Commission of the APEC approach to privacy protection of personal information that crosses national borders (see media statement of 11 August 2008) is likely to enliven public discussion of options for international privacy protection. Already, Chris Connolly has published a critique of APEC’s accountability principle under which the exporter of personal information remains accountable for its privacy protection.[1] It is this principle that, subject to some qualifications, has been adopted in the privacy report of the Australian Law Reform Commission.[2] One of the qualifications is that the exporter should not be accountable where the laws of the receiving jurisdiction are rated as ‘adequate’. Rating is to be done by the Australian Government which, under current administrative arrangements, means Senator Faulkner supported by the Department of the Prime Minister and Cabinet. Thus, the concept of ‘adequacy’, which derives from the European Union’s Privacy Directive, enters by the back door.

The Connolly article conveniently summarises the arguments put forward in public commentary on the APEC Privacy Framework. As the former chair of the working group that drafted the Framework, it appears to me that there are three underlying arguments, repeated in the Connolly article, that should not go unchallenged – that implementation of the Framework would be more burdensome than the EU approach, that the EU approach is the only valid one and that the Framework merely reflects the dominance of US business.

APEC and the EU

‘Business compliance under the APEC Privacy Framework is complex. Domestic compliance is not affected at all – so the focus is on cross-border compliance.

Unlike the EU there is no mechanism in APEC for the provision of model contract terms as a mechanism to assist business compliance. During the early development of the APEC Privacy Framework there was some discussion of developing model contract terms, but this is no longer on the agenda.’[3]

These statements introduce the discussion of compliance under the Framework after an analysis of EU requirements. That analysis does acknowledge the complexities inherent in some of the EU processes such as the registration requirements and Binding Corporate Rules but points out that they are optional and can easily be avoided by the simpler recourse to model contractual terms. To some extent this is true, as has been attested by the ready recourse to such terms by Australian business, but, where personal information is transferred within a corporate group, the Binding Corporate Rules approach is the appropriate process and it has involved excessive bureaucracy, cost and delay.

In recognising cultural differences between APEC members and the diversity of the region, the Framework allows for different methods of implementation within an economy. The independent regulator model is only one form. Japan, for example, vests responsibility in the various ministries. It may be that more than one method of implementation may also be required at the international level. This is a major difference from the EU where member states are, of course, much more closely integrated and at similar stages of economic development, even allowing for the recent EU expansion.

There is, moreover, a very simple answer to the contention that the APEC processes are burdensome – i.e. if current implementation work should turn out to be less effective than is hoped, the Framework does not preclude the adoption of another process, including the use of model contractual terms similar to those of the EU. Recourse to contractual provisions is also available under the ALRC recommendation. Connolly’s criticisms of APEC’s approach of developing ‘Cross Border Privacy Rules’ with some kind of accreditation process may identify real weaknesses in the current work agenda but its successful completion, while it would be very useful, is not essential to implementation.

However, it would be misleading to leave this issue without pointing out that Cross Border Privacy Rules is only one of a number of APEC privacy projects. If it is successful, it will lead to a ramping up of international privacy protection rather than a ‘lowest common denominator’ approach. Other project work, being led by the Australian Deputy Privacy Commissioner to improve co-operation among regulators should also significantly contribute to meeting this objective.

EU approach – the true path?

‘Indeed, in the entire 6,323 words of the APEC Privacy Framework there is not a single mention of Europe, the EU Directive, or any European laws, despite their dominant position in the global privacy landscape.’[4]

If the APEC Privacy Framework should acknowledge the status of the 1995 EU Directive, should not the Directive also acknowledge the 1980 OECD Privacy Principles? The international organisation that is a more suitable partner for APEC is the OECD and cooperative arrangements between the two are already well established. For example, APEC’s work to improve co-operation among regulators complements work initiated in the OECD on common complaint forms. The OECD includes in its membership virtually all EU member states and seven APEC economies – the US, Canada, Mexico, Japan, Korea, Australia and New Zealand.

The suggestion that APEC member economies should sign the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, originally put forward by Graham Greenleaf,[5] would require them to adopt the adequacy approach in their domestic laws.

Deference to the EU is even more pronounced in other articles e.g.

‘It is possible that an APEC member state, for example, Australia or New Zealand, could develop rules compliant with European Directive standards. But other member states could use the Framework’s flexibility to implement a minimalist approach to privacy compliance that falls very far short of what would be deemed an “adequate level of protection”.’[6]

One might respond, ‘so what?’ Given the past performance of the EU Article 29 Working Party and of the Commission in assessing the adequacy of other countries’ laws, such a result would not be surprising.

A more balanced assessment of the comparative merits of the APEC and EU models is contained in a recent article by Nigel Waters (also referenced in the Connolly article) although it too remains wedded to the adoption of an ‘adequacy assessment process’:

‘If the APEC Framework is to achieve its objective of removing barriers to the cross border flows of personal information, there is no escaping from the need, ultimately, for an ‘adequacy assessment’ mechanism similar to the EU Directive’s Article 29 & 31 Committee processes.’[7]

In my view, such deference to the EU is entirely unwarranted. The members of APEC’s drafting committee brought a range of views to the table but nobody argued for anything like the ‘adequacy’ approach of the EU Directive. That is not to necessarily suggest any antagonism to the EU but simply that the task ahead of us was to develop something appropriate to the Asia Pacific region, not Europe. Two of the countries represented in the drafting group, the US and Canada, already had an ‘adequacy’ rating from the European Commission and some others, including Australia, were interested in securing one. There is nothing in the Framework that would affect, one way or the other, a national policy on this matter.

