Malcolm Crompton and Peter Ford


The Asia-Pacific Economic Cooperation forum comprises 21 economies around the Pacific Ocean, including very significant economies such as the United States, Canada, China, Japan, South Korea, Australia and others. APEC Ministers have endorsed an APEC Privacy Framework.

The Framework is a different document from the EU Privacy Directive. While the Framework is likely to be compared to the EU Privacy Directive, the Framework has key differences in Principles 1 and 9.

APEC Principle 1 extends the concept of proportionality that permeates a lot of thinking in the design of EU frameworks. In particular, it extends the concept of proportionality of redress ("let the punishment fit the crime") so that it also gives guidance to regulators in focusing their activities. To put it another way, the principle is nothing more than an explicit recognition of the reality that most organizations, regulators or otherwise, have limited resources at their disposal and have to prioritize. The key will be to ensure an appropriately broad approach to the concept of "harm," in particular ensuring it extends beyond immediate harm measurable only in financial terms.

Principle 9, though, is the most important difference between the APEC Privacy Framework and the EU Directive. In effect, the APEC Privacy Framework is saying that "accountability should follow the data." Once an organization has collected personal information, it remains accountable for the protection of that data — even if it changes hands or moves from one jurisdiction to another. The Directive instead focuses on border controls — in particular, whether the data is moving from one jurisdiction that has "adequate" data protection to another that has "adequate" protection.

This paper records the first steps in implementing the Framework, which took the form of two implementation seminars.  



The adoption by APEC Ministers of Part A of an APEC Privacy Framework in November 2004 was a significant milestone in international privacy policy development. A staged approach to the development of privacy protection regimes, and a culture of continuous improvement and innovation, is implicit in the language and structure of the Framework itself.

It is worth noting the terms in which Ministers endorsed the Framework in 2004:

"Recognizing the importance of the development of effective privacy protections, which avoid barriers to information flows, to continued trade and economic growth in the APEC region, Ministers endorsed the APEC Privacy Framework and the Future Work Agenda on International Implementation of the APEC Privacy Framework."

Two points should be made about this statement.

First, it clearly locates APEC privacy policy within the context of electronic-commerce policy and a perceived need to avoid constructing barriers to information flows.

Secondly, Ministers endorsed a continuing program of work to implement the Framework. In partial fulfilment of this goal, the Electronic Commerce Steering Group of APEC carried out two seminars in 2005: the first, dealing with domestic implementation, in Hong Kong in June; and the second, dealing with international implementation, in Gyeongju, South Korea, in September.


First seminar — Domestic Implementation
Some 90 delegates represented 15 APEC economies at the seminar.

The conference was hosted by the Hong Kong Privacy Commissioner's Office and the papers are available at: www.pco.org.hk/english/infocentre/apec_ecsg1_2.html. The focus of this first seminar was on applying the general language of the APEC Privacy Framework, whether through legislation or other means, by APEC economies. It was recognized at the outset that some economies have had privacy protection in place for several years while the subject is new to others.

Mapping the Environment
The Preamble to the Framework notes Ministers' endorsement of APEC's 1998 Blueprint for Action on Electronic Commerce and their references to the need to "build trust and confidence in safe, secure and reliable communication, information and delivery systems, and which address issues including privacy... ." References to aspects of globalization, the core values of the OECD's 1980 Privacy Guidelines, and the need to consider law enforcement imperatives also are included.

The seminar began with a survey of the environmental changes affecting privacy policy that have occurred in recent years. Two particular changes that were noted were the potential benefits offered to both business and consumers by the growth of electronic commerce and the new global security environment following the events of Sept. 11, 2001. Discussion of the Privacy Principles was introduced through a general overview from the perspective of policymaking, regulation and business practices. An intensive workshop on particular hypothetical cases based on actual experience drew from the collective experience of those economies with privacy regimes. They dealt with issues of general concern to APEC economies such as direct marketing, the security of, and access to, records of personal information, the collection of personal information, the disclosure of personal information in public emergencies, the refusal of services where such refusal is related to privacy issues, remedies for privacy breaches and the interplay between privacy and law enforcement.

The need to hold discussions with relevant bodies about implementation of the Framework, including law enforcement and security agencies, is referred to in Part IV (Part A — Guidance for Domestic Implementation).

Ways of undertaking consultation on the domestic implementation of the Privacy Principles were outlined and analyzed in detail. For example, it was noted that, while it is important to maintain transparency, in some particular circumstances it might be more appropriate to hold closed meetings to receive confidential information.

Australia's domestic consultation was highlighted as an example of the kind of steps that policy-makers may wish to consider.

Public/Private Cooperation
The Framework exhorts economies to engage in dialogue between the public and private sectors. Attendees learned about Thailand's experience of the cooperation between public and private sectors, and the work of the Global Business Dialogue and other businesses that supported government initiatives.

Educating and Publicizing
The Framework emphasizes the need to seek the cooperation of non-government entities, to notify individuals of their rights and to educate personal information controllers and individuals.

Attendees heard details of the Hong Kong Privacy Commissioner's measures to promote effectiveness, efficiency and ethics in public education and to measure the results. Businesses and regulators discussed their efforts to develop short privacy notices to advise consumers of their rights. Consumer representatives spoke of the need to ensure that tools to promote privacy are "consumer friendly."


