Asia-Pacific Region at the Privacy Crossroads (2008)

9. Appendix 1 – National Laws

[ Galexia Dots ]

9.1. Australia

The Privacy Act 1988 (Cth) was amended in 2001[58] to include ten National Privacy Principles (NPPs) that apply to parts of the private sector (those that earn more than $3 million annually). The Privacy Act also includes a complaints, audit and enforcement regime.

The privacy regulator is the Office of the Privacy Commissioner.[59] They are a relatively ‘light touch’ regulator with a history of conciliating disputes.

NPP 9 currently prohibits transfers of personal information by an organisation to someone in a foreign country unless one of six conditions (a) – (f) is satisfied. If one of the conditions is satisfied, then the Australian organisation transferring the data may not be liable under the Act for any privacy breaches which may occur subsequently.

The most relevant conditions are (a) and (f):

  • Condition (a) allows transfers to recipients in foreign countries who are subject to substantially similar provisions as the NPPs. This requirement is merely that the organisation holds a ‘reasonable belief’ that the overseas arrangement ‘effectively upholds’ privacy principles substantially similar to those in the Australian Act. There is no objective or expert determination by a government or Privacy Commissioner of which overseas countries have substantially similar laws or obligations.
  • Condition (f) allows the transfer if the organisation has taken reasonable steps to ensure that the information transferred will not be held, used or disclosed by the recipient of the information inconsistently with the National Privacy Principles.

In August 2008 the Australian Law Reform Commission (ALRC) Report 108 – For Your Information: Australian Privacy Law and Practice Report was released. It contained detailed recommendations on Cross-border Data flows.

The ALRC’s recommended approach to accountability under the ‘Cross-border Data Flows’ principle draws on the APEC concept of accountability, but takes it further...The ALRC’s recommended approach provides for an agency or organisation to remain responsible under Australian privacy law in respect of the actions taken by a recipient of personal information outside Australia. Placing responsibility on the agency or organisation transferring the personal information ensures that an individual has the ability to seek redress from someone in Australia if the recipient breaches the individual’s privacy.[60]

However, in introducing a broad accountability requirement as the default protection for cross-border transfers, the ALRC did not recommend the repeal of the other alternative conditions (e.g. consent, substantially similar protection and contractual protection). These will remain in place. The ALRC did recommend some minor improvements:

It should be an exception to the default position of accountability if the agency or organisation transferring the personal information outside Australia reasonably believes that the recipient of the information is subject to a law, binding scheme or contract which effectively upholds privacy protections that are substantially similar to the model UPPs.
The ALRC does not recommend that any change be made to the ‘reasonable belief’ test. It does recommend, however, that the Australian Government should develop and publish a list of laws and binding schemes that effectively uphold principles for fair handling of personal information that are substantially similar to the model UPPs.[61]

These reforms are expected to be implemented in Australia in 2010.

Australia is a member of APEC and chaired the APEC Data Privacy Sub-Group during key stages of the development of the Pathfinder Projects. Australia is also a member of the Pacific Islands Forum.

9.2. Brunei

Brunei is one of the smallest countries in the region. It has no current legislation on privacy.

Brunei is a Member of APEC and attended an APEC privacy capacity building workshop in 2005 – Technical Assistance Seminar: Domestic Implementation of the APEC Privacy Framework.[62] There has been no further participation in APEC.

Brunei is also an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

There are no other relevant developments or plans in Brunei.

9.3. Cambodia

Cambodia has no current legislation on privacy.

Cambodia is not a member of APEC.

Cambodia is an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

There are no other relevant developments or plans in Cambodia.

