Differences in General Principles of APEC Privacy Framework and GDPR

10.04.2023


1. Introduction

The importance of privacy has increased due to the significant increase in data processing methods and activities along with rapid technological developments and globalisation. As a result, many countries and regions have adopted privacy laws to ensure harmony for the protection of the personal data of individuals.

In the EU, the European Commission introduced the General Data Protection Regulation (“GDPR”) to harmonise data privacy laws across all Member States and to meet the need for modern data protection rules in the digital age. It entered into force on 25 May 2018. The GDPR, as a “regulation”, is a binding legislative act that must be applied across the EU without any transposition into national law [1].

In the Asia-Pacific Region, the APEC Privacy Framework (“Framework”) was adopted in 2005 by the Asia-Pacific Economic Cooperation Organization (“APEC”), which was established in 1989 to support economic development cooperation, trade, and investment in the region. This Framework includes a set of principles and guidelines aiming to develop adequate privacy protections that avoid barriers to information flow and ensure continued trade and economic growth in the APEC region.

APEC has 21 member countries.[2] The APEC Privacy Framework is a guide for the member countries on how to handle personal information and transfer it to third parties. Based on this Framework, the member countries are free to enact their own laws and to decide to what extent they will apply the provisions of the Framework.

2. General Differences between the APEC Privacy Framework and GDPR

Both regulations aim to protect personal data and privacy. However, there are some fundamental differences between them, such as their application areas and approach bases:

1- Geographical Scope: The GDPR applies to all organisations operating in the European Union, regardless of where the data is processed. The APEC Privacy Framework applies to organisations within the Asia-Pacific Economic Cooperation region.

2- Obligations of Organizations: The GDPR imposes several obligations on organisations, such as appointing a Data Protection Officer and conducting impact assessment analysis for high-risk processing activities. The APEC Privacy Framework does not impose these obligations. However, APEC requires organisations to implement appropriate confidentiality measures and have accountability mechanisms.

3- Enforcement: The GDPR has robust enforcement mechanisms, including the power to impose hefty fines for non-compliance. The APEC Privacy Framework is advisory to member countries, with no enforcement mechanisms.

4- Approach Difference: Both the APEC Privacy Framework and the GDPR are based on the need to protect personal data. However, their approaches differ according to their underlying needs and priorities. For example, APEC's objective of protecting informational privacy arises from promoting trade and investment rather than primarily from protecting fundamental human rights, as in the European Union. In this context, the GDPR is primarily individual-based and places a strong emphasis on the rights and freedoms of individuals concerning their data. On the other hand, the APEC Privacy Framework is primarily economy-based, emphasising the promotion of economic growth and trade in the Asia-Pacific region while taking care to protect personal data.

3. Differences in Privacy Principles

(a) Preventing Harm

The preventing harm principle is specific to the APEC Privacy Framework, which defines it as follows:

“Recognizing the interests of the individual to legitimate expectations of privacy, personal information protection should be designed to prevent the misuse of such information. Further, acknowledging the risk that harm may result from such misuse of personal information, specific obligations should take account of such risk, and remedial measures should be proportionate to the likelihood and severity of the harm threatened by the collection, use and transfer of personal information” (Part 2/14).

The Preventing Harm Principle is introduced to prevent the misuse of personal information and consequent harm to individuals. Therefore, laws, regulations, enforcement mechanisms, as well as education and awareness campaigns should be designed to prevent harm to individuals from the wrongful collection and misuse of their personal information.

However, the APEC Privacy Framework does not define “harm”; therefore, it is unclear what should be done, and when, to prevent such “harm”. Unlike the APEC Privacy Framework, we believe the GDPR sets out clearer standards to protect the fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data.

(b) Notice

The notice principle of the APEC Privacy Framework resembles the notice provisions of the GDPR. It requires controllers to provide clear and easily accessible statements about their practices and policies with respect to personal information. According to both regulations, all reasonably practicable steps shall be taken to ensure that such notice is provided either before or at the time of the collection of personal information. If this is not possible, the APEC Privacy Framework states that such notice should be provided as soon as practicable. However, the GDPR presents more details on how the controller must comply with their notice requirements in different cases, such as giving notice in case of obtaining personal data from third-party sources (Article 14/3) or exceptions for such notice requirements (Articles 13/1 and 14/5).

(c) Collection Limitation

According to the APEC Privacy Framework, the collection of personal information should be limited to information that is relevant to the purposes of collection, and any such information should be obtained by lawful and fair means, and where appropriate, with notice to, or consent of, the individual concerned.

According to the GDPR, the collection of personal data is limited by its purpose. Personal data shall be collected for specified, explicit, and legitimate purposes and shall not be further processed in a manner that is incompatible with those purposes (purpose limitation). In addition to the purpose limitation principle, the GDPR also has the data minimisation principle: “Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” (Article 5(1)(c)).

“What is necessary” means the minimum amount of personal data the controller needs to fulfil its purposes. However, the APEC Privacy Framework does not emphasise the term “what is necessary” as the GDPR does.