The Framework urges economies to adopt an appropriate array of remedies for privacy violations. There was a discussion of the effectiveness of particular remedies with an emphasis on the experiences of economies with privacy regimes, particularly Korea with its focus on Alternative Dispute Resolution, and the United States, with its detailed legislation in specific areas of commerce.

The Framework briefly provides for economies to prepare "Individual Action Plans" for reporting purposes.

It was noted that the Framework provides a structure for reporting. There were brief outlines offered on the experience of Mexico and the Philippines in developing privacy law in the context of electronic commerce.

Second seminar — International Implementation
Fifteen economies were represented by about fifty delegates. The Korean Institute for Electronic Commerce and other government agencies hosted the seminar. The papers are available at: www.apec.org/content/apec/documents_reports/electronic_commerce_steering_group/2005.html#SEM.

Identifying the Problems
The seminar commenced with a "hypothetical" devised to highlight the difficulties of applying privacy principles in an environment in which business transactions involve several economies. The sessions that followed analyzed the problems in applying the principles in this environment. The issues were further explored in a series of case studies dealing with direct marketing, the collection of personal information, the operation of international call centers, the uses of personal information, alternative dispute resolution and the difficulties in opting out of the receipt of promotional material.

It soon became clear that the regulatory mechanisms required for the protection of privacy in an international context need further development.

From the perspective of some regulators, chief among the problems was the perceived lack of authority to cooperate with their counterparts in other economies. From the perspective of business, a major concern was the need for regulators to consider that, in the context of electronic commerce, customer service may involve the storage of data simultaneously in a number of countries as well as the need to access it from business centers in different countries over an extended period. These developments may make the idea of limiting point-to-point data flows obsolete. It would be difficult to even track the movement of data — let alone regulate it.

Scoping Solutions
The themes that emerged were based on a generally accepted conclusion that accountability mechanisms were more effective in international privacy protection than cross-border restrictions.

The first theme focused on the need to reach out to all stakeholders to improve awareness and understanding of the APEC Privacy Framework in both business and wider civil society circles. Some outreach is already under way through the International Association of Privacy Professionals and other bodies. Possible new activities might include education and training programs, the provision of new resource materials, continued regional workshops, seminars and opportunities for interchange of ideas and expertise. The second theme addressed the issue of cooperation between regulators for the purposes of information sharing, investigation and enforcement. The use of Memoranda of Understanding and existing cooperative arrangements also might prove useful against the background of the Framework.

The third theme involved the development of mechanisms to apply the APEC Privacy Principles to regional cross-border transfers of information. Some particular objectives relevant to this aspect are:

  • Facilitating accountable transfers of information so as to maximize the benefits to business and the consumer;
  • Enabling consumers to seek redress locally and easily through cooperative arrangements between regulators; and
  • Allowing businesses to use information as needed for their purposes consistent with the APEC Privacy Principles and local legal requirements.

Consolidation of data processing into global systems carries many advantages but it also presents a number of challenges for the management of privacy practices. The need to comply with different legal systems is addressed through an internal governance framework, but the need for the framework arises out of modern business practices. Complex issues of accountability arise from variations in standards among economies.

This is an important point. The more that internal governance frameworks and processes can be demonstrated to be effective, the less the work that will be expected of regulators and the simpler compliance will become. Indeed, implementation of the Framework in businesses with strong internal-governance frameworks could be built on internal-governance procedures supported by strong external assurance, for example, through independent audit, with formal regulation an approach of last resort. While this approach may not be appropriate for all businesses, it may be an excellent way of demonstrating the impact of the Framework at an early stage.

Indeed, failures of internal governance in the APEC region over the last year have led to calls for increased regulation that likely will result in some consequences. Responsible business can show that this need not be necessary, but it will have to lead by strong example.


The second seminar in particular worked on surfacing the implications of ensuring that "accountability follows the data" effectively and explored options for doing so. Seminar participants made a very promising start in addressing these issues.

They also discovered that there is still work to be done, to assure individuals that their data is safe even if it moves around the region outside their own economy — all while not making it too difficult for businesses to operate. Within current legal frameworks, effective and more explicit cooperation between regulators is almost certainly the key.

The next steps are likely to include further seminars to help economies address implementation issues. APEC already has allocated funding for another seminar hosted by Vietnam.

Importantly, though, work will have to start soon on putting in place actual measures to ensure that "accountability does follow the data." Privacy authorities attending the second seminar indicated that they were willing to look at establishing cooperative arrangements to meet this goal, for example on how to address consumer complaints that involve more than one economy. Hopefully, significant progress will have been made through 2006 on this front. With the increasing interest in business-process outsourcing and increasing consumer concern about the security and privacy of personal information in at least some economies such as the U.S., doing nothing is unacceptable.

Malcolm Crompton and Peter Ford are consultants to the Electronic Commerce Steering Group of APEC for the two privacy implementation seminars APEC commissioned in 2005. Crompton also is Managing Director of Information Integrity Solutions Pty Ltd, www.iispartners.com. Ford formerly chaired the APEC Privacy Sub-Group and is now a privacy and security consultant based in Canberra, Australia. He can be reached at pford@pcug.org.au.


