Emerging Information Privacy and Security Policymaking in the Asia-Pacific Region


From PLI’s Course Handbook Tenth Annual Institute on Privacy and Data Security Law #19129


INFORMATION PRIVACY IN THE ASIA-PACIFIC REGION AND CANADA: RECENT LEGISLATIVE, REGULATORY AND POLICY DEVELOPMENTS

Jeff Rohlmeier Thomson Reuters


Presented By:

Jeff Rohlmeier, Global Privacy Compliance Lead, Motorola, Inc.i

AT THE TENTH ANNUAL PLI INSTITUTE ON PRIVACY AND SECURITY LAW

Chicago, Illinois – July 20-21, 2009

INTRODUCTION

Over the course of the last decade, several principal nations (“economies”) in the Asia-Pacific region have developed comprehensive national legislative approaches towards information privacy and security protection. In doing so, Australia, Canada, New Zealand, Japan and the Special Administrative Region of Hong Kong, have relied on variants of the regulatory approaches previously established in the European Union (EU) and elsewhere. Privacy legislation enacted in the Asia-Pacific region and beyond generally reflects the core fair information practice principles of notice/awareness, choice/consent, access/participation, integrity/security and enforcement/redress.ii However, the approaches enacted to date in Asia-Pacific economies are commonly regarded as more flexible – at least from an international data transfers standpoint – than, for example, the traditional “standard-bearer” of international privacy protection, the EU’s 1995 Directive on Data Protection and its “adequacy” requirement.iii

One immediate result of this trend, and the current lack of comprehensive information privacy laws in several other Asia-Pacific economies, is that multinational organizations have enjoyed a certain degree of autonomy in the ways in which they collect, process, store and transfer personal information in the region. However, where some have seen flexibility in this regard, other stakeholders have grown concerned over the lack of consistency in approaches to information privacy and security protection across the region. While certain Asia-Pacific economies have already enacted national privacy laws (as well as more targeted privacy laws, such as those addressing unsolicited commercial e-mail, or “SPAM”), other economies (most notably the People’s Republic of China and the Republic of Korea) are contemplating broad-based legislation of their own. As a result, some have viewed this proliferation of laws, and perhaps a further resulting inconsistency and incompatibility among national approaches, as threatening the ability of multinational organizations to effectively transfer their personal information across borders, both within the Asia-Pacific region and beyond.

In late 2004, the member economies of the Asia-Pacific Economic Cooperation forum (APEC) attempted to address this potential lack of consistency and compatibility by endorsing the APEC Privacy Framework, a non-binding arrangement that aims to achieve a consistent approach to information privacy protection across the APEC region, while simultaneously avoiding the creation of unnecessary barriers to information flows. While the twenty-one APEC member economies have officially endorsed the Framework, and while additional steps have recently been undertaken to implement aspects of the agreement, it is currently unclear whether the arrangement will ever be consistently and effectively implemented across the region.

DISCUSSION

NATIONAL APPROACHES TO INFORMATION PRIVACY IN THE ASIA-PACIFIC REGION

To date, six APEC member economies – Australia, Canada, New Zealand, Japan and Hong Kong, along with the Russian Federation – have enacted comprehensive national data protection (information privacy and security) laws. A number of additional economies, including the United States, have enacted more targeted legislation that affects certain key sectors or activities, such as the proliferation of unsolicited commercial e-mail (“spam”). Also, it is important to note that several APEC member economies are currently considering the adoption of comprehensive national privacy legislation. The following summarizes the state-of-play across several key Asia-Pacific economies, particularly with regard to national privacy approaches that either have already been adopted or are under consideration:

Australia:

The Privacy Act of 1988 (significantly amended in 2000) promulgates National Privacy Principles addressing the collection, use and disclosure, accuracy, security, management, access, anonymity, and identification of personal information.iv Although the Australian law generally adheres to the commonly accepted core fair information practice principles mentioned previously and authorizes a Privacy Commissioner, along the lines of European data protection authorities, it is somewhat unique in the sense that it also establishes a “co-regulatory” scheme that relies heavily on private sector initiatives towards compliance, including the development of business-generated codes of conduct.

