International - APEC Privacy Framework
The Asia Pacific Economic Cooperation ('APEC') Privacy Framework ('the Framework') sets forth definitions, principles and implementing guidelines in order to promote e-commerce, data flow and privacy protection throughout the APEC region.
The first version of the Framework, published in December 2005, was built upon the Organisation for Economic Co-operation and Development's ('OECD') Guidelines on the Protection of Privacy and Transborder Flows of Personal Data ('the Guidelines'), which were originally published in 1980, while the current working version of the Framework, published in August 2017, was updated in order to mirror some of the concepts introduced by the 2013 updated version of the Guidelines.
Despite its non-binding legal nature, the Framework provided legal ground for the creation of the APEC Cross-Border Privacy Rules ('CBPR') system, and is also the common source for many of the regional privacy laws.
Adherence to the principles established in the APEC Privacy Framework and CBPR system may help organisations in advancing their own compliance programmes, reducing the cost and time required to incorporate EU binding corporate rules, increasing consumer trust and internal efficiency, and lowering the complexity of cross-border data flow policies.
The Framework addresses every person or organisation that processes personal information, in addition to those instructing another person or organisation to process the same. Notably, it does not apply to subjects processing personal information under the instruction of another person or organisation.
Additionally, it excludes individuals using personal information in connection to personal, family or household affairs and provides limited applicability to publicly available information.
The Framework applies to the APEC economies, but provides great flexibility in the implementation of its principles, taking into account social, cultural and other differences among members.
Personal Information: Any information about an identified or identifiable individual. It includes information that would allow a person to be identified if combined with other data.
Personal Information Controller: Every person or organisation that controls the collection, holding, processing, use, disclosure or transfer of personal information, including when instructing another person or organisation to perform said activity.
4. LAWFULNESS, FAIRNESS AND NON-DISCRIMINATION
4.1. Collection and use of personal information
Principle 24 of the Framework states that personal information should be obtained by lawful and fair means; where appropriate, the collection of personal data should require notice to, or consent of, the individual concerned.
Despite not creating specific and restrictive legal grounds for the initial data processing activities, the Framework limits unfair collection and use of personal information even in countries where no specific law against such methods exist.
Principle 26 of the Framework ('the Choice Principle') highlights the need for consent, which should be provided with clear, prominent, easily understandable, accessible and affordable mechanisms.
The Choice Principle outlines that, when the choice is performed electronically or in writing, it should be clearly stated and displayed. In addition, it specifies that consent should be easily understandable and tailored to the particular groups of individuals (i.e. by using different languages or simplified concepts for children).
However, choice may not be practicable or necessary under certain circumstances. For example, it would not be necessary to provide a mechanism to exercise choice when dealing with:
- information made available to the public;
- the processing of business and professional contact information;
- organisational needs while processing employee-related information; or
- circumstances of public interest (i.e. an outbreak of food poisoning).
5. TRANSPARENCY AND FREE ACCESS
Principle 21 of the Framework ensures that individuals are notified of:
- which of their personal information is collected; and
- the purpose for which their personal information is collected.
Controllers are required to provide clear and accessible notices, which must alert individuals of:
- the fact that personal information is being collected;
- the related purposes;
- the persons or organisation to whom information might be disclosed;
- the identity, location and contact information of the controller;
- the choices and means offered by the controller to individuals to limit use and disclosure of personal information.
The notice should be provided before or at the time of collection and may be delivered by different methods, depending on the context (e.g. by posting them on a website, or by placing them into an employee handbook).
Principles 29-31 of the Framework define an individual's right to access their information, which should be provided in a reasonable manner and understandable form. This may be provided at a charge, if not excessive.
6. PURPOSE SPECIFICATION, USE LIMITATION AND SUITABILITY
According to Principle 25 of the Framework, personal information should be used only to fulfil the original purpose of their collection or other related and compatible purposes, unless the controller is able to identify different legal grounds.
The Framework specifically mentions three such possible legal bases:
- necessity to provide a product or service requested by the individual; and
- authority of law or other legal instruments, or any other proclamation and pronouncement possessing legal effect.
Defining whether or not a purpose is compatible with the original purpose of collection should take into account the nature of personal information, the context of collection, the individual’s expectations and the intended use of the information.
