APEC Privacy Framework · 2017. 10. 31. · 04 APEC PRIVACY FRAMEWORK 7. The Framework is intended...

Information flows are vital to conducting business in aglobal economy. The APEC Privacy Framework promotesa flexible approach to information privacy protectionacross APEC member economies, while avoiding thecreation of unnecessary barriers to information flows.

PRIVACYFRAMEWORK

APEC

ISBN 981-05-4471-5APEC#205-SO-01.2 © 2005 APEC Secretariat

Published by

APEC Secretariat, 35 Heng Mui Keng Terrace, Singapore 119616Tel: (65) 6775 6012 Fax: (65) 6775 6013Email: [email protected] Website: www.apec.org

APEC PRIVACY FRAMEWORK

APEC member economies realize the

enormous potential of electronic

commerce to expand business

opportunities, reduce costs, increase

efficiency, improve the quality of life,

and facilitate the greater participation

of small business in global commerce.

A framework to enable regional data

transfers will benefit consumers,

businesses, and governments.

Ministers have endorsed the APEC

Privacy Framework, recognizing the

importance of the development of

effective privacy protections that

avoid barriers to information flows,

ensure continued trade, and

economic growth in the APEC region.

FOREWORD

part i. preamble 2

part ii. scope 5

part iii. APEC information privacy principles 11

Preventing Harm 11

Notice 12

Collection Limitations 15

Uses of Personal Information 16

Choice 17

Integrity of Personal Information 20

Security Safeguards 21

Access and Correction 22

Accountability 28

part iv. implementation 30

Part A: Domestic Implementation 30

Part B: International Implementation 34

part i. preamble

1. APEC economies recognize the importance of protecting information privacy and

maintaining information flows among economies in the Asia Pacific region and

among their trading partners. As APEC Ministers acknowledged in endorsing the

1998 Blueprint for Action on Electronic Commerce, the potential of electronic

commerce cannot be realized without government and business cooperation “to

develop and implement technologies and policies, which build trust and confidence

in safe, secure and reliable communication, information and delivery systems, and

which address issues including privacy...". The lack of consumer trust and confidence

in the privacy and security of online transactions and information networks is one

element that may prevent member economies from gaining all of the benefits of

electronic commerce. APEC economies realize that a key part of efforts to improve

consumer confidence and ensure the growth of electronic commerce must be

cooperation to balance and promote both effective information privacy protection

and the free flow of information in the Asia Pacific region.

2. Information and communications technologies, including mobile technologies, that

link to the Internet and other information networks have made it possible to collect,

store and access information from anywhere in the world. These technologies offer

great potential for social and economic benefits for business, individuals and

governments, including increased consumer choice, market expansion, productivity,

education and product innovation. However, while these technologies make it easier

and cheaper to collect, link and use large quantities of information, they also often

make these activities undetectable to individuals. Consequently, it can be more

difficult for individuals to retain a measure of control over their personal

information. As a result, individuals have become concerned about the harmful

consequences that may arise from the misuse of their information. Therefore, there

is a need to promote and enforce ethical and trustworthy information practices in

on- and off-line contexts to bolster the confidence of individuals and businesses.

APEC PRIVACY FRAMEWORK02

03

1 The 1980 OECD Guidelines were drafted at a high level that makes them still relevant today. In many ways, the OECD Guidelines representthe international consensus on what constitutes honest and trustworthy treatment of personal information.

3. As both business operations and consumer expectations continue to shift due to

changes in technology and the nature of information flows, businesses and other

organizations require simultaneous input and access to data 24-hours a day in order

to meet customer and societal needs, and to provide efficient and cost-effective

services. Regulatory systems that unnecessarily restrict this flow or place burdens

on it have adverse implications for global business and economies. Therefore, in

promoting and enforcing ethical information practices, there is also a need to develop

systems for protecting information privacy that account for these new realities in

the global environment.

4. APEC economies endorse the principles-based APEC Privacy Framework as an

important tool in encouraging the development of appropriate information privacy

protections and ensuring the free flow of information in the Asia Pacific region.

5. This Framework, which aims at promoting electronic commerce throughout the Asia

Pacific region, is consistent with the core values of the OECD’s 1980 Guidelines on

the Protection of Privacy and Trans-Border Flows of Personal Data (OECD

Guidelines)1, and reaffirms the value of privacy to individuals and to the information

society.