In addition, while the Australian law does operate extraterritorially, covering organizations outside Australia when information is transferred overseas for use or processing, it only requires organizations to take “reasonable steps” to ensure that information will be protected, or that organizations “reasonably believe” that the information will be subject to similar protection as applied in the Australian law.v Therefore, the Australian law does not currently impose an EU-style “adequacy” finding prior to exporting personal information from Australia. However, it should be noted that Australia’s Privacy Commissioner has suggested that the trans-border provisions under the Act should be clarified or enhanced.vi The Privacy Commissioner has also proposed several changes to the Privacy Act, including the creation of a new, single set of privacy principles for application to both the public and private sectors and expansion of Privacy Act coverage to additional sectors, such as telecom and small businesses.vii

In addition, of particular note is the Privacy Commissioner’s call for mandatory notification of major data security breaches by Australian organizations.viii Public calls for data breach notification legislation were given further impetus by an August 2008 report of the Australian Law Reform Commission, which recommended that Australia enact mandatory breach notification legislation, among other reforms to its privacy laws.ix However, it is still unclear whether Australia will actually issue anything beyond the “voluntary” data breach notification guidelines that were promulgated by the Australian Privacy Commissioner in August 2008.x

Finally, Australia has implemented a fairly robust anti-spam law, the SPAM Act of 2003, which regulates commercial e-mail and other types of commercial electronic messages.xi Under the law, “it is illegal to send, or cause to be sent, ‘unsolicited commercial electronic messages’ that have an Australian link. A message has an ‘Australian link’ if it either originates or was commissioned in Australia, or originates overseas but has been sent to an address accessed in Australia”.xii In recent years, Australia has stepped up enforcement of its anti-spam law.xiii Australia has also implemented a Do-Not-Call registry.xiv

Canada:

The principal piece of federal privacy legislation applicable to the private sector in Canada is the Personal Information Protection and Electronic Documents Act (PIPEDA)xv, which received “Royal Assent” in 2000. PIPEDA, which was implemented in three stages beginning in 2001, establishes ten privacy principles generally consistent with the fair information practice principles referenced earlier. Under PIPEDA, Canada’s Privacy Commissioner has broad authority to enforce the legislation. While Canada’s law does not itself establish an “adequacy” requirement along the lines of the European Directive on Data Protection’s requirement pertaining to trans-border data flows, PIPEDA has actually received a finding of “adequacy” from the European Commission.xvi

In 2006, Canada’s Parliament announced that it would conduct a review of PIPEDA. In particular, there had been suggestions that PIPEDA should be amended to provide the Privacy Commissioner with stronger enforcement authority, require organizations to disclose breaches of personal information, and place more controls on trans-border data flows. In May 2007, a House of Commons standing committee issued its review and recommended against certain proposed amendments to PIPEDA, including the suggested strengthening of the law’s trans-border data provisions.xvii

However, despite the apparent decision to refrain from making substantive amendments to PIPEDA itself, Canada’s Privacy Commissioner has issued other measures to address specific questions or challenges presented by PIPEDA. In January of 2009, the Privacy Commissioner released new guidelines pertaining to the processing of personal information across international borders.xviii The guidelines clarify that PIPEDA does not prohibit organizations in Canada from transferring personal information to an organization in another jurisdiction for processing. Rather, PIPEDA establishes rules governing transfers for processing.xix

Also, in response to several high profile data security breach incidents involving companies in Canada and elsewhere, Canada’s Privacy Commissioner has issued “voluntary” guidelines aimed at helping organizations take the “right steps” after a privacy breach, including notifying people at risk of harm after their information has been stolen, lost or mistakenly disclosed.xx It is currently unclear whether Canada will eventually enact mandatory breach notification legislation.