9.4. China

In China, rapid economic growth and the benefits of globalisation have come hand in hand with a number of privacy issues which citizens are facing in daily life. National concerns have stemmed from the growing number of reports alleging the selling of personal information to call centres and service providers, as well as the abuse of other readily available personal information (such as the details given in application forms).[63] This exploitation of personal information has resulted in unwelcome phone calls, identity theft and a growing push for legislated privacy law.[64]

Some limited ‘freedom and privacy of correspondence’ exists in the Chinese constitution as a fundamental right,[65] but there is no consolidated national data protection legislation at this stage. Some minor specific privacy provisions appear in Chinese regulation of spam and ID cards.[66]

In 2003 the State Council’s Informatization Office (SCITO) began drafting information laws.[67] While the submission of the initial draft in 2005 did not lead to implementation, it operated as a foundation for the drafting of Data Protection Laws in 2007.[68] The law is now being developed under the new Ministry of Industry and Information Technology. The draft legislation is currently the subject of further stakeholder consultation and expert advice.[69]

The development of Data Protection Laws is being driven and supported by the EU-China Information Society Project (EUCISP), who held a workshop on 14 June 2007. The Workshop unveiled a report on Personal Data Protection in Europe and China: What Lessons to be Learned.[70] The report, through an analysis of the successes and failings of EU Data Protection measures, proposes twenty recommendations for Chinese policy-makers.

A key consideration in China is whether its remarkable growth as an economic powerhouse can be sustained without the implementation of modern laws:

The relevance for China is obvious: only if China establishes a reliable and robust personal data protection regime will it ensure that trade relationships with the EU (but also with most other countries of the Western hemisphere) can continue to develop. Personal data can easily be called the most valuable resource of the early 21st century. Any responsible country will seek to treat these data with the care they deserve. If for no other reason, the Chinese government’s work on a personal data protection law and policy deserves all possible support.[71]

To date, china’s draft legislation has been closely aligned with the EU Data Protection Directive.[72] Although their expert advisers have suggested that they should not import some of the more bureaucratic provisions in the Directive:

Recommendation: Do not require registration – The requirement to register personal data processing centrally has proven administratively burdensome and to add little value and should not be adopted.[73]

China is likely to explicitly seek an EU assessment regarding the adequacy of their laws:

The concept of ‘adequacy’ that the EU Data Protection Directive defines is important to the Chinese, and European regulators will expect significant clarification of the enforcement mechanism as a crucial part of any adequacy assessment for China.[74]

Early drafts of the Chinese legislation also include conditions for the cross-border transfer of data:

Grounds for restrictions are that state security or other significant state interests may be involved, where China has duties under international law, where other laws restrict transfers, and where the recipient country or area does not give ‘sufficient’ legal protection. The agency in charge of information resources of the State Council will determine which countries or areas come within this last category.[75]

Like many countries in the region, China receives input, funding and advice from both European[76] and US experts[77] on its privacy legislation. China is a member of both ASEM and APEC. While it would appear that China’s draft legislation is closely aligned with the EU approach at this stage, the region awaits the final outcome with interest.

9.5. Hong Kong

Hong Kong has established comprehensive privacy legislation for the private sector in the Personal Data (Privacy) Ordinance 1995.[78] The legislation is broadly aligned with the EU Data Protection Directive, although the Data Protection Principles are significantly shorter and simpler. Hong Kong has not introduced any registration requirements for businesses.

Section 33 of the Hong Kong Personal Data (Privacy) Ordinance 1995, is not currently in force. Once implemented, section 33(2) will forbid onward transfer of personal data outside of Hong Kong, unless, one of the stipulated situations apply. The conditions are similar to those in the Australian Act (NPP 9) with one significant difference. The Hong Kong provision allows the Privacy Commissioner[79] to designate a jurisdiction with substantially similar privacy laws to Hong Kong’s Ordinance.

As Section 33 is not yet in force and there are not yet any designated jurisdictions, much reliance can be placed on condition (b), that the organisation reasonably believes that the privacy laws of the recipient’s country are substantially similar to Hong Kong’s Ordinance.

Hong Kong is a member of APEC.

