Review of ‘Asian Data Privacy Laws – Trade and Human Rights Perspectives’ by Graham Greenleaf
Oxford, October 2014, nearly 600 pages
Print ISBN-13: 9780199679669
With the recent passing of Singapore’s Lee Kuan Yew, there is renewed attention on the prospects for what some see as his brand of authoritarian corporatist development becoming the model for other Asian countries. But generalisations are often unhelpful. A new book from privacy scholar Professor Graham Greenleaf, Asian Data Privacy Laws – Trade and Human Rights Perspectives, offers many things for many readers, including a framework for robustly comparing the sort of human rights protection Singapore’s privacy law offers with that in other countries.
The result of such a comparison is unexpectedly unflattering for Australians: the lack of constitutional protections, limited and uncertain common law or equitable remedies for abuse of privacy, and a statutory data protection regime with promise but weakened by loopholes and relatively unused enforcement options all sound rather familiar. And some Australians could only dream of Singapore’s reformed doctrine of privity of contract, a twist that could allow Singaporeans to enforce a contract made to benefit their privacy, even if they are not a party – over-zealous Internet data-mongers watch out!
Comparative studies of national data privacy laws, their underlying principles, and what constitutes effective administration of such laws, are still relatively uncommon except for the region around the European Union. Greenleaf’s comprehensive and authoritative survey is the first work to examine data privacy laws across Asia in such detail, with an in-depth analysis of data privacy authorities and their powers in nine Asian countries and a lighter review of 20 more, as well as the international context in which these laws have developed, common themes among them, regional trends and possible futures. Its keenest readers will be academics, regulators and policy-makers in the areas of data protection and privacy law, with legal practitioners in the Asian region and beyond also in line.
But anyone looking to see how the Asian century is manifesting in the area of privacy protection, including many in the technology and communications sector, will also find something of interest among the mass of detail on individual regimes or in the bird’s-eye view of the historical, cultural and legal context. Robert Gellman, former Chief Counsel to the Government Information Subcommittee in the US House of Representatives, observed that “as good as the national law chapters are, I found the introductory and concluding chapters even better.”
Blair Stewart, New Zealand’s Assistant Privacy Commissioner, noting Professor Greenleaf’s deep roots in the region, recently spelled out why the book was produced: “up to now it has not been easy to get up-to-date and reliable information about the privacy laws in countries as disparate as Vietnam and Indonesia. How, for example, do we differentiate between the regulatory roles of South Korea’s soup of agency acronyms like PIPC, MOSPA, KISA, PIDMC or KCC? How do we find out if there are controls on telemarketing in Singapore or on ID card numbers in Hong Kong or Japan (for your information, controls exist for all of them)? Clearly, a more authoritative source than Wikipedia is needed.”
Part I Asia and international data privacy standards (Chapters 1 – 3) sets out the environment in which data privacy laws exist in Asia, the context and history, and the international standards that affect Asian privacy laws. While a dense and detailed exercise – US practitioner K Royal noted this section was ‘not easy reading’ – it provides the holistic frame that many will have been missing from a casual acquaintance with data protection in Asia, and the foundation on which the second part is built. Gellman notes the impressive breadth and depth of the book, and lauds the standards Greenleaf used to measure each country’s national data protection law starting from this foundation.
Part II National data privacy laws in Asia (chapters 4–16) “reviews the most important national laws with a chapter on each country that describes in detail the country’s legal framework, approach to privacy, relevant constitutional provisions, the substantive provisions of the privacy law, a description of the enforcement measures, and more.” Greenleaf discusses and critiques the laws and their rationale for 28 Asian nations, plus a bit on North Korea (not surprisingly, the shortest and lowest point of the journey). There is more detail on more developed and central participants in the region, like Hong Kong and Malaysia, than on the more peripheral, such as Cambodia or Sri Lanka.
As well as analysis of all specialised data privacy laws in Asian countries, it covers constitutional and treaty protections, and protections in the general civil and criminal law – important in those countries still without specialised legislation.
Part III Regional comparisons, standards, and future developments (chapters 17–20) puts Asian privacy laws into a comparative scheme: sources of protection, scope, principles, liabilities and international dimensions; and then assesses privacy law enforcement. Royal notes, “this is the compelling read for privacy professionals who … take a risk-based approach to priorities” – the crunch issue in which commercial clients will hope readers take a deep interest! In addition, it analyses the international agreements and standards concerning data privacy that are relevant to Asia, including those of the European Union (EU), the Organisation for Economic Co-operation and Development (OECD), and the Asia-Pacific Economic Cooperation (APEC).
Finally, a survey of Asia’s prospects warrants cautious optimism about the future. Greenleaf writes, "In Asia, data privacy laws, or in some cases their enforcement, have not yet caught up with surveillance technologies and practices, but they are necessary, even though (as everywhere) they need to be supplemented with other modes of regulation. There are grounds for optimism, but not overconfidence, that in future they will restore a better balance between the human right of privacy and other interests."
This will no doubt become part of the reference library of a wide array of those engaged with human rights, trade negotiations and privacy law in the Asian region and beyond, assisting the reader to move beyond a passing awareness of a particular privacy law in an isolated example to a wide and deep apprehension of the shape and details of the laws of the region.
Part I: ASIA AND INTERNATIONAL DATA PRIVACY STANDARDS
1: Data Privacy Laws in Asia – Context and History
2: International Structures Affecting Data Privacy in Asia
3: Standards by Which to Assess a Country's Data Privacy Laws
Part II: NATIONAL DATA PRIVACY LAWS IN ASIA
4: Hong Kong SAR – New Life for an Established Law
5: South Korea – The Most Innovative Law
6: Taiwan – A Stronger Law, on a Constitutional Base
7: China – From Warring States to Convergence?
8: Japan – The Illusion of Protection
9: Macau SAR – The 'Euro Model'
10: Singapore – Uncertain Scope, Strong Powers
11: Malaysia – ASEAN's First Data Privacy Law in Force
12: The Philippines & Thailand – ASEAN's Incomplete Comprehensive Laws
13: Vietnam & Indonesia – ASEAN's Sectoral Laws
14: Privacy in the Other Five South-East Asian (ASEAN) States
15: India – Confusion Raj, with Outsourcing
16: Privacy in the Other Seven South Asian (SAARC) States
Part III: REGIONAL COMPARISONS, STANDARDS, AND FUTURE DEVELOPMENTS
17: Comparing Protections and Principles – an Asian Privacy Standard?
18: Assessing Data Privacy Enforcement in Asia – Alternatives and Evidence
19: International Developments – Future Prospects for Asia
20: Asian Data Privacy Laws: Trajectories, Lessons and Optimism