Nor is it clear whether Canada will enact national anti-spam legislation. However, there have been recent calls for such legislation by consumer and privacy groups and an anti-spam bill has recently been introduced in the Canadian Senate.xxi Meanwhile, Canada has been working to implement and enforce its Do-Not-Call registry, which went live in 2009.xxii

In addition to the federal privacy regime, most Canadian provinces have enacted privacy legislation applicable to the private sector and have established regulatory authorities charged with enforcing such legislation. The privacy laws and regulators in British Columbiaxxiii, Ontario,xxiv and Quebec are particularly noteworthy due to both the scope of their legislation as well as the prolific natures of their respective regulatory authorities.xxv

China, People’s Republic of (PRC):

China has yet to enact comprehensive national information privacy legislation. However, Article 40 of the PRC Constitution does provide for the “freedom and privacy of correspondence of the citizen”.xxvi

In addition, China’s State Council Informatization Trade Office (SCITO) has indicated that it plans to introduce privacy legislation in the near future. It has been said that the law would apply to both the private and public sector and would cover both online and offline data. However, few additional details are available. SCITO has not announced any recent timeframe for introduction of the legislation and eventual passage. It is also unclear how enforcement of the law would occur, whether a national data protection authority would be established, and whether the law would address data transfers from China. However, it is known that SCITO and other Chinese Government stakeholders have been analyzing the European Union’s approach to comprehensive/omnibus privacy data protection legislation.xxvii

Since China is becoming increasingly important as a commercial hub and center for information flows in the region, some have speculated that China’s push for privacy legislation may be partially motivated by its desire to retain foreign direct investment in the country and to assuage any external concerns regarding the privacy and security of personal information that is outsourced to China. Indeed, the desire to address international privacy and security concerns associated with the outsourcing and off-shoring of data services to burgeoning Asia-Pacific economies has served as the impetus for neighboring countries, such as Korea, the Philippines, Singapore and other nations, including India, to also consider information privacy and security legislation.xxviii

Even without national privacy legislation, China has begun to address privacy protection on several local levels. In particular, the provinces of Guangdong and Shanxi have recently enacted privacy ordinances. There have also been several sector-specific initiatives to establish limited data protections.

Finally, China has enacted a law targeting the proliferation of spam e-mail. The Measures for Administration of E-Mail Services on the Internet, enacted in March 2007, regulates commercial e-mail communications and requires senders to acquire prior opt-in consent from recipients.xxix China brought its first action against a spammer under the law several months later.xxx In 2008, the Internet Society of China reported that China’s anti-spam campaign had met with much success.xxxi

Hong Kong, Special Administrative Region of:

In 1997, Hong Kong became a Special Administrative Region of the PRC. However, the territory retains its own privacy law, the Personal Data (Privacy) Ordinance, which was enacted in 1996.xxxii The Privacy Ordinance establishes six principles to regulate the collection, use, accuracy and security of personal information. Under the law, data subjects are allowed the right to access, correct or erase personal information and a complaint and enforcement procedure is established under the auspices of the Privacy Commissioner for Personal Data. In 2008, Hong Kong’s Privacy Commissioner, who is one of the most prolific data protection authorities in the Asia-Pacific region, renewed his call for additional powers and regulatory reforms.xxxiii

With respect to exports of personal information from Hong Kong, Section 33 of the Ordinance, which governs trans-border data-flows, has been enacted, but not placed into effect. No further timetable for enforcement of Section 33 has been provided.xxxiv

On June 1, 2007, Hong Kong’s Unsolicited Electronic Messages Ordinance, which regulates the sending of unsolicited electronic messages, became law. Phase I of the Ordinance, which came into force in June 2007, is comprised of several prohibitions that, if violated, could lead to fines and imprisonment. Phase II, which entered into force in December 2007, regulates the content and nature of commercial e-mail and provides for the establishment of “do-not-call” registries for certain classes of electronic addresses (i.e., telephone and fax numbers).xxxv

Japan:

In May 2005, Japan’s Personal Information Protection Law went into effect.xxxvi The law applies to any company with offices in Japan that holds personal data on 5,000 or more individuals and sets forth a number of requirements for organizations handling personal data. Under the law, organizations must establish a corporate privacy officer, and the law imposes penalties/fines on the managers of data handlers who do not comply with it.

