
APEC Data Privacy Pathfinder Seminar



Speech by Karen Curtis, Privacy Commissioner, to the APEC Data Privacy Pathfinder Seminar - Information Workshop for Australian Stakeholders, Sydney, 6 February 2008. 

Introduction

Thank you for attending this seminar today. It is great to see so many familiar faces of those of you who have been involved in this process from the beginning or at least for a long time! And of course, it's wonderful to see new faces perhaps representing new perspectives as we embark on an important year for the implementation of the APEC Pathfinder projects.

I also thank Colin Minihan for inviting me to speak about the regulator perspective on the APEC Pathfinder. I will not take too much of our valuable time together as this seminar is really about discussion and hearing from stakeholders.

My task, as I see it, is to fill you in on where the Pathfinder is at, from my perspective as Privacy Commissioner and to introduce some of the projects that we are developing.

Putting good intentions into practice

From my viewpoint, we are entering the crucial phase with the Pathfinder, and with the APEC Privacy Framework more broadly, of putting theory into practice. As with many projects of this magnitude, the challenge comes with converting words into actions.

If you read the preamble to the APEC Privacy Framework, you are immediately struck by the plethora of abstract nouns:

cooperation, confidence, communication, consequences, trust, system, approach, expectations, productivity, implications. (Not to mention the most obvious one: privacy.  How many of us have wrestled with this slippery term?!)

Now throw in a few abstract noun phrases:

information economy, ethical information practices, consumer choice, market expansion, electronic commerce, product innovation, societal needs ... the list goes on.

Needless to say, these words are useful! They describe our beliefs, plans and objectives. But how do we bridge the gap (some might say gulf!) from abstract nouns to practice?

The Pathfinder and the importance of practical tools

Well, we develop a plan - a 'pathfinder' - which begins to replace abstract nouns with concrete ones.

Many of the projects in the Pathfinder Implementation Work Plan aim to develop practical documents and tools to move us forward in the implementation of the APEC Privacy Framework.

For example:

Project One is to develop self-assessment guidance material to help organisations in the development of their cross-border privacy rules. Projects Two and Eight are to deliver guidelines for various aspects of the cross-border privacy rules system. Project Five is to develop a directory of data protection authorities. Projects Six and Seven aim to develop templates for practical forms and documents.

I'm pleased that we are at the point where we can channel our good intentions, our energies, and our belief in respect for privacy, into the development of practical tools to move that much closer to establishing cross-border privacy protection in the Asia Pacific region.

My role in the APEC Pathfinder so far

It has been a huge effort by many just to get to this point, and each year I am seeing my own and my Office's input and investment in the APEC process increase.

Deputy Privacy Commissioner Timothy Pilgrim has been a member of the Electronic Commerce Steering Group for three years since the Framework was agreed in late 2004.

In 2007, as Australia was the host economy, I was able to participate in the meetings of the APEC Data Privacy Subgroup and introduce the Asia Pacific Privacy Authorities Forum (known as APPA) and the Privacy Advisory Committee to the work of the Subgroup.

It is great to see the continuing engagement of Privacy Advisory Committee members here today with the attendance of Suzanne Pigdon, Joan Sheedy and Robin Banks.

For those of you who don't know, the Privacy Advisory Committee is a Committee established by the Privacy Act to provide strategic advice to the Privacy Commissioner from a range of perspectives.

And APPA is a cooperative forum of privacy authorities from the Asia Pacific Region which includes my Office, the state privacy authorities of Australia, and the privacy authorities of New Zealand, Hong Kong, Korea, Canada and the Canadian province of British Columbia.

In September 2007, our role in APEC and in the Pathfinder expanded again when we agreed to take the lead on three of the nine Pathfinder projects. So in 2008 our work is cut out for us!

Pathfinder Projects

The three Pathfinder projects that my Office is working on are Projects Five, Six and Seven and I'd like to spend a few moments now going over these with you.