6. The Framework specifically addresses these foundation concepts, as well as issues

of particular relevance to APEC member economies. Its distinctive approach is to

focus attention on practical and consistent information privacy protection within

this context. In so doing, it balances information privacy with business needs and

commercial interests, and at the same time, accords due recognition to cultural and

other diversities that exist within member economies.


7. The Framework is intended to provide clear guidance and direction to businesses

in APEC economies on common privacy issues and the impact of privacy issues upon

the way legitimate businesses are conducted. It does so by highlighting the reasonable

expectations of the modern consumer that businesses will recognize their privacy

interests in a way that is consistent with the Principles outlined in this Framework.

8. Finally, this Framework on information privacy protection was developed in recognition

of the importance of:

• Developing appropriate privacy protections for personal information, particularly

from the harmful consequences of unwanted intrusions and the misuse of personal

information;

• Recognizing the free flow of information as being essential for both developed

and developing market economies to sustain economic and social growth;

• Enabling global organizations that collect, access, use or process data in APEC

member economies to develop and implement uniform approaches within their

organizations for global access to and use of personal information;

• Enabling enforcement agencies to fulfill their mandate to protect information

privacy; and,

• Advancing international mechanisms to promote and enforce information privacy

and to maintain the continuity of information flows among APEC economies and

with their trading partners.

9. Personal information means anyinformation about an identified oridentifiable individual.

part ii. scope

The purpose of Part II of the APEC Privacy Framework is to make clear the extent ofcoverage of the Principles.

Definitions

9. The Principles have been drafted againsta background in which some economieshave well-established privacy lawsand/or practices while others may beconsidering the issues. Of those withalready settled policies, not all treatpersonal information in exactly the sameway. Some, for example, may drawdistinctions between information thatis readily searchable and otherinformation. Despite these differences,this Framework has been drafted topromote a consistent approach amongthe information privacy regimes of APECeconomies.

This Framework is intended to apply toinformation about natural living persons,not legal persons. The APEC PrivacyFramework appl ies to personalinformation, which is information thatcan be used to identify an individual. It also includes information that wouldnot meet this criteria alone, but when puttogether with other information wouldidentify an individual.

05

10. Personal information controllermeans a person or organizationwho controls the collection, holding,processing or use of personalinformation. It includes a person ororganization who instructs anotherperson or organization to collect,hold, process, use, transfer ordisclose personal information onhis or her behalf, but excludes aperson or organization whoperforms such functions asinstructed by another person ororganization. It also excludes anindividual who collects, holds,processes or uses personalinformation in connection with theindividual’s personal, family orhousehold affairs.

10. The APEC Privacy Framework applies topersons or organizations in the publicand private sectors who control thecollection, holding, processing, use,transfer or disclosure of personalinformation. Individual economies’definitions of personal informationcontroller may vary. However, APECeconomies agree that for the purposesof this Framework, where a person ororganization instructs another person ororganization to collect, hold, use, process,transfer or disclose personal informationon its behalf, the instructing person ororganization is the personal informationcontroller and is responsible for ensuringcompliance with the Principles.

Individuals will often collect, hold anduse personal information for personal,family or household purposes. Forexample, they often keep address booksand phone lists or prepare familynewsletters. The Framework is notintended to apply to such personal, familyor household activities.


11. Publicly available informationmeans personal information aboutan individual that the individualknowingly makes or permits to bemade available to the public, or islegally obtained and accessed from:

a) government records that areavailable to the public;

b) journalistic reports; or

c) information required by law tobe made available to the public.

Application

12. In view of the differences in social,cultural, economic and legalbackgrounds of each membereconomy, there should be flexibilityin implementing these Principles.

11. The APEC Privacy Framework has limitedapplication to publicly availableinformation. Not ice and choicerequirements, in particular, often aresuperfluous where the information isalready publicly available, and thepersonal information controller does notcollect the information directly from theindividual concerned. Publicly availableinformation may be contained ingovernment records that are available tothe public, such as registers of peoplewho are entitled to vote, or in news itemsbroadcast or published by the newsmedia.

12. Although it is not essential for electroniccommerce that all laws and practiceswithin APEC be identical in all respects,including the coverage of personalinformation, compatible approaches toinformation privacy protection amongAPEC economies will greatly facilitateinternational commerce. These Principlesrecognize that fact, but also take intoaccount social, cultural and otherdifferences among economies. They focuson those aspects of privacy protectionthat are of the most importance tointernational commerce.