The Government of Japan has issued a series of regulations that give further effect to the basic law. For example, a set of guidelines issued by the Ministry of Economy, Trade and Industry (METI) pertains to data security requirements and further regulations deal with such issues as employee data and radio-frequency identification (RFID) technology.xxxvii In February 2008, the Government of Japan issued new guidelines intended to further clarify certain aspects of the Personal Information Protection Law. In particular, the 2008 guidelines seek to compel data controllers to establish better oversight of their data processors and outsourced relationships.

However, there are apparently several unresolved issues under the Japanese law. In particular, it is unclear how enforcement of the basic law and its implementing regulations is intended to occur over the long-term. Will Japan decide at some point to set up a national data protection authority? Will enforcement instead continue to occur primarily through ministries such as METI? Also, will Japan decide to apply its law extraterritorially? These are all issues that may require further clarification from Japanese regulators.

Finally, Japan has enacted at least two laws that relate to spam e-mail. The more prominent of the two, the Anti-Spam Law, established three basic requirements: 1) requirement to honor opt-out requests; 2) labeling requirements; and 3) prohibition against sending email using programs that generate fictitious e-mail addresses.xxxviii In June 2008, the Government of Japan overhauled its existing spam laws and issued a “New Anti-SPAM Law”, which was scheduled to go into effect by December 2008. Most importantly, the New Anti-SPAM Law appears to abandon the opt-out approach allowed under the previous legislation and instead adopts an opt-in requirement that would effectively ban many forms of unsolicited commercial e-mail.xxxix

Korea, Republic of:

Korea currently does not have a privacy law that applies across all industry sectors, but the government does regulate a few key areas. For example, in 2000, Korea’s Act on the Promotion of Information and Communications Network Utilization and Data Protection (PICNU) entered into effect. PICNU applies to providers of information communications services and certain offline services.xl

In recent years, Korean legislators and at least one ministry have indicated that Korea is considering the adoption of broad-based privacy legislation that would apply to all industry sectors. For example, during 2005, at least three privacy bills were before the National Assembly. However, few details exist concerning the exact content of these proposed laws or any legislative timeframe associated with them. In particular, stakeholders will need to know how any legislation would address the issue of consent (opt-in or opt-out regime?); whether the legislation would apply extraterritorially (an “adequacy” requirement or similar?); and how it would be enforced (via a national data protection authority?).xli

With respect to its fight against spam e-mail, several Korean consumer protection and e-commerce laws address unsolicited commercial e-mail and related fraudulent activities.xlii Also, the government of Korea has recently pursued a number of actions that may have resulted in a reduction in the overall rate of spam generated in the country. Nevertheless, Korea apparently still ranks among the world’s most prolific sources of spam e-mail.xliii

Singapore:

Singapore has traditionally supported self-regulatory solutions to information privacy and security protection. In 2002, Singapore’s National Trust Council launched a public consultation exercise on the possible development of a voluntary model privacy code and the government has generally refrained from the adoption of legislation targeting data protection. However, there is some reason to believe that Singapore’s policy may be changing. In 2006, the government established an inter-ministerial committee to investigate whether Singapore should adopt privacy legislation.xliv In January 2009, Singapore’s Minister for Information, Communication and the Arts reported that the committee’s review of possible data protection laws was still on-going.xlv