7. DATA MINIMISATION, STORAGE LIMITATION AND ACCURACY
According to Principle 24 of the Framework, the collection of personal information should be limited by, and proportionate to, the extent of the relevant purpose. Equally, Principle 27 of the Framework requires controllers to maintain accurate, complete and up-to-date personal information. No specific provision on storage limitation exists, but the aforementioned principles should regulate and consequently limit the retention periods of personal information.
8. SECURITY AND PREVENTION
The Framework requires controllers to protect personal information with appropriate safeguards, listing events that are likely to create risks for the individuals, such as:
- unauthorised access;
- unauthorised destruction, use, modification; and
- unauthorised disclosure.
Such safeguards should be periodically reviewed and should be proportional to:
- the likelihood and severity of the harm threatened;
- the sensitivity of the information; and
- the context in which the information is held.
9. ACCOUNTABILITY AND RECORDKEEPING
The personal information controller is ultimately responsible for ensuring the appropriate safeguards, even when instructing another organisation or person to carry on a processing of its behalf. To ensure accountability, controllers are encouraged to create and maintain a privacy management programme in order to demonstrate effective protection of personal information.
While privacy management programmes should be regulated by domestic law, the Framework indicates that such programmes should implement certain features. Specifically, privacy management programmes should:
- be tailored to the structure of the controller and the volume and sensitivity of personal information;
- provide safeguards that take into account the potential harm and risks to individuals;
- implement Internal oversight, inquiry and incidents mechanisms;
- have accountable and trained personnel appointed to be in charge of managing the programme; and
- be regularly monitored and updated.
In addition, controllers should demonstrate compliance with their privacy management programme to Privacy Enforcement Authorities or other relevant entities, such as the 'accountability agent' designated under the APEC CBPR system.
When personal information has to be transferred to another person or organisation, the controller should either:
- obtain the consent of the individuals; or
- exercise due diligence and take reasonable steps to ensure that the recipient person or organisation will protect the information consistently with the principles of the Framework.
Such requirements do not apply when the transfer is required by domestic law.
The Framework does not contain specific provisions related to recordkeeping.
10. DATA PROTECTION OFFICER
The Framework does not introduce any specific figure comparable to the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') data protection officer. However, the Framework does recommend that controllers designate trained personnel in charge of managing the internal privacy programme.
11. DATA SUBJECT RIGHTS
The Framework lays down three basic rights in relation to data subjects:
- the right to be informed;
- the right to access; and
- the right to rectify.
These rights are subject to certain exceptions.
11.2. Right to be informed
The Framework provides that individuals have the right to obtain confirmation of whether or not the controller possesses personal information about them.
11.3. Right to access
The Framework also provides that individuals have the right to receive personal information about them held by the controller:
- within a reasonable time;
- at a proportionate charge;
- in a reasonable manner; and
- in an understandable form.
11.4. Right to rectify
Finally, the Framework grants individuals the right to challenge the accuracy of any personal information related to them, as well as to have such information rectified, completed, amended or deleted.
These rights are subject to exception in cases where:
- unreasonable or disproportionate burden or expense would be incurred by their exercise, relative to the risks to the individual's privacy;
- the provision of such information should be prohibited for security reasons or to protect commercial confidentiality; or
- the privacy of third parties would be violated by the provision of such information.
If the individual request is rejected, the controller should provide an adequate explanation to the individual.
12. CROSS-BORDER DATA TRANSFER AND LOCALISATION
The Framework encourages Member States to refrain from restricting free flow of personal information, when:
- the recipient Country has laws and/or regulations to implement the Framework principles; or
- the controller has put in place effective mechanism and enforcement measures to ensure a consistent level of protection of personal information.
Notably, the Framework provided the legal ground for the implementation of the APEC CBPR system, which is intended to provide a minimum and common level of protection among participating countries and to simplify the flow of personal information.
13. INCIDENT AND BREACH
Privacy management programmes should contain mechanisms for internal oversight and response to inquiries and incidents.
The Framework encourages the establishment of Privacy Enforcement Authorities.
The Privacy Enforcement Authorities should have the following duties:
- enforcing privacy legislation;
- conducting investigations;
- pursuing enforcement measures;
- monitoring and assessing privacy management programmes;
- auditing individuals’ complaints and requests; and
- co-operate with cross-border authorities for investigative purposes.