07

13. The Principles contained in Part III of theAPEC Privacy Framework should beinterpreted as a whole rather thanindividually, as there is a close relationshipamong them. For example, the UsePrinciple is closely related to both theNotice and Choice Principles. Economiesimplementing the Framework at adomestic level may adopt suitableexceptions that suit their particulardomestic circumstances.

Although recognizing the importance ofgovernmental respect for privacy, thisFramework is not intended to impedegovernmental activities authorized by lawwhen taken to protect national security,public safety, national sovereignty or otherpublic policy. Nonetheless, Economiesshould take into consideration the impactof these activities upon the rights,responsibilities and legitimate interestsof individuals and organizations.

13. Exceptions to these Principlescontained in Part III of thisFramework, including thoserelating to national sovereignty,national security, public safety andpublic policy should be:

a) limited and proportional tomeeting the objectives to whichthe exceptions relate; and,

b) (i) made known to the public; or,(ii)in accordance with law.


INFORMATION PRIVACY PRINCIPLES

part iii. APEC information privacy principles

11

I. Preventing Harm

14. Recognizing the interests of theindividual to legitimate expectationsof privacy, personal informationprotection should be designed toprevent the misuse of suchinformation. Further, acknowledgingthe risk that harm may result fromsuch misuse of personal information,specific obligations should takeaccount of such risk, and remedialmeasures should be proportionateto the likelihood and severity of theharm threatened by the collection,use and transfer of personalinformation.

14. The Preventing Harm Principlerecognizes that one of the primaryobjectives of the APEC PrivacyFramework is to prevent misuse ofpersonal information and consequentharm to individuals. Therefore, privacyprotections, including self-regulatoryefforts, education and awarenesscampaigns, laws, regulations, andenforcement mechanisms, should bedesigned to prevent harm to individualsfrom the wrongful collection and misuseof their personal information. Hence,remedies for privacy infringementsshould be designed to prevent harmsresulting from the wrongful collectionor misuse of personal information,and should be proportionate to thelikelihood and severity of any harmthreatened by the collection or use ofpersonal information.

PRINCIPLES COMMENTARY


II. Notice

15. Personal information controllersshould provide clear and easilyaccessible statements about theirpractices and policies with respectto personal information that shouldinclude:

a) the fact that personal informationis being collected;

b) the purposes for which personalinformation is collected;

c) the types of persons or organi-z a t i o n s t o w h o m p e r s o n a linformation might be disclosed;

d) the identity and location oft h e p e r s o n a l i n f o r m a t i o ncontroller, including informationon how to contact them abouttheir practices and handling ofpersonal information;

e) the choices and means thepersonal information controlleroffers individuals for limiting theuse and disclosure of, and foraccessing and correcting, theirpersonal information.

15-17. The Notice Principle is directedtowards ensuring that individualsare able to know what information iscollected about them and for whatpurpose it is to be used. By providingnotice, personal information controllersmay enable an individual to make amore informed decision aboutinteracting with the organization.One common method of compliancewith this Principle is for personalinformation controllers to post noticeson their Web sites. In other situations,placement of notices on intranet sitesor in employee handbooks, for example,may be appropriate.

The requirement in this Principlerelating to when notice should beprovided is based on a consensusamong APEC member economies. APECmember economies agree that goodprivacy practice is to inform relevantindividuals at the time of, or before,information is collected about them.At the same time, the Principle alsorecognizes that there are circumstances

in which it would not be practicable to


13

16. All reasonably practicable stepsshall be taken to ensure that suchnotice is provided either before orat the time of collection of personalinformation. Otherwise, such noticeshould be provided as soon after asis practicable.

17. It may not be appropriate forpersonal information controllers toprovide notice regarding thecollection and use of publiclyavailable information.

give notice at or before the time ofcollection, such as in some cases whereelectronic technology automaticallycollects information when a prospectivecustomer initiates contact, as is oftenthe case with the use of cookies.

Moreover, where personal informationis not obtained directly from theindividual, but from a third party, it maynot be practicable to give notice at orbefore the time of collection of theinformation. For example, when aninsurance company collects employees'information from an employer in orderto provide medical insurance services,it may not be practicable for theinsurance company to give notice at orbefore the time of collection of theemployees' personal information.