Australia’s attitude to the EU Directive, so far as the previous government was concerned, was made clear by the previous Attorney-General, Daryl Williams, at the International Data Protection and Privacy Commissioners’ Conference in Sydney in September, 2003.[8] While discussions between the European Commission and Australia remain confidential, it is clear from such public statements that the process of assessing ‘adequacy’ is a contentious one. Some of the Commission’s objections on points of detail were founded on interpretations of Australian law that were disputed by Australia’s first law officer, the Attorney-General. Of course, that does not necessarily mean that the European Commission’s view of Australian law was wrong but it is, at the very least, unusual to be told by a foreign agency that the law of your country does not mean what you or your Attorney-General understand it to mean. The use by the Commission of Australian consultants does not remove this problem as it simply transfers a domestic difference to the international arena.

The ALRC’s suggested ancillary use of an ‘adequacy’ assessment process by the Australian Government is likely to involve similarly contentious issues. If the Government accepts this recommendation, it may wish to consider requiring reciprocity.

Although perhaps not unique, the EU approach is unusual in international law. More commonly, states party to an international instrument, while accepting some level of international accountability through reporting arrangements, make their own judgments as to their compliance. An example is provided by the arrangements for observance of the International Covenant on Civil and Political Rights (of which privacy is one).

Having participated in many meetings with the Commission in Brussels, my own view of the EU process is that it is a triumph of form over substance. The list of ‘adequate’ jurisdictions, Argentina, Canada, Guernsey, Isle of Man, Switzerland and the US ‘Safe Harbor Scheme’, illustrates the point. Can anyone seriously suggest that Argentina’s privacy protection is superior to Australia’s or, even more clearly, New Zealand’s? What aspect of ‘US Safe Harbor’ could not be implemented under Australia’s privacy and commercial laws – even with current exceptions? Of course, in the case of the US, size does matter and the ‘Safe Harbor’ scheme would clearly not be recognised in respect of any other country.

Dominance of US business

‘The key motivation for the development of the APEC Privacy Framework appears to stem from US business concerns regarding compliance with the EU Directive, and concerns regarding the potential expansion of the EU approach to other jurisdictions. These concerns coincided with growing interest in the US in the concept of enterprise-wide corporate privacy laws.

Although this is not the sole motivating factor, and many other countries participated in the development of the APEC Privacy Framework, it is unlikely that the Framework would exist without the influence of US business interests.’[9]

Although this may be a reasonable assessment, it is a ‘glass half empty’ argument (assuming US business to be the enemy – an assumption not shared by the author). It suggests a degree of dominance by US business of its own and other governments that is, in my view, a slight on the very significant contributions to the Framework by other delegates including, in particular, those representing Japan, Canada, Hong Kong, Korea, New Zealand and, of course, the US Government itself. The Framework is, after all, an agreement among governments. It would be equally true to say, for example, that the Framework would not exist if it were not for the participation of particular APEC economies such as Japan. The reference to a ‘US/APEC’ approach is unwarranted and completely ignores the fact that nobody got everything they sought and every delegation, including the US, made concessions in order to achieve consensus.

The contention is supported by some statements of a private law firm[10] but, whatever claims may be made by particular private sector organisations, the development of the Framework was undertaken at Australia’s initiative and led by Australia.

Moreover, the assumptions that the US lacks any privacy law and that US business is against regulation are simply false. There are many privacy laws in the US at both State and Federal level and some surveys have shown consumers to be more satisfied with the degree of privacy protection in the US than in Europe. A number of US companies have also called for more legislation. The frequently expressed suspicion that the real purpose of the Framework is to stop the development of national privacy laws is, and always was, nonsense. The Framework deals with domestic, as well as international, implementation and the APEC Data Privacy Sub-Group continues to hear regular progress reports from member economies on the development of their domestic legislation. Interest in privacy law within APEC continues to grow. Of the 21 member economies, 16 are now participating in the Cross-Border Privacy Rules pathfinder project. This indicates a striking level of support for the APEC approach.

While any defence of business, particularly US business, invites charges of naivety from privacy advocates, it is not a matter of ascribing altruistic motives to commercial activities but simply of recognising that all business organisations need to pay close attention to the concerns of their customers. Arguments of this kind generally resolve into claims that people do not value their privacy highly enough and need special interest groups to protect their interests. There may be some validity to this argument but Australian business also needs to recognise its own interests in international privacy protection and to take a more active part in the debate.

As finalised, the APEC Privacy Framework is better than the drafts advanced by any particular delegation, including Australia’s, and deserves to be discussed on its merits with reference to the social and economic context of the region without European spectacles. It was always recognised that its implementation would be difficult and would take time. It is too early to say whether this will lead to some kind of convergence with the EU approach but it seems more likely that the Framework’s utility will lie in its regional focus and that each APEC member will continue to seek its own accommodation with the EU.

Peter Ford is a Visiting Fellow at the ANU College of Law with responsibility for coordinating the law internship program. He has also carried out a number of reviews relating to information sharing in security, law enforcement, privacy and immigration and has provided advice on identity issues.

The author thanks Mr Colin Minihan, Chair of the APEC Privacy Subgroup, for his helpful comments on drafts of this paper.

[1] ‘Asia-Pacific Region at the Privacy Crossroads (2008)’, Chris Connolly, Galexia

[2] see discussion at

[3] Chris Connolly, op.cit. p. 17

[4] ibid. p.20

[5] ibid. p.11

[6] Pounder C, ‘Why the APEC Privacy Framework is unlikely to protect privacy’, 15 October, 2007, p.2

[7] Waters N. The Asia Pacific Privacy Initiative – a new route to effective data protection or a Trojan horse for self-regulation, June, 2008, p12

[8] keynote speech by Australian Attorney-General, Daryl Williams, QC at Data Protection and Privacy Commissioners’ Conference, Sydney, 10-12 September, 2003

[9] Chris Connolly, op.cit. p. 7

[10] ibid. p. 7