On the anti-spam front, the government has been similarly active. In 2006, the country brought one of the first actions against an SMS spammer. In April 2007, Singapore’s Parliament passed the Spam Control Act. The law adopts a U.S.-like opt-out model that seeks to regulate spam, rather than ban it. The text and legislative history of the law indicate that Singapore looked to the Australian Spam law of 2003 and the U.S. CAN-SPAM Act for guidance.xlvi

THE APEC PRIVACY FRAMEWORK

In November 2004, the Ministers of the twenty-one APEC member economies, including the United States Secretary of State, formally endorsed the APEC Privacy Framework.xlvii The framework is intended to promote a consistent approach to information privacy protection across APEC member economies, while also avoiding the creation of unnecessary barriers to information flows.xlviii During the primary negotiation phase of the framework (2002-2004), a core group of APEC member economies took the lead in drafting the agreement. Those lead economies included the United States, Canada, Australia and Hong Kong, though other economies (including Mexico, Japan and Korea) participated, to varying degrees, in the full set of discussions.

The APEC Framework is based on the Organization for Economic Cooperation and Development's (OECD) 1980 Privacy Guidelines and, like its predecessor, the APEC Framework is focused on four primary goals:

• To develop appropriate privacy protections for personal information;
• To prevent the creation of unnecessary barriers to information flows;
• To enable multinational businesses to implement uniform approaches to the collection, use, and processing of data; and
• To facilitate both domestic and international efforts to promote and enforce information privacy protections.xlix

The framework itself promulgates nine core privacy principles, including:

• Preventing Harm;
• Integrity of Personal Information;
• Notice;
• Security Safeguards;
• Collection Limitations;
• Access and Correction;
• Uses of Personal Information;
• Accountability; and
• Choice.l

It is important to note that the privacy framework, like most other APEC agreements, does not currently have the force of a treaty and, therefore, should be considered a voluntary, cooperative arrangement. This fact begs the question of whether member economies will necessarily feel compelled to implement the framework in an effective or meaningful fashion within their economies.

In an effort to encourage both domestic and international (regional) adherence to the Framework, APEC’s Electronic Commerce Steering Group (ECSG) has embarked on a long-term implementation work-plan. To encourage domestic (national) implementation of the framework, the ECSG has focused on:

• Maximizing the benefits of privacy protections and information flows;
• Giving effect to the APEC Privacy Framework;
• Educating and publicizing domestic privacy protections;
• Furthering cooperation between public and private sectors;
• Providing for appropriate remedies in situations where privacy protections are violated; and
• Developing a mechanism for reporting domestic implementation of the APEC Privacy Framework.li

The ECSG’s international (regional) implementation plan includes the following components:

• Information sharing among member economies;
• Cross-border cooperation in investigation and enforcement; and
• Cooperative development of cross-border privacy rules.lii

To facilitate further discussion on these objectives, the ECSG has sponsored several implementation workshops (e.g., Hong Kong in 2005; Korea in 2005; Australia and Canada in 2007; and Peru in 2008).

Cross-Border Privacy Rules:

Of all of the components of the international implementation plan, the Cross-Border Privacy Rules Project (CBPR) may be gaining the most traction. In early 2007, the U.S. Delegation to the ECSG provided an overview of “The Four Point Approach to Implementation of APEC Cross Border Privacy Rules.” This document was circulated on behalf of the Cross Border Rules Study Group (consisting of representatives from Australia, Canada, Hong Kong, Japan, Korea, Mexico, Singapore, United States and representatives from the International Chamber of Commerce) for discussion purposes at the ECSG’s Data Privacy Subgroup Meeting. The Four Step Approach for the CBPR concept envisioned:

• The use of questionnaires to allow companies to voluntarily map their privacy practices against the APEC Privacy Principles;
• The designation of an entity (public or private) within each economy to collect and certify these questionnaires – companies certified would be deemed compliant with the APEC Privacy Framework;
• The publication of an APEC-wide list of compliant companies; and
• The application of dispute resolution and enforcement mechanisms within each economy.liii

