
APEC, the Asia-Pacific Economic Cooperation, is an economic forum for a group of Pacific Rim countries. It was formed to discuss matters of regional economy, cooperation, trade and investment. By convention, APEC uses the term “member economy” to refer to one of its members.

The current membership of APEC consists of 21 members. It includes most of the countries with a coastline on the Pacific Ocean: Australia, Brunei Darussalam, Canada, Chile, People’s Republic of China, Hong Kong, Indonesia, Japan, South Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, The Philippines, Russia and Singapore. India and Guam have requested membership in APEC.

APEC Privacy Framework

Adopted in 2005 by the APEC Member Economies, the APEC Privacy Framework (“Framework” or “Privacy Framework” or the “APEC Principles”) promotes a consistent approach to information privacy protection across the APEC Member Economies, while avoiding the creation of unnecessary barriers to information flows. The Framework is intended to provide a practical policy approach to enable accountability in the flow of data, while preventing impediments to trade. It attempts to enable and facilitate regional data transfers in a manner that benefits consumers, businesses and governments.

The Privacy Framework is APEC’s response to the 1995 EU Data Protection Directive. One critical difference, however, is that while the 1995 EU Data Protection Directive is mandatory, and EU Members are required to implement the principles of the Directive into their national legislation, the APEC Privacy Framework is only “guidance”. It does not have a mandatory effect. APEC operates on the basis of non-binding commitments, open dialogue and equal respect for the views of all participants. It does not require treaty obligations from its participants. Decisions made within APEC are reached by consensus. Commitments are undertaken on a voluntary basis.

The Privacy Framework provides guidance and direction to businesses in the Member Economies on common privacy issues. It attempts to facilitate responsible information flows, in order to enable trade and e-commerce. The APEC Principles provide guidance to allow the development of appropriate privacy protection, and prevent the creation of unwanted barriers to information flows.

The Framework attempts to follow the core values of the OECD Privacy Guidelines. Its privacy principles and the implementation guidance are focused on the achievement of five main goals:

  • To develop appropriate privacy protection for personal information, particularly from the harmful consequences of unwanted intrusion and the misuse of personal information;
  • To recognize the free flow of information as being essential for both developed and developing market economies to sustain economic and social growth;
  • To enable global organizations that collect, access, use or process data in APEC member economies to develop and implement uniform approaches within their organizations for global access to, and use of, personal information;
  • To enable enforcement agencies to fulfill their mandate to protect information privacy; and
  • To advance international mechanisms to promote and enforce information privacy and to maintain the continuity of information flows among APEC economies and with their trading partners.

The APEC Framework defines nine privacy principles:

  • Preventing Harm
  • Notice
  • Choice
  • Collection Limitation
  • Uses of Personal Information
  • Access and Correction
  • Integrity of Personal Information
  • Security Safeguards
  • Accountability

Who is Protected; What is Protected

The Privacy Principles are intended to apply to information about natural living persons, and not legal persons. “Personal Information” is defined as information that can be used to identify an individual. It includes information that would not meet this criterion alone, but would identify an individual when put together with other information. The definition covers information held or processed by persons or organizations for themselves, or on behalf of others, for example as a service provider. However, information collected for personal, family or household purposes is excluded.

Preventing Harm

One of the primary objectives of the Privacy Framework is to prevent misuse of personal information, and consequent harm to individuals. The Preventing Harm Principle provides that “personal information protection should be designed to prevent the misuses of such information”. It proposes that remedies for privacy infringements should be designed to prevent harms resulting from the wrongful collection or misuse of personal information, and should be proportionate to the likelihood and severity of any harm threatened by the collection, use, or transfer of personal information.

Notice

Under the Notice Principle, personal information controllers should provide clear and easily accessible statements about their policies and practices with respect to personal information. In particular, they should provide the following information:

(a) The fact that personal information is being collected;
(b) The purposes for which the information is collected;
(c) The types of persons or organizations to whom the personal information might be disclosed; and
(d) The identity and location of the personal information controller, including information on how to contact them about their practices and handling of personal information, the choices and means the personal information controller offers individuals for limiting the use and disclosure of personal information, and for accessing and correcting their personal information.