9.6. Indonesia

Indonesia is a member of APEC, but is not an active participant in the APEC Privacy Pathfinder Projects. Indonesia is also a member of ASEAN and has committed to the development of harmonised data protection legislation by 2015.

There is currently no comprehensive privacy legislation in Indonesia, although their umbrella e-commerce law does contain a privacy commitment – this requires subsequent detailed regulations. Privacy may not be a high priority area in Indonesia compared with current issues such as digital copyright and online content regulation.

The Law on Information and Electronic Transactions[80] is an ambitious piece of umbrella legislation covering e-government, electronic contracting, privacy, cybercrime, digital copyright and other cyberlaw issues in a single omnibus Law. The legislation contains a single, brief provision on privacy:

Article 26
(1) The utilization of any information by means of electronic media relating to data about private right of anyone shall be carried out with the approval of the person concerned unless otherwise stipulated by the statutory regulation.
(2) Any person whose rights are violated in the manner detailed in paragraph (1) is entitled to compensation for any loss as explained within this legislation.

The provision necessitates consent for any electronic use of personal data, by the person whom the data relates to, except in cases where statutory legislation negates this requirement.

The privacy measures afforded by Article 26 of the Law on Information and Electronic Transactions are a small step on the road to a more secure e-commerce environment. The provision echoes elements of the various international instruments. While a fuller implementation of privacy legislation in the future may be a goal of the Indonesian legislature, Article 26 provides a foundation for the protection of individuals’ privacy rights.

Indonesia is an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

9.7. Japan

The Act on the Protection of Personal Information 2003[81] is a very comprehensive piece of privacy legislation with detailed rules on almost every aspect of personal information management. The Act is supplemented by Guidelines issued by relevant government agencies – there are more than 35 in place.[82] There is no single privacy regulator in Japan. Instead, other government regulators are responsible for policing privacy compliance in particular industries.[83]

Article 23.1 of the Act on the Protection of Personal Information 2003 sets out a general prohibition on the transfer of personal data to any third party without the prior consent of the data subject.

Article 23.4 of the Act allows the sharing of information in certain circumstances. Article 23.4(1) covers the situation where personal data is entrusted to another person or entity such as a data-processing company or an outsourced company handling payroll. To the extent necessary to achieve the purpose of use of that personal data, the entity may transfer the data without obtaining the consent of the data subject.

However, under Article 22, organisations are responsible for the supervision of such delegates for proper handling of personal data. For example, the Guideline for Personal Information Protection in the Financial Services Sector requires that the entity must enter into an agreement setting out the responsibilities of such delegates to protect the personal data.

In addition to the legislation, many Japanese companies participate in a voluntary privacy trustmark scheme that indicates compliance with a local standard: JIS Q 15001.[84] However, the trustmark appears to be only used by domestic Japanese firms: ‘Companies eligible to receive certification for PrivacyMark are private enterprises based in Japan’.[85]

Japan is a member of APEC.

9.8. Korea

South Korea’s privacy law is contained in the Act on the Protection of Personal Information Maintained by Public Agencies 1999[86] for Government and the Act on Promotion of Information and Communication Network Utilization and Information Protection 2001[87] for the private sector. This second Act only applies to the information and telecommunications industries that are providers of information and communications services such as common carriers, Internet service providers and other intermediaries, such as content providers. The Act also covers specific offline service providers such as travel agencies, airlines, hotels, and educational institutes.

However, there is a significant push for reform of privacy law in Korea. During 2007 three bills were awaiting debate at Korea’s Government Administration and Home Affairs Committee. The Ministry of Information and Communication has also drafted a revised version of the current Act. The revised draft takes into account the unique characteristics of the IT sector as well as the rising demand for stronger personal information protection. The draft also improves upon the existing law and addresses the issues that were raised during enforcement of the law.[88]

The current privacy regulator is the Ministry of Information and Communication as they provide guidance for any services provided via websites or information technology. The key regulator is the Korea Information Security Agency (KISA), although complaints handling is complemented by the work of the Personal Information Dispute Mediation Committee (PICO).[89]

Article 54 is relevant to the transfer of personal data to other jurisdictions. It prevents the entity from entering into an international contract that might violate the information protection provisions. In effect, this is requiring that any transborder data flow to another jurisdiction must only occur where there is the same or higher protection for data as that set out under the Act.