In late 2007, the CBPR concept was given further momentum with the establishment of a “Pathfinder” project, which is APEC terminology for setting specific initiatives and road-testing them among those economies who are ready to participate. The APEC CBPR Pathfinder sets out nine projects that may be pursued:

• CBPR self-assessment guidance for organizations;
• Guidelines for trust-marks participating in a CBPR system;
• Compliance review of an organization’s CBPRs;
• Directory of compliant organizations;
• Data Protection Authority and Privacy Contact Officer Directory;
• Template Enforcement Cooperation Arrangements;
• Template cross-border complaint handling form;
• Guidelines and procedures for responsive regulation in a CBPR system; and
• CBPR international implementation pilot project.

In 2008, APEC ECSG finalized its Data Privacy Pathfinder Work Plan.liv Also in 2008, the member economies continued to plan the testing phase of the CBPR concept. In particular, the United States delegation signified that, in 2009, it would lead work with public and private sector participants to create hypothetical cross-border data transfer scenarios intended to “inform the testing process itself”.lv In February 2009, the ECSG indicated that the APEC CBPR System may be ready for endorsement by APEC Ministers when they meet towards the end of 2009.lvi

CONCLUSION

Recent legislative, regulatory and policy developments indicate that information privacy and security protection is very much an evolving concept in the Asia-Pacific region. As economies continue to implement and enforce their existing information privacy and security regimes, and as additional economies seek to adopt further legal and regulatory data protections, organizations doing business in the region will need to adapt their information management practices accordingly. Moreover, organizations will need to develop a compliance strategy (or strategies) suitable to address the sheer diversity of national approaches, both within the Asia-Pacific and beyond.

As national policymaking continues to evolve, it is also likely that much attention will continue to be placed on the viability of the APEC Privacy Framework, and in particular its Cross Border Privacy Rules concept, as a means of achieving greater consistency and compatibility among national approaches. However, given the non-binding/cooperative nature of the agreement, stakeholders will need to await the outcomes of APEC’s work-plan for the framework and, in particular, learn whether the individual member economies will choose to implement the framework in a meaningful or effective fashion.

