Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Asia-Pacific privacy forum meets in Hong Kong [1998] PLBIRp 7; (1998) 44 Privacy Laws and Business International Report 10

Asia Pacific Privacy Forum meets in Hong Kong

Edited report by Stephen Lau & Nigel Waters

PRIVACY COMMISSIONER STEPHEN LAU hosted a meeting of a new Asia Pacific Forum on Privacy and Personal Data Protection on the 13th and 14th of April in Hong Kong.

Also attending the meeting were Privacy Commissioners Bruce Phillips (Canada), Dr. David Flaherty

(British Columbia, Canada), Moira

Scollay (Australia), and Bruce Slane

(New Zealand) as well as representa- tives from Japan, South Korea and Singapore. A number of guests attended specific sessions.

Bruce Slane outlined the objec- tives of the forum – to provide opportunities for an exchange of views; to debate some of the privacy issues that delegates were facing in their jurisdictions and to encourage other Asia Pacific countries to address privacy issues.

COUNTRY REPORTS

Points of particular interest were:

Canada

Following the January 1998 Federal Electronic Commerce Task Force dis- cussion paper The Protection of Personal Information, a draft bill for regulating the private sector is expect- ed later this year.

The Government has also legislat- ed for the use of DNA evidence in law enforcement, for example, to allow the police to collect and retain DNA samples.

Hong Kong Special

Administrative Region (SAR)

In Hong Kong, a total of 15,973 enquiries and 305 complaint cases had been received by the Privacy Com- missioner by the end of March 1998.

The Privacy Commissioner’s Office

(PCO) has so far issued two codes of practice – on consumer credit and on personal identifiers; and guide- lines on transborder data flows, cold calling, Internet privacy and human resources.

There have been eight cases where the Privacy Commissioner found a breach of the law, but where the Secretary for Justice had decided not to prosecute. These cases served to arouse public awareness on privacy, and sent a clear message to the public that the PCO would take action against any organisations contraven- ing the Privacy Ordinance.

Japan

Japan has implemented various meas- ures on the protection of personal data. There is legislation to protect highly confidential information in specific sectors such as personal credit data, medical care and lawsuits.

In a joint government / business initiative, a system of granting privacy-protection marks was intro- duced from 1st April 1998. This includes the establishment by the Ministry of International Trade and Industry (MITI), in February 1998, of a Supervisory Authority for the Protection of Personal Data to mon- itor the granting of privacy-protection marks to businesses by the Japan Information Processing Development Center (JIPDEC), and to monitor compliance with privacy standards.

Singapore

Singapore has no data protection law, and currently relies on the law of contract, the law of confidence and statutory prohibitions to provide data protection.

A policy group, chaired by the Attorney General, is examining the impact of the EU Directive to see if Singapore could rely on the EU’s exemptions to facilitate data flow. The group is also considering whether a data protection regime is needed, and if so, whether legislation or codes of practice should be adopted. The Singapore government has a one stop shop service concept, which shares a common pool of relevant data.

South Korea

In 1996, the Korean government announced a plan to introduce ‘elec- tronic resident cards’ by 1998. The envisaged resident card would contain

41 items of personal information about the holder, and would function as a driver’s certificate, medical insur- ance card, national pension certificate, seal, fingerprints and resident register. The plan was later withdrawn due to strong opposition from various social groups claiming that it consti- tuted an intrusion into the privacy of individuals.

New Zealand

Key points in the current review of the Privacy Act, being undertaken by the Privacy Commissioner, include:

• In spite of a claim by data users of high compliance costs, the review is finding little evidence of significant costs.

• There are concerns about the lack of

‘plain English’ in the Privacy Act.

• Because of the increasing workload of the Privacy Commissioner’s Office, the possibility of giving the Privacy Commissioner discretion to refuse investigation of trivial complaints was being explored.

• The need to ensure adequacy under the EU Directive – particularly in relation to transborder transfers.

• Support for some controls on the administration of public registers through the Public Register Privacy Principles in the Act.

THE EU DIRECTIVE

Dr Ulf Brü hann from DGXV of the European Commission presented a paper entitled The EU Data Protec- tion Directive and its Impact on flows of Personal Data between the Euro- pean Union and the Asia Pacific Region. According to Dr Brü hann, European experience has shown that a general framework of rules which are legally binding, together with a supervisory authority, is the most effective way of providing a clear and stable regulatory framework for busi- ness together with the necessary safeguards for individual rights. It is wrong to conceive of such a legal framework as bureaucratic and bad for business. Many data protection obligations, for example, to keep data accurate and up to date, are consistent with good, sensible data management. In the new and poten- tially enormous market for electronic commerce services, consumer anxiety about the absence of effective protec- tion of their privacy on-line is now seen as a major barrier to its growth. The possibility of an international data protection and privacy standard is being examined by a working group of the International Standards Organisation (ISO).The EU is now having exploratory talks with the United States of America, and the initial view is that the self-regulation approach being developed in the US did not appear to meet the “adequate protection” test. Subject to availabili- ty of resources, the EU is willing to assist any trading partners to develop appropriate laws or bilateral agree- ments to promote data protection.

Nigel Waters reported on the project he is involved in for the European Union on testing a methodology for assessing adequacy of data protection in third countries.

A VIEW FROM THE UNITED STATES Russell Pipe of the Global Infor- mation Infrastructure Commission presented his views on Elements of Effective Self-Regulation for Protection of Privacy. Key points included the following:

• Data privacy has become an issue in the context of electronic commerce.

• The EU Directive on Data Pro- tection has motivated the USA to consider the protection of privacy.

• Unlike the European approach, the Clinton Administration appears to support private sector efforts to implement self-regulatory regimes to protect privacy.

• The private sector in the USA claimed privacy was a new issue which should not be rushed.

• The US Congress appeared to favour self-regulation and was not keen to introduce any new legislation on privacy.

• In the absence of legislation and the establishment of an enforcement authority, the “contractual” approach of self-regulation could be an “empty shell” and might not meet the adequa- cy test of the EU directive.

THE ROLE OF INTERNATIONAL STANDARDS

Elizabeth Longworth, who represents

New Zealand on the International

Standards Organisation’s COPOLCO

(Consumer Policy Committee) Working Group on Privacy explained the current ISO initiative. The working group’s task was “to advise the Technical Management Board on the desirability and practicality of ISO undertaking the development of International Standards relevant to the protection of personal informa- tion, and, if so, to recommend a future course of action.” The group had reported to the Technical Management Board in January 1998, but also requested an extension until June 1998.

Ms Longworth appealed for support for the development of an ISO standard. She acknowledged, however, that there was a great deal of scepticism about the need for such a standard, particularly from those who take the view that voluntary codes cannot work, and that legislation, together with an enforcement author- ity, is necessary.

TELECOMMUNICATIONS PRIVACY Dr Alexander Dix, the Deputy Data Protection Commissioner for Berlin, gave a presentation on data protection issues in telecommunications. The topic was discussed in more detail at a meeting of the International Com- missioners’ Working Party which followed the Forum.

This edited report was originally written for the Privacy Law and Policy Reporter, Australia, and is published here with permission of Associate Editor, Nigel Waters. Stephen Lau, Privacy Commissioner of Hong Kong, Tel: +852 2827 2827, e-mail: pco@pco.org.hk

Nigel Waters, Associate Editor of Privacy Law and Policy Reporter, Australia, Tel: +61 2 9810 8013,

e-mail: watersn@zip.com.au