In July 2008, the Korean Cabinet agreed to expand and enhance Korea’s data protection laws:

The Korean government... would take measures for heightened privacy protection to address public concerns over the illegal use of personal information. The government will expand its budget for the protection of personal data and enforce tougher privacy rules on companies, under the plan announced at the Cabinet meeting involving the Ministry of Public Administration and Security, the Ministry of Knowledge Economy, the Korea Communications Commission and the National Intelligence Service and Prime Minister Han Seung-soo... The government will draw up a data protection bill during the second half of this year, including prohibiting firms from obtaining customer data except in certain cases.[90]

Korea is a member of APEC.

9.9. Laos

Laos is a small developing country and remains on the UN list of least developed countries. Laos has no current legislation on privacy.

Laos is not a member of APEC.

Laos is an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

There are no other relevant developments or plans in Laos.

9.10. Macau

Macau is now a Special Administrative Region of China, however it maintains its own suite of commercial laws.

Macau has comprehensive privacy legislation in the form of the Personal Data Protection Act (2005).[91] The regulator is the Office for Personal Data Protection.[92]

Article 19 of the Act contains principles relevant to the cross-border transfer of personal data.

Article 19-1 – The transfer of personal data to a destination outside the MSAR may only take place subject to compliance with this Act and provided the legal system in the destination to which they are transferred ensures an adequate level of protection.

Macau is not a member of APEC or any other regional organisation. The Macau Office for Personal Data Protection has been participating in meetings of the Asia Pacific Privacy Authorities (APPA).

9.11. Malaysia

Increasing understanding of the risks associated with personal data in Malaysia has seen a push for a Data Protection Act and after a long and complex history,[93] Malaysia’s Personal Data Protection Bill is now in the final stages of drafting.[94] The Bill is expected to be subject to a further round of stakeholder consultation in late 2008.[95] Some stakeholders are encouraging Malaysia to enact legislation that meets the standards of the EU Directive.[96]

The Bill provides ambitious, comprehensive privacy protection:

The personal data protection law is envisaged to be a world class leading edge cyberlaw that provides for higher level of personal data protection... and to promote Malaysia as a preferred trading partner that provides international standards of personal data protection.[97]

There are also proposals in Malaysia to establish both a Privacy Commissioner and a Personal Data Protection Tribunal (to hear appeals from decisions of the Commissioner). Malaysia has looked at all options, including the EU and APEC approaches in drafting their legislation.[98]

Malaysia is an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

9.12. Myanmar

Myanmar is a relatively isolated country with a large population. It has surprisingly advanced laws in many areas of e-commerce but there is no current legislation on privacy.

Myanmar is not a member of APEC.

Myanmar is an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

There are no other relevant developments or plans in Myanmar.

9.13. New Zealand

New Zealand has comprehensive privacy legislation – the Privacy Act 1993 – regulated by an independent Privacy Commissioner. There is an expectation that New Zealand may be assessed as adequate by the EU once trans-border data provisions in the legislation are strengthened.[99]

New Zealand itself is committed to amending the legislation and seeking an EU Adequacy assessment by 2011:

The Privacy Act [will be] amended to harmonise with EU requirements for transborder transfers of personal data, in order to strengthen New Zealand’s case for ‘white list’ status under the EU Directive.[100]

Principle 10 of the Act currently extends the application of the information principles to information held overseas:

10 Application of principles to information held overseas
(1) For the purposes of principle 5 and principles 8 to 11, information held by an agency includes information that is held outside New Zealand by that agency, where that information has been transferred out of New Zealand by that agency or any other agency.

