APEC Privacy Framework: Facilitating Business and Protecting Consumers Across the Asia-Pacific
Malcolm Crompton and Peter Ford, who consulted with APEC's Electronic Commerce Steering Group to draft the APEC Privacy Framework, explain why the APEC Privacy Framework is so important.
Under what context was the APEC Privacy Framework developed?
There is widespread recognition that a widely accepted and practical international standard of privacy protection is needed if e-commerce is to flourish.
In 1998, when endorsing the 1998 Blueprint for Action on Electronic Commerce, APEC Ministers acknowledged that the potential of electronic commerce cannot be realized without government and business cooperation "to develop and implement technologies and policies, which build trust and confidence in safe, secure and reliable communication, information and delivery systems, and which address issues including privacy...". The lack of consumer trust and confidence in the privacy and security of online transactions and information networks is one element that may prevent member economies from gaining all of the benefits of electronic commerce.
Following workshops in Mexico in 2002 and Thailand in 2003, APEC Ministers endorsed the need to develop APEC data privacy principles. These principles are designed to help APEC economies to develop privacy laws and regulations that achieve a balance between effective privacy protection and the continuity of cross-border information flows, thus promoting electronic commerce.
What are the global implications for the Privacy Framework?
The Framework has been drafted with the social conditions of APEC economies in mind and should take its place with other international instruments of this type without any suggestion of displacing them. Hence the APEC Privacy Framework incorporates a set of data protection principles that will be familiar to any multinational business that deals with personal data. However, the Framework also breaks new ground by moving away from the current dominant model that relies on the quarantining of personal data within a nation or region in order to protect individual rights. The Framework's recognition that such quarantining can only be marginally effective in a highly globalized and networked age is of great significance for both international business and consumers.
By shifting the emphasis from quarantine to enforcement at all points in the "data chain", the Framework has the potential to both ease the burden of regulatory compliance for businesses and to enhance real-world consumer data protection.
Why is the Framework important to the public?
Privacy is as important to the public as it is to e-commerce. Indeed, the two are totally inter twined. If the public do not trust e commerce, including for what it may do to personal information about them, then e commerce will not reach its full potential.
As more and more personal information is collected used and disclosed, an increasing proportion will flow across borders. This occurs for many reasons, including business process outsourcing; goods or services being sourced in another economy; or the growing need by law enforcement and national security officials for greater cooperation between governments and their agencies.
The public expect that the protection of their personal information not be compromised by such developments. The level of protection should remain the same whether personal information about individuals stays in the home economy or moves or is accessed somewhere else, no more; no less.
Why is the Framework important to business and to government?
E-commerce is important to business and to government. It's in both of their interests to encourage the development of the information economy, which will only reach its full potential if privacy is effectively protected internationally.
APEC Ministers recognized this in 2003 when they stated that the objective of the Framework was to "achieve a balance between effective privacy protection and the continuity of cross-border information flows, thus promoting electronic commerce".
This objective operates at two levels - domestically and internationally. For economies that do not have in place a privacy framework but wish to introduce one, the APEC principles offer a 'boiler plate' starting point. Just as importantly, the global response to concerns about privacy protection has been a plethora of privacy laws around the world that while similar, are sufficiently different from each other that compliance is becoming a considerable burden.
Economies that do not see a domestic need to introduce a privacy framework have concluded that lack of such a framework is potentially an impediment to them offering safe processing of personal information as an export offering.
What do the nine principles of the Framework represent?
The Framework was not developed in a vacuum but in the light of the 1980 OECD Guidelines and the changes that have occurred in the environment since that time. More principles were considered but these represent the consensus.
The generally accepted approach to a privacy framework is to provide guidance to each step in an 'information life cycle', as epitomized in the OECD framework and many others. Thus privacy principles address the collection of personal information (limiting collection to that relevant for the job on hand, collecting by lawful and fair means etc), storing personal information (keeping it secure, accurate, up to date), using and disclosing it (limiting it to the purpose for which it was collected unless further consent is obtained), ageing the data, letting individuals obtain access to information held about them and have errors corrected, etc.
Will the framework and principles protect people's privacy and make their online transactions easier?
There is ample evidence that consumers have low levels of trust in many forms of online commerce. They have good reason to do so. At present, if personal information about them is misused outside the economy in which they live, the process of obtaining redress is difficult, time consuming and expensive. This can limit their willingness to do business except with very trusted international brands like large airlines or big international hotel chains.
A simple, enforceable framework that is comparable across borders will help address this concern for consumers.
