The worldwide expansion of data privacy laws and regulations has impacts that are being felt with increasing regularity in the litigation arena. Whenever data collections occur within foreign corporations or foreign subsidiaries or offices of U.S. corporations, those entities must consider whether there are laws that govern the entity’s ability to share that data. Specifically, parties that collect and produce material in a litigation must determine whether they must redact private information from data prior to production or whether they must notify data subjects of potential production and allow the data subjects the opportunity to object, among other considerations. Given that the broadest definitions of private data include anything that allows identification of a person,[i] and given the vast quantities of data involved in modern patent litigation, the potential burdens to a producing party can be significant. And given that the penalties for improper disclosure are increasingly severe, a party involved in litigation would do well to fully understand the potential implications of production. The once-common approach of mass collection and production should no longer be the norm when data privacy laws are in play.
Much analysis of data privacy issues in recent years has focused on the European Union. However, there have also been significant efforts regarding data protection in the Asia-Pacific region, an area of ever-increasing focus for patent practitioners. This article addresses the role of regional organizations in developing and enforcing policies, laws and regulations throughout the Asia-Pacific arena, and considers the potential impacts of ongoing national and international efforts to protect the right of privacy. A subsequent article will be presented to address specific national implementations of data privacy laws and the implications for litigation involving Asia-Pacific entities.
The Role of Regional Organizations in Protecting Data Privacy
While the idea of an individual right to privacy has distant historical origins, the codification of this right and the generation of laws and regulations to protect that right have increased significantly during the past century. A full treatment of the evolution of the right to privacy is beyond the scope of this article; however, a brief historical background is helpful in setting the stage for a discussion of current legislation.
In 1948, Article 12 of the Universal Declaration of Human Rights specifically identified individual privacy as a fundamental human right.[ii] Since that time, numerous other international covenants and treaties have recognized the fundamental right to privacy, including among others the International Covenant on Civil and Political Rights,[iii] and the Charter of Fundamental Rights of the European Union.[iv] Regional economic organizations worldwide have also enumerated principles addressing the right to privacy, and the various member nations of these organizations have adopted or are in the process of adopting domestic policies and implementing legislation providing for the protection of personal data.
1. The Organisation for Economic Co-operation and Development (“OECD”)
From its origins in 1960, when it was composed of European nations, the U.S. and Canada, the OECD has expanded its membership to include several Asia-Pacific nations, including Australia, Japan and the Republic of Korea.[v] Although they are not yet members, China, India and Russia also have active partnerships with the OECD.[vi]
The OECD has long recognized the need for protection of private information, and in 1980 introduced guidelines that would serve as a foundation for much of the privacy law implemented in the past 30 years.[vii] The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data set forth eight basic principles governing privacy protection and the flow of personal information: (1) collection of personal data should be limited (the Collection Limitation Principle), (2) personal data should be relevant to the purpose for which it is collected, as well as accurate, complete and up-to-date (the Data Quality Principle), (3) the purposes for collection of private information should be specified at the time of collection (the Purpose Specification Principle), (4) personal information should not be used for unspecified purposes except with the consent of the data subject or by authority of law (the Use Limitation Principle), (5) personal data should be protected from loss and unauthorized disclosure (the Security Safeguards Principle), (6) policies and practices related to personal data, as well as identifying information regarding the data controller, should be readily available (the Openness Principle), (7) individual data subjects should have the right to obtain their own personal data, challenge the retention of such data, and request erasure or correction of their personal data (the Individual Participation Principle), and (8) measures should exist to ensure data controllers comply with the other principles (the Accountability Principle).[viii]
The OECD revised the privacy guidelines in 2013; however, the guiding principles remain the same.[ix] The 2013 update focuses on the implementation of programs for managing data privacy, including the creation of enforcement authorities and provisions for notifying data subjects of breaches of their personal data. Recognizing the efforts of other organizations and countries throughout the world, the revised OECD guidelines invite non-member countries to work with member countries on the implementation of the guidelines.[x] The commentary on the revised guidelines also specifically recognizes the work of the Asia-Pacific Economic Cooperation (“APEC”; discussed in greater detail below) in creating data privacy programs.[xi]
In the years between the 1980 guidelines and the 2013 update, the OECD continued to develop its privacy practices, and in 2007 adopted a recommendation regarding cross-border co-operation in the enforcement of privacy laws.[xii] In 2011, the OECD reported that the 2007 recommendation had resulted in increased efforts among its member nations to ensure that appropriate protections were given to private data during cross-border transfers.[xiii]
2. The Asia-Pacific Economic Cooperation (“APEC”)
APEC is an intergovernmental organization with 21 member economies, including the United States, Canada, Mexico, Russia, the People’s Republic of China, Australia, Japan and the Republic of Korea, among others.[xiv]
Building on the work of the OECD and the European Union, in 2004, APEC adopted its own set of privacy principles.[xv] The APEC Privacy Framework[xvi] recognized the general applicability of the eight core principles of the 1980 OECD Privacy Guidelines, and proffered its own version of those principles while also expanding upon them. The nine APEC privacy principles largely mirror the OECD Guidelines, but introduce two additional concepts. First and foremost among the APEC principles is preventing harm to the individual data subject, a principle only implicit in the OECD Guidelines.[xvii] The APEC Framework also introduced the principle of individual choice in the collection of personal information.
