Five years of the APEC Privacy Framework: Failure or promise?

The APEC Privacy Framework was developed from 2003, adopted by APEC in 2004 and finalised in 2005. It was intended as a means of improving the standard of information privacy protection throughout the APEC countries of the Asia–Pacific, and of facilitating the trans-border flow of personal information between those countries. In 2007 a number of ‘Pathfinder’ projects for cross-border data transfers were launched under the Framework. In the five years since the process commenced, what has it achieved, and what is it likely to achieve? This paper argues that the APEC Privacy Framework has had many flaws from its inception, including Privacy Principles that are unnecessarily weak, and no meaningful enforcement requirements. Since its adoption in 2004, little attempt has been made to encourage its use as a minimal standard for privacy legislation in developing countries (which might have been useful), and it is having little impact on the significant number of legislative developments now taking place.Instead, the ‘Pathfinder’ projects seem to be developing toward a generalised version of the US ‘Safe Harbor’ scheme. What is known of the Pathfinder projects leaves many questions unanswered, such as what standards for data transfers they aim to implement; whether compliance with all of APEC's own Privacy Principles will be required; and how ‘Accountability Agents’ will be accredited. Consumer input into APEC's privacy processes has been belated and ad-hoc but business influences omnipresent. Despite these flaws, APEC could still play a useful role in the gradual development of higher privacy standards in Asia, provided its priorities are re-oriented. The major developments in Asian privacy protection are likely to come from elsewhere, including other regional groupings, and attractions of standards originating in Europe. The paper concludes with suggestions for other directions.