Additionally, there are situations inwhich it would not be necessary toprovide notice, such as in the collectionand use of publicly availableinformation, or of business contactinformation and other professionalinformation that identifies an individual



in his or her professional capacity in abusiness context. For example, if anindividual gives his or her business cardto another individual in the context ofa business relationship, the individualwould not expect that notice would beprovided regarding the collection andnormal use of that information.

Further, if colleagues who work for thesame company as the individual, wereto provide the individual's businesscontact information to potentialcustomers of that company, theindividual would not have anexpectation that notice would beprovided regarding the transfer or theexpected use of that information.


III. Collection Limitation

18. The collection of personal informationshould be limited to information thatis relevant to the purposes of collectionand any such information should beobtained by lawful and fair means, andwhere appropriate, with notice to,or consent of, the individual concerned.

15

18. This Principle limits collection ofinformation by reference to thepurposes for which it is collected.The collection of the information shouldbe relevant to such purposes, andproportionality to the fulfillment of suchpurposes may be a factor in determiningwhat is relevant.

This Principle also provides thatcollection methods must be lawful andfair. So, for example, obtaining personalinformation under false pretenses(e.g., where an organization usestelemarketing calls, print advertising, oremail to fraudulently misrepresent itselfas another company in order to deceiveconsumers and induce them to disclosetheir credit card numbers, bank accountinformation or other sensitive personalinformation) may in many economiesbe considered unlawful. Therefore, evenin those economies where there is noexplicit law against these specificmethods, they may be considered anunfair means of collection.



The Principle also recognizes that thereare circumstances where providingnotice to, or obtaining consent of,individuals would be inappropriate.For example, in a situation where thereis an outbreak of food poisoning, itwould be appropriate for the relevanthealth authorities to collect the personalinformation of patrons from restaurantswithout providing notice to or obtainingthe consent of individuals in order totell them about the potential health risk.

19. The Use Principle limits the use ofpersonal information to fulfilling thepurposes of collection and othercompatible or related purposes. For thepurposes of this Principle, "uses ofpersonal information" includes thetransfer or disclosure of personalinformation.

Application of this Principle requiresconsideration of the nature of theinformation, the context of collectionand the intended use of the information.The fundamental cr i ter ion in

IV. Uses of Personal Information

19. Personal information collected shouldbe used only to fulfill the purposes ofcollection and other compatible orrelated purposes except:

a) with the consent of the individualwhose personal information iscollected;

b) when necessary to provide a serviceo r p r o d u c t r e q u e s t e d b y t h eindividual; or,


c) by the authority of law and otherlegal instruments, proclamationsand pronouncements of legal effect.

V. Choice

20. Where appropriate, individuals shouldbe provided with clear, prominent,easily understandable, accessible andaffordable mechanisms to exercisechoice in relation to the collection, useand disclosure of their personalinformation. It may not be appropriatefor personal information controllers toprovide these mechanisms whencollecting publicly available information.

17

determining whether a purpose iscompatible with or related to the statedpurposes is whether the extended usagestems from or is in furtherance of suchpurposes. The use of personalinformation for "compatible or relatedpurposes" would extend, for example,to matters such as the creation and useof a centralized database to managepersonnel in an effective and efficientmanner; the processing of employeepayrolls by a third party; or, the use ofinformation collected by an organizationfor the purpose of granting credit for thesubsequent purpose of collecting debtowed to that organization.

20. The general purpose of the ChoicePrinciple is to ensure that individualsare provided with choice in relation tocollection, use, transfer and disclosureof their personal information. Whetherthe choice is conveyed electronically, inwriting or by other means, notice of suchchoice should be clearly worded anddisplayed clearly and conspicuously.By the same token, the mechanisms for



exercising choice should be accessibleand affordable to individuals. Ease ofaccess and convenience are factors thatshould be taken into account.

Where an organization providesinformation on available mechanismsfor exercising choice that is specificallytailored to individuals in an APECmember economy or national group,this may require that the informationbe conveyed in an "easily understandable"or particular way appropriate tomembers of that group (e.g., in aparticular language). However if thecommunication is not directed to anyparticular economy or national groupother than the one where theorganization is located, this requirementwill not apply.

This Principle also recognizes, throughthe introductory words "whereappropriate", that there are certainsituations where consent may be clearlyimplied or where it would not benecessary to provide a mechanism toexercise choice.


