MBHB Snippets: Review of Developments in Intellectual Property Law - Volume 12, Issue 1 (Winter 2014): Evolving Data Protection Regimes in the Asia-Pacific Arena and Their Impact on Litigation: Overview of International Policies Governing Cross-Border Data Transfer

by McDonnell Boehnen Hulbert & Berghoff LLP

The worldwide expansion of data privacy laws and regulations has impacts that are being felt with increasing regularity in the litigation arena. Whenever data collections occur within foreign corporations or foreign subsidiaries or offices of U.S. corporations, those entities must consider whether there are laws that govern the entity’s ability to share that data. Specifically, parties that collect and produce material in a litigation must determine whether they must redact private information from data prior to production or whether they must notify data subjects of potential production and allow the data subjects the opportunity to object, among other considerations. Given that the broadest definitions of private data include anything that allows identification of a person,[i] and given the vast quantities of data involved in modern patent litigation, the potential burdens to a producing party can be significant. And given that the penalties for improper disclosure are increasingly severe, a party involved in litigation would do well to fully understand the potential implications of production. No longer should the approach commonly taken in the past of mass collection and production be the norm when data privacy laws are in play.

Much analysis of data privacy issues in recent years has focused on the European Union. However, there have also been significant efforts regarding data protection in the Asia-Pacific region, an area of ever-increasing focus for patent practitioners. This article addresses the role of regional organizations in developing and enforcing policies, laws and regulations throughout the Asia-Pacific arena, and considers the potential impacts of ongoing national and international efforts to protect the right of privacy. A subsequent article will be presented to address specific national implementations of data privacy laws and the implications for litigation involving Asia-Pacific entities.

The Role of Regional Organizations in Protecting Data Privacy

While the idea of an individual right to privacy has distant historical origins, the codification of this right and the generation of laws and regulations to protect that right have increased significantly during the past century. A full treatment of the evolution of the right to privacy is beyond the scope of this article, however, a brief historical background is helpful in setting the stage for a discussion of current legislation.

In 1948, Article 12 of the Universal Declaration of Human Rights specifically identified individual privacy as a fundamental human right.[ii] Since that time, numerous other international covenants and treaties have recognized the fundamental right to privacy, including among others the International Covenant on Civil and Political Rights,[iii] and the Charter of Fundamental Rights of the European Union.[iv] Regional economic organizations worldwide have also enumerated principles addressing the right to privacy, and the various member nations of these organizations have adopted or are in the process of adopting domestic policies and implementing legislation providing for the protection of personal data.

1.      The Organisation for Economic Co-operation and Development (“OECD”)

From its origins in 1960, when it was composed of European nations, the U.S. and Canada, the OECD has expanded its membership to include several Asia-Pacific nations, including Australia, Japan and the Republic of Korea.[v] Although not yet members, OECD also has active partnerships with China, India and Russia.[vi]

The OECD has long recognized the need for protection of private information, and in 1980 introduced guidelines that would serve as a foundation for much of the privacy law implemented in the past 30 years.[vii] The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data set forth eight basic principles governing privacy protection and the flow of personal information: (1) collection of personal data should be limited (the Collection Limitation Principle), (2) personal data should be relevant to the purpose for which it is collected, as well as accurate, complete and up-to-date; (the Data Quality Principle), (3) the purposes for collection of private information should be specified at the time of collection (the Purpose Specification Principle), (4) personal information should not be used for unspecified purposes with the consent of the data subject or by authority of law (the Use Limitation Principle), (5) personal data should be protected from loss and unauthorized disclosure (the Security Safeguards Principle), (6) policies and practices related to personal data, as well as identifying information regarding the data controller, should be readily available (the Openness Principle), (7) individual data subjects should have the right to obtain their own personal data, challenge the retention of such data, and request erasure or correction of their personal data (the Individual Participation Principle), and (8) measures should exist to ensure data controllers comply with the other principles (the Accountability Principle).[viii]