The Pathfinder projects that I have volunteered to lead are all projects that aim to foster cooperation between data protection authorities.  This reflects what I see as being the role of regulators in the implementation of the APEC Privacy Framework.

As Privacy Commissioner I am particularly interested in projects that cultivate close working relationships between privacy regulators as this will strengthen the fabric of privacy protection, and redress for privacy invasion, in our region.

At this point we are at planning stage with these projects and are exploring the issues in more depth.

Project Five

Project Five is to establish and maintain a directory of data protection authorities. The purpose of this directory is to assist data protection authorities to locate appropriate counterparts in the event of cross-border privacy complaint-handling.

Some of the key questions about this directory that we need to address are:

  • What contact information will be collected?
  • How will appropriate authorities be identified, particularly in economies that do not have a specific data protection authority or have more than one?
  • Where will the directory be held and who will have access?
  • How will the directory be maintained and updated?

Project Six

Project Six is to develop template documentation (such as a Memorandum of Understanding (MOU) or letters of commitment) which provides for cooperative arrangements between relevant enforcement authorities.

The goal is that these agreements, once in place, will enable the exchange of information between data protection authorities and therefore increase and promote cross-border cooperation in investigation and enforcement.

As many of you would know, my Office has an MOU with the New Zealand Office of the Privacy Commissioner and we are interested in using this as a starting point for the development of a template. What we need to do is consider how this MOU could be adapted to form a template that meets the needs of authorities participating in the APEC Privacy Framework.

The APEC Privacy Framework sets out some of the key aspects that cooperative arrangements, between privacy regulators, should cover. These include how to [paraphrased]:

  • notify the designated public authorities in other Member Economies of privacy investigations in those economies
  • share information necessary for cooperation on cross-border privacy investigations
  • provide investigative assistance in privacy enforcement cases
  • prioritise cases for cooperation with public authorities in other economies if the infringement is severe
  • maintain the appropriate level of confidentiality in respect of information exchanged under the cooperative arrangements.[1]

These are some of the issues we will need to consider as we develop the template.

Project Seven

Project Seven is to develop a template for a cross-border complaint handling form. This form will ensure basic categories of information are provided to data protection authorities to assist them in determining the most appropriate course of action in a given case.

This project is made somewhat easier by having a precedent, that being the 'OECD Request for Assistance Form'. For this project we intend to do a close analysis of this document to assess what aspects would apply equally to APEC.

How these projects mesh with the objectives of the Pathfinder

These projects have been developed in line with the main objectives of the Pathfinder, in particular with the objectives of:

  • producing practical documents and procedures to underpin cross-border privacy rules and
  • developing and supporting consultative processes between regulators, responsible agencies, lawmaking bodies, industry, third party solution providers, consumer and privacy representatives.

Consultation

And that final point is where you come in!

Critical to the success of the Pathfinder is the input and participation of a wide variety of stakeholders in the various Pathfinder projects.  This is why seminars like this are so important. Not only do they encourage discussion and exchange of ideas, but they also give the process of implementing the Pathfinder some momentum.

I look forward to hearing your views on the Pathfinder projects a bit later.

I will also seek the input of APPA members. As I mentioned, I have already sought to involve APPA in the work of the Data Privacy Subgroup. I intend to continue to draw on the valuable experience and knowledge of APPA members in the development of these projects.

APPA meets twice a year, so this forum will provide a good opportunity to keep regulators in the region up-to-date and involved in the Pathfinder.

I am also interested in working with representatives from OECD. The OECD was in attendance at the June seminar and meetings of APEC's Data Privacy Subgroup in Cairns and we are keen to draw on its work in fostering cross-border cooperation on privacy.

As I mentioned, Project Seven - the development of a template for a cross-border complaint handling form - will draw upon the OECD's 'Request for Assistance' form.