The Privacy Framework detailed guidelines for international implementation of the principles and called for voluntary implementation of rules enforcing the principles in cross-border transfers of information.[xviii] Thus, in 2007 APEC began work on a set of Cross-Border Privacy Rules (CBPRs) that would control transfer of private information in APEC member economies.[xix] The CBPRs have four governing elements: (1) self-assessment of privacy policies by organizations, (2) compliance review by an APEC-recognized Accountability Agent, (3) recognition of organizations that are compliant with the privacy framework, and (4) enforcement and dispute resolution mechanisms.[xx] In 2009, APEC again echoed the work of OECD by endorsing its own cross-border privacy enforcement cooperation framework (CPEA), in coordination with the CBPRs.[xxi] In 2011, APEC endorsed an intake questionnaire for those seeking certification,[xxii] and shortly thereafter member economies began officially participating in the CBPR system. As of September 2013, 8 member economies were participants in the CBPR/CPEA system. In August 2013, IBM became the first U.S. company certified under the APEC CBPRs.[xxiii] Since that time, Merck and Yodlee have also become APEC privacy certified.[xxiv]
3. The Association of Southeast Asian Nations (“ASEAN”)
ASEAN is an intergovernmental organization established in 1967 that currently consists of 10 member states, including Singapore, Thailand, Vietnam and the Philippines.[xxv] While ASEAN currently has no specific data protection policies, the general concept is recognized in the Roadmap for an ASEAN Community 2009-2015.[xxvi] In recent years, the ASEAN communities have been active in implementing national privacy legislation, notwithstanding the lack of an overall set of organizational principles. Since 2010, five ASEAN members (Malaysia, the Philippines, Singapore, Indonesia and Vietnam) have enacted or partially enacted privacy laws.[xxvii]
Implications for International Litigation
While much of the consideration of data privacy laws and regulations remains focused on healthcare and Internet commerce, the evolution of data privacy laws potentially has far-reaching implications with respect to litigation involving entities that are based in the Asia-Pacific region or that have subsidiaries or offices in the Asia-Pacific region from which documents must be collected. Regional organizations continue to develop and implement privacy enforcement regimes and procedures for protection of data privacy during cross-border transfers that litigants would be well-advised to consider before collection and production of documents. Moreover, national implementations of data privacy protections now may come with significant non-compliance penalties. A subsequent article will address some of the more significant country-specific implementations of data privacy laws and will discuss ways to ensure compliance during litigation productions.
[i] For example, the 2013 OECD Privacy Guidelines define personal data as “any information relating to an identified or identifiable individual (data subject).” Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013) [C(80)58/FINAL, as amended on 11 July 2013 by C(2013)79], at Chapter 1, Annex, Definition 1b. Similarly, the APEC Privacy Framework defines personal information as “any information about an identified or identifiable individual.” APEC Privacy Framework, APEC#205-SO-01.2 (2005), at 5 ¶ 9.
[ii] UN General Assembly, Universal Declaration of Human Rights, 10 December 1948, 217 A (III), at Article 12.
[iii] UN General Assembly, International Covenant on Civil and Political Rights, 16 December 1966, United Nations, Treaty Series, vol. 999, at p. 171, Article 17.
[iv] See, e.g., European Union: Council of the European Union, Charter of Fundamental Rights of the European Union (2007/C 303/01), 14 December 2007, C 303/1, at Articles 7 and 8.
[v] See OECD's listing of Members and partners, available at http://www.oecd.org/about/membersandpartners/.
[vii] Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013) [C(80)58/FINAL].
[ix] Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013) [C(80)58/FINAL, as amended on 11 July 2013 by C(2013)79].
[xii] Recommendation of the Council on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy [C(2007)67].
[xiii] OECD Report on the Implementation of the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, 2011, OECD Digital Economy Papers, No. 178, OECD Publishing, available at http://dx.doi.org/10.1787/5kgdpm9wg9xs-en.
[xiv] See APEC listing of Member Economies, available at http://www.apec.org/About-Us/About-APEC/Member-Economies.aspx.
[xv] While the Framework was formally adopted in 2004, work on the Framework continued, resulting in a complete formal document in 2005.
[xvi] APEC Privacy Framework, APEC#205-SO-01.2 (2005), available at http://publications.apec.org/publication-detail.php?pub_id=390.
[xvii] Id. at Part III, APEC Information Privacy Principles, Section I, ¶ 14.
[xviii] Id. at Part IV, Guidance on Int’l Implementation, Section III, ¶¶ 46-48.
[xix] APEC Cross-Border Privacy Rules System: Policies, Rules and Guidelines, available at http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/CBPR/CBPR-PoliciesRulesGuidelines.ashx. The CBPRs are similar in nature to the Binding Corporate Rules used by the European Union to assess compliance with European Data Privacy directives and regulations.
[xxi] APEC Cooperation Arrangement for Cross-Border Privacy Enforcement, 2010/SOM1/ECSG/DPS/013, available at http://aimp.apec.org/Documents/2010/ECSG/DPS1/10_ecsg_dps1_013.pdf.
[xxii] 2011 CTI Report to Ministers, APEC#211-CT-01.5, at Appendix 6.
[xxiii] See The Cross Border Privacy Rules System: Promoting consumer privacy and economic growth across the APEC region, 5 September 2013, available at http://www.apec.org/Press/Features/2013/0903_cbpr.aspx.
[xxiv] See TRUSTe APEC Privacy web page, available at http://www.truste.com/products-and-services/enterprise-privacy/apec-accountability.
[xxv] See listing of ASEAN Member States, available at http://www.aseansec.org/asean-member-states/.
[xxvi] Roadmap for an ASEAN Community 2009-15 at 63, Section B-6 (“E-commerce”), available at http://www.aseansec.org/wp-content/uploads/2013/07/RoadmapASEANCommunity.pdf.
[xxvii] See, e.g., Review of e-commerce legislation harmonization in the Association of Southeast Asian Nations, UNCTAD/DTL/STICT/2013/1 at x-xi, available at http://unctad.org/en/PublicationsLibrary/dtlstict2013d1_en.pdf.