The OECD revised the privacy guidelines in 2013; however, the guiding principles remain the same.[ix] The 2013 update focuses on the implementation of programs for managing data privacy, including the creation of enforcement authorities and provisions for notifying data subjects of breaches of their personal data. Recognizing the efforts of other organizations and countries throughout the world, the revised OECD guidelines invite non-member countries to work with member countries on the implementation of the guidelines.[x] The commentary on the revised guidelines also specifically recognizes the work of the Asia-Pacific Economic Cooperation (“APEC”; discussed in greater detail below) in creating data privacy programs.[xi]

In the years between the 1980 guidelines and the 2013 update, the OECD continued to develop its privacy practices, and in 2007 adopted a recommendation regarding cross-border co-operation in the enforcement of privacy laws.[xii] In 2011, the OECD reported that the 2007 recommendation had resulted in increased efforts among its member nations to ensure that appropriate protections were given to private data during cross-border transfers.[xiii]

2.      APEC

APEC is an intergovernmental organization with 21 member economies, including the United States, Canada, Mexico, Russia, the People’s Republic of China, Australia, Japan and the Republic of Korea among others.[xiv]

Building on the work of the OECD and the European Union, in 2004, APEC adopted its own set of privacy principles.[xv] The APEC Privacy Framework[xvi] recognized the general applicability of the eight core principles of the 1980 OECD Privacy Guidelines, and proffered its own version of those principles while also expanding upon them. The nine APEC privacy principles largely mirror the OECD Guidelines, but introduce two additional concepts. First and foremost among the APEC principles is preventing harm to the individual data subject, a principle only implicit in the OECD Guidelines.[xvii] The APEC Framework also introduced the principle of individual choice in the collection of personal information.

The Privacy Framework detailed guidelines for international implementation of the principles and called for voluntary implementation of rules enforcing the principles in cross-border transfers of information.[xviii] Thus, in 2007 APEC began work on a set of Cross-Border Privacy Rules (CBPR’s) that would control transfer of private information in APEC member economies.[xix] The CBPRs have four governing elements: (1) self-assessment of privacy policies by organizations, (2) compliance review by an APEC-recognized Accountability Agent, (3) recognition of organizations that are compliant with the privacy framework, and (4) enforcement and dispute resolution mechanisms.[xx] In 2009, APEC again echoed the work of OECD by endorsing its own cross-border privacy enforcement cooperation framework (CPEA), in coordination with the CBPRs.[xxi] In 2011, APEC endorsed an intake questionnaire for those seeking certification,[xxii] and shortly thereafter member economies began officially participating in the CBPR system. As of September 2013, 8 member economies were participants in the CBPR/CPEA system. In August 2013, IBM became the first U.S. company certified under the APEC CBPRs.[xxiii] Since that time, Merck and Yodlee have also become APEC privacy certified.[xxiv]

3.      The Association of Southeast Asian Nations (“ASEAN”)

ASEAN is an intergovernmental organization established in 1967 that currently consists of 10 member states, including Singapore, Thailand, Vietnam and the Philippines.[xxv] While ASEAN currently has no specific data protection policies, the general concept is recognized in the Roadmap for an ASEAN Community 2009-2015.[xxvi] In recent years, the ASEAN communities have been active in implementing national privacy legislation, notwithstanding the lack of an overall set of organizational principles. Since 2010, five ASEAN members (Malaysia, the Philippines, Singapore, Indonesia and Vietnam) have enacted or partially enacted privacy laws.[xxvii]

Implications for International Litigation

While much of the consideration of data privacy laws and regulations remains focused on healthcare and Internet commerce, the evolution of data privacy laws potentially has far-reaching implications with respect to litigation involving entities that are based in the Asia-Pacific region or that have subsidiaries or offices in the Asia-Pacific region from which documents must be collected. Regional organizations continue to develop and implement privacy enforcement regimes and procedures for protection of data privacy during cross-border transfers that litigants would be well-advised to consider before collection and production of documents. Moreover, national implementations of data privacy protections now may come with significant non-compliance penalties. A subsequent article will address some of the more significant country specific implementations of data privacy laws and will discuss ways to ensure compliance during litigation productions.

