Asia-Pacific Region at the Privacy Crossroads (2008)

3. The EU approach

The key components of the approach established by the EU Data Protection Directive are that privacy regulation is comprehensive (covering the public sector and the entire private sector) and that regulation is contained in enforceable legislation. Typically the legislation will also establish an independent regulator.

Privacy legislation in the Asia-Pacific region (including the four draft bills) is closely aligned with the overall EU approach, with some minor exceptions. Legislation in Korea and Taiwan is not yet ‘comprehensive’ in that it only covers parts of the private sector. Also, legislation in Japan and Taiwan establishes multiple sectoral regulators, rather than a single independent regulator.

A further key element of the EU approach is that the legislation will place some conditions on the export of data to a party in a third country. These conditions vary in the Asia-Pacific region, but they are present in Australia, Japan, Korea, Macau, New Zealand and Taiwan. The Hong Kong legislation includes conditions, but these are not yet in force. All of the four countries with draft legislation include conditions in their drafts.

The general approach in the region is to allow the transfer of data to a third country that provides adequate protection. If the transfer is to a country without adequate protection, the legislation will still allow it to proceed subject to alternative conditions (such as explicit consent or protection via contract).

Note that in Japan and New Zealand the condition for transfer is that the original organisation remains responsible for the protection of privacy even where the information is transferred to a party in a third country (backed at least in Japan by an enforcement and penalty regime). This approach is similar to Canada (which was assessed as adequate by the EU in 2001).

The EU Directive is itself the subject of ongoing criticism and review. Key concerns include:

  • There is a strong emphasis in the Directive on registration requirements such as notification (Articles 18 and 19) and publication (Article 21) – these can be overly bureaucratic and may distract attention and resources from managing privacy risks in more effective ways. The registration requirements appear to deliver little benefit and require considerable expenditure – they are the cause of significant concerns regarding compliance costs and are not present in privacy regulation in most other jurisdictions;
  • The distinction between data controllers and data processors in the Directive is confusing and does not represent modern information practices; and
  • The Directive does not cover law enforcement and security activities in an integrated way, resulting in a trend towards far reaching exemptions for law enforcement purposes without detailed justification.

In developing legislation in the Asia-Pacific region it has been common practice to ignore the more bureaucratic elements of the EU Directive. For example, the European experts advising China on their privacy legislation have specifically advised China not to include the registration requirements (Articles 18, 19 and 21) in their draft – noting that they are burdensome and expensive.[7] They also submit that these Articles are not required for the EU test of adequacy. Indeed, the EU assessed Canada’s legislation as adequate despite the absence of registration requirements in Canada.[8]

Similarly, the development of draft privacy legislation in the Philippines began with a Bill that included registration requirements, but these are not expected to appear in the final legislation. Currently there are no jurisdictions in the Asia-Pacific region that repeat the registration requirements in the EU Directive.[9]

The result is that the Asia-Pacific region is free to accept the positive aspects of the EU approach while avoiding some of the more bureaucratic and expensive registration elements of the EU Directive.

[7] Sutton G, Xinbao Z, Hart T, Personal Data Protection in Europe and China: What lessons to be Learned?, EU-China Information Society Project, November 2007, <>.

[8] Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act (notified under document number C(2001) 4539), Canada, <>

[9] Privacy legislation in Taiwan does contain some minor registration requirements for businesses. These requirements are the subject of proposed reforms in Taiwan.