19

As is specified in the Principle, APECmember economies agree that in manysituations it would not be necessary orpracticable to provide a mechanism toexercise choice when collecting publiclyavailable information. For example, itwould not be necessary to provide amechanism to exercise choice toindividuals when collecting their nameand address from a public record or anewspaper.

In addition to situations involvingpublicly available information, APECmember economies also agreed that inspecific and limited circumstances itwould not be necessary or practicableto provide a mechanism to exercisechoice when collecting, using,transferring or disclosing other types ofinformation. For example, whenbusiness contact information or otherprofessional information that identifiesan individual in his or her professionalcapacity is being exchanged in abusiness context it is generallyimpractical or unnecessary to providea mechanism to exercise choice, as in


VI. Integrity of Personal Information

21. Personal information should beaccurate, complete and kept up-to-dateto the extent necessary for the purposesof use.


these circumstances individuals wouldexpect that their information be used inthis way.

Further, in certain situations, it wouldnot be practicable for employers to besubject to requirements to provide amechanism to exercise choice relatedto the personal information of theiremployees when using such informationfor employment purposes. For example,if an organization has decided tocentralize human resources information,that organization should not be requiredto provide a mechanism to exercisechoice to its employees before engagingin such an activity.

21. This Principle recognizes that a personalinformation controller is obliged tomaintain the accuracy and completenessof records and keep them up to date.Making decisions about individualsbased on inaccurate, incomplete or outof date information may not be in theinterests of individuals or organizations.This Principle also recognizes that these


VII.Security Safeguards

22. Personal information controllersshould protect personal informationthat they hold with appropriatesafeguards against risks, such as lossor unauthorized access to personalinformation, or unauthorizeddestruction, use, modification ordisclosure of information or othermisuses. Such safeguards should beproportional to the likelihood andseverity of the harm threatened, thesensitivity of the information and thecontext in which it is held, and shouldbe subject to periodic review andreassessment.

21

obligations are only required to theextent necessary for the purposes ofuse.

22. This Principle recognizes thatindividuals who entrust theirinformation to another are entitled toexpect that their information beprotected with reasonable securitysafeguards.



23-25. The ability to access and correctpersonal information, while generallyregarded as a central aspect of privacyprotection, is not an absolute right.This Principle includes specificconditions for what would beconsidered reasonable in theprovision of access, includingconditions related to timing, fees, andthe manner and form in which accesswould be provided. What is to beconsidered reasonable in each ofthese areas will vary from onesituation to another depending oncircumstances, such as the nature ofthe information processing activity.Access will also be conditioned bysecurity requirements that precludethe provision of direct access toinformation and will require sufficientproof of identity prior to provision ofaccess.

A c c e s s m u s t b e p r o v i d e d i na reasonable manner and form.A reasonable manner should includethe normal methods of interactionbetween o r g a n i z a t i o n s a n d

VIII. Access and Correction

23. Individuals should be able to:

a) o b t a i n f r o m t h e p e r s o n a linformation controller confirmationof whether or not the personalinformation controller holdspersonal information about them;

b) have communicated to them, afterhaving provided sufficient proof oftheir identity, personal informationabout them;

i. within a reasonable time;ii. at a charge, if any, that is not

excessive;iii. in a reasonable manner;iv. in a form that is generally

understandable; and,

c) c h a l l e n g e t h e a c c u r a c y o finformation relating to them and, ifpossible and as appropriate, havethe information rectified, completed,amended or deleted.


23

individuals. For example, if a computerwas involved in the transaction orrequest, and the individual's emailaddress is available, email would beconsidered "a reasonable manner" toprovide information. Organizations thathave transacted with an individual mayreasonably be expected to answerrequests in a form that is similar to whathas been used in prior exchanges withsaid individual or in the form that isused and available within theorganization, but should not beunderstood to require separatelanguage translation or conversion ofcode into text.

Both the copy of personal informationsupplied by an organization in responseto an access request and anyexplanation of codes used by theorganization should be readilycomprehensible. This obligation doesnot extend to the conversion of computerlanguage (e.g. machine-readableinstructions, source codes or objectcodes) into text. However, where a coderepresents a particular meaning, the

24. Such access and opportunity forcorrection should be provided exceptwhere:

(i) the burden or expense of doingso would be unreasonable ordisproportionate to the risks tothe individual's privacy in thecase in question;

(ii) the information should not bedisclosed due to legal or securityreasons or to protect confidentialcommercial information; or

(iii) the information privacy of personsother than the individual wouldbe violated.



personal information controller shallexplain the meaning of that code to theindividual. For example, if the personalinformation held by the organizationincludes the age range of the individual,and that is represented by a particularcode (e.g., "1" means 18-25 years old, "2"means "26-35 years old, etc.), then whenproviding the individual with such acode, the organization shall explain tothe individual what age range that coderepresents.