The steps needed to ensure adequacy for New Zealand have been described as ‘minor’.[101]

New Zealand is a member of APEC and has been an active participant in several APEC Privacy Pathfinder Projects. New Zealand is also a member of the Pacific Islands Forum.

9.14. Pacific Islands

The Pacific Islands Forum is a regional organisation comprising Australia, the Cook Islands, Micronesia, Fiji, Kiribati, the Marshall Islands, Nauru, New Zealand, Niue, Palau, Papua New Guinea, Samoa, the Solomon Islands, Tonga, Tuvalu, and Vanuatu. Associate members are New Caledonia and French Polynesia. Observers are Tokelau and Timor-Leste (East Timor).

There are no comprehensive privacy laws in any of the smaller jurisdictions at this stage (excluding Australia and New Zealand), but they have a cyberlaw harmonisation project that may incorporate privacy law in the future.[102]

The Wellington Declaration[103] (made by the Pacific Island Forum Information and Communications Technologies Ministerial Meeting 30 March 2006, Wellington, New Zealand) established some priority areas of concern including identifying assistance for capacity building for regulatory infrastructure. A Workshop on Principles of Cyber Legislation for Pacific Island Countries in 2007 included data protection in the list of ICT laws requiring harmonisation.

The current priority in the region is the development of anti-spam legislation – with new legislation in place or drafted for Cook Islands, Niue, Samoa, Tonga and Vanuatu.[104]

It is Important not to underestimate the privacy protection that exists in some of the small Pacific nations, or to assume that protections are non existent, as some minor privacy law provisions exist in the constitutions and/or common law of individual member countries, and there is some local case law on the invasion of privacy.[105]

Vanuatu is the only country with any specific privacy legislation. The Vanuatu Electronic Transactions Act 2000[106] contains the following section on data protection:

25 (1) The Minister may make orders prescribing standards for the processing of personal data, whether or not the personal data originates inside Vanuatu.
(2) The regulations may provide for the following:
(a) the voluntary registration and de-registration to the standards by data controllers and data processors;
(b) the establishment of a register that is available for public inspection showing particulars of data controllers and data processors who have registered or de-registered to the standards and the dates thereof and the countries in respect of which the registration applies;
(c) the application of the standards to those countries specified in the regulations;
(d) different standards to be applied in respect of personal data originating from different countries.

At the time of writing no orders have been made under this Section.

9.15. Philippines

The Philippines is in the process of developing comprehensive privacy legislation. Several Bills are currently before their Parliament and these are expected to be combined into a final draft Bill in the near future. The legislation aims to:

Establish fair practices in the collection, recording, organization, storage, updating or modification, retrieval, consultation, use, consolidation, dissemination by any means, merging, linking, blocking, erasure or destruction of personal data of natural persons and to penalise the unauthorised processing and disclosure thereof.[107]

The early drafts of the legislation were ‘influenced by the structure and the language of the EU Directive and the UK’s Data Protection Act of 1998’.[108] However, efforts are currently being made to ensure that some of the more bureaucratic registration requirements in the EU Directive are not imported into the Philippines legislation.

The Philippines is a member of APEC and has been attending some APEC Privacy Framework meetings.

The Philippines is an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

9.16. Singapore

Singapore is yet to enact data protection legislation, although a voluntary, industry-based self regulatory model code exists. The Model Data Protection Code[109] was developed by the InfoComm Development Authority[110] and is based on OECD data protection guidelines.[111] The Model Code is designed to be adopted by businesses in their own data protection policies.

In the absence of specific legislation, the Model Data Protection Code for the Private Sector represents best privacy practice in Singapore. It is unlikely that Singapore would be assessed as adequate by the EU, although this issue is the subject of some interest to Singapore businesses.[112]

The Model Code applies to any private sector organisation that collects and installs personal data in electronic form, online or offline, using the Internet or any other electronic media.

