A proposed privacy code for Asia-Pacific cyberlaw
1. Introduction
This paper[2] examines the implications for Australia of the privacy laws of other countries, and of international privacy agreements. The recent developments with the most significant implications are the European Union's 1995 Directive concerning privacy, the recent privacy laws of other Asia-Pacific countries (particularly New Zealand, Hong Kong and Taiwan), and the development of a formal Asia-Pacific Information Infrastructure (APII) as part of the emerging world information infrastructure. These developments lead me to argue that serious consideration should be given to the development of an Asia-Pacific privacy Convention, and that Australia should play an active part in promoting such a Convention as a cornerstone of the APII.
2. Australia's international privacy obligations
Before examining these more recent developments, there are two existing international sources of general privacy obligations that affect Australia and some other countries of the Asia-Pacific: the OECD Guidelines and the ICCPR. The main other international agreement is the Council of Europe privacy Convention.
2.1. The OECD privacy Guidelines
The Organisation for Economic Cooperation and Development's Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD, Paris, 1981) are a Recommendation of the Council of the OECD[3], adopted in 1980. Recommendations of the Council are not legally binding on member States, whereas Decisions are. The Guidelines attempt to balance the protection of privacy and individual liberties against the advancement of free flows of personal data, through eight privacy principles which, if observed, are supposed to guarantee a free flow of personal information from other OECD countries.
The core of the Guidelines are the eight `Basic Principles of National Application' in Part Two (Principles 7 to 14). These are principles concerning Collection Limitation, Data Quality, Purpose Specification, Use Limitation, Security Safeguards, Openness, Individual Participation and Accountability. They are supplemented by definitions in Guideline 1, and by Guideline 19 concerning the means of enforcement of the Guidelines to be adopted in national legislation.
All 25 member countries of the OECD have adopted the Guidelines[4] but, outside Europe, only New Zealand and Québec (Canada) have implemented them in full by legislation covering both the public and private sectors.
Australia announced its intention to adhere to the OECD Guidelines in 1984. The 11 Information Privacy Principles in the Privacy Act 1988 (Cth) are intended to implement the OECD's 8 Principles insofar as personal information held by Commonwealth public sector agencies is concerned. The various methods of enforcement of the Principles provided in the Act implement Guideline 19. State and Territory Freedom of Information Acts implement the Individual Participation Guideline in relation to State and Territory public sectors, but not the other Guidelines. Insofar as the private sector is concerned, it would be difficult to argue that the Guidelines have been implemented in any sector except that relating to credit reporting (Privacy Act 1988 (Cth), Pt IIIA).
2.2. The Council of Europe privacy Convention
The Council of Europe's Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (Convention No 108) has been in force since 1985, and by 1994 had been signed by 19 European countries and ratified by 14. Unlike the OECD Guidelines, the Convention is a binding instrument in international law. Breaches of the Convention are dealt with at the diplomatic level by the Council of Ministers. The Convention contains eight Articles which constitute `Basic Principles for Data Protection', and are in many respects similar to those of the OECD Guidelines. Article 23 of the Convention allows the Committee of Ministers of the Council of Europe to invite States which are not members of the Council of Europe to accede to the Convention, provided that all of the Contracting States entitled to sit on the Committee agree. It is therefore possible in theory for Asia-Pacific countries to become parties to the Convention, but as yet no non-member of the Council of Europe has done so.
2.3. The ICCPR, A17
Various Asia-Pacific countries[5] are parties to the International Covenant on Civil and Political Rights (ICCPR), Article 17 of which provides: `1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour or reputation. 2. Everyone has the right to protection of the law against such interference or attacks'. Some ratifications are qualified in respect of A17, such as by Australia's declaration that A17 was accepted without prejudice to `the right to enact and administer laws which, insofar as they authorise action which infringes on a person's privacy, family, home or correspondence, are necessary in a democratic society in the interests of national security, public safety, the economic well-being of the country, the protection of public health or morals, or the protection of the rights and freedoms of others'.
Article 8 of the European Convention on Human Rights (1950) is in very similar terms, and considerable case law of the European Court of Human Rights has elaborated its meaning. The ICCPR is therefore very different from the OECD Guidelines or the Council of Europe data protection Convention, as it contains only a very general statement of privacy as a right rather than a set of information privacy principles.
A few Asia-Pacific countries[6] have also acceded to the First Optional Protocol to the ICCPR, thereby agreeing to individuals taking complaints (`communications') that they have breached a provision of the ICCPR to the United Nations Human Rights Committee. The Human Rights Committee is made up of 18 experts from different countries, elected for four year terms by the countries that are ICCPR parties. For example, in Toonen v Australia[7] the Committee held that Australia was in breach of A17 because of legislation in an Australian State (Tasmania) which criminalised homosexual conduct in private. The Australian Commonwealth government then legislated to nullify the effect of the Tasmanian legislation (Human Rights (Sexual Conduct) Act 1994[8]).
2.4. Sectoral and specific agreements
In addition to these general agreements, there are a number of important more specific international agreements, including the OECD Guidelines on Security of Information Systems[9] and a proposed EU Directive on telecommunications privacy[10]. The Council of Europe has also issued numerous influential sectoral recommendations.
3. The European Union privacy Directive
3.1. Introduction
The European Union Council personal data protection Directive has completed its five year passage through the EU legislative process, having been formally adopted by the Council of Ministers on 25 July 1995 (see the European Commission's Press Release in this issue). The Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data is the most important international development in data protection in the last decade. It is important for two principal reasons. First, it establishes a Europe-wide set of legal principles for privacy protection, to be enacted in all EU member states. EU member states are now allowed three years to amend their laws to conform with the Directive (A32(1)). Its content therefore represents the most recent international consensus on the desirable content of data protection rights, and may be a valuable model for Asia-Pacific countries. This section gives an overview of this 'privacy content' of the Directive, pointing out how it differs from the 1992 and 1990 versions.
Second, it prohibits the transfer of personal data from EU countries to any countries which do not have 'adequate' data protection laws, and will therefore place significant international pressure for increased data protection on countries in the Asia-Pacific region and elsewhere, particularly in relation to the private sector. New Hong Kong and Taiwan laws impose similar restrictions on `data exports'. The next section will explain how this 'data export' or 'transborder data flow' aspect of the Directive will work, and the final sections will assess the impact of these developments on Asia-Pacific countries.
Earlier this year the European Commission said that the Directive 'gives a signal to the EU's trading partners, such as Canada, Japan and the United States, of the importance the EU gives to the protection of the individual's rights in the application of new technological developments'.
The Directive was the subject of substantial lobbying by business interests, particularly the International Chamber of Commerce (ICC), which argued that international privacy laws should be harmonised on the model of the OECD Guidelines and the Council of Europe Convention, rather than the model proposed by the EU[11]. This was not to be.
3.2. History of the Directive
The European Commission's original draft Directive was issued in September 1990[12], and was originally proposed to take effect on 1 January 1993. The European Parliament approved the draft Directive in 1992, subject to the adoption of extensive recommended amendments[13]. In October 1992 the Commission released its Amended Proposal for a Council Directive[14], which was said by the Commission[15] to take into account the comments of the Parliament, the Council of Ministers' own Working Group, the views of the European national Data Protection Commissioners and industry submissions. A Working Party of the Council of Ministers then negotiated for three years to reach a 'common position' on the Amended Proposal[16]. On 20 February 1995 the EU's Council of Ministers adopted a 'common position' on the Directive, making significant amendments in the process[17]. The United Kingdom abstained. This `common position' draft Directive went to the European Parliament for a `second reading', which resulted in its approval with minor proposed amendments on 15 June 1995. The Council of Ministers then adopted the Directive on 25 July.
References are to the completed Directive unless otherwise noted. The original draft will be referred to as the '1990 draft', and the Commission's subsequent amendments will be referred to as 'the 1992 draft'.
3.3. Structure and scope of the Directive
It must be remembered that the Directive is a directive to Member States of the EU to amend their respective laws (where necessary) to comply with the requirements of the Directive. The requirements listed below are phrased in that way in the Directive.
General structure
The two overall objects of the Directive are the protection of information privacy by Member States of the EU (A1(1)), and the prevention of restrictions on the free flow of personal information between EU Member States for reasons of privacy protection (A1(2)). The Directive therefore aims to create 'a European zone of free information flow'[18] in relation to personal information, by requiring a uniform minimum standard of privacy protection across the EU. The heart of the Directive is a set of information privacy principles set out in Chapter II ('General rules on the lawfulness of the processing of personal data'). The methods by which these are to be enforced in national law and by the EU are set out in Chapters III ('Judicial remedies, liabilities and penalties'), V ('Codes of conduct'), VI ('Supervisory authority and Working Party ...') and VII ('Community implementing measures'). Chapter IV deals with prohibitions on transfers of personal data to third countries. Chapter I provides definitions and covers the scope of the Directive. A sixteen page preamble to the Directive provides comments on the objectives behind many of the provisions, and therefore aids interpretation.
The requirements of the Directive are, for the most part, in very general terms. Article 5 provides that `Member States shall, within the limits of [Chapter II] determine more precisely the circumstances in which the processing of personal data is lawful'. However, specific national implementations pursuant to A5 cannot impose restrictions or prohibitions in relation to exchange of personal information between countries within the EU because of A1(2).
It is clear from its preamble that the Directive should not be seen merely as a 'minimum' standard for privacy laws within the EU. It is a standard to be complied with as both the minimum and maximum information privacy protection allowable under EU laws, subject to what the preamble refers to as 'a margin for manoeuvre' left to Member States. The preamble refers to the need to 'approximate' the laws of Member States, to make the protection offered by them 'equivalent', and to reduce 'divergences' between national laws. All this is said to be in order to prevent restrictions on transfer of data between Member States. Many of the Directive's Articles include exceptions to the general privacy protections that constitute the 'general rule' of the Article. These exceptions are just as mandatory as the general rules that they qualify, and national laws which attempted to provide a stricter standard of privacy protection by not recognising or limiting such exceptions would breach the Directive. However, there is room for argument within the language of some Articles which do not make it clear that what is not forbidden is allowed (eg A7 says 'data may be processed only if...', not 'if and only if ...'). The Directive is therefore best seen as a consensus of EU states on the 'desirable' level of privacy protection, not a minimum level. The preamble makes clear, however, that the Directive is considered to exceed the standard of protection required by the Council of Europe data protection Convention[19].
Scope of the Directive
The level of protection is essentially the same in both the public and private sectors, with no formal distinction made between the rules applying in the two sectors[20]. The Directive applies `to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which forms part of a filing system or is intended to form part of a filing system' (A3.1), a `filing system' being any structured set of personal data (A2(c)[21]). The Working Group's most important decision was that structured manual data will remain within the Directive, despite opposition from the UK, Denmark and Ireland.
Processing in the course of activities falling outside Community law is exempted (A3.2), including 'processing operations concerning public security, defence, State security (including the economic well-being of the State) and the activities of the State in areas of criminal law'. Processing by a natural person in the course `of a purely personal or household activity' is exempted (A3.2)[22]. Member States are also required to provide exemptions for 'processing carried out solely for journalistic purposes', and where necessary to reconcile freedom of 'artistic or literary expression' with privacy (A9).
3.4. The Directive's 'information privacy principles'
The 'general rules' set out in Chapter II are framed in terms of 'processing' personal data, but are in general terms similar to the information privacy principles found in the OECD Guidelines and the Council of Europe Convention. A rough comparison of the Articles in Chapter II with the titles of the OECD's 8 principles is as follows: Collection limitation principle (A10, A11, parts of A7); Data quality principle (A6); Purpose specification principle (A6); Use limitation principle (A16); Security safeguards principle (A17); Openness principle (A21); Individual participation principle (A12, A14); and Accountability principle (definition of 'controller'). Other articles cover matters not always found in previous sets of principles, such as purpose justification (A7), 'sensitive' data (A8), automated decision-making (A15), and notification (A18, A19, A20). The content of these principles is summarised or paraphrased below, emphasising those elements which are unusual.
Data quality requirements
The principle of data quality (A6) requires that personal data must be (a) processed fairly and lawfully; (b) collected for specified, explicit and legitimate purposes and used in a way compatible with those purposes; (c) adequate, relevant and not excessive in relation to those purposes; (d) accurate and, where necessary, kept up to date; and (e) not kept in identified form for longer than is necessary for those purposes.
Legitimate processing
`Processing of personal data' (including collecting, recording, using and communicating it: A2(b)) is only lawful if it comes within one of the following conditions (A7):
(a) It is with the unambiguous consent of the data subject. Consent is only valid if the data subject receives prior notification of the purposes of collection and any proposed recipients, and may be withdrawn prospectively (A2(g));
(b) It is necessary for the performance of a contract with the data subject, or for steps requested by the data subject prior to a contract[23]; or
(c) It is necessary to comply with a legal obligation to which the controller is subject;
(d) It is necessary to protect the vital interests of the data subject;
(e) It is `necessary for the performance of a task in the public interest or carried out in the exercise of public authority vested in the controller or in a third party to whom the data are disclosed' or
(f) It is 'necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject ...'. Article 7 does not elaborate on how this balancing is to be achieved, but the preamble says that Member States remain free to determine the appropriate balance in relation to use of information for 'legitimate ordinary business activities' and conditions of disclosure for marketing purposes. The Commission commented on the 1992 draft that `[t]his balance-of-interest clause is likely to concern very different types of processing, such as direct-mail marketing and the use of data which are already a matter of public record'[24]. Many of the most contentious privacy decisions are therefore still left to the Member States to make.
These six very general conditions apply to both public and private sector processing of personal data. Their generality will obviously allow for a variety of specific implementations in national laws.
Use and disclosure - the `finality' principle
The principle of `finality' is that use and disclosure of personal information are limited to the original purposes of collection. The Directive retains[25] a general requirement that data must be used in a way compatible with the purpose of collection (A6(1)(b)), but lays out the above-listed six general grounds for processing (which includes use and disclosure) in A7, which act in part as justifications for exceptions to the principle of finality.
Other rights of data subjects
The other rights of the data subject may be summarised as follows (subject to exceptions not listed here[26]):
(i) Rights to be informed of the purposes of collection, the obligatory nature thereof, intended recipients, and subject rights, at the time of collection (A10). Where information is obtained from someone other than the data subject, there are similar rights to be informed (A11);
(ii) Rights to obtain a copy of data about himself or herself, including information about its use; rights to obtain corrections, or erasure or blocking (suppression) of data processed in violation of the Directive; and to have such corrections, erasures or blocking communicated to third parties to whom the data has been disclosed (A12);
(iii) Rights to object to processing on 'compelling legitimate grounds' (A14(1)), and an opportunity to object to data being used for direct marketing[27] (by various forms of 'opting out'[28]) (A14(2)) .
(iv) Rights not to be subject to decisions significantly affecting him which are based solely on automated processing intended to evaluate personal aspects relating to an individual[29], except where pursuant to a contract or legislative authority and there are suitable measures to safeguard the data subject's legitimate interests (A15). The subject's right of access must also include a right to know 'the logic involved' in any such automated decisions (A12(1)). It has been claimed that these provisions, which derive from French law, will cause considerable difficulties for US companies[30].
Security
Appropriate security safeguards must be adopted by controllers, and controllers must have significant responsibilities in relation to anyone who processes personal data for them (A17).
Notification
Automated processing operations carried out by private and public sector bodies must be notified in advance to the national supervisory authority (A18 - A19). This need not be a licensing system, and exemption from or simplification of notification is allowed for processing which is unlikely to adversely affect people's rights and freedoms, or where the organisation concerned has appointed an independent data protection official (A18(2)). The notified data is to be used so that a register can be kept by the supervisory authority, which may be inspected by any person (A21). National laws are to specify 'processing operations likely to present specific risks', so that 'prior checking' of such systems by the supervisory authority can occur (A20). The authority must be notified of such proposed operations by the controller or the data protection official (A20(2)).
