Asia and the Pacific
page looks at legislation, reports and developments in
Given the disparate nature of economies and cultures in
Asia and the Pacific islands it is unsurprising that there's
wide range of legislation (or lack of legislation) and
practice compared to Europe.
Some states have emphasised commitment to the OECD principles
or sought compatibility with the EU Data Protection Directive.
Others have identified personal privacy as inconsistent
with Asian exceptionalism (eg a 'non-Asian' value or a
fundamental impediment to economic growth) or to be disregarded
as undermining the proper ordering of society through
identification and surveillance of all citizens.
Singapore PM Lee Kuan Yew thus stated in 1986 that
am often accused of interfering in the private lives
of citizens. Yet, if I did not, had I not done that,
we wouldn't be here today. And I say without the slightest
remorse, that we wouldn't be here, we would not have
made economic progress, if we had not intervened on
very personal matters - who your neighbor is, how you
live, the noise you make, how you spit, or what language
about policy questions, community expectations, industry
codes and legislation has primarily concerned data collection/handling
by government agencies rather than the private sector.
In particular it has centred on political surveillance
and on questions of censorship,
reflecting public attitudes about civil society and individual
rights, past data collection practices in the private
sectors of emerging economies (eg few comprehensive databases
about consumption) and the priorities of national governments.
At a regional level there have been a number of statements
by bodies such as APEC
(Asia-Pacific Economic Cooperation), in particular the
1995 Seoul Declaration and 1998 Singapore Declaration.
The Seoul Declaration on privacy and the Asia Pacific
Information Infrastructure (APII) identified the importance
of a "free and efficient flow of information"
while "ensuring the protection of intellectual property
rights, privacy and data security".
The 1998 Singapore Declaration on privacy and E-commerce
called for the APEC Telecommunications Working Group (APECTEL)
to consider privacy as a key issue "that will affect
consumer confidence and ability to use electronic commerce
within the APEC region". The bureaucratic shopping
list for that consideration was to embrace
and contributing to international approaches for protecting
the privacy of personal data
identification of the essential elements of a legal
and regulatory framework for electronic commerce
all APEC member economies to remove existing and avoid
the introduction of new legal, regulatory and other
barriers to conducting electronic commerce in the region
the use of best practices on electronic commerce, ie
the development of self-regulation measures by industry.
Collapse of the dot-com bubble,
systemic economic problems in countries such as Malaysia
and '11 September syndrome' have militated against enthusiastic
implementation by the APEC Ministers.
Perspectives are provided by the papers
from the 2000 conference The Rule of Law: Perspectives
from the Pacific Rim, papers in Law, Capitalism
& Power in Asia (London: Routledge 99) edited
by Kanishka Jayasuriya, The Role of Law & Legal
Institutions in Asian Economic Development 1960-95
(New York: Oxford Uni Press) by Katharina Pistor &
Philip Wellons, and studies highlighted in our discussion
of human rights here.
APEC Privacy Principles?
In 2003 the 21 APEC
nations - ranging from Canada through China to Australia
and New Zealand - began formal consultations about development
of an Asia-Pacific privacy standard, along with protocols
for handling data export restriction issues, potentially
the major international privacy development since the
EU data protection directive.
Establishment of a regional standard is contentious. Proponents
have argued that it would promote the development of effective
privacy regimes in APEC nations that currently have little
privacy law (and weak enforcement of that law). It has
however been criticised as potentially weakening existing
regimes, posing potential threats to long term national/regional
privacy enhancement through an emphasis on acceptance
second-rate standard based on some parts of the 20 year
old OECD Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data (1980), particularly
if this is then used to force down the standards of
privacy laws in regional jurisdictions which are already
mid-2003 the Asia-Pacific Privacy Charter Initiative was
launched under the auspices of the Asia-Pacific Privacy
Charter Council (APPCC),
a regional expert group that seeks to
develop independent standards for privacy protection
in the region, in order to influence the enactment of
privacy laws in the region in accordance with those
standards, and the adoption of regional privacy agreements
in accordance with those standards.
for APEC Privacy Principles are discussed in Graham Greenleaf's
2003 APEC Privacy Principles Version 2 - Not quite
so Lite, and NZ wants OECD full strength paper
and Australia's APEC privacy initiative: The pros
and cons of 'OECD Lite' paper
China and the Hong Kong SAR
The Chinese Constitution - like that of the former USSR
- provides limited rights to privacy, notably the declaration
that "the freedom of the person of citizens of the
People’s Republic of China is inviolable" (Article
37) and that
and privacy of correspondence of citizens of the People’s
Republic of China are protected by law. No organization
or individual may, on any ground, infringe on citizens’
freedom of privacy of correspondence, except in cases
where to meet the needs of state security or of criminal
investigation, public security or prosecutorial organs
are permitted to censor correspondence in accordance
with procedures prescribed by law (Article 40)
agencies have taken a broad view of "the needs of
state security" and investigation. There's no general
data protection legislation, few enactments that limit
interference by government agencies and problematical
application of legislation or statements of principle.
