In 2005, Asia-Pacific Economic Cooperation (APEC), a forum for 21 countries in the Pacific Rim that works to establish free trade in the region, published a Privacy Framework to promote the “development of effective privacy protections that avoid barriers to information flows, ensure continued trade, and economic growth in the APEC region.”

Access the complete APEC Privacy Framework here.

APEC members include China, the United States, Australia, Russia, Canada, and Mexico, along with many smaller economies in the Pacific Rim. The APEC Privacy Framework took over a decade to produce, but created a wide ranging agreement that Google’s Global Privacy Counsel lauded as “the most promising foundation on which to build” a worldwide data privacy initiative.

But what does the APEC Privacy Framework actually protect? And most importantly, is it legally binding?

What information is protected by the APEC Privacy Framework, and how?

The APEC Privacy Framework lays out nine “principles” that make up the bulk of its substance. These principles are:

• Preventing Harm
• Notice
• Collection Limitations
• Uses of Personal Information
• Choice
• Integrity of Personal Information
• Security Safeguards
• Access and Correction
• Accountability

These principles apply to “personal information” processed by a “personal information controller.” The definitions are a bit circular, as “personal information controller” means “a person or organization who controls the collection, holding, processing or use of personal information.” “Personal information” means “any information about an identified or identifiable individual.”

These principles are broad and have the potential to be interpreted differently by the different APEC member states. For instance, under the Preventing Harm principle, personal information should be protected to avoid violating a person’s “legitimate expectation of privacy.” Expectations of privacy can vary widely from town to town, much less country to country.

This does not mean the entire initiative is without teeth. The notice and choice principles, for example, clearly state that information controllers should provide notice to all users whose data is collected, and should give users opt-in or opt-out choices. These provisions, at the very least, require more transparency.

Finally, there are two major weaknesses in the APEC Privacy Framework, one being the option for member states to exclude “publically available information” from protection. This varies greatly from the EU, where information in the public domain can be protected by privacy laws like its “right to be forgotten” law.

The second major weakness is the lack of a general “data retention policy” requirement. This is a bit of a misnomer: what the Framework really lacks is a requirement that controllers delete personal data when they no longer need to keep that data. Therefore, the only way for a user to get its data destroyed is to request deletion under the Access principle, which provides a huge loophole for controllers if “the burden or expense of doing so would be unreasonable or disproportionate to the risks to individual privacy,”

All told, the APEC Privacy Framework is a great start in getting some level of international consensus when it comes to data privacy. However, its substantial weaknesses highlight just how hard it is to reach agreement on the international stage, particularly when developing and non-democratic nations are involved.

Is the APEC Privacy Framework legally binding, and on whom?

The guidelines laid out in the APEC Privacy Framework are just that: guidelines. In themselves they do not carry any legal power. The guidelines were agreed upon by the APEC member states, but it is up to each individual country to establish their own domestic and international policies pursuant to the guidelines.

This, of course, requires a willingness to do so. China, for example, has made it clear that it will not be drafting new laws pursuant to the Framework any time soon. While the effectiveness of the Framework has been contested since its publication, it at the very least provides a baseline level of awareness for users with data in the APEC member states.

Data Privacy Attorneys

Because the APEC Privacy Framework is so vague, and its adoption by the APEC member states is as unclear as it is varied, anyone wondering how safe their data is within one of the member states should consult with an expert Internet Attorney. Further, the APEC Privacy Framework is just one agreement covering one region: The United States, the United Kingdom, and the EU (among other regions) have their own, different data privacy agreements. If you need help navigating this complex area of the law, give Revision Legal a call at 855-473-8474.