1.4 The Model Code applies to any personal data which are processed or controlled by the organisation, regardless of whether the data are transferred out of Singapore. The Model Code applies in favour of all persons, whether resident in Singapore or not, whose data are or have been processed by the organisation.

It is important to note that the Model Code was always intended to be an interim measure on a longer path towards comprehensive legislation:

As an interim measure, voluntary data protection guidelines for the private sector (such as the Model Code) should be given official recognition and adherence invited on a voluntary basis. The exercise will have an educative and harmonising function and should facilitate the introduction of legislation, should Parliament decide in the future to legislate.[113]

In 2006-2007 privacy legislation was the subject of an inter-agency committee study.[114] In 2008, there have been discussions of a new commitment to privacy legislation in Singapore – based on a sectoral approach similar to that used in Japan.

Singapore is a member of APEC. Singapore is not currently participating in any APEC Privacy Pathfinder Projects, but is hosting the meetings of the Data Privacy Sub Group in 2009.

Singapore is an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

Singapore also has a small TrustMark scheme.[115] However, this is a generic e-commerce scheme and does not include specific privacy requirements beyond a requirement to publish a privacy policy on a website.[116]

9.17. Taiwan

Taiwan has complex privacy legislation in place – the Computer-Processed Personal Data Protection Law 1995 (‘the PDP law’)[117] regulates the ‘computerized processing of personal data’. At present eight categories of non-government organisations (‘non-public institution’) are governed by it, including those in finance or securities.

The PDP Law requires certain private sector organisations to register their activities with a relevant regulator. Companies who register are bound by the privacy legislation but receive some generous waivers for communications with clients.

There is no central agency responsible for enforcement of the PDP Law. Enforcement is handled by the relevant government authority for the sector concerned.

There have been some high profile privacy breaches in Taiwan in relation to lost/stolen credit card data. Privacy issues are reasonably high on the agenda as a result of these breaches.

Under Article 24 of the PDP Law, the relevant authority for the sector may issue restrictions on particular transborder transfers for any of the four circumstances set out in the Article. Article 24(3) specifies the circumstance similar to the EU's requirement for ´adequate protection'. That is, where the receiving country lacks proper laws and / or ordinances to adequately protect personal data and where there are apprehensions of injury to the rights and interests of a concerned party.

Taiwan is currently undertaking substantial reform of privacy legislation.

Taiwan is an APEC member and an active participant in several APEC Privacy Pathfinder Projects.

9.18. Thailand

Thailand has a draft Privacy Act that strives to protect an individual’s personal information while balancing this with the development of information technology and the promotion of Thailand’s ICT policy. The draft data protection law is based on eight principles: consent, notice, purpose specification, use limitation, accuracy, access, security and enforcement.[118]

Businesses have been encouraging Thailand to develop privacy legislation in order to ‘seize BPO opportunities’.[119] Thailand is in the final stages of consultation on its draft privacy legislation, under the direction of the Council of State. The general approach taken in the draft legislation is closely aligned with the EU Directive.[120]

Thailand is an APEC member. Thailand is also an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

9.19. Vietnam

Vietnam does not have comprehensive privacy legislation, but it does have a short privacy section in their e-commerce legislation that could serve as a foundation for more detailed legislation in the future. Article 46 of the Law on E-Transactions covers information confidentiality in e-transactions:

1. Agencies, organizations and individuals shall have the right to select security measures in accordance with the provisions of the law when conducting e-transactions.
2. Agencies, organizations and individuals must not use, provide or disclose information on private and personal affairs or information of other agencies, organizations and/or individuals which is accessible by them or under their control in e-transactions without the latter's consents, unless otherwise provided for by law.

