Last month Google's Global Privacy Counsel Peter Fleischer
endorsed the Privacy Framework published by the
Asia-Pacific Economic Community (APEC) in 2005, describing it as
"the most promising foundation on which to build."
"Surely, if privacy principles can be agreed upon within the 21
APEC member economies, a similar set of principles could be applied
on a global scale," wrote Peter Fleischer in the search giant's
Public Policy Blog.
But privacy expert Dr Chris Pounder of Pinsent Masons, the law
firm behind OUT-LAW.COM, has analysed the APEC rules and found that
they are not only significantly more lax than those in operation in
Europe, they are so broadly defined that they cannot operate as a
standard at all.
"The Framework's principles were drafted in order to get
agreements between diplomats – and diplomatic agreements tend to
fudge important issues," wrote Dr Pounder in his analysis. "The
result is that the principles are ambiguous as to their effect and
are capable of a vast number of interpretations and
implementations."
That ambiguity means that even on its own terms, as a proposed
basis for harmonising the privacy laws of a large number of
countries, the guidelines fail because they allow too much room for
countries to differ, said Pounder.
There are also specific problems with the rules, according to
Pounder. "There is a requirement to establish an enforcement
mechanism, but this can be very low key," he wrote. He also notes
that there is no requirement to establish a Privacy Commissioner to
oversee compliance.
European privacy laws say that a person must be told that their
data is being collected at the point of that collection. The APEC
rules are more lax, though, and even allow for notice to be given
after data has been collected.
"The procedures that deliver a data subject with a notice could
become separate from procedures that collect personal data from a
data subject," argued Pounder.
While stricter data protection regimes ban the use of collected
data for purposes other than those for which it was gathered, the
APEC rules allow data to be shared for "compatible or related
purposes", which Pounder said gave collectors of data more room to
share data.
One aspect of the guidelines that could be highly relevant to
search engine companies such as Google is the fact that there are
no rules about data retention. The guidelines do not mandate the
deletion of data after it has stopped being useful, or after a
certain time.
Google has been mired in controversy this year, as have all the
major search engines, over its policies of keeping information that
can be used to connect particular searches with particular
individuals for a period of time.
European data protection officials have said that even Google's
concession that it will delete that information after 18 months
does not go far enough, and the company has faced criticism from a
number of European data protection authorities.
In all, Pounder said, the APEC guidelines are not specific
enough to provide a solid basis for worldwide data protection.
"If this clarity or detail fails to materialise, then the APEC
Privacy Framework might still become a global standard," said
Pounder. "However, it will be a standard that is at risk of
describing a global privacy fig leaf, and one which has, in the
long term, the potential to undermine the international transfer of
personal data between APEC's economies, if data subjects lose trust
in the protection it affords."
"The Privacy Framework is an important step forward – however,
acknowledging that some countries are making a step forward, has to
be accompanied with the recognition that the Framework could allow
the taking of steps in the opposite direction," he said.
In a separate development, an international grouping of data
protection authorities has agreed to participate in the creation of
another global privacy standard. The body has resolved to lend its
support to standards being developed by the International
Organisation for Standardisation (ISO).
"While the development of privacy-related standards under the
auspices of a security-oriented group is not an ideal solution for
the data protection and privacy community, it is the structure that
ISO has adopted, at least for the time being," said a statement
from the International Conference of Data Protection and Privacy
Commissioners.
"Responding to this approach from the standards community by
becoming more actively involved in the standards development
process is an essential step in order to ensure the development of
privacy-respecting standards," it said.
The
proposal for more active involvement was made by Canada's
Privacy Commissioner and backed by data protection authorities from
Belgium, Berlin, Ontario, Spain and Switzerland.