The Notice Principle allows individuals to know not only what information about them is collected, but also the purposes for which it is used. It also enables them to make more informed decisions about interacting with an organization. It provides them with the tools for some control over the use or disclosures of the information, and the quality of the information. It proposes that information should be provided at the time of collection, or before the information is collected. Otherwise, the notice should be provided as soon as is practicable.

Cookies are only mentioned in passing. There is no guidance on the use of cookies. The Framework simply “recognizes” that there are circumstances in which it would not be practical to give notice at or before the time of collection. In some cases, cookies or web beacons collect information as soon as a prospective customer initiates contact. This happens, for example, with cookies that determine which site the website user was visiting before landing on the current site.

The Notice Principle suggests that there should be an exception for publicly available information such as business cards. The rationale is that notice might not be “appropriate” in the case of collection or use of publicly available information. For example, if an individual gives his or her business card to another person in the context of a business relationship, the individual should not expect that notice regarding the collection and normal use of that information would be provided. Further, if a colleague who works for the same company provides the individual’s business contact information to potential customers, the individual would not have an expectation that notice would be provided regarding the transfer or the expected use of that information. This position is similar to that taken by Canada’s PIPEDA privacy law, where business card data are specifically excluded from protection. It conflicts, however, with the more stringent viewpoint in the European Union countries, where “all” personal information receives the same level of protection.

Providing Choice

The Choice Principle is in certain aspects similar to that found in the 1995 European Data Protection Directive, but it contains substantial carve-outs. There are many nuances to the need to obtain consent, or even to the form of consent expected.

Under the Choice Principle, individuals should be provided with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice with respect to the collection, use and disclosure of their personal information. Whether the choice is conveyed electronically, in writing, or by other means, the notice of the customer’s ability to make fundamental decisions with respect to his personal information must be conspicuously displayed and clearly worded. In addition, the mechanism for exercising choice should be accessible and affordable to individuals. What is “easily understandable” may vary from one constituency to the other and should be adapted to the ability or limitations of the individuals in an APEC Member Economy or national group.

Like the Notice Principle, the Choice Principle also stresses that it may not be “appropriate” to provide these choice mechanisms when collecting information that is “publicly available”, such as when collecting a name and address from a public record or a newspaper.

Indeed, there might be situations where consent may clearly be implied, and where it might be superfluous to provide a consent mechanism to exercise choice. This would occur, for example, when business contact information is exchanged in a business context. In this case, it is generally impractical to provide a mechanism to exercise choice. In addition, consent might be implied from the fact that these individuals are in fact exchanging contact information, and are likely to expect that their business information would be used for the related business purposes.

The Official Commentary to the APEC Framework provides an example that is likely to be controversial, given that the European Union members have taken a drastically opposite view. The example deals with the collection of information in the context of an employment relationship. In the European Union, the view is that employees should not be pressured to agree to the collection of their personal information by the sole existence of their employment relationship. EU companies have to negotiate with Works Councils on the scope of the collection and uses of employees’ personal information. The APEC Framework, to the contrary, takes the position that it would not be “practicable” for employers to be required to provide a mechanism to exercise choice related to the personal information of their employees when using such information for employment purposes. For example, if an organization has decided to centralize human resources information, that organization should not be required to obtain its employees’ consent before engaging in such an activity.

The APEC view that it may not be “appropriate” to provide these choice mechanisms when collecting information that is “publicly available” may cause other problems. There is no definition of “publicly available”, which is likely to cause numerous problems. For example, is the fact that I am a patient of Dr. X publicly available information because I walk to the physician’s office, and the parking garage attendant who sees me walk in the door of Dr. X’s office has witnessed my visit? Or is a person’s home address “publicly available” because it is listed in some obscure, but public, real estate records, even though the person lives in a gated community and there is no direct street access to the dwelling?