(d) Access and Correction

With respect to access to and correction of personal information, the APEC Privacy Framework specifies that individuals should be able to obtain from the controller confirmation of whether or not the controller holds personal information about them, to have access to the information held about them, to challenge the accuracy of information relating to them, and to have the information rectified, completed, amended or deleted.

However, the Framework introduces some exemptions for such access or correction requests. Controllers may reject such a request where:

  • the cost is found to be excessive when comparing the cost arising from the access request with the risk arising from the processing of the individual's personal data;
  • a trade secret would be exposed by such a request; or
  • such a request may cause a security risk.

According to the GDPR, the data subject has the right to obtain from the controller confirmation as to whether or not his/her personal data are being processed and, where that is the case, access to the personal data and the following information:

  • the purposes of the processing;
  • the categories of personal data processed;
  • the recipients or categories of recipients to whom the personal data have been or will be disclosed;
  • where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  • the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  • the right to lodge a complaint with a supervisory authority;
  • where the personal data are not collected from the data subject, any available information as to their source;
  • the existence of automated decision-making, including profiling.

According to the GDPR, if the data controller considers that a request is manifestly unfounded or excessive, the controller may request a reasonable fee to deal with the request or may reject the request.

Given the above considerations, the Framework’s exemptions appear to be much more broadly drawn than those in the GDPR.

(e) Transfer of personal data to another person or country

According to the APEC Privacy Framework, in the case of any transfer of personal information to another person, organisation, or country, the controller must obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient will protect the information consistently with the principles under the Framework.

The GDPR imposes stricter conditions on cross-border data transfers. Personal data may only be transferred to third countries whose laws the European Union has deemed to provide adequate protection, or where the transfer is protected by binding corporate rules, standard contractual clauses or approved model clauses, or by an applicable code of conduct or approved certification.

(f) Consent/Choice

According to the GDPR, consent must be freely given, specific, informed and unambiguous. “Freely given” means giving individuals a genuine choice and control over how their personal data can be used. Explicit consent means that the data subject must give an express statement of consent, for instance, in a written statement.[3]

Instead of “consent”, the APEC Privacy Framework uses the “choice principle”: “Where appropriate, individuals should be provided with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice in relation to the collection, use and disclosure of their personal information. It may not be appropriate for personal information controllers to provide these mechanisms when collecting publicly available information.”[4]

The phrase “where appropriate” should be noted. It means that controllers are likely to have no obligation to provide this mechanism if the circumstances are not appropriate. The Framework states that “there are certain situations where consent may be clearly implied or where it would not be necessary to provide a mechanism to exercise choice.”

In this regard, the Framework does not require controllers to offer a mechanism to exercise choice when collecting publicly available information (e.g., controllers are not required to present a choice to data subjects when collecting their name and address from a public record or a newspaper).

(g) Data Integrity

The principle of data integrity is regulated similarly in both texts. Personal data/personal information must be current, accurate and complete.

(h) Security Safeguards (Breach)

The APEC Privacy Framework has no specific definition of “breach”. By contrast, the GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”.

In addition, the APEC Privacy Framework does not impose any data breach notification requirement on the member countries. On the other hand, the GDPR requires data controllers and processors to notify data protection authorities of any data breach that poses a risk to the rights and freedoms of natural persons, and to notify data subjects of any data breach that is likely to result in a high risk to the rights and freedoms of natural persons.

4. Conclusion

In light of the preceding, the APEC Privacy Framework seems incapable of setting clear standards regarding data processing activities and security. Furthermore, the principles unique to the APEC Privacy Framework are not sufficiently detailed. The reason why the APEC Privacy Framework does not come up to GDPR standards might be the commercial concerns of APEC.

Compared to the GDPR, the Framework does not yet establish adequate mechanisms to provide effective protection. In this regard, the APEC Privacy Framework serves more as a guide and a model for the member countries.[5]


References

1. https://europa.eu/european-union/law/legal-acts_en

2. https://iapp.org/news/a/gdpr-matchup-the-apec-privacy-framework-and-cross-border-privacy-rules/

3. https://en.wikipedia.org/wiki/Asia-Pacific_Economic_Cooperation

4. European Data Protection Board, Guidelines 05/2020 on Consent Under Regulation 2016/679, Adopted on 4 May 2020

5. Dr. Elif KÜZECİ, Kişisel Verilerin Korunması, On İki Levha Publications, September 2021


[1] https://europa.eu/european-union/law/legal-acts_en (Date of Access: 10.02.2023) (Date of Access: 12.11.2021)

[2] https://en.wikipedia.org/wiki/Asia-Pacific_Economic_Cooperation (Date of Access: 10.02.2023)

[3] European Data Protection Board, Guidelines 05/2020 on Consent Under Regulation 2016/679, Adopted on 4 May 2020, page 20

[4] https://www.apec.org/publications/2005/12/apec-privacy-framework (Date of Access: 10.02.2023)

[5] Dr. Elif KÜZECİ, Kişisel Verilerin Korunması, On İki Levha Publications, September 2021, page 171