Where individual requests access to hisor her information, that informationshould be provided in the language inwhich it is currently held. Whereinformation is held in a languagedifferent to the language of originalcollection, and if the individual requeststhe information be provided in thatoriginal language, an organizationshould supply the information in theoriginal language if the individual paysthe cost of translation.

The details of the procedures by whichthe ability to access and correct

25. If a request under (a) or (b) or achallenge under (c) is denied, theindividual should be provided withreasons why and be able to challengesuch denial.


25

information is provided may differdepending on the nature of theinformation and other interests. For thisreason, in certain circumstances, it maybe impossible, impracticable orunnecessary to change, suppress ordelete records.

Consistent with the fundamental natureof access, organizations should alwaysmake good faith efforts to provideaccess. For example, where certaininformation needs to be protected andcan be readily separated from otherinformation subject to an access request,the organization should redact theprotected information and makeavailable the other information.However, in some situations, it may benecessary for organizations to denyclaims for access and correction, andthis Principle sets out the conditionsthat must be met in order for suchdenials to be considered acceptable,which include: situations where claimswould constitute an unreasonableexpense or burden on the personalinformation controller, such as when



claims for access are repetitious orvexatious by nature; cases whereproviding the information wouldconstitute a violation of laws or wouldcompromise security; or, incidenceswhere it would be necessary in order toprotect commercial confidentialinformation that an organization hastaken steps to protect from disclosure,where disclosure would benefi ta competitor in the marketplace, suchas a particular computer or modelingprogram.

"Confidential commercial information"is information that an organization hastaken steps to protect from disclosure,where such disclosure would facilitatea competitor in the market to use orexploit the information against thebusiness interest of the organizationcausing significant financial loss.The particular computer program orbusiness process an organization uses,such as a modeling program, or thedetails of that program or businessp ro cess m ay b e c o n f i d e n t i a l


27


commercial information. Whereconfidential commercial informationcan be readily separated from otherinformation subject to an accessrequest, the organization should redactt h e c o n f i d e n t i a l c o m m e r c i a linformation and make available thenon-confidential information, to theextent that such information constitutespersonal information of the individualconcerned. Organizations may deny orlimit access to the extent that it is notpracticable to separate the personalinformation from the confidentialcommercial information and wheregranting access would reveal theorganization's own confidentialcommercial information as definedabove, or where it would reveal theconfidential commercial informationof another organization that is subjectto an obligation of confidentiality.

When an organization denies a requestfor access, for the reasons specifiedabove, such an organization shouldprovide the individual with anexplanation as to why it has made that


determination and information on howto challenge that denial. An organizationwould not be expected to provide anexplanation, however, in cases wheresuch disclosure would violate a lawor judicial order.

26. Efficient and cost effective businessmodels often require informationtransfers between different types oforganizations in different locations withvarying relationships. When transferringinformation, personal informationcontrollers should be accountable forensuring that the recipient will protectthe information consistently with thesePrinciples when not obtaining consent.Thus, information controllers shouldtake reasonable steps to ensure theinformation is protected, in accordancewith these Principles, after it istransferred. However, there are certainsituations where such due diligence maybe impractical or impossible, forexample, when there is no on-goingrelationship between the personal


IX. Accountability

26. A personal information controllershould be accountable for complyingwith measures that give effect to thePrinciples stated above. When personalinformation is to be transferred toanother person or organization,w h e t h e r d o m e s t i c a l l y o rinternationally, the personalinformation controller should obtainthe consent of the individual orexercise due diligence and takereasonable steps to ensure that therecipient person or organization willprotect the information consistentlywith these Principles.

information controller and the thirdp a r t y t o w h o m t h e i n fo r m a t i o nis disclosed. In these types ofcircumstances, personal informationcontrollers may choose to use othermeans, such as obtaining consent, toassure that the information is beingprotected consistently with thesePrinciples. However, in cases wheredisclosures are required by domesticlaw, the personal information controllerwould be relieved of any due diligenceor consent obligations.