In addition, the Law on Information technology stipulate that more detailed regulations regarding information protection in the environment such as regulations on collection, process, use, storage and provision of personal information, may be developed in the future (Articles 21 and 22).[121]

Vietnam is also considering the development of a trust-mark scheme, and has made specific references to the APEC Privacy framework in relation to their trust-mark proposal.[122]

Vietnam is an ASEAN Member Country and shares a commitment to harmonised data protection laws in ASEAN by 2015.

[58] Privacy Amendment (Private Sector) Act 2000 (Cth), <>.

[59] <>

[60] ALRC Report 108, chapter 31; refer to footnote 20.

[61] ALRC Report 108, paragraphs 31.136–31.137; refer to footnote 20.

[62] Greenleaf G, A Tentative Start For Implementation Of APEC’s Privacy Framework, 2005, <>.

[63] Xu M, Chinese netizens want law to protect their personal information, 28 November 2007, <>.

[64] Xinhua News Agency, Lawmaker Urges Legislation to Curb Rampant Privacy Infringement, 6 March 2005, <>.

[65] Article 40, Constitution of the People’s Republic of China 1982 (China), <>.

[66] Kim Y, Data Security, Privacy in Asia – Countries Need to Cooperate for Better Legal Context, 2007, <>.

[67] People’s Daily Online, China to legislate for protection of personal information, 25 January 2005, <>.

[68] China Economic Net, Law on personal info ‘next year’, 6 August 2007, <>.

[69] China View, New law expected to protect privacy, 6 August 2007,
<>; see also Zhe Z, Law on personal info ‘next year’, China Daily, 6 August 2007, <>.

[70] EU-China Information Society Project, Research Final Workshop: ‘Personal Data Protection’, 20 June 2007,
<[email protected]>.

[71] Sutton G, Xinbao Z, Hart T, Personal Data Protection in Europe and China: What lessons to be Learned?, EU-China Information Society Project, November 2007, <>; see also Robertson S, Privacy and outsourcing to China, January 2008, <>.

[72] Greenleaf G, China proposes Personal Information Protection Act, Privacy Laws & Business International Newsletter, February 2008, issue 91.

[73] Sutton G, Xinbao Z, Hart T, Personal Data Protection in Europe and China: What lessons to be Learned?; refer to footnote 71.

[74] Treacy B and Abrams M, A privacy law for China?, Complinet, 29 May 2008, <>.

[75] Greenleaf G, China proposes Personal Information Protection Act; refer to footnote 72.

[76] Sutton G, Legislating for data protection in China,, 4 October 2007, <>.

[77] The Centre for Information Policy Leadership, China Privacy Governance, Hunton & Williams LLP, June 2007, <>.

[78] Personal Data (Privacy) Ordinance 1995 (Hong Kong), <>.

[79] <>

[80] Galexia, Indonesian Parliament passes e-commerce law, March 2008, <>.

[81] Act on the Protection of Personal Information 2003 (Japan), <>.

[82] Ponazecki J, Levison D, World Data Protection Report – Japan: Personal information privacy update, BNA International, December 2007, <>.

[83] Miyashita H, A Japanese Culture of Privacy, Technical Assistance Seminar on International Implementation of the APEC Privacy Framework, 18 February 2008, <>.

[84] Japan Information Processing Development Corporation, PrivacyMark System, 1 August 2008, <>.

[85] <>

[86] Act on the Protection of Personal Information Maintained by Public Agencies 1999 (Korea), < ACT ON THE PROTECTION OF PERSONAL INFORMATION MAINTAINGED BY PUBLIC AGENCIES.doc>.

[87] Act on Promotion of Information and Communications Network Utilization and Information Protection 2001 (Korea) <>.

[88] National Internet Development Agency of Korea, Korea Internet White Paper 2006, 21 July 2006, page 78, <>.

[89] Greenleaf G, A Tentative Start For Implementation Of APEC’s Privacy Framework; refer to footnote 62.

[90] Sojung Y, Gov’t to enhance privacy protection,, 23 July 2007, <>.

[91] Personal Data Protection Act (Act 8/2005) (Macau) <>.

