Galexia

Asia-Pacific Region at the Privacy Crossroads (2008)

6. Emergence of a global privacy norm?

In establishing legislation to govern privacy issues relating to electronic data, the most prominent legal instruments remain the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data of 1980,[36] the EU Data Protection Directive of 1995,[37] and the APEC Privacy Framework of 2005.[38]

Of these instruments, an argument can be made that the EU approach to privacy protection is rapidly becoming the global norm. In the list of ‘advanced economies’ developed by the International Monetary Fund (IMF), 29 of the 31 economies have privacy legislation that is broadly aligned with the EU approach. Only the US and Singapore have a different approach to the protection of privacy (and even in the US many companies have joined the US Safe Harbour regime established to ensure compliance with the EU Directive).

The following Table summarises the privacy approach taken by the 31 Advanced Economies recognised by the IMF.[39] Advanced Economies are modern market economies that have a high level of GDP per capita, but excludes countries that rely predominantly on a single source of income (e.g. oil reliant economies such as Brunei and Saudi Arabia).


Country

Privacy Law

Coverage

EU Directive – Adequacy

1

Australia

The Privacy Act 1988

Comprehensive legislation

Awaiting assessment. Unlikely to be assessed as adequate while current exemptions for small business and employees remain in place. The Australian Law Reform Commission has recommended the removal of both exemptions.

2

Austria

Federal Act concerning the Protection of Personal Data 2000, (Datenschutzgesetz 2000 - DSG 2000)

Comprehensive legislation

EU Member

3

Belgium

Law of December 8, 1992 on Privacy Protection in relation to the Processing of Personal Data as modified by the law of December 11, 1998 implementing Directive 95/46/EC

Comprehensive legislation

EU Member

4

Canada

Personal Information Protection and Electronic Documents Act 2000 (PIPEDA)

Comprehensive legislation

Assessed as Adequate by EU on 20 December 2001[40]

5

Cyprus


Processing of Personal Data (Protection of the Individual) Law 138(I) 2001

Comprehensive legislation

EU Member

6

Denmark

Act on Processing of Personal Data (Act No. 429) 2000

Comprehensive legislation

EU Member

7

Finland

Personal Data Act (523/1999)

Comprehensive legislation

EU Member

8

France

Law 2004-801 of 6 August 2004 modifying law 78-17 of 6 January 1978 relating to the Protection of Data Subjects as Regards the Processing of Personal Data

Comprehensive legislation

EU Member

9

Germany

Federal Data Protection Act 2001 (Bundesdatenschutzgesetz - BDSG)

Comprehensive legislation

EU Member

10

Greece

Law 2472/1997 on the Protection of Individuals with regard to the Processing of Personal Data

Comprehensive legislation

EU Member

11

Hong Kong SAR

Personal Data (Privacy) Ordinance 1995

Comprehensive legislation

Unlikely to be assessed as adequate until trans-border data provisions come into force.

12

Iceland

Act on the Protection and Processing of Personal Data, No. 77/2000

Comprehensive legislation

European Free Trade Association (EFTA) Member

13

Ireland

Data Protection Act 1988

Comprehensive legislation

EU Member

14

Israel

The Protection of Privacy Law 5741-1981, 1011 Laws of the State of Israel 128

Comprehensive legislation

Reforming laws as part of the EU assessment process. Likely to be assessed as adequate before 2010.

15

Italy

Italian Personal Data Protection Code (Legislative Decree no. 196 of 30 June 2003)

Comprehensive legislation

EU Member

16

Japan

Personal Information Protection Law 2003

Comprehensive legislation

Awaiting assessment. May be some concerns regarding adequacy of access to data provisions and exemption for small record holdings.

17

Korea

Act on the Protection of Personal Information Maintained by Public Agencies 1999

Act on Promotion of Information and Communications Network Utilization and Information Protection 2001

Partial legislation covering the government and parts of the private sector.

Proposed law reform in Korea may result in comprehensive private sector coverage, increasing prospects of an adequacy assessment.

18

Luxembourg

Law of 2 August 2002 on the Protection of Persons with regard to the Processing of Personal Data

Comprehensive legislation

EU Member

19

Malta

Data Protection Act 2001 (Act XXVI of 2001)

Comprehensive legislation

EU Member

20

Netherlands

Personal Data Protection Act 2000 (Wet bescherming persoonsgegevens)

Comprehensive legislation

EU Member

21

New Zealand

The Privacy Act 1993

Comprehensive legislation

May be assessed as adequate once trans-border data provisions are strengthened. New Zealand commitment to amending law and seeking EU Adequacy assessment by 2011.

22

Norway

Personal Data Act 2000

Comprehensive legislation

European Free Trade Association (EFTA) Member

23

Portugal

Act on the Protection of Personal Data (Law 67/98 of 26 October), (Lei da protecçao de dados pessoais)

Comprehensive legislation

EU Member

24

Singapore




25

Slovenia

Personal Data Protection Act 1999

Comprehensive legislation

EU Member

26

Spain

Organic law 15/99 of 13 December 1999 on the Protection of Personal Data, (Ley Orgánica 15/1999, de 13 de diciembre de Protección de Datos de Carácter Personal)

Comprehensive legislation

EU Member

27

Sweden

Personal Data Act 1998

Comprehensive legislation

EU Member

28

Switzerland

Federal Law on Data Protection 1992

Comprehensive legislation

Assessed as Adequate by EU on 26 July 2000[41]

29

Taiwan

Computer-Processed Personal Data Protection Law 1995

Partial legislation (covering some industry)

Proposed law reform in Taiwan may result in comprehensive private sector coverage, increasing prospects of an adequacy assessment.

30

United Kingdom

Data Protection Act 1998

Comprehensive legislation

EU Member

31

United States

International Safe Harbor Principles

Partial legislation (covering the public sector and some private sector organisations)

Safe Harbour regime covers US businesses who opt-in. Assessed as Adequate (for those businesses who comply) by EU on 26 July 2000.[42]

 

The Table shows that, at least for modern advanced economies, a clear global norm has developed for privacy protection, based on comprehensive legislation with conditions for the transfer of personal information to third countries. Singapore finds itself in perhaps an uncomfortable position as the only advanced economy on the list to have no privacy legislation at all.


[36] OECD Guidelines; refer to footnote 17.

[37] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 24 October 1995,
<http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML>.

[38] APEC Privacy Framework; refer to footnote 3.

[39] International Monetary Fund, World Economic Outlook 2008: Country Composition of WEO Groups, April 2008, <http://www.imf.org/external/pubs/ft/weo/2008/01/weodata/groups.htm>.

[40] Commission Decision 2002/2/EC of 20.12.2001 on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act, Official Journal L 2/13, 4 January.2002,
<http://eur-lex.europa.eu/LexUriServ/site/en/oj/2002/l_002/l_00220020104en00130016.pdf>.

[41] Commission Decision 2005/518/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland, Official Journal L 215/1, 25 August 2000,
<http://eur-lex.europa.eu/LexUriServ/site/en/oj/2000/l_215/l_21520000825en00010003.pdf>.

[42] Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, Official Journal L 215/7, 25 August 2000,
<http://eur-lex.europa.eu/LexUriServ/site/en/oj/2000/l_215/l_21520000825en00070047.pdf>.