29


part iv. implementation

27. Part IV provides guidance to Member Economies on implementing the APEC PrivacyFramework. Section A focuses on those measures Member Economies should considerin implementing the Framework domestically, while Section B sets out APEC-widearrangements for the implementation of the Framework's cross-border elements.

A. GUIDANCE FOR DOMESTIC IMPLEMENTATION

I. Maximizing Benefits of Privacy Protections and Information Flows

28. Economies should have regard to the following basic concept in considering theadoption of measures designed for domestic implementation of the APEC PrivacyFramework:

29. Recognizing the interests of economies in maximizing the economic and socialbenefits available to their citizens and businesses, personal information should becollected, held, processed, used, transferred, and disclosed in a manner that protectsindividual information privacy and allows them to realize the benefits of informationflows within and across borders.

30. Consequently, as part of establishing or reviewing their privacy protections, MemberEconomies, consistent with the APEC Privacy Framework and any existing domesticprivacy protections, should take all reasonable and appropriate steps to identifyand remove unnecessary barriers to information flows and avoid the creation of anysuch barriers.


II. Giving Effect to the APEC Privacy Framework

31. There are several options for giving effect to the Framework and securing privacyprotections for individuals including legislative, administrative, industry self-regulatory or a combination of these methods under which rights can be exercisedunder the Framework. In addition, Member Economies should consider taking stepsto establish access point(s) or mechanisms to provide information generally aboutthe privacy protections within its jurisdiction. In practice, the Framework is meantto be implemented in a flexible manner that can accommodate various methods ofimplementation, including through central authorities, multi-agency enforcementbodies, a network of designated industry bodies, or a combination of the above, asMember Economies deem appropriate.

32. As set forth in Paragraph 31, the means of giving effect to the Framework may differbetween Member Economies, and it may be appropriate for individual economiesto determine that different APEC Privacy Principles may call for different means ofimplementation. Whatever approach is adopted in a particular circumstance, theoverall goal should be to develop compatibility of approaches in privacy protectionsin the APEC region that is respectful of requirements of individual economies.

33. APEC economies are encouraged to adopt non-discriminatory practices in protectingindividuals from privacy protection violations occurring in that Member Economy'sjurisdiction.

34. Discussions with domestic law enforcement, security, public health, and otheragencies are important to identify ways to strengthen privacy without creatingobstacles to national security, public safety, and other public policy missions.

31

III. Educating and publicising domestic privacy protections

35. For all Member Economies, in particular those Member Economies in earlier stagesof development of their domestic approaches to privacy protections, the Frameworkis intended to provide guidance in developing their approaches.

36. For the Framework to be of practical effect, it must be known and accessible.Accordingly, Member Economies should:

a) publicise the privacy protections it provides to individuals;

b) educate personal information controllers about the Member Economy's privacyprotections; and,

c) educate individuals about how they can report violations and how remedies can bepursued.

IV. Cooperation between the Public and Private Sectors

37. Active participation of non-governmental entities will help ensure that the full benefitsof the APEC Privacy Framework can be realized. Accordingly, Member Economies shouldengage in a dialogue with relevant private sector groups, including privacy groups andthose representing consumers and industry, to obtain input on privacy protection issuesand cooperation in furthering the Framework's objectives. Furthermore, especially inthe economies where they have not established privacy protection regimes in theirdomestic jurisdiction, Member Economies should pay ample attention to whether privatesector's opinions are reflected in developing privacy protections. In particular, MemberEconomies should seek the cooperation of non-governmental entities in public educationand encourage their referral of complaints to privacy enforcement agencies, as well astheir continuing cooperation in the investigation of those complaints.


V. Providing for appropriate remedies in situations where privacy protections are violated

38. A Member Economy's system of privacy protections should include an appropriate arrayof remedies for privacy protection violations, which could include redress, the ability tostop a violation from continuing, and other remedies. In determining the range ofremedies for privacy protection violations, a number of factors should be taken intoaccount by a Member Economy including:

a) the particular system in that Member Economy for providing privacy protections (e.g.,legislative enforcement powers, which may include rights of individuals to pursuelegal action, industry self-regulation, or a combination of systems); and

b) the importance of having a range of remedies commensurate with the extent of theactual or potential harm to individuals resulting from such violations.