[92] <>

[93] Jawahitha S, Ishak M and Mazahir M, E-Data Privacy and the Personal Data Protection Bill of Malaysia, Centre for Cyberlaw, Faculty of Management, 2007, <>.

[94] The Star, Act to keep personal data private, 6 November 2007, <>.

[95] The New Straits Times, After 10 years in limbo, your privacy remains at stake, 13 January 2008, <>.

[96] Human Rights Committee, HRC Responds: Consult stakeholders on the proposed Data Protection Bill, The Malaysian Bar, 16 July 2008, <>.

[97] Minister of Energy, Communications & Multimedia (Malaysia), Presentation of Personal Data Protection Bill to Participants of the Asian Personal Data Privacy Forum (Hong Kong), 27 March 2001, <>.

[98] Bernama, Ministry Finalising Draft of Personal Data Protection Bill, 5 November 2007, <>.

[99] Office of the Privacy Commissioner (NZ), International Transfers of Personal Data: Candidate for Adequacy – The New Zealand Case, 8 July 2001, <>.

[100] Office of the Privacy Commission (NZ), Statement of Intent 2008/09, 2008, page 16, <>.

[101] Slane H, Human Rights in Foreign Policy, Office of the Privacy Commissioner (NZ), 6 September 2000, <>.

[102] Pacific Islands Forum Secretariat, Pacific Regional Digital Strategy, November 2006, <>.

[103] Forum Information and Communications Technologies Ministerial Meeting, Wellington Declaration, 30 March 2006, <>.

[104] Galexia, DBCDE – Strengthening Span Legislation, Enforcement and Cooperation Regimes in the Pacific project, October 2007, <>.

[105] See for example Mauricio v Phoenix of Micronesia Inc [1998] FMSC 23; 8 FSM Intrm. 411 (Pon. 1998), 3 August 1998, <> and Nethon v Mobil Oil Micronesia, Inc. [1994] FMSC 22; 6 FSM Intrm. 451 (Chk. 1994), 11 July 1994, <>.

[106] Electronic Transactions Act (No. 24 of 2000) (Vanuatu) <>.

[107] Stakeholders are currently consulting on the version of the Bill located at: <!.pdf>.

[108] See Parlade C, Privacy and Data Protection in the Philippines, Privacy Laws and Business International 2008 (forthcoming).

[109] TrustSG, Model Data Protection Code, 2003, <>.

[110] <>

[111] Organisation for Economic Co-operation and Development, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, 1980, <,3343,en_2649_34255_1815186_1_1_1_1,00.html>.

[112] Lehdonvirta V, European Union Data Protection Directive: Adequacy of Data Protection in Singapore, 2004, Singapore Journal of Legal Studies, pages 511-546, <>.

[113]The National Internet Advisory Committee Legal Subcommittee, Report On A Model Data Protection Code For the Private Sector, 2002, <>.

[114] Wong M, Committee reviewing data protection regime in Singapore, Channel NewsAsia, 16 February 2006, <>.

[115] <>

[116] TrustSG, Self Assessment for Merchants, 2005, <>.

[117] Computer-Processed Personal Data Protection Law 1995 (Taiwan), <>.

[118] Privacy International, Privacy and Human Rights 2006 – Kingdom of Thailand, 18 December 2007, <[347]=x-347-559484>.

[119] Bangkok Post, We need data privacy act to attract BPO, 7 February 2007, <>.

[120] Raksirivorakul W, Introducing Thailand’s Data Protection Law, Mayer Brown, 26 June 2008, <>.

[121] Hoang Minh D, Data Privacy and Data Protection in E-Commerce In Vietnam, Technical Assistance Seminar on International Implementation of the APEC Privacy Framework (Lima, Peru), 18 February 2008, <>.

[122] Vietnam Business Finance, Data privacy poses obstacle to e-commerce development, 30 March 2008, <>.