Asia-Pacific data privacy laws: model corporate privacy principles

Corporations that operate in and collect or process personal data in  Asia-Pacific countries need to have comprehensive privacy policies addressing these countries’ data privacy laws. Is it possible to create a single policy that achieves such a broad coverage? The answer is yes, but Asia, unlike Europe, does not have broad regional directive requiring member states to enact local data privacy laws conforming to certain principles. Instead, Asia has only the APEC Privacy Framework (2005) that provides voluntary guidance that may inform the passage of local statutes. Therefore, corporations must consider the specifics of each country’s statutes and how these protect local information. Fortunately, Asia privacy laws to date are more similar than dissimilar in the principles they follow. This article will first review the principles of the APEC Privacy Framework and then compare the Asian countries’ privacy laws to those APEC principles. From this, a model set of corporate privacy principles will then be suggested, to provide a single privacy framework that corporations can implement and use for all of the countries throughout the  Asia-Pacific region where they do business.

Asia-Pacific Economic Cooperation (APEC) is a forum for facilitating economic growth, trade, cooperation and investment in the Asia-Pacific region. Its member countries are Australia, Brunei Darussalam, Canada, Chile, People’s Republic of China, Hong Kong, Indonesia, Japan, Republic of Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, the Philippines, Russia, Singapore, Chinese Taipei (Taiwan), Thailand, the U.S. and Vietnam. APEC members have endorsed a framework for the use of personal data based on a single set of principles. The framework encourages “the development of appropriate information privacy protections ensuring the free flow of information in the  Asia-Pacific region.” It is generally consistent with the Organisation for Economic Cooperation and Development’s (OECD) 1980 Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data (collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation and accountability).

:

(P1): To individuals from the wrongful collection and misuse of their personal information.

(P2): The controllers of personal information should provide clear statements about their practices and policies, before or at time of collection.

(P3): Information should be lawfully collected and only if relevant to the purpose of collection.

(P4): The only exceptions to the use of the information being different than the purpose of collection is if consent is given by the individual or to provide a product or service the individual requested, or if required by law.

(P5): The individual should be given a choice on the collection, use and disclosure of their personal information.

Integrity of Personal Information (P6): Data should be accurate, complete and up to date.

(P7): Controls should prevent unauthorized data access, loss, use, modification or disclosure and be proportional to these risks and information sensitivity.

Access and Correction (P8): Individuals should be able to access and correct their personal information, unless the burden of doing so is disproportionate to the risk for legal or corporate compliance reasons or to not compromise another individual’s privacy.

(P9): The information controller is accountable and must ensure personal information transferred to a third party is protected in accordance with these principles.

The table on page 12 maps the privacy laws of the Asia-Pacific countries against the APEC Framework and each other. The numbers refer to the local privacy statute’s designated principles (P) or articles (A) that may be similar to but not necessarily the same as the privacy principles in the APEC Framework. The similarities may exist only at a high level, as each country’s privacy law has its own unique and often subtle detail-level differences.

Of the member states that have privacy laws, the five most developed at this time are in New Zealand, Japan, Australia, Hong Kong SAR and Singapore (although Singapore’s is based on voluntary compliance). South Korea and Taiwan also have well-developed privacy laws, but are limited in application to specific industries or government. Macao SAR has the most recently implemented statute and perhaps the most comprehensive. Many Asian countries find privacy as a constitutional right and then have laws addressing narrower legal aspects. For example, India, Indonesia and Vietnam have privacy provisions in their e-commerce laws (India is not a member of APEC but clearly a major Asian country). Mongolia has had the Law on Personal Secrecy (Privacy Law) since 1995. Other countries in Asia such as Malaysia, the Philippines, and Thailand are expected to enact new privacy legislation soon, but all have been working towards privacy protection for some time. Thailand has had a privacy law since 1997 that applies only to the government, while the Philippines has had model privacy provisions for corporations, and Malaysia’s current legislation is based on a draft from 2001. (As of the submission of this article, Malaysia had just tabled the Personal Data Protection Bill. This bill contains seven privacy principles: general (consent, collection, usage), notice and choice, disclosure, security, retention, data integrity and access.)