VI. Mechanism for Reporting Domestic Implementation of the APEC Privacy Framework

39. Member economies should make known to APEC domestic implementation of theFramework through the completion of and periodic updates to the Individual ActionPlan (IAP) on Information Privacy.

33

B. GUIDANCE FOR INTERNATIONAL IMPLEMENTATION

In addressing the international implementation of the APEC Privacy Framework, andconsistent with the provisions of Part A, Member Economies should consider the followingpoints relating to the protection of the privacy of personal information:

I. Information sharing among Member Economies

40. Member Economies are encouraged to share and exchange information, surveys andresearch in respect of matters that have a significant impact on privacy protection.

41. In furthering the objectives of paragraphs 35 and 36, Member Economies are encouragedto educate one another in issues related to privacy protection and to share and exchangeinformation on promotional, educational and training programs for the purpose of raisingpublic awareness and enhancing understanding of the importance of privacy protectionand compliance with relevant laws and regulations.

42. Member Economies are encouraged to share experiences on various techniques ininvestigating violations of privacy protections and regulatory strategies in resolvingdisputes involving such violations including, for instance, complaints handling andalternative dispute resolution mechanisms.

43. Member Economies should designate and make known to the other Member Economiesthe public authorities within their own jurisdictions that will be responsible for facilitatingcross-border cooperation and information sharing between economies in connectionwith privacy protection.


II Cross-border Cooperation in Investigation and Enforcement

44. Developing cooperative arrangements: Taking into consideration existing internationalarrangements and existing or developing self-regulatory approaches (including thosereferenced in Part B. III., below), and to the extent permitted by domestic law and policy,Member Economies should consider developing cooperative arrangements and proceduresto facilitate cross-border cooperation in the enforcement of privacy laws. Such cooperativearrangements may take the form of bilateral or multilateral arrangements. This paragraphis to be construed with regard to the right of Member Economies to decline or limitcooperation on particular investigations or matters on the ground that compliance witha request for cooperation would be inconsistent with domestic laws, policies or priorities,or on the ground of resource constraints, or based on the absence of a mutual interestin the investigations in question.

45. In civil enforcement of privacy laws, cooperative cross-border arrangements may includethe following aspects:

a) mechanisms for promptly, systematically and efficiently notifying designated publicauthorities in other Member Economies of investigations or privacy enforcementcases that target unlawful conduct or the resulting harm to individuals in thoseeconomies;

b) mechanisms for effectively sharing information necessary for successful cooperationin cross-border privacy investigation and enforcement cases;

c) mechanisms for investigative assistance in privacy enforcement cases;

d) mechanisms to prioritize cases for cooperation with public authorities in othereconomies based on the severity of the unlawful infringements of personal informationprivacy, the actual or potential harm involved, as well as other relevant considerations;

e) steps to maintain the appropriate level of confidentiality in respect of informationexchanged under the cooperative arrangements.

35

III. Cooperative Development of Cross-border Privacy Rules

46. Member Economies will endeavor to support the development and recognition oracceptance of organizations' cross-border privacy rules across the APEC region, recognizingthat organizations would still be responsible for complying with the local data protectionrequirements, as well as with all applicable laws. Such cross-border privacy rules shouldadhere to the APEC Privacy Principles.

47. To give effect to such cross-border privacy rules, Member Economies will endeavor towork with appropriate stakeholders to develop frameworks or mechanisms for the mutualrecognition or acceptance of such cross-border privacy rules between and among theeconomies.

48. Member Economies should endeavor to ensure that such cross-border privacy rules andrecognition or acceptance mechanisms facilitate responsible and accountable cross-border data transfers and effective privacy protections without creating unnecessarybarriers to cross-border information flows, including unnecessary administrative andbureaucratic burdens for businesses and consumers.


ISBN 981-05-4471-5APEC#205-SO-01.2 © 2005 APEC Secretariat

Published by

APEC Secretariat, 35 Heng Mui Keng Terrace, Singapore 119616Tel: (65) 6775 6012 Fax: (65) 6775 6013Email: [email protected] Website: www.apec.org

APEC Privacy Framework · 2017. 10. 31. · 04 APEC PRIVACY FRAMEWORK 7. The Framework is intended...

Documents

Transcript of APEC Privacy Framework · 2017. 10. 31. · 04 APEC PRIVACY FRAMEWORK 7. The Framework is intended...