Asia-Pacific Region at the Privacy Crossroads (2008)
5. Other regional opportunities
- 5.1. ASEAN Harmonisation
- 5.2. Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
- 5.3. Asia Pacific Privacy Authorities (APPA)
Most countries in the Asia-Pacific belong to at least one of the three key regional organisations – APEC, ASEAN and the Pacific Islands Forum. Many countries also participate in specific regional meetings such as the East Asia Summit and the Asia-Europe Meeting (ASEM). There may be opportunities outside the APEC Privacy Framework for the development of privacy protection in the region.
5.1. ASEAN Harmonisation
The Association of South East Asian Nations (ASEAN) has recognised that the absence of harmonised data protection legal infrastructure has the potential to become a barrier to cross-border trade and investment. Significant business opportunities in business process outsourcing may gravitate to jurisdictions with privacy protection that meet these requirements.
ASEAN has committed to the establishment of an integrated ASEAN Economic Community (AEC) by 2015. A significant target within this commitment is the development of a harmonised legal infrastructure for E-Commerce, as set out in the Roadmap for Integration of e-ASEAN Sector.
The Strategic Schedule for ASEAN Economic Community contains the following specific target:
Adopt the best practices / guidelines on other cyber law issues (i.e. data protection, consumer protection, Intellectual Property, ISP liability, etc.) to support regional e-commerce activities (2010-2013).
As part of this plan, ASEAN may need to provide advice to Member Countries on the merits of the EU approach and the US/APEC approach to data protection.
This plan may sound ambitious to outsiders, but ASEAN has a successful track record in implementing harmonised legal infrastructure in this field. For example, the ASEAN Australia Development Cooperation Program (AADCP) – Electronic Commerce project helped ASEAN to implement harmonised e-commerce laws in eight Member Countries and draft laws in the remaining two Member Countries in just five years.
5.2. Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data
Another potential tool for privacy protection in the region is the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Although this is a European instrument, it is open for signature by non-European countries. In 2008 the Convention’s Consultative Committee recommended that non-member states with data protection legislation should be allowed to accede to the Convention.
Commentator Graham Greenleaf has noted some potential benefits of this approach for countries in the Asia-Pacific:
- Signing by one or more countries would encourage other Asia-Pacific countries to develop their laws and enforcement to the Convention standard;
- The Convention sets a standard higher than APEC, for example the Convention requires comprehensive laws and an independent authority;
- The Convention also requires data export limitations, including an ‘adequacy’ test (although this is contained in the additional protocol to the Convention, which raises further complexities regarding implementation).
Again, this approach appears ambitious. But there are some precedents in the region. Although countries in the Asia-Pacific region have traditionally been slow to sign international instruments, there appears to be an exception for e-commerce related laws.
The Council of Europe Convention on Cybercrime has been adopted outside the EU, including adoption in the region by Japan. The Philippines is listed as an official observer to the Convention on Cybercrime and there is considerable interest in signing the Convention on Cybercrime in Australia and Indonesia.
Similarly, the UN Convention on the use of electronic communications in international contracts only came into force in late 2006, but it has already been signed by China, Korea, the Philippines and Singapore.
Signing the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data could be an interesting alternative to achieving a regional standard of protection, although it does appear a ‘long-shot’ at this stage.
5.3. Asia Pacific Privacy Authorities (APPA)
Asia Pacific Privacy Authorities (APPA) is a regional forum for privacy regulators to meet and exchange ideas about privacy regulation, new technologies and the management of privacy enquiries and complaints. Members include national privacy regulators from Australia, Canada, Hong Kong, Korea, Macau, New Zealand and several smaller domestic privacy agencies.
APPA is growing in importance as a regional privacy body and attracting new members. However, it is primarily a forum for the discussion of administrative issues between existing privacy regulators, and does not play a significant role in the promotion of new privacy regulation.
 ASEAN Secretariat, Strategic Schedule for ASEAN Economic Community, 2007, <http://www.aseansec.org/21161.pdf>. For an overview of responses to this target, see Connolly C, Australian and regional regulatory responses to the key challenges of consumer protection in electronic commerce, March 2008, <http://www.galexia.com/public/research/articles/research_articles-art51.html>.
 For an analysis of key issues in achieving regional harmonisation of data protection laws, see Connolly C, Practical Issues in Achieving Regional Privacy Compliance, presentation to the First Technical Assistance Seminar on the International Implementation of the APEC Privacy Framework, January 2007, <http://www.galexia.com/public/research/assets/apec_seminar_galexia_20070118.pdf>.
 Galexia, Harmonisation of E-Commerce Legal Infrastructure in ASEAN, April 2008, <http://www.galexia.com/public/research/articles/research_articles-art53.html>.
 Connolly C, Harmonizing Cyber Legislation At The Regional Level: The Case Of ASEAN, in United Nations Conference on Trade and Development, Information Economy Report 2007–2008, February 2008, <http://www.unctad.org/Templates/WebFlyer.asp?intItemID=4462&lang=1>.
 Council of Europe, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, CETS 108, signed 28 January 1981, entered into force 1 October 1985, <http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm>.
 Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data [ETS No. 108], Abridged report of the 24th meeting (Strasbourg, 13-14 March 2008), CM2008(81), 15 May 2008, <https://wcd.coe.int/ViewDoc.jsp?Ref=CM(2008)81>.
 Council of Europe, Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows, CETS 181, signed 8 November 2001, entered into force 1 July 2004, <http://conventions.coe.int/Treaty/en/Treaties/Html/181.htm>.
 Greenleaf G, Asia-Pacific developments in information privacy law and its interpretation, 30 March 2008, <http://law.bepress.com/cgi/viewcontent.cgi?article=1007&context=unswwps>. See also Greenleaf G, Asia-Pacific developments in information privacy law and its interpretation, presentation to the Privacy Issues Forum, 30 March 2008, <http://www.privacy.org.nz/assets/Files/74942725.ppt>.
 Council of Europe, Convention on Cybercrime, CETS 185, signed 23 November 2001, entered into force 1 July 2004, <http://conventions.coe.int/Treaty/en/Treaties/Html/185.htm>.
 Ravindra P, UN Convention on the use of Electronic Communications in International Contracts to come into force, July 2006, <http://www.galexia.com/public/research/articles/research_articles-art41.html>.