Mainland China has no single statute for data privacy, but it does have a number of constitutional protections for personal dignity and privacy of correspondence and civil statutes covering privacy of personality and reputation. It also has privacy regulations related to the management of computer information networks, criminal privacy sanctions and provincial consumer protection regulations. A comprehensive data protection law has been in development for the last several years, most recently based on an “experts” version, which included the principles of lawfulness, protection of rights, balancing of interests, information quality, information security, and duties. This may or may not be the basis for any ultimate legislation in China.

New Zealand was the first country in the region to have a full privacy statute, the Privacy Act of 1993. Revisions are currently being considered to protect cross-border movement of data and align its rules with the EU’s data protection regimen. The 12 current principles are:

(P1): Must be for a lawful purpose related to the function of the information collector (called an “agency”) and be necessary.

(P2): Information should be collected directly from the individual, unless the individual consents, will not be prejudiced, will not be identified or if already publicly available or for legal or other governmental reasons.

(P3): The information collector should provide the individual certain information, including purpose, recipients, access and correction before collecting, unless any of the exemptions from Principle 2 apply.

(P4): Must not be unlawful, unfair, or unreasonably intrusive to the individual’s personal affairs.

(P5): Security safeguards must be in place to prevent against loss or unauthorized access, use or modification.

(P6): An individual must be able to access his/her personal information.

(P7): An individual may request, and the agency may on its own initiative or upon request, correct information or, if it will not correct the information, attach a statement to the information of correction sought.

(P8): The agency should ensure the information is accurate, up to date, and complete before use.

(P9): The agency is not to retain personal information longer than needed for the purpose for which it was collected.

(P10): To the purpose for which it was collected, unless the individual consents, will be not prejudiced, will not be identified, is already publicly available or for legal or other governmental reasons.

(P11): To those for the purpose for which it was collected or to the individual, unless the individual consents, will be not prejudiced, will not be identified or for legal or other governmental reasons.

(P12): Agencies must ensure that they do not assign identifiers unless necessary and only for an individual with a clearly established identification.

The Japanese Act on the Protection of Personal Information of 2003 protects the rights and interests of individuals and their personal data held by businesses. The basic rules are set forth in the following articles:

(A15):  The business handling personal information has to specify the purpose and scope of use.

(A16): The business cannot go beyond the scope of the purpose of utilization without the consent of the individual, except if necessary for personal safety, public health or children’s welfare, or when pursuant to law.

(A17): The business must obtain personal information by lawful and non-deceptive means.

(A18): The business must notify the individual when the information is acquired or its purpose changed, except when it is clear from the circumstances or for the safety or other rights of the individual, a third party or the business, or if compromising compliance with the law.

(A19): The personal data (personal information in a database) must be kept accurate and up to date.

(A20): The business has to implement proper security controls to prevent loss, leakage or destruction of the personal data.

(A21): The business has to exercise appropriate supervision over its employees who handle personal data.

(A22): The business has to exercise appropriate supervision over its third-party delegates who handle personal data.

Restriction of Provision to a Third Party (A23): Personal data cannot be provided to third parties, except if the individual consents or for the individual’s safety, children’s welfare, public health or compliance with laws, or when the individual can opt-out. Outsourcing personal data that achieves the purpose (e.g. payroll outsourcing) is not to a third party.

(A24): The business must notify the individual of certain information, including the purpose of utilization.

(A25): The business must disclose a person’s data if requested by the individual, unless it may affect the personal safety or rights of the individual, third parties or the business, or violate any laws. The individual must be notified of any refusal.

(A26): The individual may request changes to his/her personal data to correct it, and the business must make such changes

(A27): When an individual requests termination of use of improperly collected or transferred data, the business must do so unless burdensome.

(A28): The business has to explain its refusal to not honor requests by an individual concerning his/her personal data.

The Federal Privacy Act of 1988 (as revised and applied to private businesses in 2001) specifies 10 National Privacy Principles (NPPs) that apply to most businesses and healthcare providers. The states and territories also have privacy laws. The NPPs are:

(P1): Information must be collected only from the individual (or from a third party if individual is notified), must be necessary to the organization’s functions, done in a lawful and fair manner and must give notice to the individual.