As noted by papers in Concepts of Privacy in China
(Leiden: EJ Brill 2002) edited by Bonnie McDougall, there's
no systematic historical or sociological study of notions
of privacy in China. Much academic writing has centred
on questions of censorship
and political surveillance, for example Developments
in Online Privacy Regulations & an Assessment of Privacy
Practices in China (PDF)
by May Lwin & Luh Lan, Open Networks, Closed Regimes:
The Impact of the Internet on Authoritarian Rule
(Washington: Carnegie Endowment 2003) by Shanthi Kalathil
& Taylor Boas or Lokman Tsui's 2001 MA thesis (PDF)
on Internet in China: Big Mama Is Watching You (Internet
Control & the Chinese Government).
It's clear however that simplistic accounts about innately
negative social attitudes are inadequate. A perspective
on the development of a Western-style data protection
regime is provided by Randall Peerenboom's China's
Long March toward Rule of Law (Cambridge: Cambridge
Uni Press 2002), Stanley Lubman's Bird in a Cage: Legal
Reform in China after Mao (Stanford: Stanford Uni
Press 1999) and Human Rights in Contemporary China
(New York: Columbia Uni Press 1986) edited by R Randle
Hong Kong was the first part of the region to enact legislation
based on the EU Directive, with a Personal Data (Privacy)
Ordinance covering the public and public sectors (here)
and a Code on Access to Information (here).
The statutory Privacy Commissioner (PCO)
is currently engaged in work of particular importance
regarding privacy aspects of identity cards and health
There is a discussion of the Hong Kong regime in Hong
Kong Data Privacy Law: Territorial Regulation in a Borderless
World (Hong Kong: Sweet & Maxwell 2002) by Mark
Berthold & Raymond Wacks,
Data Privacy Law in Hong Kong - A Professional Guide
(Hong Kong: FT Law & Tax Asia Pacific 1997) by the
same authors and The Annotated Ordinances of Hong Kong:
Personal Data (Privacy Ordinance) (Singapore: Butterworths
Asia 1999) by Mark Berthold.
The latter's papers on the HK legislation include
Kong's Data Privacy Proposals (in Privacy Law &
Policy Reporter, 1994 part 1 here
and part 2 here),
Hong Kong's Personal Data (Privacy) Ordinance 1995
(in Privacy Law & Policy Reporter, 1995
and Regulating surveillance: Hong Kong's proposals
(in Privacy Law & Policy Reporter, 1996 part
and part 2 here).
Privacy Commissioner's site
features information of interest to Australian readers.
The HK Legislative Council's consideration of law and
practice is also of interest, in particular the 140 page
consultation paper Regulating Surveillance and the
Interception of Communications (txt)
Across the straits the 1994 Taiwanese Constitution articulates
a restricted right of privacy, ie that "The people
shall have freedom of privacy of correspondence".
That has been extended through legislation such as the
1995 Computer-Processed Personal Data Protection Law
concerning the collection and use by government agencies
and some private sector bodies of personally identifiable
information. The 1995 law requires that "collection
or utilization of personal data shall respect the rights
and interests of the principal and such personal data
shall be handled in accordance with the principles of
honesty and credibility so as not to exceed the scope
of the specific purpose", with an in principle right
of data access, correction and deletion. Data flows to
countries without privacy legislation can be prohibited.
There is no general data protection or privacy law in
Singapore, where the government is recurrently criticised
for surveillance of political opposition groups and orginary
Some protection is provided through e-commerce legislation,
in particular the the Electronic Transactions Act
National Computer Board (Amendment) Act and the
Computer Misuse (Amendment) Act (CMA).
In 1998 the government's National Internet Advisory Committee
released an E-Commerce Code for the Protection of Personal
Information and Communications of Consumers of Internet
Commerce that embraces industry bodies. It limits
collection and unauthorised disclosure of personal information;
consumers have some rights regarding the restriction of
data transfers and data correction/deletion.
Malaysia's federal Constitution (like that of Australia)
does not specifically recognize a right to privacy and
there's been little progress in the development of a comprehensive
regime for the protection of personal data collected/handled
by the private and public sectors, despite proposals for
a Personal Data Protection Act as part of the
ambitious National Electronic Commerce Master Plan.