[i] For example, the 2013 OECD Privacy Guidelines define personal data as “any information relating to an identified or identifiable individual (data subject).” Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013) [C(80)58/FINAL, as amended on 11 July 2013 by C(2013)79], at Chapter 1, Annex, Definition 1b. Similarly, the APEC Privacy Framework defines personal information as “any information about an identified or identifiable individual.” APEC Privacy Framework, APEC#205-SO-01.2 (2005), at 5 ¶ 9.

[ii] UN General Assembly, Universal Declaration of Human Rights, 10 December 1948, 217 A (III), at Article 12.

[iii] UN General Assembly, International Covenant on Civil and Political Rights, 16 December 1966, United Nations, Treaty Series, vol. 999, at p. 171, Article 17.

[iv] See, e.g., European Union: Council of the European Union, Charter of Fundamental Rights of the European Union (2007/C 303/01), 14 December 2007, C 303/1, at Articles 7 and 8.

[v] See OECD's listing of Members and partners, available at http://www.oecd.org/about/membersandpartners/.

[vi] Id.

[vii] Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013) [C(80)58/FINAL].

[viii] Id. at Part 2.

[ix] Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013) [C(80)58/FINAL, as amended on 11 July 2013 by C(2013)79].

[x] Id. at Chapter 1.

[xi] Id. at Chapter 2.

[xii] Recommendation of the Council on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy [C(2007)67].

[xiii] OECD Report on the Implementation of the OECD Recommendation on Cross-border Co-operation in the Enforcement of Laws Protecting Privacy, 2011, OECD Digital Economy Papers, No. 178, OECD Publishing, available at http://dx.doi.org/10.1787/5kgdpm9wg9xs-en.

[xiv] See APEC listing of Member Economies, available at http://www.apec.org/About-Us/About-APEC/Member-Economies.aspx.

[xv] While the Framework was formally adopted in 2004, work on the Framework continued resulting in a complete formal document in 2005.

[xvi] APEC Privacy Framework, APEC#205-SO-01.2 (2005), available at http://publications.apec.org/publication-detail.php?pub_id=390.

[xvii] Id. at Part III, APEC Information Privacy Principles, Section I, ¶ 14.

[xviii] Id. at Part IV, Guidance on Int’l Implementation, Section III, ¶¶ 46-48.

[xix] APEC Cross-Border Privacy Rules System: Policies, Rules and Guidelines, available at http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/CBPR/CBPR-PoliciesRulesGuidelines.ashx. The CBPRs are similar in nature to the Binding Corporate Rules used by the European Union to assess compliance with European Data Privacy directives and regulations.

[xx] Id. at 4.

[xxi] APEC Cooperation Arrangement for Cross-Border Privacy Enforcement, 2010/SOM1/ECSG/DPS/013, available at http://aimp.apec.org/Documents/2010/ECSG/DPS1/10_ecsg_dps1_013.pdf.

[xxii] 2011 CTI Report to Ministers, APEC#211-CT-01.5, at Appendix 6.

[xxiii] See The Cross Border Privacy Rules System: Promoting consumer privacy and economic growth across the APEC region, 5 September 2013, available at http://www.apec.org/Press/Features/2013/0903_cbpr.aspx.

[xxiv] See TRUSTe APEC Privacy web page, available at http://www.truste.com/products-and-services/enterprise-privacy/apec-accountability.

[xxv] See listing of ASEAN Member States, available at http://www.aseansec.org/asean-member-states/.

[xxvi] Roadmap for an ASEAN Community 2009-15 at 63, Section B-6 (“E-commerce”), available at http://www.aseansec.org/wp-content/uploads/2013/07/RoadmapASEANCommunity.pdf.

[xxvii] See, e.g., Review of e-commerce legislation harmonization in the Association of Southeast Asian Nations, UNCTAD/DTL/STICT/2013/1 at x-xi, available at http://unctad.org/en/PublicationsLibrary/dtlstict2013d1_en.pdf.


Written by:

McDonnell Boehnen Hulbert & Berghoff LLP

McDonnell Boehnen Hulbert & Berghoff LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.