Public registers are exempt from the notification requirements (A21(3)), implying that they are generally subject to the principles.
Special categories
The processing of personal data 'revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership' and health or sex life is generally prohibited (A8(1)), subject to numerous exceptions (A8(2)-(4)). Data concerning offences or 'security measures' can only be kept under official authority (A8(5)). Derogations must be notified to the Commission.
3.5. Enforcement of the Directive at national level
Powers of the supervisory authorities
One or more public authorities must be responsible for monitoring the application of the Directive ('supervisory authority') (A28). The supervisory authorities must 'act with complete independence', and must have investigative powers, 'effective powers of intervention' in processing, and powers to take court action where national legislation implementing the Directive is infringed (A28(3)). They must be consulted concerning legislation affecting privacy (A28(2)). They must be able to hear complaints concerning breaches of information privacy (A28(4)), but nothing is specified concerning the remedies available from a supervisory authority.
Individual rights of enforcement
An individual must have the right to seek a judicial remedy for any breach of the national law (A22). There must also be a right to recover compensatory damages (A23), but it appears that this can be provided as either a judicial or an administrative remedy. Dissuasive penalties for breach are also required (A24). The Directive therefore requires both a data protection authority with appropriate powers to supervise the information privacy principles, and individual rights of enforcement independent of those authorities. The enforcement mechanisms it requires are therefore quite strong.
Codes of conduct
Codes of conduct are to be encouraged, and national laws are to make provision for trade associations and other bodies to submit them to the national supervisory authorities for an opinion as to whether they comply with the national laws (A27). EU-wide draft codes are to be submitted to the EU Working Party (see below) for an opinion concerning compliance with the various national laws (A27(3)). Such codes cannot in themselves satisfy the requirements of the Directive: A27(1) states that they are to 'contribute to the proper implementation of the national provisions', and A27(2) states that they are to be measured against such provisions. However, it would seem possible that a legally enforceable code of conduct which fully implements the national legislative provisions could supplant those provisions, as can occur under the New Zealand Privacy Act 1993.
Reach of national laws
Member States are required to apply the national provisions they adopt to processing of personal data in two principal situations (A4): (i) where it is 'carried out in the context of the activities of an establishment of the controller on the territory of a Member State'; and (ii) where the controller is not established on the territory of an EU Member State, but makes use of equipment situated in a Member State for purposes of processing (except mere transit). Berthold characterises this as a 'control test' supplemented by a 'processing test'[31]. Under the control test, a company which carries out activities in an EU Member State (even if it is not based there), but which processes personal data relating to those activities in a non-EU state, will find that its activities are subject to the privacy laws of the EU state.
Under the processing test, a company based in a non-EU state which merely uses processing facilities in an EU Member State will still find itself bound by the EU state's privacy law. Not surprisingly, Europe cannot be used as a 'data haven' to avoid the reach of privacy laws.
Time limits for national implementation
Member States are required to change their laws to comply with the Directive within three years of its adoption (A32(1)). A further three years may be allowed in national laws for 'processing already under way' to be brought into conformity (A32(2)). Some rights need not be applied to data held in manual filing systems for twelve years after the national law comes into force, a provision to appease the United Kingdom.
3.6. Supra-national supervision of the Directive
The 'EU-level' supervision of the Directive is distributed between three bodies: the Commission of the EU; a Committee of representatives of EU Member States (and in some circumstances, the EU Council itself); and an advisory Working Party of the national data protection authorities. In the 1995 Directive, significant power has shifted from the Commission to the Committee, with the role of the Working Party remaining unchanged. The role of these various bodies in making decisions concerning the adequacy of protection in third countries is discussed in more detail later.
The EU Commission's role
The Commission is to report to the Council and the Parliament at regular intervals on the implementation of the Directive, with any proposals for amendment. It is also required to examine the application of the Directive to sound and image processing (A33). The Commission is also required to advise the Working Party of what action it has taken concerning its opinions and recommendations (A30(5)), and to negotiate with non-EU countries concerning 'adequate protection' (A25(5)). The Commission had proposed that it should have a rule-making power to adopt such `technical measures' as are necessary to apply the Directive, including drawing up sectoral applications of the Directive (1992 draft A33), but the 1995 Directive does not provide for any delegated legislation.
The Committee of Member States, and the EU Council
Chapter VII ('Community implementing measures') provides for a Committee comprised of representatives of each Member State and chaired by a non-voting Commission representative (A31(1)). The Committee acts by majority, but the votes of each representative are weighted according to A148(2) of the Treaty establishing the European Community (A31(2)). The EU Commission's main role under the Directive is to submit to this Committee a draft of the 'community implementing measures' it considers should be taken (A31(1)). If the Committee approves the proposed measures, the Commission must then adopt them. If the Committee disapproves, or fails to approve them within the time limit set by the Chairman, the proposed measures are referred to the Council of Ministers of the EU (which is to vote by qualified majority) (A31(2)).
The types of 'implementing measures' which will be dealt with by this process include decisions on adequacy of third country laws (A25(4)), and proposed authorisations of data transfers (A26(3), (4)).
The Working Party of supervising authorities
There is to be a Working Party on the Protection of Individuals with regard to the Processing of Personal Data composed of representatives of national data protection authorities (one for each EU state), a representative of EU institutions, and a representative of the Commission (A29). It will take decisions by simple majority. The Working Party's functions include examining issues of uniformity in EU national laws, giving opinions on the level of protection in the EU and in third countries, advising the Commission on any proposed additional measures, and giving opinions on codes of conduct drawn up at Community level (A29(1)). It can also, on its own initiative, make recommendations on all matters concerning processing of personal data in the EU (A29(3)). The Commission is required to produce an annual report on the responses it has made to the Working Party's opinions and recommendations (A29(5)), and the Working Party is to publish an annual report concerning the processing of personal data in Europe and in third countries (A29(6)).
The Parliament recommended the Working Party's expansion into, in effect, a supra-national data protection agency, comprising representatives of business and civil liberties groups as well as national authorities, and with a right to be heard on a wide range of issues and to take various independent initiatives, but this approach has not been adopted.
4. The EU Directive's data export prohibitions
4.1. Introduction - `equivalence' and `adequacy'
The EU Directive on privacy and free flow of personal data is principally significant to Asia-Pacific countries because it prohibits the transfer of personal data from EU countries to any countries which do not have `adequate' data protection laws. It will therefore place significant international pressure for increased data protection on countries in the Asia-Pacific and elsewhere, particularly in relation to the private sector. The `principle of equivalence', implemented in the OECD data protection Guidelines (A17) and the Council of Europe data protection Convention (A12), and observed in most European national data protection laws, is that a state shall not impose restrictions on the export of personal data to another state which gives substantially equivalent protection to such data as is provided for in the exporting country[32]. The Directive requires all EU Member States to implement a Europe-wide standard of data protection, and then deems that implementation within the allowed 'margin for manoeuvre' is sufficient for the equivalence principle to apply. However, when it comes to states outside the EU, a somewhat different approach is taken to the 'equivalence' issue.
4.2. Exports of personal data from the EU to third countries
Neither the OECD Guidelines nor the Council of Europe Convention require their signatories to impose export restrictions on non-signatory countries, or on countries which do not provide an equivalent degree of protection. They do not contain any positive requirement to restrict exports, but leave this up to the signatory countries. This is where the 1995 Directive is in stark contrast, because it makes it mandatory for EU countries to prohibit the export of personal data to any countries which do not provide `an adequate level of protection'. The Directive provides that `Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing may take place only if ... the third country in question ensures an adequate level of protection' (A25(1))[33] (emphasis added). 'Equivalent' protection is not required, only 'adequate' protection[34].
The Parliament had recommended a far less restrictive approach[35], which would not have made it mandatory for such transfers to be prohibited, merely permissible. The Commission's justification[36] for rejecting this approach was that `Without such a provision [prohibiting exports] the Community's efforts to guarantee a high level of protection for individuals could be nullified by transfers to other countries in which the protection provided is inadequate. There is also the fact that the free movement of data between Member States, which the proposal seeks to establish, will mean that there will have to be common rules on transfer to non-community countries'.
The Directive is ambiguous as to whether EU countries must allow exports of personal data to countries which do provide 'adequate protection'. Article 25 requires Member States to provide that such transfers 'may take place only if' there is adequate protection, not 'if and only if'. The preamble only says that the 'Directive does not stand in the way' of such transfers, but does not say they must be allowed. On the other hand, A26 seems at first to require EU countries to allow transfers to third countries where there is no adequate level of protection but the A26 conditions concerning the individual transfer have been met, but it is only a derogation from A25 so this may mean little. The better view is probably that the Directive gives no formal guarantees to third countries that data exports from EU countries will be allowed, irrespective of the level of protection they provide.
Remote access to EU personal data from third countries
A25 refers to `transfer ... to a third country', so the question arises of whether it will be possible to access Europe-based databases from non-European locations. The problem is that any such access would necessarily involve such data as is necessary for the screen display on the user's computer to be `transferred' to the user's computer, and would therefore constitute `transfer ... to a third country'. Remote access would therefore have to come within an exception to A25 before it was permissible. The processing would also have to comply with the law of the European country where it took place, applying the processing test[37].
Imports of personal data from third countries into the EU
There are no explicit equivalent restrictions on the import of personal data from a third country into a Member State. A26 only refers to transfers `to' a third country, and not transfers `from' a third country. However, the importing of the data may constitute `collection' and therefore `processing', so that the importer must comply with national laws of the EU state into which the import takes place, applying the processing test[38].
4.3. The meaning of `adequate level of protection'
The Directive now[39] defines 'adequate level of protection' as follows (A26(2)):
'The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in those countries.'
It goes on to state that the Commission may decide that a third country `ensures an adequate level of protection ... by reason of its domestic law or the international commitments it has entered particularly upon conclusion of the negotiations [it has had with the Commission]' (A25(5)).
Some non-EU European countries are parties to the Council of Europe Convention, and this would almost certainly constitute 'adequate protection'[40]. The Commission was at one time reported to favour an approach whereby non-European countries would sign the Convention (on the invitation of the Council of Europe: A23) and ratify after passing laws `equivalent' to the Convention[41]. The EU Commission would then declare that the country had `adequate' laws, and the third country would be bound under international law by the Convention. It is not known if this approach is still under consideration.
Although it is not completely clear from A25 whether the requirement of an `adequate level of protection' must be satisfied by a country's overall privacy laws, or whether it is sufficient to prevent the banning of a particular transfer if there is an adequate level of protection in relation to information from that sector (eg credit or insurance information, or criminal records), the better view is that sectoral compliance is possible. The Parliament had recommended that an adequate level of protection need only be provided for `particular categories of specified personal data', and this seems to be the approach taken in the 1992 draft [42]. The references to sectoral legislation and `professional rules' could be seen as supporting this interpretation. Other commentators have reached the conclusion that an `overall country assessment' is not necessary[43].
Need there be 'adequate' compliance with each EU Directive requirement, or just most of them? The use of `adequate' suggests that only partial compliance is required. A related question is whether `adequacy' need only be measured against the principles in the Directive (Chapter II), or whether it is also to be measured against the types of enforcement measures required by the Directive (including data protection authorities, enforceable rights and damages - see above). The latter is the better view. It would be anomalous for A26(2) to require 'sufficient guarantees' of enforcement if A25 did not. However, it might be expected that adequate protection could be provided by either individual enforceability or enforcement via a supervising authority.
Mandatory exceptions to the requirement of adequate protection
Instead of leaving it to the Member States to decide which transfers to countries without an adequate level of protection should be permitted (as recommended by the Parliament), the 1995 Directive requires Member States to provide that transfers to a third country which does not ensure an adequate level of protection may take place if one of six[44] conditions is satisfied (provisos to A26(1)).
The exceptions are where the transfer:
(i) is with the data subject's unambiguous consent;
(ii) 'is necessary for performance of a contract between the data subject and the controller[45], or the implementation of pre-contractual measures taken in response to the data subject's request' (eg a credit check);
(iii) 'is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party';
(iv) is `necessary on important public interest grounds' or for legal claims;
(v) `is necessary to protect the vital interests of the data subject'; or
(vi) is from a public register, and in accordance with its terms of operation.
These exceptions are not as broad as they first appear. The reference to `public interest grounds' is not an explicit reference to the public interest of the third country which is importing the data, and could be implemented so as to refer only to the public interest of the European country concerned. There is no exception referring to the vital interests of the recipient of the information, only those of the data subject. Furthermore, the exceptions will be likely to become more precise as they are implemented in national laws (A5). However, they may be broader in some respects than the exceptions found in A8 of the European Convention on Human Rights, which could lead to some interesting decisions.
4.4. Authorisation of particular transfers without `adequate' protection
In addition to these mandatory exceptions, A26(2) now[46] provides that
'... a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection ... where the controller adduces sufficient guarantees with respect to the protection of privacy ... and as regards the exercise of the corresponding rights; such guarantees may in particular result from appropriate contractual clauses'.
This last clause seems directed, for example, to a situation where a particular company in a third country provides strong contractual guarantees of privacy to its customers, even where there are no enforceable industry codes and the country does not have overall adequate protection. What might otherwise constitute `sufficient guarantees' is not explained.
A26(2) suggests that contractual provisions between a particular company and its clients, as opposed to a sectoral code, cannot amount to an `adequate level of protection' for A25 purposes. It also reinforces the view that an `adequate level of protection' must be found to exist at least at a sectoral level within a jurisdiction, and cannot be found merely at the level of the operations of a particular company, because the alternative view would make A26(2) redundant. This is not, however, free from doubt[47].
The Member State must inform the Commission and the other Member States of 'authorisations granted' under A26(2) (A26(3)), rather than 'its proposal to grant authorization' as the 1992 Draft required. If a Member State or the Commission nevertheless does manage to object before the authorisation takes effect, the Commission is required to take `appropriate measures', after referring the matter to the Committee in accordance with A31(2) (A26(3)). Member States must then comply with the Commission's decision, including decisions that certain contractual clauses offer 'sufficient guarantees' (A26(4)).
The meaning of 'sufficient guarantee' - supplier / recipient contracts
Can private contracts between data suppliers and recipients (as distinct from contracts with data subjects) constitute a `sufficient guarantee'? The US government pushed for maximum recognition for supplier-recipient contracts[48], and the French data protection authority, CNIL, has allowed a number of transfers from France to countries without data protection laws (Italy and Belgium) on condition that such contracts were entered into[49]. The International Chamber of Commerce (ICC) was also promoting such an approach and prepared a model contract[50]. A25 makes no mention of contractual clauses at all, and it seems unlikely that contractual clauses could constitute 'adequate protection', even on a sectoral basis where they are adopted by an industry. A26(2) does not clarify whether its mention of 'contractual clauses' includes supplier-recipient contracts. As there would be no privity of contract with the data subject, and therefore no legal rights enforceable by the data subject, it is doubtful that such contracts could constitute a 'guarantee' for A26(2) purposes.
Reidenberg, analysing the problems faced by the US private sector in complying with the EU and other privacy standards, identifies weaknesses in a purely contractual solution[51]:
Individuals may be unable to enforce effectively their protections for the treatment of personal information due to a lack of privity, the need to obtain jurisdiction in a foreign country, or the difficulty of establishing foreign law in a local forum. In addition, the terms of the contract are negotiated by the companies themselves with the input of data protection authorities. The exporting company acts, in effect, as the agent for the individual, though the individuals have no direct representation during the contract negotiations.
Reidenberg now sees supplier-recipient contracts as being of much value only where they are the by-product of an enforceable law in the exporting country, as in the Hong Kong and Québec data export laws discussed below.
The meaning of 'sufficient guarantee' - industry 'codes of conduct'
What role can industry self-regulation through codes of conduct play? Article 27 requires Member States to encourage the development of national and European codes of conduct, but (as discussed above) these cannot be a substitute for legally binding provisions. Voluntary codes of conduct in third countries are unlikely to constitute adequate protection, although it is possible that a scheme run by an industry body which was shown to have enforcement powers might be sufficient to be regarded as 'professional rules' for the purposes of A25(2) (which does not make specific mention of Codes of Conduct). An industry-developed code backed up by legally binding enforcement procedures may well constitute adequate sectoral compliance (the enforcement provisions would be 'rules of law' for A25(2) purposes). Such enforceable codes might also provide 'sufficient guarantees' for A26(2) purposes.
The Canadian Standards Association (CSA) Technical Committee on Privacy adopted a Model Code for the Protection of Personal Information in September 1995. The Code is based on the OECD Guidelines, and will involve a certification scheme. It is expected to be formally accepted by the Canadian Standards Council (a government body) in early 1996. It is not known at this stage whether the CSA will push for the Code to be adopted by the International Standards Organisation (ISO)[52]. Due to the lack of privacy legislation in the USA, there is considerable private sector interest in the Code in the USA, and it may possibly develop into a North American standard.
It is likely that the CSA privacy Code will prove to be the 'litmus test' of whether the EU will accept that Codes of Conduct which have no enforceability at law can provide a 'sufficient guarantee'. This has strong opponents, particularly within Canada. The President of Québec's data protection authority, Paul-André Comeau, praises the Code as 'a step in the right direction', but says[53] that
There is a major flaw in the code, stemming from the philosophy of voluntary compliance: the code does not provide for any form of recourse before an impartial judge. It relies essentially on the good will of those concerned. The authors of the code are counting on the use of audits to compensate for this failing.
He is reported to have concluded by urging European privacy commissioners, and the EU, 'to reject private agreements between European and Canadian industrialists and even to withhold recognition of the CSA Model Code as adequate protection, given its voluntary status'[54]. He says that any European acceptance of such a standard will only encourage those in Canada who regard privacy legislation as 'useless and artificial' and unnecessary if the Code suffices for the EU[55]. Federal Canadian Privacy Commissioner Bruce Phillips is advocating the national adoption of legislation based on Québec's Act. The battle lines are drawn in Canada.
4.5. Implications for countries without 'adequate' laws
Bennett is skeptical about the extent to which data users can rely on A26[56]:
Clearly, there is sufficient latitude in the directive for North American data users to convince their European counterparts that a combination of contracts and 'professional rules' (ie codes of practice) and security measures affords 'adequate' data protection. But this does anticipate a series of case-by-case battles, and favoured treatment for the larger multinationals that can afford to fight for their interests.
Companies in countries such as Australia or Canada will have to choose whether to support the development of 'adequate' local privacy laws, or to rely, on a transaction-by-transaction basis, on either (i) coming within an A25 mandatory exemption or (ii) convincing a European national authority, or the EU authorities (see below), that they can offer 'sufficient guarantees' for that transaction.
4.6. The mechanisms for decisions concerning `adequate protection'
Decision and notification by a Member State
In the first instance, it is the laws of Member States of the EU that must provide that transfers may only take place to third countries with an adequate level of protection (A25(1)), and it is a decision by an authority in the Member State which prohibits the transfer. Member States must inform the EU Commission where they consider that an importing third country does not ensure an adequate level of protection (and vice versa) (A25(3)). This notification requirement applies even if the data transfer is allowed under an A26(1) exception, or an A26(2) authorisation because of 'sufficient guarantees'.
Decisions by the Committee on adequacy
As explained above in relation to supra-national enforcement of the Directive as a whole, it is the Committee of Member State representatives that decides whether to accept the draft measures proposed by the Commission (A31(2)). The Commission, with the Committee's approval, is therefore able to set a Europe-wide standard for acceptance of transfers to specific third countries[57]. The position is therefore that Member States make any decisions to prohibit transfers, but the Committee can over-ride such decisions.
'Complaints' about adequacy
Even though it is the Committee that makes the decisions, it is still the Commission that must be first convinced to propose action against a third country, so it is important to ask how claims of 'inadequacy' can be brought to the Commission's attention. Member States are obliged to do so in the course of considering transfers to third countries (A25(3)). The Working Party of supervisory authorities is required to produce an annual report which covers the level of protection in third countries, so the Commission would receive official notification that way. As might be expected, the Commission is reported to be likely to initiate its own studies of the laws and codes of the EU's more important non-EU trading partners[58].
Under the 1992 draft, the Commission could initiate its negotiation process (discussed below) either on the basis of information provided by a Member State, or `on the basis of other information'. This may have left the way open for a form of `complaint' about a third country's laws (either general or sectoral) to be made to the Commission by, for example, national or international organisations of consumer advocates, privacy advocates or civil liberties organisations. This avenue for initiatives by NGOs is not so obviously open under the 1995 Directive, but it remains to be seen what the Commission's practice will be. Another avenue for NGOs would be to seek to have a sympathetic national data protection Commissioner raise the case of a third country's laws before the Working Party.
Commission negotiations with third countries
If the Committee accepts measures proposed by the Commission on the basis of the inadequacy of a third country's laws, only then can the Commission enter into negotiations with the third country 'with a view to remedying the situation' (A25(4))[59].
A political or a legal process?
A Canadian commentator interprets this decision-making process as essentially political rather than legal[60]:
The implementation of Articles 25 and 26 is likely to be unpredictable and politicized, because the determination of `adequacy' rests, not with the data-protection agencies ... but with the Commission itself. Judgments about adequacy will therefore be susceptible to the vagaries of the European political process and are likely to be confused with the resolution of issues that have nothing to do with data protection. Logrolling may therefore override the more predictable and rational pursuit of a data protection standard.
Although decisions are more correctly described as being made by the Council and the Commission, not just `the Commission', this may strengthen Bennett's point, as national political interests are even more directly represented on the Council.
It is too early to know whether Bennett's fears are justified, but it is difficult to avoid the conclusion that the nature of the process means that there is likely to be a great deal of uncertainty for data users in non-EU countries which do not have an unambiguously `adequate' level of data protection.
5. Implications of data export restrictions for the Asia-Pacific
5.1. Existing national data export restrictions in Europe - examples
Since the Swedish Data Act (1973), national data protection legislation has now been enacted in twenty European countries. All European data protection Acts contain provisions by which their national data protection agency has authority to restrict `exports' of personal data[61].
For example, s12 of the United Kingdom Data Protection Act 1984 provides that where data is to be transferred to a State which is not a party to the European Convention, the Data Protection Registrar may issue a Transfer Prohibition Notice if he is satisfied that the transfer is likely to lead to a contravention of the data protection principles in the United Kingdom Act because the other country does not have adequate data protection laws. The Registrar cannot prevent the transfer of personal data to any State which is bound by the Council of Europe Convention unless he is satisfied that it is intended to be transferred to another country where there is likely to be a contravention of the data protection principles. The Registrar issued the first Transfer Prohibition Notice in 1990 (see below).
Some countries go further, specifying that an `export licence' must be obtained for the exporting of any personal data coming within the legislation (Iceland, Portugal), or that this must occur for specified categories of personal data (Austria, Belgium, Denmark, Finland, Norway, Spain and Sweden)[62]. A few countries also require licences for the import of personal data, not merely compliance with national laws.
A survey by Vassilaki[63] of the enforcement of data export restrictions by European data protection agencies summarises over 30 cases where proposed transfers have been prohibited or only allowed if conditions were observed. The authorities who have imposed the bulk of the restrictions are those of France, Germany, Austria, and Sweden, but restrictions imposed by the UK and Norway are also noted. However, the cases summarised are only a sample, as in Austria alone there were 40 cases where restrictions were imposed from 1987-89, and the Swedish authority considered over 100 transfer applications from 1982-1992.
Examples of enforcement
A few examples follow, illustrative of the range of contexts in which restrictions have been imposed[64]. References to countries imposing prohibitions are to their national data protection authorities. Unless noted otherwise, the reason for the prohibition was that the recipient country did not have a data protection law covering the sector in question.
* Employees - France required Fiat France to obtain contractual guarantees of privacy protection (based on observance of the French legislation and the Council of Europe Convention) from Fiat Italy before employee data could be transferred to Italy (1989). Similar restrictions were imposed on another company's transfers to Switzerland (1990). France imposed greater restrictions on a North American cosmetics multinational, only allowing it to transfer coded forms of employee names to Belgium to effect salary processing (1990). Germany has blocked transfers of `sensitive' staff data unless there is employee consent (1989). A US-based multinational was prevented from transferring all its German data processing to the USA, and had to set up a subsidiary company in Germany to process German employee data (1989).
* Medical treatment - France prohibited French doctors from transferring patient names to a European centre for cancer research and treatment, located in Belgium, so as to obtain results of medical tests, until strict software security measures were implemented and transfers were only by coded versions of names (1989).
* Product research - Data on clinical testing of pharmaceutical products could only be transferred from Sweden to Belgium and the USA on the basis of the informed consent of the individuals concerned, and subject to conditions concerning security and the anonymity of reports (1989).
* Direct marketing - The UK prohibited the export of personal data to a mail order company which operated from the USA. There was evidence that the company had breached UK consumer protection laws, and had been prosecuted under similar US laws (1990). Germany prohibited mailing lists being transferred to the former East Germany (1991). Sweden has refused all but one application for transfers to other countries for direct marketing purposes.
* Telecommunications - French telecommunications operators are not allowed to tell operators in another state the identity of a calling party, in case it is wrongly disclosed (1990).
* Airlines - An airline under Swedish law was not allowed to deliver personal data to US Customs without first warning passengers of the inadequacies of US data protection laws, and therefore obtaining informed consent (1991).
* Financial services - Norway refused to allow a credit bureau's files to be relocated to its head office in Sweden, as Swedish credit reporting law was not as strong as that in Norway (1990). Austria prohibited a transfer of credit information from an Austrian finance company to a German credit bureau because a vague contractual clause did not comprise the necessary `express' consent for data export (1990). SWIFT in Belgium has been required to give contractual guarantees that transfers of data from Austria will observe Austrian data protection law (1992). Plans to transfer details of German clients to a French financial company were stopped after German objections.
* Data processing bureaus - A German data processing bureau was prevented from carrying out its processing in the UK, due to inadequacies in UK law (under negotiation 1993).
* Religion - France required contractual guarantees of adherence to French law before Mormon genealogical records could be transferred to Utah.
* Gambling `blacklists' - Germany prohibited transfers of data on persons excluded from gambling by German casino corporations to an Austrian casino corporation because Austrian law did not apply to manual data. The corporations subsequently signed a data protection contract (1991).
* Social Security - Germany would not allow Italian Social Security authorities online access to German registers of migrant workers, even though German Social Security authorities had such access to Italian files.
* Immigration - Sweden refused to allow transfer to Italian authorities of a list of Italian permanent residents of Sweden, for purposes of issuing passports (1990).
* Archives - France refused to allow files concerning Spanish civil war refugees to be provided to Spanish archives authorities (1986). It was necessary to extract anonymous data in France and only transfer that to Spain.
The implications of European enforcement
Whatever view is taken of the reasonableness of these restrictions, there is no doubt that European countries are already taking a serious approach to the enforcement of data export restrictions in national laws, even though (in most countries) the imposition of such restrictions is not mandatory but at the discretion of the national authority.
The EU data protection Directive will make such enforcement mandatory, and can be expected to increase the number of enforced restrictions against Asia-Pacific countries.
5.2. Which Asia-Pacific laws provide 'adequate protection' for the EU Directive?
Comprehensive `adequacy'
There are only four jurisdictions in the Asia-Pacific region which could mount a convincing argument that they have existing privacy laws covering the whole of their private and public sectors which provide 'adequate' privacy protection in terms of the EU Directive, so that no EU country could justifiably prohibit transfers of personal data to them. These are:
* New Zealand[65] - Privacy Act 1993;
* Québec - Act respecting the protection of personal information in the private sector, 1993 and Act respecting access to documents held by public bodies and the protection of personal information, 1993;
* Hong Kong[66] - Personal Data (Privacy) Ordinance, 1995; and
* Taiwan[67] - Computer-Processed Personal Data Protection Law, 1995.
Each of these laws provides a set of rights which (at the very least) are equivalent to the Principles in the OECD Guidelines, and are enforceable against the public and private sectors.
The Australian Cabinet decided on 1 December 1995 to extend the Privacy Act 1988 (Cth) to the private sector, and to take an approach to codes of conduct influenced by the New Zealand Act[68]. With a Federal election pending in Australia, the future of such legislation is unlikely to be known until after the election[69].
The only other possible source of comprehensive `adequate' data protection would be the general law of each country. In the case of Australia, New Zealand, Canada and the USA, this is a differing mix of common law (including in some cases a limited privacy tort), equity (including the law of breach of confidence), administrative law, criminal law, constitutional rights, and legislative bills of rights. While these rights can be substantial[70], it is difficult to see the cumulative effect of such rights in any of these jurisdictions even approaching the specific set of rights set out in the EU Directive.
Sectoral `adequacy'
Otherwise, such privacy legislation as does exist in the Asia-Pacific could only constitute 'adequate protection' for specific sectors, if at all. For example, Australia's Privacy Act 1988 would provide adequate protection in relation to any information held by Federal Government agencies, and in relation to credit reporting (Part IIIA), but there is no other legislation which would provide adequate protection in relation to information held by State government agencies, or the rest of the private sector. Similarly, in Canada, some Acts such as British Columbia's Freedom of Information and Protection of Privacy Act would constitute adequate protection in relation to that Province's public sector records, but there is no legislation providing adequate protection for the whole of the private sector. It is likely that Japan's Personal Data Protection Act 1988 would provide adequate protection for its public sector, and the 1994 Korean law may also do so. Other legislation covers only specific parts of the private sector, such as Singapore's Banking Act s47 and Malaysia's Banking and Financial Institutions Act 1989, Pt XIII, which cover the banking sector.
In relation to the United States, a draft report under preparation by two US academics for the EU Commission is reported[71] to argue that US laws as a whole do not provide 'adequate protection', not even on a sectoral basis (in most cases), so that any transfers of personal data to the USA will have to be considered in relation to the specific organisations involved (ie as authorisations under A26(2)). One of the authors of the report, in a study of the inadequacy of `targeted' (sub-sectoral) US laws in the private sector, indicates his pessimistic conclusions[72]:
Because key standards of transparency, finality and enforcement are often ignored by targeted standards in the United States, the scrutiny on a micro-level of international data processing increases the prospect that European regulators will restrict more data flows if the US private sector does not augment existing standards.
The overall picture in the Asia-Pacific
The ability of codes of conduct to provide adequate protection is still contentious, but they are unlikely to be a panacea.
While the argument sketched above requires more analysis than is possible here, it suggests that all but four jurisdictions in the Asia-Pacific are vulnerable to restrictions on transfers of personal data from countries in the European Union, at least insofar as the majority of their private sector organisations are concerned.
As we will now see, there is also likely to be an increase in restrictions of transfers of personal data within the Asia-Pacific.
5.3. Data export prohibitions in the Asia-Pacific
Until recently, the privacy laws of Asia-Pacific countries did not contain data export restrictions. At best, provisions in laws such as the Privacy Acts in Australia and New Zealand dealing with secondary use and disclosure of personal information could have the incidental effect of prohibiting disclosures outside the jurisdiction simply because there were no legitimate users of the information outside the jurisdiction, but never because of the inadequacy of the laws in the recipient's jurisdiction.