11 i The views expressed herein are those of the author and do not necessarily represent the views of Motorola, Inc. or its subsidiaries and affiliated companies. ii As described by the United States Federal Trade Commission, at http://www.ftc.gov/reports/privacy3/fairinfo.htm. iii Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, available at http://europa.eu.int/comm/justice_home/fsj/privacy/law/index_en.htm. iv Privacy Act 1988 (Cth), which incorporates the amendments made to it by the Privacy Amendment (Private Sector) Act 2000 (Cth), available at http://privacy.gov.au/act/index.html. v Id. vi Chapter 13 of the Submission by the Office of the Privacy Commissioner to the Australian Law Reform Commission’s Review of Privacy – Issues Paper 31, March 8, 2007, available at http://www.privacy.gov.au/publications/submissions/alrc/c13.html. vii “Come Clean on Privacy”, Australian IT, March 8, 2007, available at http://australianit.news.com.au/articles/0,7204,21346163%5E15331%5E%5Enbv%5E15306-15318,00.html. The full Submission to the Australian Law Reform Commission's Review of Privacy - Issues Paper 31 is available at http://www.privacy.gov.au/publications/alrc280207.html. viii Media Release dated January 30, 2008, available at http://www.privacy.gov.au/news/media/2008_01.html. ix For Your Information: Australian Privacy Law and Practice (ALRC 108), Issued by the Australian law Reform Commission, August 11, 2008. Text available at http://www.alrc.gov.au/media/2008/mr11108.html. x Guide To Handling Personal Information Security Breaches, issued by the Office of the Australian Privacy Commissioner, August 2008. Text available at http://www.privacy.gov.au/publications/breach_guide.doc. 
xi SPAM Act of 2003, available at http://www.comlaw.gov.au/ComLaw/Legislation/ActCompilation1.nsf/current/bytitle/7C84FF3ED0D0FC13CA256FE7008 3B9A1?OpenDocument&mostrecent=1. xii Australian Communications and Media Authority’s (ACMA) online guide to combating spam, available at http://www.acma.gov.au/WEB/STANDARD//pc=PC_2008. xiii “Optus Cops $110,000 Spam Fine After Talks Break Down”, iT News, 14 January 2009, available at http://www.itnews.com.au/News/92775,optus-cops-110000-spam-fine-after-talks-break-down.aspx. xiv https://www.donotcall.gov.au/. xv Personal Information Protection & Electronic Documents Act (PIPEDA), English language version at: http://www.privcom.gc.ca/legislation/02_06_01_e.asp. xvi All such findings of “adequacy” may be accessed via the European Commission’s website at http://ec.europa.eu/justice_home/fsj/privacy/thridcountries/index_en.htm. xvii Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA), published by Canada’s House of Commons Standing Committee on Access to Information, Privacy and Ethics, May 2007, available at http://cmte.parl.gc.ca/cmte/CommitteePublication.aspx?COM=10473&Lang=1&SourceId=204322. xviii Guidelines for Processing Personal Data Across Borders, Issued by the Office of the Privacy Commissioner of Canada, January 2009, text available at http://www.privcom.gc.ca/information/guide/2009/gl_dab_090127_e.asp. xix Id. xx The full text of the “Key Steps for Organizations in Responding to Privacy Breaches”, as promulgated by the Office of the Privacy Commissioner of Canada, may be located at http://www.privcom.gc.ca/information/guide/2007/gl_070801_02_e.asp. xxi “Stiff Fines, Jail Terms Prescribed for ‘Spammers’ In ‘Long Overdue’ Canadian Bill”, itbusiness.ca, February 17, 2009, available at http://www.itbusiness.ca/it/client/en/home/News.asp?id=52047. xxii Canada’s National Do-Not-Call List is located at https://www.lnnte-dncl.gc.ca/. 
xxiii For further information on British Columbia’s privacy law and regulator, please visit http://www.oipcbc.org/. xxiv For further information on Ontario’s privacy law and regulator, please visit http://www.ipc.on.ca/. xxv For further information on Quebec’s privacy law and regulator, please visit http://www.cai.gouv.qc.ca/index-en.html. xxvi Constitution of the People’s Republic of China, available at http://english.people.com.cn/constitution/constitution.html. xxvii Activity Summary of the EU-China Information Society Project’s Workshop on personal Data protection on EU and China, 12 December 2007; Text available at http://www.eu-china-infso.org/Regulation/regulation095030@2008-01- 10.html. xxviii Assessment based on participation of the author, while an employee of the U.S. Department of Commerce, in discussions with international counterparts, as well as follow-up discussions with former Department