Limitation to the Collection of Information

The Collection Limitation Principle provides that information collection should be limited to only that information which is relevant to the purposes of collection. In addition, the information should be obtained by lawful and fair means, and where appropriate with notice to, or consent of, the individual concerned. These requirements are very similar to those found in the 1995 European Union Data Privacy Directive.

In most countries, it would be unlawful, for example, to obtain information by false pretenses, a practice also known as “pretexting”. This would be the case, for example, when an organization uses telemarketing calls or email communications to falsely represent itself as another company, in order to deceive individuals and induce them to disclose credit card numbers or bank account information. Even where there are no laws to make this practice illegal, it may be considered at least “unfair”.

However, the Framework diverges from the 1995 EU Directive principles, and is much less restrictive, by providing that the notice should be provided and consent given only “where appropriate”. The provision provides great flexibility for interpretation. In addition, this approach recognizes that there are circumstances where providing notice, or obtaining consent would be inappropriate or impossible, such as in the case of a health emergency.

Limitation to the Uses of Personal Information

Like the 1995 EU Data Protection Directive, the APEC Use Limitation Principle limits the use of personal information to fulfilling the purposes of collection and other compatible purposes. Included in accepted purposes are the transfer and disclosure of personal information. There are exceptions to the use limitation: if the individual whose personal information is collected has consented to the additional use; or when necessary to provide a service or product requested by the individual; or when the use is permitted by law or other legal instrument.

Here again, there are similarities with the 1995 EU Data Protection Directive, but more flexibility is granted to the entity that holds the data. For example, in addition to uses for the purpose originally disclosed to the data subject, the organization may use the data for “compatible purposes”. The fundamental criterion in determining whether a purpose is compatible is “whether the extended usage stems from, or in furtherance of” the original purposes. The use of personal information for “compatible or related purpose” would extend, for example, to matters such as the creation and use of a centralized database to manage personnel in an effective or efficient manner, or the processing of employee payrolls by a third party, or the use of information initially collected in a credit application to collect debts later owed to the same organization. This view offers much more flexibility than the similar clause in the 1995 Data Protection Directive.

Access and Correction

In its Access and Correction Principle, the APEC Framework stresses the importance of providing individuals with the ability to access information about them and correct that information. Further, individuals should be able to obtain from the personal information controller confirmation of whether or not the personal information controller holds personal information about them.

More specifically, the Principle would require that individuals receive access to personal information about them collected or used by the organization, within a reasonable time after making the request, and after having provided sufficient proof of their identity. Access may be conditioned by security requirements that preclude direct access to the information, and sufficient proof of identity will be required before access is granted.

In addition, the Access and Correction Principle requires that the information should be provided at a charge, if any, that is not excessive, and in a reasonable manner. The ability to access and correct personal information is subject to specific conditions, such as the manner and form in which access would be provided. The term “reasonable” is omnipresent. The information must be provided in a “reasonable time”, and in a “reasonable manner”. For example, if a computer was involved in the transaction or request, and the individual’s email address is available, email would be considered “a reasonable manner” to provide information. In addition, the information should be provided in a form that is generally understandable.

Further, individuals should be able to challenge the accuracy of information relating to them and, if possible and as appropriate, have the information rectified, completed, amended or deleted. Nevertheless, the Access and Correction Principle suggests that it may be necessary for organizations to deny claims for access and correction in certain circumstances. These include situations where claims would constitute an unreasonable expense or burden on the data controller, such as when claims for access are repetitious or vexatious by nature, or where the burden or expense of providing access would be “unreasonable”. What is or is not “reasonable” will vary from one situation to another.

Other carve-outs include cases where providing the information would constitute a violation of laws or would compromise security; or where it would be necessary to protect confidential commercial information whose disclosure would benefit a competitor in the marketplace, such as a particular computer or modeling program. Thus, under the APEC Framework, organizations may be able to deny or limit access to the extent that it is not practicable to separate the personal information from the confidential commercial information, and where granting access would reveal the organization’s own confidential commercial information or that of another organization.