This has now changed, with the privacy laws of Québec, Hong Kong and Taiwan all imposing such restrictions.
Québec's data export law
In Québec's Act respecting the protection of personal information in the private sector, 1993, s17 provides that persons carrying on an enterprise in Québec who communicate outside Québec information relating to persons residing in Québec must take `all reasonable steps to ensure' (i) that information is not used for purposes not relevant to the object of the file, or communicated to third persons without the consent of the persons concerned (unless situations similar to exceptions in s18 apply); and (ii) in the case of lists of named persons (`nominative lists'), that the persons concerned have a `valid opportunity' to refuse to allow their names to be used for commercial or philanthropic marketing, and can have their details deleted (with some exceptions in ss 22 and 23). These requirements also apply where a Québec enterprise entrusts a person outside Québec with holding, using or communicating the information on the enterprise's behalf (eg an off-shore processing bureau, or a regional headquarters).

The Québec restriction is therefore limited to ensuring that the `finality' principle is observed in relation to exported data, and does not require that the recipient observe other principles such as subject access and correction rights, or adequate security.
The Québec restriction also applies to other Canadian provinces (`outside Québec'), a matter of considerable interest to other federations like Australia. It is therefore likely that the Québec law will increase the pressure on other Canadian provinces (or the Canadian federal government) to enact comprehensive privacy laws.
Hong Kong's data export law
Since July 1995, Hong Kong's Personal Data (Privacy) Ordinance 1995 prohibits the export of personal information from Hong Kong unless the information will receive similar protection in the importing country to that which it is given under Hong Kong law, or certain exceptions apply (s33). The approach taken in the Hong Kong law is to prohibit the data user from transferring personal data to a place outside Hong Kong (including to other parts of China) unless one of the following conditions applies:

(a) the place has been specified (by the Commissioner) by a Gazette notice to have laws which are substantially similar to, or serve the same purpose as, the HK law; or
(b) the user has reasonable grounds for believing that the place has such laws; or
(c) the data subject has consented in writing to the transfer; or
(d) the user has reasonable grounds for believing that the transfer is to mitigate adverse action against the data subject, who would have consented to it if it was practicable to obtain their consent; or
(e) the data are covered by an exemption from data protection principle 3 under Part VIII (`domestic purposes', `security', `crime prevention', `health', reporting news, and some others); or
(f) `the user has taken all reasonable precautions and exercised all due diligence' to ensure that the data will not be dealt with in any manner in that place which, if it had occurred in Hong Kong, would contravene the Ordinance.

Breach of s33 can result in an enforcement notice by the Commissioner (s50), or an action for compensation for any damage, including injury to feelings (s66).
The s33 restriction applies not only to personal data which has (prior to export) been collected, held, processed or used in Hong Kong, but also to data which `is controlled by a data user whose principal place of business is in Hong Kong'. Such a `Hong Kong business' cannot therefore set up an `offshore' personal data processing operation to avoid the law, even in relation to data that has never entered Hong Kong. For example, if a Hong Kong business controls data being processed by its Singapore office or processing bureau, there cannot be data transfers between the Singapore office and Australia unless there is compliance with s33[73] .
Taiwan's data export law
International transmissions by public organisations must be `in accordance with relevant laws and ordinances' (A 9). In relation to private sector organisations, the government authority in charge of the particular sector in which a business falls may issue restrictions on particular transfers (A 24), for four reasons:

(i) to protect Taiwan's national interests;
(ii) where specially provided for in an international treaty or agreement;
(iii) `Where the receiving country lacks proper laws and / or ordinances to adequately protect personal data and where there are apprehensions of injury to the rights and interests of a concerned party'; and
(iv) `To indirectly transmit to and use from a third country personal information so as to evade control of this law'.

The third reason is similar to the EU's requirement for `adequate protection'. The fourth reason is novel, as it explicitly allows prohibition of transfers to countries with `adequate' laws, if this is a sham to allow further transmission to a country without adequate laws. `Dirty data havens', beware!
Enforcement Rules (regulations) under the Act are yet to be promulgated. Business organisations in Taiwan have made submissions requesting more certainty in the international transfer provisions, possibly in the form of a regulation naming countries with `adequate' laws - in which list they suggest Australia and the USA, for reasons best known to themselves!
Closing the EU `loophole'
Otherwise comprehensive laws (such as the New Zealand law) could be seen from the EU perspective to have a `loophole' in that there is nothing specific in them to stop data which is imported from Europe being `re-exported' to some other jurisdiction where no adequate privacy protection applies. Section 33 of the Hong Kong Ordinance closes this loophole, intentionally[74]. In contrast, Québec's s17 does not apply to data which has been imported into Québec (say, from the EU) about persons residing outside Québec, so it does not `close the loophole'.

Export restrictions within the Asia-Pacific
Now that export restrictions are arising in the laws of other Asia-Pacific countries, there will be barriers to the free flow of personal information within the Asia-Pacific (ie within APII), not only between the EU and the Asia-Pacific. With the enactment of the Hong Kong law, one such set of barriers already exists. If different personal data export restrictions arise in different Asia-Pacific countries, as is already occurring, there will be significant impediments to the development of electronic services and trade within the region. Such inconsistencies between European countries were one of the main factors leading to the EU privacy Directive.

Two models for data export restrictions - `prohibition order' and `breach'
Two main approaches to data export restrictions are apparent from the European and recent Asia-Pacific laws. The first approach, exemplified by s12 of the UK Data Protection Act, and by the Taiwan Act, and also embodied in the EU Directive, imposes no export restrictions on data users unless and until a data protection authority issues some type of export prohibition order, either in relation to a particular transfer, or in relation to a particular foreign country as a whole.