The importance of practical privacy protection has been uppermost in the Electronic Commerce Steering Group's consideration of the Framework. Easier online transactions are something for business to work on but the Framework should assist by recognizing the imperatives of electronic commerce.
In order to have an impact, the principles must be implemented, including ways of ensuring that 'accountability follows the data' in a way that is effective and simple for individuals to gain redress when mistakes happen. This will require cooperation between regulators in individual economies or some other mechanism such as a trust mark process that can operate across borders in an effective way. When this happens, individuals in APEC economies will notice the difference - they will have nothing more to worry about when information about them is moved to or accessed in participating economies than if the information stayed within their own economy.
Given the individual privacy protections, how will the Privacy Framework help business?
E-commerce is still in its early stages and effective privacy protection is a prerequisite to it reaching its full potential, with consequent benefits to individuals, business, and economies.
The second potential benefit for business is a more homogeneous approach to enforcing privacy principles between economies. As noted earlier, compliance with a plethora of privacy principles is becoming a compliance nightmare for businesses that operate in more than one economy. The idea expressed in APEC privacy principle 9 is that 'accountability follows the data', in other words the protection does not either drop off or increase with the movement of the personal information between economies.
Some examples illustrate the benefit to business.
Different economies have different rules about when personal information can be used for direct marketing. The 'home' economy in which the consumer resides may have rules that allow direct marketing for purposes related to the original purpose of collecting the personal information (e.g. to offer an upgrade of service or to offer to replace an out-dated item) but require consent to use the information for marketing that is not related to the original purpose of collection (for example to market an entirely unrelated product range). Under the APEC privacy framework, this is the set of rules that would apply to the personal information, wherever it happened to be in economies participating in the APEC framework, even if the other economies might require consent for any direct marketing for personal information originally collected in those other economies.
Another very important example is access by individuals to information collected about them. Some economies allow a very broad right of access while other economies allow access under much more limited circumstances. If the 'home' economy allowed restricted rights of access, then those are the rules that apply to the information even if it moves to another participating APEC economy. Importantly, the opposite applies too - transferring the data to another economy also does not reduce the original right of access either.
How will economies go about implementing the Privacy Framework? Where is it most needed? How will it improve the business environment there? What progress remains for all economies to implement it?
The Framework will have effect in those economies which implement it and to the extent that they implement it. The ball is in their court. APEC's 'pathfinder' procedure allows for flexibility and a staged approach in implementation.
Implementation measures will vary as between economies and the steps that are required in any particular economy can only be determined by that economy. Some assistance in domestic and international implementation has been provided and more may be available if required.
Against this background, economies are still working through this part of implementing the framework. In all likelihood, though, some economies will take the lead in implementing the framework. Some economies like Hong Kong, Japan, Korea, Canada, Australia, and New Zealand have broad based privacy frameworks in place while the US has a number of sectoral approaches in place and also uses its general consumer protection law to protect privacy. These economies are also likely to take the lead in implementing the APEC Privacy Framework. Other economies will take longer for various reasons.
Business and consumers will need to be aware of this gradual change. It will not be a 'big bang'.
How will the Framework be introduced to member economies, business and to the public at large? How will people be informed about the Framework?
The framework does not mandate any particular method of domestic implementation. Thus the Framework is designed to accommodate whatever method a member economy believes is appropriate to its circumstances. These may include "legislative, administrative, industry self-regulatory or a combination of these methods under which rights can be exercised."
The Framework urges member economies to work with relevant non-government stakeholders in implementing the Principles, including representatives of the consumer and business communities, as well as privacy advocacy groups. Finally, member economies are urged to implement programs to educate consumers about their rights under data protection instruments, and to assist personal data controllers in understanding their obligations under those instruments.
The two implementation seminars organized by APEC in 2005 recognized these points and were aimed at helping key players in economies consider ways in which they could implement the framework at the domestic and international level.
Technical Assistance Seminar on Implementation of APEC Privacy Framework: Domestic Implementation Issues, Hong Kong, June 2005
Technical Assistance Seminar on Implementation of APEC Privacy Framework: International Implementation Issues, Gyeongju, September 2005
Malcolm Crompton is Managing Director of Information Integrity Solutions and was federal privacy commissioner of Australia 1999 2004. Mr. Ford is a consultant on privacy and security. He was a senior Government official in the Attorney General's Department of Australia before retiring recently. He also chaired the ECSG Privacy Working Group and was instrumental in drafting the APEC Privacy Framework.