07 April 2012

Greenleaf

Three items from Graham Greenleaf, the GOM of Australian privacy law ... always worth reading, even if you disagree with his emphases or conclusions.

'Major Changes in Asia Pacific Data Privacy Laws: 2011 Survey' by Greenleaf in 113(1) Privacy Laws & Business International Report (2011) 5-14 argues that
Nearly a quarter of a century after data privacy laws (or as the Europeans say, ‘data protection’) first appeared in Asia and the Pacific, 2011 was a watershed year, with dramatic developments in the expansion of data protection laws in Asia. This article surveys data privacy legislation developments across Asia (from Japan to Pakistan, and from Mongolia to Indonesia), plus Australasia and the Pacific. The highlights of these new developments are new data privacy laws in South Korea, Taiwan, Malaysia and India, privacy protections in Vietnam’s new consumer law, and reform proposals in Singapore, Hong Kong, Australia and New Zealand. Legislative action seems to parallel the accelerating scale of threats to privacy, typified by massive data breaches in country after country, but the causal relationship is beyond the scope of this article. The article analyses these developments, and the state of play in other countries of the regions, by sub-regions, in order of where the most dramatic recent developments have taken place: South Asia; North Asia; Indo-China; Australasia and the Pacific. The emphasis is on developments over the last 18 months, but background on previous data privacy laws is provided.
'Privacy Enforcement Strengthens in Australia & New Zealand' by Greenleaf & Katrine Evans in 115 Privacy Laws & Business International Report (2012) is described as
the first of a series surveying recent Asian and Australasian examples of significant enforcement of data privacy laws. If there are current examples of where privacy laws are achieving significant outcomes in a country, this should make us cautious of the oft-voiced suspicion that ‘privacy laws don't achieve anything’. On the other hand, if such examples are lacking, this raises serious questions. The main sources for such examples are court and tribunal decisions, and the databases of complaint summaries, and annual reports, of data protection authorities.
By ‘significant examples of privacy enforcement actions’ what we mean is as follows. Firstly, the action results from complaints to an independent authority, actions before any Court or Tribunal, or 'own motion' actions by an authority responding to a specific situation. General investigations or reform proposals by authorities are not included. Secondly, the authorities concerned could be Data Protection Authorities (DPAs) or Privacy Commissioners but they could also be telecommunications regulators, financial regulators, government agencies and so on. Independent industry self-regulatory bodies could be included. Thirdly, the result is a significant remedy for an individual or a group of people; or a significant change in (or confirmation of) the interpretation of the law with potential remedial benefits; or a significant change in business or government practices.
At present there are well-established data privacy laws covering most aspects of the private sector in nine jurisdictions in Asia and Australasia. This article covers New Zealand and the three Australian jurisdictions. ...
This survey of recent enforcement examples in New Zealand and Australia makes it clear that significant examples of enforcement of privacy laws continue to occur in all four jurisdictions considered, and some examples show the strengthening of particular remedies. However, the mechanisms through which significant enforcement arises differ a great deal between jurisdictions. In these Australasian examples they include complainant-initiated injunctions, both awards of damages and mediations by Privacy Commissioners, orders by quasi-judicial Tribunals, and suppression orders by Tribunals. One overall factor shared by all four Australia and New Zealand jurisdictions is that payments of financial compensation to complainants are possible and do occur. A comprehensive assessment of enforcement effectiveness would also require statistical information to be considered. Such analysis of enforcement of privacy laws and its effectiveness (covering examples, statistics and mechanisms) is an important aspect of privacy research which is not yet fully developed.
We might disagree with the upbeat assessment of the two authors. As with the previously noted article, tabulation needs to be integrated with evaluation if it's to go beyond triumphalist reporting. Compensation payments do occur, but are those payments commensurate with the scale of injury, do they deter future malpractice and are breaches of privacy indeed being consistently punished?

One response might be that the answer to those three questions is clearly No. Greenleaf elsewhere appears to have concerns regarding the efficacy of some mechanisms.

Greenleaf's 'Do Not Dismiss ‘Adequacy’: European Data Privacy Standards are Entrenched' in 114 Privacy Laws & Business International Report (2011) 16‐18 comments that
The ‘adequacy’ mechanism in the EU data protection Directive, and perceptions of it, have been one (but only one) of the means by which the influence of European data privacy standards has been felt outside Europe. The EU’s ‘border control’ approach is to require member states to limit data exports unless ‘adequate protection’ can be demonstrated at the receiving end (EU Directive Articles 25, 26). There are now 81 jurisdictions in the world with data privacy laws, excluding those only covering the public sector (Greenleaf, 2011b), so there are 53 theoretical candidates for adequacy findings. However, the EU has only made adequacy decisions in relation to nine jurisdictions as a whole (Andorra, Argentina, Canada, Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, and Jersey), some of which are of relatively little economic or political significance.
‘Adequacy’ certainly has its critics, and many criticisms, theoretical and practical, have substance. But this article argues that we should not be too hasty, and outlines a number of reasons why ‘adequacy’ is now so entrenched in legal systems across the world that it will not be easy to remove. The list of countries considered adequate is expanding slowly: Uruguay and New Zealand will soon be added to the list. Despite the slow pace of the EU in making and publicising assessments, the desire to eventually obtain an ‘adequacy’ finding from the EU, or in a more amorphous form, to have one’s law regarded as of the highest international standard (that the EU Directive is considered by many to embody) has been a significant influence on the development of laws outside Europe. Consideration of the 29 African, Latin American, Asian, Australasian, and other jurisdictions with data privacy laws suggests that the EU Directive is the most significant overall influence on the content of data privacy laws outside Europe, and that its influence is gradually strengthening.
As a result, ‘adequacy’ has stopped being a primarily EU concept. Outside Europe, ‘border control’ data export limitations are found in almost all (25/29) data privacy laws in all regions, though their strength varies a great deal, and they are not yet in force in the laws of Malaysia and Hong Kong. Non-EU/EEA European countries also have data export limitations in their law because of the Additional Protocol to Council of Europe Convention 108. So anyone who wishes to criticise the EU for wanting to ‘impose its standards on the rest of the world’ had better level the same accusation at the rest of the world.
There is also, as yet, little indication that the current revisions of the Directive or the Convention will result in Europe abandoning its ‘border control’ approach. The future for European privacy standards, including the ‘border control’ principle of ‘adequacy’ is far more positive than the criticisms they receive might lead us to believe. Attempts to replace the adequacy concept with some notion of ‘accountability’ that abandons ‘border control’, not only go against the likely direction of reforms of the Directive, but would also involve changing the Council of Europe Convention Additional Protocol, and all non-EU/EEA laws, and almost all data privacy laws outside Europe as well. The inertia that exists against such change occurring is considerable. Like it or loathe it, adequacy may be here to stay.