The second approach, exemplified by the Hong Kong and Québec laws, imposes an obligation on any data user who proposes to export personal data to ensure that there is some form of adequate protection in the jurisdiction of the recipient, and makes it a breach of the law by the data user to fail to do so, for which the data subject can take proceedings to obtain compensation or other remedies. The two approaches can be combined, as they are in the Hong Kong Act.
The first approach is likely to be driven by data protection authorities, whereas the second is more under the control of the data subject. Reidenberg sees data export laws such as that of Québec as the key to a `reconceptualised' `contract model' of providing adequate protection[75], in which the data subject's interests are directly protected by the data subject's rights under the law of the exporting country, whereas `the implementation of standards for foreign treatment of personal information becomes a private contractual matter between the exporter and the recipient'[76]. This is a useful analysis, but it overstates the centrality of an exporter-recipient contract, for the simple reason that in some cases industry codes of conduct, professional rules or other sources of law may be the basis on which the exporter concludes that the recipient's jurisdiction provides `adequate' protection.
5.4. Do the OECD Guidelines protect against export prohibitions?
The OECD's Guidelines contain four principles concerning freedom of, and legitimate restrictions on, `transborder flows of personal data' (Principles 15-18). In 1985 the Ministers of the OECD Member countries adopted a Declaration on Transborder Data Flows agreeing to undertake further joint work on export issues.

The OECD's 4 Principles concerning trans-border data flows
15. Member countries shall take into consideration the implications for other Member countries of domestic processing and re-export of personal data.
16. Member countries should take all reasonable and appropriate steps to ensure that transborder flows of personal data, including transit through a Member country, are uninterrupted and secure.
17. A member country should refrain from restricting transborder flows of personal data between itself and another Member country except where the latter does not yet substantially observe these Guidelines or where the re-export of such data would circumvent its domestic privacy legislation. A Member country may also impose restrictions in respect of certain categories of personal data for which its domestic privacy legislation includes specific regulations in view of the nature of those data and for which the other member country provides no equivalent protection.
18. Member countries should avoid developing laws, policies and practices in the name of the protection of privacy and individual liberties, which would create obstacles to transborder flows of personal data that would exceed requirements for such protection.
The main thrust of these OECD Principles is that member countries should avoid restrictions on the free flow of personal data between themselves, with three exceptions in Guideline 17.
The first exception in Guideline 17 is where the other member country (such as Australia) `does not yet substantially observe these Guidelines' (including the Principles of domestic application). The OECD Guidelines apply to both the public and private sectors.
The position in relation to Australia's compliance with the OECD Guidelines is much the same as with the discussion above concerning the `adequacy' of Australian laws and the EU Directive. The Privacy Act 1988 (Cth) substantially implements the Guidelines in respect of the Commonwealth public sector. State and Territory Freedom of Information Acts implement the subject access and correction Guidelines in relation to their public sectors. However, Australia's current lack of privacy laws in the private sector makes it difficult to argue that it complies with the Guidelines in any private sector area except that of credit reporting. The proposed extension of the Privacy Act will change this.
Therefore, the Guidelines do not at present provide protection against the imposition of data export restrictions by other OECD countries against Australia.
Once Australia does implement private sector privacy legislation to the level required by the OECD Guidelines, it could argue that any data export restrictions imposed by EU countries (virtually all of which are OECD members) must not exceed the requirements of Guidelines 17 and 18. The OECD Guidelines could then help to protect Australia against implementation of any European data export restrictions, whether flowing from the EU Directive or otherwise, if such restrictions required a level of `adequacy' of Australian laws exceeding that required by OECD Guidelines 7-14 (`Basic Principles of National Application'). In other words, Australia could argue that OECD Guidelines 7-14 define the maximum content of `adequacy' that European OECD members may impose without breaching OECD Guideline 18. It is also important to note that the OECD Guidelines provide the only guarantee of free flow of personal data: the EU Directive imposes no obligation on EU countries to allow exports to non-EU countries which have `adequate' laws; it only protects them from restrictions by other EU countries if they do so, and prohibits them from allowing exports to countries without `adequate' laws.
The second exception to OECD Guideline 17 is `where the re-export of such data would circumvent its domestic privacy legislation'. This exception appears to envisage restrictions on exports to countries which do not prevent further re-export to third countries which do not have laws which comply with the OECD Guidelines. Neither the Privacy Act nor other Australian legislation imposes any special restrictions on the export of personal data from Australia (or its import into Australia). The implications of this exception are that (i) any EU country could require Australia to have data export limitations in Australian law before permitting exports to Australia, without breaching the OECD Guidelines; and (ii) Australia would not breach the OECD Guidelines by refusing data exports to other countries which did not have a reciprocal provision.
The third exception in Guideline 17 allows additional restrictions to be imposed in relation to `sensitive' data.
The requirement in Guideline 15 that trans-border data flows `including transit through a Member country, are uninterrupted and secure' may be addressed in part by such legislation as the Telecommunications (Interception) Act 1979.
6. Towards an Asia-Pacific information privacy Convention?
The Asia-Pacific region is the world's most advanced region in the use of information technology outside of Western Europe, with North Asia being the most rapidly developing part of the region. The growing maturity of information technology in the countries of the Asia-Pacific means that the protection of privacy is increasingly finding its way onto national and international agendas in the region. This part argues that an issue on the regional agenda should be the need for a multilateral agreement on information privacy between Asia-Pacific countries.

6.1. The Asia-Pacific Information Infrastructure (APII) and privacy
The Second Senior Officials Meeting on Telecommunications and Information Industry, held on May 29-30 1995 in Seoul between the ministers responsible for telecommunications and information industries in the APEC member countries to review progress in the development of the Asia-Pacific Information Infrastructure (APII), is the first Asia-Pacific meeting to consider privacy issues as a matter of regional significance.

The Seoul Declaration for the APII states that one of the five Objectives of the APII is 'to promote free and efficient flow of information'. However, it also declares that one of the ten Core Principles of APII is 'ensuring the protection of intellectual property rights, privacy and data security'. The Seoul Declaration therefore suggests that the protection of privacy is seen as a means, or perhaps a necessary pre-condition, for the achievement of ultimate ends such as regional free flow of information. This approach, where the desirability of free flow of information, including personal information, is at least in part responsible for a recognition of the necessity for the establishment of standards of privacy protection, has characterised all international agreements which focus on privacy protection.
The Joint Statement following the meeting includes as specific items of cooperation a number of items which could involve greater dissemination of personal information, including development of global markets for services, testing of information sharing, 'initiatives to make government information more widely available via electronic means' and 'promotion of EDI'. No specific privacy-related initiatives were announced.
The fact that privacy is part of the APII agenda suggests that this is an opportune time to consider the need for greater privacy protection in the Asia-Pacific region, and the means by which such protection may be realised.
6.2. Strengthening local privacy laws
As a consequence of the Asia-Pacific's advanced use of information technology, there is already more development of privacy laws in the Asia-Pacific (in North America, Australasia, and North Asia) than in any region outside Europe. Stronger laws for the protection of privacy can be seen as a natural consequence of the development of advanced information-based economies, an aspect of the protection of human rights that parallels technological development. Nevertheless, such privacy laws as there are in the Asia-Pacific are often not comprehensive in their coverage, particularly in the private sector. The first requirement for privacy protection in the region is therefore the extension and strengthening of national laws.

Failure to do this will increase the risk that advanced use of information technology will result in authoritarian or overly manipulative use of such technology by governments and business. Such abuses in North America, Europe and Australasia have been documented in many recent works[77]. Protection of human rights is the first and most important reason for strong privacy laws.
The second reason for strengthening national privacy laws is, of course, to avoid restrictions on exports of personal data from Europe as a result of the EU data protection Directive, or as a result of export restrictions in regional laws. The reasons for developing information privacy laws in the Asia-Pacific therefore stem from at least two sources: (i) a recognition of information privacy as an aspect of human rights deserving of legal protection; and (ii) a desire to avoid unnecessary limitations on the international free flow of personal information.
6.3. The need for a regional agreement
The strengthening of national laws in the Asia-Pacific region may, however, be an inadequate response. Restrictions on the export of personal data are increasing within the Asia-Pacific, threatening the free flow of information within the region, as recognised in the Seoul Declaration for the APII. Such restrictions may be quite reasonable and understandable at a national level. A New Zealander could reasonably object to his or her medical records being held and processed in Australia, where they are largely unprotected, as a means of avoiding the strict controls of New Zealand's Health Information Privacy Code 1994[78]. A Hong Kong resident could object to his or her financial data being held or processed in Japan or the USA, where it might not have the same protection as in Hong Kong.

One means of dealing with such non-tariff trade barriers is an international agreement to guarantee free flow of personal information between the States which are parties to it, provided that each State provides an agreed minimum level of privacy protection in its laws, the approach taken in the OECD Guidelines, the Council of Europe Convention, and most recently in the EU Directive.
6.4. Can existing international agreements provide a vehicle?
If such an agreement is needed in the Asia-Pacific, are any of the existing agreements a suitable vehicle?