(P2): Personal information must not be used for a secondary purpose unless the individual consents; it is not sensitive and for direct marketing within specific limitations (e.g. opt out); if health statistical information; to prevent threats to personal or public health or safety, or when pursuant to law.

(P3): The organization must ensure that data collected is accurate, complete, and up-to-date.

(P4): The organization must use reasonable steps to avoid loss or unauthorized access, modification or disclosure of data and to destroy or de-indentify personal information that it is no longer using.

(P5): The organization must openly state how it manages, collects, uses, and discloses personal information, what type and for what purpose it has the information.

(P6): The organization must provide an individual access to the information, except if negatively impacting health, safety, the execution of laws or litigation. It must take reasonable steps to make information more accurate when requested to do so and provide the reasons for not doing so.

(P7): The organization must not use the identifier of another agency or disclose such information.

(P8): Individuals can choose to not identify themselves when entering transactions with an organization.

(P9): Personal information can be sent to a foreign country only if the recipient follows similar privacy principles, if consent is obtained or for performance of a contract that individual is party to or is in their interest.

(P10): Sensitive information must not be collected, unless consent is given, is required by law or for a legal claim or the person has serious health issues and cannot consent by themselves, or for certain statistical research.

The Personal Data (Privacy) Ordinance of 1995 sets out six Data Protection Principles, plus limits on automated reporting, direct marketing and external data transfers (not yet started).

(P1): Data should be collected in a lawful purpose and manner, directly related to the purpose of collection, and notice of specified information should be given to the individual.

(P2): Steps should be taken to ensure data is accurate and not kept any longer than necessary.

(P3): Data must be used for purposes directly related to collection, unless consent is obtained from the individual.

(P4): Steps must prevent unauthorized access, use or loss.

(P5): Data user has to make available information about his/her policies and procedures, the information held and main purposes thereof.

(P6): Individual has a right to access and correct his/her data.

As of August 2009, Hong Kong sought comment on an additional 12 proposed principles. Many of these deal with penalties or enforcement, but the following are more substantive.

(Proposal 1): Limits on the handling of sensitive personal data.

Regulation of Data Processors and Subcontractors (Proposal 2): Either through statue or contract, data processors/subcontractors must follow the same rules as initial data users.

(Proposal 3): Individuals must be notified on loss or leakage of their personal data. This is initially intended to be voluntary.

The Model Data Protection Code for the Private Sector is a voluntary privacy framework which has ten model principles:

(P1): Any data transferred to a third party for processing must adhere to these principles and the organization must implement appropriate policies and procedures to maintain accountability.

(P2): The purpose for which the data is collected must be documented and communicated to the individual before collection.

(P3): Collection, use and disclosure of personal data requires the advanced, voluntary consent of the individual, except in cases such as where it is not possible and clearly benefits the individual, where the personal or public health or safety is impacted or when required or allowed by law. Consent may be withdrawn at any time.

(P4): Collection is limited to data collected by fair and legal means needed for the purpose of processing, except if consent or for health or safety.

(P5):  Without consent or other stated exceptions, data must not be used or disclosed to a third party for other purposes and will only be retained as long as necessary to fulfill the purpose under which it was collected.

(P6): Personal data should be accurate, complete and up to date and collected directly from the individual.

(P7): Appropriate controls must protect personal data from unauthorized access, modification, disclosure or loss, including during authorized destruction of data.

(P8): Organizations should disclose their policies and procedures about managing personal data.

(P9): An individual should have the ability to access his personal data and request corrections thereof and organizations must notify the individual if they refuse to make such corrections and state the reasons why, if not a valid exception.

(P10): Organization must have people and processes for dealing with complaints and investigate all complaints.

The Act on Promotion of Information and Communication Network Utilization and Information Protection of 2001 protects the personal information of consumers held by certain industries. The number of industries subject to this law is in the process of being greatly expanded by the government. The key privacy articles in the local law are:

(A22): User consent in advance is required to gather personal information, and the collector must provide certain details to the user.

(A23): Only information related to the proposed services should be collected, not sensitive data.