The Framework recommends that an organization that denies a request for access should explain why it has made that determination and provide information on how to challenge that denial. This would not be required, however, where such disclosure would violate a law or judicial order.

Integrity of Personal Information

Personal databases are frequently used to make decisions about individuals. Making decisions based on erroneous information is not in the best interest of the organization or the individuals themselves. The Framework recognizes that personal information, when maintained and used by an organization, should be accurate and complete. The organization that is the custodian of the information should keep the record up to date to the extent necessary for the purposes of the use.

Security

Personal information collected or processed by data controllers and data processors should be protected with appropriate security measures. The APEC Security Principle recommends that organizations that collect or process personal information should use appropriate safeguards against loss or unauthorized access, use, modification, disclosure, destruction or other misuses. Such safeguards should be proportional to the likelihood and severity of the harm threatened, the sensitivity of the information and the context in which it is held. In addition, the security policies and procedures should be subject to periodic review and reassessment.

Accountability

The Accountability Principle is APEC’s response to the EU’s prohibition of transborder transfers to countries that do not offer an adequate level of protection. It states that a personal information controller should be “accountable” for complying with measures that give effect to the APEC Privacy Principles. This accountability requires that when personal information is to be transferred, domestically or internationally, to a third party, the data controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with the Privacy Principles.

There is an exception to the consent / due diligence requirement when applicable local law requires certain disclosures. In this case, the organization holding the data to be transferred to a third party would be relieved of any due diligence or consent obligations.

Thus when there are no exceptions offered by a provision in the domestic legislation, organizations would have several options when transferring information to a third party within the country or abroad. These options include:

  • Obtaining the data subject’s consent to the transfer; or
  • Conducting due diligence before the transfer and monitoring performance after the transfer to ensure that the recipient continues to offer the rights and protection recommended by the APEC Principles.

These two alternatives are somewhat similar to the exceptions in Article 26 of the 1995 EU Data Protection Directive. Under the APEC Framework, however, there is no requirement for approval of a data transfer agreement, or for the inclusion of specific mandatory clauses. As a result, compliance would be much easier than under the regime set forth by the 1995 EU Data Protection Directive, as implemented in the national data protection laws of the EU Member States.

The Commentary to the APEC Framework notes that in certain situations, due diligence may be impractical or impossible, for example, when there is no on-going relationship between the personal information controller and the third party to whom the information is disclosed. In these types of circumstances, it is recommended that personal information controllers use other means to assure that the information is being protected consistently with the APEC Principles.

Enforcement

The APEC Framework encourages the Member Economies to implement an appropriate array of remedies for privacy protection violations, which could include redress, the ability to stop a violation from continuing, and other remedies. In determining the range of remedies, Member Economies are invited to take into account a number of factors. These include the particular system that is used in the specific Member Economy for providing privacy protection, such as legislative enforcement powers, the right of individuals to pursue legal actions, industry self-regulation, or a combination of systems. In addition, the importance of having a range of remedies commensurate with the extent of the actual or potential harm to individuals resulting from such violations should also be taken into account when designing the remedies for privacy violations.

Conclusion

While there are numerous similarities between the APEC Privacy Framework and the principles outlined in the 1995 EU Data Protection Directive, the APEC Framework takes a generally more lenient view of the types of restrictions and conditions that should surround the collection, use and disclosure of personal information. This discrepancy, and the fact that the APEC Framework is only a recommendation and not a mandatory set of principles, make addressing privacy in the Asia Pacific area even more complex than it is in the European region, because the APEC Framework does not achieve the uniformity or “substantial similarity” that is being created in the European Union and the European Economic Area with respect to the different privacy and data protection regimes. These numerous discrepancies will continue to make the management of a global privacy program a challenging task for global companies.

Neither a Floor nor a Ceiling:

The APEC Privacy Framework Fails to Harmonize the Privacy Regime in the Asia Pacific Region

Françoise Gilbert

© 2008 IT Law Group – All Rights Reserved