Also, our counterparts in the OECD have been collating a list of contact details for data protection authorities to aid in cross border cooperation which parallels Project Five of the Pathfinder Work Plan and the development of a directory of data protection authorities.  Again we will draw on their work. 

The Pathfinder and Australia's privacy regime

The Pathfinder and the Draft Pathfinder Implementation Work Plan are useful documents which direct and focus our energies with regard to the APEC Privacy Framework.

However, there is still a lot of thinking to be done on how we make the APEC Privacy Framework work in our Economy. The Framework's guidance on international implementation outlines APEC's commitment to support the development by organisations of cross-border privacy rules which adhere to the APEC Privacy Principles.[2]

How that cross-border privacy rules system might work in practice is partly addressed by the Pathfinder Implementation Work Plan and partly in the hands of individual Member Economies. Under the 'Choice of Approach' Model it is up to each economy to come up with how compliance with cross-border privacy rules will be assessed and enforced.

In Australia, we of course already have privacy laws in place. So the challenge for us is figuring out how our national privacy laws can work in concert with the APEC Privacy Framework.

From a practical perspective, our greatest challenge lies with how the adoption of the APEC Privacy Principles by Australian businesses would work with compliance with the existing law.

Effectively, for Australian businesses signing up to the APEC Privacy Principles and cross-border privacy rules it would mean those businesses would have a dual standard to meet - that is, their obligations under our domestic privacy regime and their obligations under the APEC Privacy Framework.

Of course, the APEC Privacy Framework and Australia's Privacy Act are not at loggerheads by any means. The Privacy Principles in each are both based on the OECD's 1980 Guidelines.[3]

So the challenge is less about having two conflicting standards to meet, and more about how Australian businesses can assess how their compliance with the National Privacy Principles might also meet the requirements of the APEC privacy principles.

So from my perspective, to move forward, we need to determine a way for Australian businesses to implement the APEC Framework through the development of cross-border privacy rules in a way that ensures that both business and individuals have a clear understanding of their obligations and rights, and privacy protection is not diminished.

ALRC review of privacy

The Australian Law Reform Commission's (ALRC) review of privacy has provided an opportunity to assess our domestic privacy regime in an international context. 

In particular, the review has allowed us to re-assess the scope and content of the trans-border data flow principle in the Privacy Act.  

Our general view as outlined in our submissions to the ALRC, is that the principle could be simplified so that it is easier for organisations sending information overseas to understand and meet their obligations, and for individuals to know and understand their rights.

Indeed, we have suggested in our most recent submission that my Office play a role in clarifying the application of the trans-border data flow principle by developing guidance material.

We have also suggested that the principle should apply to agencies as well as organisations. National governments around the world increasingly interact and cooperate in a number of different areas and therefore subject to some exceptions it is desirable that personal information handled by government agencies be subject to the same level of protection when transferred overseas as that handled by business.

Of course, you will be hearing more about options for the regulation of trans-border data flows from Professor Les McCrimmon in just a moment.

Conclusion

2008 promises to be a big year for my Office. This year marks the 20th anniversary of the Privacy Act, and it is also the year that the ALRC will deliver its report on its review of privacy.  A lot has changed in 20 years and the ALRC's review offers a timely opportunity to assess the effectiveness of our domestic privacy regime.

So, as we turn inwards to determine the best outcome for our domestic privacy laws, in 2008 we will also be 'looking outwards' to advance implementation of the APEC Privacy Framework in our region.

Sometimes work of this nature can take time. The Pathfinder projects require the input and collaboration of many different economies and stakeholders.

However, with enthusiasm, energy and dedication we can generate the momentum to realise the objectives of the APEC Privacy Framework and (to use a number of abstract nouns!) encourage a global community in which privacy is valued, respected and protected. 

Thank you.

[1] See APEC Privacy Framework, paragraph 45, p 35.

[2] APEC Privacy Framework, Part iv, paragraphs 46-48, p 36.

[3] OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data, 1980.