Perhaps unsurprisingly, given statements by Prime Minister
Mahathir, government spokespeople generally characterize
privacy safeguards as a cost of doing business rather
than a public good and as an impediment to the proper
policing of society. In practice provisions in the Communications
& Multimedia Act 1998 restricting telecommunications
interception appear to be ignored or overridden by the
Internal Security Act and the Computer Crime
Act of 1997. The 1998 exposure draft of the Personal
Data Protection Bill was replaced by a weaker Bill
in 2001, which did not proceed. A view is provided in
the 2007 E-Data Privacy and the Personal Data Protection
Bill of Malaysia (PDF)
by Sarabdeen Jawahitha, Mohamed Ishak & Mohamed Mazahir.
An overview of developments in Malaysia is provided by
Privacy and Data Protection: A Comparative Analysis
with Special Reference to the Malaysian Proposed Law
(London: Sweet & Maxwell) by Abu Bakar Munir & Mohammad
South Korea's Constitution provides explicit protection
of privacy, notably Article 17 "The privacy of no
citizen may be infringed", Article 16 "All citizens
are free from intrusion into their place of residence"
and Article 18 "The privacy of correspondence of
no citizen shall be infringed". The Republic has
adopted the OECD Guidelines.
That's been reflected in legislation such as the 1994
Act on the Protection of Personal Information Managed
by Public Agencies, 1995 Act Relating to Use
and Protection of Credit Information, 1996 Act
on Disclosure of Information by Public Agencies and
1999 Basic Act on Electronic Commerce, which
underpins a government Cyber Privacy Center and guidelines
to give effect to requirements that
traders shall not use, nor provide to any third party,
the personal information collected through electronic
commerce beyond the alleged purpose for collection thereof
without prior consent of the person of such information
or except as specifically provided in any other law.
Data holders have a duty of security. Individuals have
rights of access, data correction and deletion.
In practice implementation of the legislation has been
uneven, with poor practice by government agencies and
private sector bodies. A 1989 Supreme Court ruling identified
a constitutional right to data protection "as an
aspect of the right of freedom of expression ... specific
implementing legislation to define the contours of the
right was not a prerequisite to its enforcement".
Extracting personal information from government (and more
so from business) has been difficult and there's evidence
of large-scale surveillance by a variety of agencies.
Prior to May 2003, Japan did not have a comprehensive
national privacy/data protection regime.
The 1946 Constitution enshrines "Freedom of assembly
and association as well as speech, press and all other
forms of expression are guaranteed". The 1988 Act
for the Protection of Computer Processed Personal Data
Held by Administrative Organs and 1990 Protection
of Computer Processed Personal Data Act (based on
the OECD Guidelines) provide partial regulation of some
national government agencies.
Provincial/municipal government agencies are in theory
covered by local privacy protection regulations. Low uptake
of data processing by government agencies means that much
information is not held/generated in digital formats and
thus falls outside the legislation.
The national government has emphasised self-regulation
by the private sector, especially regarding privacy aspects
of electronic commerce, with a series of aspirational
guidelines from the Ministry of International Trade &
Industry (MITI) and other agencies. A suite of legislation
passed in May 2003 established some general restrictions
on the use and sharing of personal data, also giving individuals
the right to obtain information collected by some private
Thailand's 1997 Constitution seeks to protect a "person's
family rights, dignity, reputation or the right of privacy",
indicating that "the assertion or circulation of
a statement or picture in any manner whatsoever to the
public, which violates or affects a person’s family
rights, dignity, reputation or the right of privacy, shall
not be made except for the case which is beneficial to
the public" and that "Persons have the freedom
to communication with one another by lawful means".
Legislation and administrative directions under the Constitution
have primarily concerned data handled by government agencies,
rather than the private sector, for example the 1997 Official
Information Act establishing a code of practice for
personal information systems maintained by agencies.
India's 1950 Constitution does not provide express recognition
of a right to privacy but successive Supreme Court rulings
have identified an implicit right under Article 21 of
the Constitution (ie the broad "No person shall be
deprived of his life or personal liberty except according
to procedure established by law") and that access
to government information is an essential part of the
fundamental right to freedom of speech and expression.
There is currently no general national data protection
law; protection is provided on an uneven basis through
sectoral enactments such as the 1993 Public Financial
Institutions Act and licensing of ISPs under national
telecommunications legislation. Legislation and practice
at the state level varies considerably. In 2004 for example
consumer groups noted that mobile phone companies will
contact a subscriber's most frequently called numbers
to complain if that subscriber misses a payment.
other parts of Asia and the Pacific
Among the Mekong delta states, Micronesia and most of
Polynesia data protection is either not on the government
agenda or is something used by agencies to protect themselves
from intrusions by citizens.
next page (US