The OECD Guidelines are not an appropriate vehicle, mainly because many Asia-Pacific countries are not OECD members[79], because the Guidelines do not provide any method of enforcement of the minimum standards they propose, and possibly because the content of those standards reflects an understanding of privacy protection that is a decade old.
Although it is theoretically possible for non-European countries to become parties to the European data protection Convention, it has not yet happened, and membership of a European agreement is not an appropriate approach to developing the building blocks of the APII. First, the content of the Convention is of the same vintage as the OECD Guidelines, and secondly it is inappropriate for the Asia-Pacific to simply adopt a European model wholesale without adapting it to regional views and conditions.
There is no mechanism by which non-EU countries can become 'parties' to the EU Directive, so it is not relevant as a vehicle for implementation. Nor is the ICCPR suitable, for several reasons: it is too general in its terms; it cannot be used to provide any guarantee of free flow of information; and most countries in the region have not yet acceded to the optional protocol.
6.5. Elements of an Asia-Pacific information privacy Convention
It seems, therefore, that it is worth considering whether the best approach would be to develop an Asia-Pacific information privacy convention that reflects regional needs. What could be the mechanism for its development, the nature of the agreement, the content of its privacy standards, and its means of compliance? An alternative approach to the existing international agreements is to ask `what can we learn from them in fashioning a new agreement for the Asia-Pacific?'

Mechanism for development
The most promising mechanism for development would seem to be the APII structure within APEC, because privacy protection is most likely to be taken seriously as a condition of the development of the regional information infrastructure (as the Seoul Declaration indicates), and also because it will provide a regional solution. APEC is the broadest regional grouping relevant to the discussion, and the one with most momentum at present. Privacy is already part of the APII agenda.

Nature of the agreement
Existing international privacy agreements involve two elements, and these would also be present in any Asia-Pacific agreement.

First, there is an agreement between the State parties to implement in their domestic law privacy protections of a certain standard. The crucial question here is whether these standards are phrased as minimum or `required maximum' standards.
Minimum standards must be implemented in the domestic law of a State that wishes to obtain the protection of the agreement against data export prohibitions. A State is still free to impose higher standards on the processing of data within its own jurisdiction provided it does not prevent data exports to countries which only observe the lower `international' standard. The OECD Guidelines and the Council of Europe Convention are of this type.
`Required maximum' standards are required to be implemented in each State's domestic law, but may not be exceeded, subject to an allowed degree of latitude and any exceptions in the agreement. Such standards help to ensure that businesses and other organisations operating at a regional level (such as across Europe) can apply the same privacy policies in all jurisdictions. The international agreement would have to be altered in order for the standards to be raised. It has been argued above that the EU Directive is probably of this second type.
An Asia-Pacific agreement should only be a minimum standards agreement, at least at its inception. There is a far greater level of homogeneity in economic conditions and in attitudes toward privacy (and individual liberties generally) in Europe than there is in the Asia-Pacific. It is quite likely that countries will have very differing views about the desirable or acceptable level of privacy protection to be provided by domestic law. It is likely to be much less difficult to reach an agreement about the minimum level of privacy protection that should be provided in one country before another country is prevented from restricting exports of personal data to it, as countries are still free to disagree about whether a higher level of protection should be provided locally.
From a privacy perspective, requiring privacy protection to be limited to `common denominator' standards is undesirable where that denominator is likely to be low. In contrast, there will be considerable advantages for some time to come in each country in the region learning from successful privacy protection `experiments' in other countries, such as Hong Kong and Australia have already learnt from the New Zealand experience.
The second element is, of course, an agreement between the State parties not to prohibit the export of personal data from their jurisdictions to those of any other party which provides the minimum standard of protection in its law. Exceptions such as those found in OECD Guideline 17 also require consideration.
When an agreement comes into force
As with many international agreements, there would be a need to specify how many States must ratify the agreement before it comes into force. The Council of Europe privacy Convention of 1980 came into force in October 1985, once five member States of the Council of Europe ratified it (A 22(2)), although 18 States have now done so[80].

If a similar standard was applied for an Asia-Pacific Convention to come into force, it is likely that it would come into force fairly quickly. New Zealand, and possibly Australia, would be in a position to ratify immediately.
The relationship of the People's Republic of China to Hong Kong and to Taiwan complicates the position of two jurisdictions which would otherwise be able to sign such an agreement forthwith. The Council of Europe privacy Convention allows States to accede to the Convention with a `territorial clause' specifying to which of its territories the Convention will apply, and some similar flexibility may be needed in an Asia-Pacific Convention. It is possible that a federation like Canada might be able to ratify only in respect of some Provinces, such as Québec, at the outset.
Content of privacy standards
Insofar as content is concerned, the OECD Guidelines are one obvious starting point, particularly as they are not solely European. On the other hand, Chapter II of the EU draft Directive represents the current thinking of the European nations on desirable standards of privacy protection, and is therefore a valuable starting point for discussion, particularly because adoption of a similar approach will facilitate the free flow of personal information in both directions between Europe and the Asia-Pacific.

However, the EU Directive and the OECD Guidelines should only be a starting point for developing a set of information privacy principles appropriate to Asia-Pacific countries. A privacy advocate might regard both sets of principles as too weak and reflecting thinking which is being overtaken by new technologies[81], but might nevertheless be willing to settle for a relatively low minimum international standard so as to encourage the spread of privacy laws in the region. Trade interests may accept a higher standard than they would regard as ideal if this will guarantee free flow of information from certain countries with high local privacy standards. The details are a matter of relatively unpredictable political negotiation.
If the content of an Asia-Pacific Convention approximated either the OECD Guidelines or the EU Directive, it seems very likely that this would be regarded as 'adequate protection' by the EU, particularly in light of the reference to 'international commitments' in A25(5) of the EU Directive.
Compliance mechanisms
Compliance mechanisms present more of a problem, because the Asia-Pacific region does not have, and is not likely to develop (at least in the short term), regional adjudicative and enforcement mechanisms on the same model as the European Commission and Council or the European Court of Human Rights. Other new mechanisms will need to be developed within the APII framework, possibly including a Committee of Ministers of the parties to the Convention, and, as in the EU Directive, an Advisory Committee of Privacy Commissioners[82].

One related factor that needs to be borne in mind is that adoption of the Optional Protocol to the ICCPR by Asia-Pacific countries could provide a parallel mechanism by which regional States could allow an international complaints mechanism (the UN Human Rights Committee) to adjudicate on the adequacy of their privacy protections. This would allow individuals, not only States, to have privacy rights under international law, and would provide some parallel to the role of the European Court of Human Rights. However, the ICCPR seems unlikely to play a significant role in APEC's deliberations.
Conclusion - Wishful thinking, or Australia's opportunity?
An Asia-Pacific privacy Convention is achievable. A reasonable level of privacy protection should be one of the pre-conditions for free flow of personal information in the region. The development of an APII may be retarded if consumers, businesses and government cannot use international networks with some confidence that the privacy of transferred information will be respected. Restrictions on data exports are already developing and can be expected to multiply. A Convention need only prescribe the minimum necessary standards to guarantee free flow of personal information. It need only be ratified by a small number of States before coming into force, yet have the capacity to act as a catalyst for both the development of privacy laws in the region, and the free flow of information necessary for the development of an APII.

The next APII Ministerial meeting will be held in Australia in September 1996. If Australia used the opportunity it has as host of the meeting to present a draft regional privacy Convention for APEC's consideration, this would be a concrete step in developing the building blocks of the Asia-Pacific Information Infrastructure.
Appendix - Taiwan's new privacy law
Taiwan's Computer-Processed Personal Data Protection Law[83] was passed by the Legislative Yuan on 12 July 1995, and is stated to be part of the government's objective of turning Taiwan into a regional operations centre for companies in the Asia-Pacific.

The Act includes two sets of information privacy rules, one for `public institutions', and the other for all `non-public institutions'. All private sector organisations are covered if they collect or process by computer personal data. The information privacy rules are very similar to those found in the OECD guidelines, EU Directive and many national laws. In relation to each of the public and private sectors, articles of the law cover specification of system purposes, collection limitations, use limitations (`use' being defined to include disclosure), openness (registration and publication of system details), individual access, correction rights, accuracy obligations, and an obligation to appoint a data controller. Unlicensed businesses cannot be involved in the collection or use of personal information.
The enforcement provisions seem quite strong. Individuals can obtain compensation for breach of the information privacy rules, including for damage to reputation. Where public institutions are involved, the only defences are `acts of god, accidents, or other causes of force majeure', whereas with the private sector the defendant may prove `that it has no intention or fault'. Complaints are made to the supervising authority for the particular sector, as there is no single `privacy authority' under the Act. Sixty five professional institutions have been appointed to act as infringement verification institutions. Numerous criminal offences are also included (Chapter 5). The Ministry of Justice is responsible for overall coordination (A 41). There is provision for audits of private organisations (A 25). Organisations generally have one year to obtain any registrations or permissions under the law (A 42).
http://www.ascusc.org/jcmc/vol2/issue1/asiapac.html