of Commerce and inter-agency colleagues, 2001-2008. xxix Decree No.38 of the Ministry of Information Industry of the People's Republic of China, Promulgating the Measures for Administration of E-mail Service on Internet, available at http://english.mofcom.gov.cn/aarticle/policyrelease/gazettee/200604/20060401873019.html. xxx “Chinese Company Fined in SPAM Case”, InfoWorld, available at http://www.infoworld.nl/idgns/bericht.phtml? id=002570DE00740E18482571D200107C59. xxxi “China Registers Unprecedented Success in Internet SPAM Crackdown”, Anti-SPAM Center of the Internet Society of China”, January 28, 2008, available at http://english.anti-spam.cn/newsinfo.php?id=7611. xxxii Hong Kong Personal Data (Privacy) Ordinance, available at http://www.pco.org.hk/english/ordinance/ordfull.html. xxxiii “Privacy Law Push as Nude Pictures Saga Takes on Blackmail Twists”, The Standard, February 20, 2008, available at http://www.thestandard.com.hk/news_detail.asp?pp_cat=11&art_id=61802&sid=17670754&con_type=1. 
xxxiv Hong Kong Personal Data (Privacy) Ordinance, available at http://www.pco.org.hk/english/ordinance/section_41.html.
xxxv For additional information on Hong Kong’s Unsolicited Electronic Messages Ordinance, please visit http://www.ofta.gov.hk/en/uem/main.html.
xxxvi Act on the Protection of Personal Information, available at http://www5.cao.go.jp/seikatsu/kojin/foreign/act.pdf.
xxxvii For an analysis of the planned regulatory scheme, please see “What You Need to Know About Japan’s New Law Concerning the Protection of Personal Information”, Morrison & Foerster, April 2005, available at http://www.mofo.com/news/updates/files/update02019.html.
xxxviii For an analysis of Japan’s anti-spam regime, please see “Nuts and Bolts of Complying with Japan's Anti-Spam Laws”, Morrison & Foerster, September 2005, available at http://www.mofo.com/news/updates/files/update02077.html.
xxxix For more information, please see “Japanese New Anti-SPAM Law”, Morrison & Foerster, July 2008, at http://www.mofo.com/news/updates/bulletins/14219.html.
xl Additional information on Korean privacy law can be located at http://www.cyberprivacy.or.kr/privacy.html.
xli Assessment based on participation of the author, while an employee of the U.S. Department of Commerce, in discussions with Government of Republic of Korea counterparts, as well as follow-up discussions with former Department of Commerce and inter-agency colleagues, 2005-2008.
xlii For more information on Korea’s legislative backdrop pertaining to consumer protection in the context of e-commerce, please visit http://eng.ftc.go.kr/legislation/statues/consumerprotection.jsp.
xliii “Rejected E-mails Enabled China to Overtake U.S. In Spam Generation”, SPAMfighter News, February 22, 2009; available at http://www.spamfighter.com/News-11884-Rejected-E-mails-Enabled-China-Overtake-US-in-Spam-Generation.htm.
xliv “Committee Reviewing Data Protection Regime in Singapore”, Channel NewsAsia, February 14, 2006, available at http://www.channelnewsasia.com/stories/singaporelocalnews/view/193144/1/.html.
xlv “S’pore’s Data Protection Enforcement Needs Bite”, by Vivian Yeo, ZDNet Asia, February 3, 2009; located at http://www.zdnetasia.com/insight/specialreports/singapore/0,3800007710,62050547,00.htm.
xlvi The text of Singapore’s Spam Control Act of 2007 is located at http://www.parliament.gov.sg/Publications/070006.pdf.
xlvii APEC Privacy Framework, available at http://www.apec.org/apec/news___media/2005_media_releases/161105_kor_minsapproveapecprivacyframewrk.html.
xlviii Id.
xlix APEC Media Release, November 20, 2004, available at http://www.apec.org/apec/news___media/2004_media_releases/201104_apecminsendorseprivacyfrmwk.html.
l APEC Privacy Framework, available at http://www.apec.org/apec/news___media/2005_media_releases/161105_kor_minsapproveapecprivacyframewrk.html.
li Id.
lii Id.
liii Source: February 9, 2007 U.S. Department of Commerce staff session to debrief industry and other stakeholders on the outcomes of the January, 2007 Asia Pacific Economic Cooperation (APEC) Electronic Commerce Steering Group (ECSG) meetings.
liv APEC Data Privacy Pathfinder Projects Implementation Work Plan; Issued at Lima, Peru, 24 February, 2009; text available at http://aimp.apec.org/Documents/2008/ECSG/ECSG1/08_ecsg1_024.doc.
lv Report on Outcomes from the 18th APEC Electronic Commerce Steering Group; Issued at Lima, Peru; August 16, 2008.
lvi APEC Daily News Update, February 23, 2009; available at http://www.apec.org/apec/daily_news_update/230209_sg_somi.html.