(A24): Personal information should not be used without consent unless it is de-indentified.

(A25): If the processing is delegated, the information provider must so notify the user and still remain liable for any work done.

(A26): Users must be notified if personal data is obtained in a business transfer and the new corporation becomes responsible for the data.

(A27): This person is responsible for protecting user data and handling complaints.

(A28): The provider must take the requisite technical and administrative steps to protect the personal information.

(A29): Service providers can destroy the data after they have completed the purpose for which it was gathered.

(A30): The user may withdraw his/her consent at any time and the provider must then appropriately destroy the personal information. The use may also request that his/her personal information be corrected, and the provider must do so.

The Computer-Processed Personal Data Protection Law of 1995 protects the processing of personal data in certain kinds of industries. The key privacy articles in this law are:

(A6/A18): Collection and use must be in good faith and not in excess of the scope necessary, and for a particular purpose and based on consent, contract or in the public domain or for research not impacting the individual.

(A12): By the individual unless an exception applies.

(A13): Personal data must be accurately maintained and be corrected if the user requests and should be deleted when purpose is complete.

(A15): Must occur within a fixed time limit.

(A17): Staff must be appointed to prevent personal data from being stolen, altered, destroyed, or disclosed.

(A19-A21): Companies must be registered to collect and process personal data and provide certain information about it, such as the purpose, scope, retention period, collection methods and safety plans, and publish this in newspapers.

(A23): Use beyond the specific purpose is allowed only with the individual’s consent, for personal or public health or safety or injury to the rights of third parties.

(A24): May be restricted if the receiving country does not adequately protect the personal data.

The Personal Data Protection Act of 2005 protects the processing of personal data. The significant privacy articles, many unique to Asia (as they are based on Portuguese law), are:

(A5): Personal data must be collected for a specific, legitimate purpose; kept accurate; processed lawfully and in good faith, and retained no longer than necessary

(A6): Personal data may be processed only with consent or if for contractual, legal compliance or public interest reasons.

(A7): Is prohibited, unless consent is obtained, it is required by law or for legal claims of individual, for medical treatment or in public interest,

(A9): Requires approval from statute or a public authority.

: The individual has the following rights:

(A10): About the data controller, the purpose of the processing, rights of access and other information.

(A11): To know which information is being processed, notification of any information that requires rectification and then blocking or rectification thereof.

(A12): At any time to use of a person’s data about him/her, including for use in direct marketing and for use by third parties.

(A13): The individual can choose not to be subject if the decision was based solely on the automated processing of data evaluating personal aspects of him/her, unless allowed by law or contract.

(A15): The controller must take appropriate measures to ensure the personal data against unlawful access or loss, including transmission over networks. This also applies to any third party who is performing the processing for the controller.

(A16): Controllers of sensitive data must ensure physical security and control media access, personal data input, use and access and data transmission, and separate personal and sensitive data and encrypt transmissions.

(A18): Controllers are bound by secrecy, even after functions end.

(A19-A20): Must be only to jurisdictions with appropriate levels of protection, unless consent is given or for performance of a contract, in the public interest or the vital interests of the individual.

To create a single corporate privacy policy that addresses all of the current privacy laws in Asia, the following 20 privacy principles must be included. In addition, proposed local Asian law revisions and selected provisions in use elsewhere (e.g. the EU and U.S.) have been included to anticipate the need for such provisions and create a comprehensive list

The number of privacy laws in Asia is large and getting larger, with a number of new statutes or revisions expected in 2010. As this article has shown, the differences between the current Asian privacy laws are far fewer than the similarities, as most countries adopt the same key core principles, with the biggest differences in covered entities and enforcement of the statutes. That is not to say that new or revised domestic laws in the region will follow the same rules, but trade with Europe and the Americas and their existing privacy regimes may provide a guide to the limits of any future changes. Additionally, the results from the APEC Privacy Sub-group’s Pathfinder projects may provide additional guidance on new principles. In any case, this is a very dynamic area of the law, and corporate privacy officers and counsel will need to frequently revisit their privacy policies to ensure that their corporations stay in compliance with the changing privacy rules in all the Asian countries where they do business.