Office of the Privacy Commissioner for Personal Data, Hong Kong

Date: September 17 - 19, 1997

The Asian Status with respect to the observance of the OECD Guidelines and the EU Directive (cont.)

OECD Openness Principle

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Hong Kong: Data Protection Principle 5 requires that all practical steps shall be taken to ensure a person can access and ascertain a data user's policies and practices in relation to personal data, and be informed of the kinds of personal data held and the main purposes for which personal data are used by a data user. Data Protection Principle 1 also requires that, at the time of data collection, the data subject be informed of his access rights and the name and address of the individual (data controller) to whom such requests may be made.

Observation: General conformance.

Taiwan: Article 10 requires government agencies and non-government agencies to gazette or publicly announce details including the purpose of personal data systems, the scope and classification of personal data held, and the name and address of the agency or person responsible for data access and correction requests.

Observation: General conformance.

Japan: Article 8(1) requires the co-ordinating authority, the Management & Coordination Agency, to "make public in the official gazette at least once a year" details of personal data files held by data users, such details including the file holding purposes, record items, data transferees, and the name and location of the organisation which accepts data access and correction requests.

Observation: General conformance.

OECD Individual Participation Principle

An individual should have the right: (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him; (b) to have communicated to him, data relating to him (i) within a reasonable time; (ii) at a charge, if any, that is not excessive; (iii) in a reasonable manner; and (iv) in a form that is readily intelligible to him; (c) to be given reasons if a request made under sub-paragraphs (a) and (b) is denied, and to be able to challenge such denial; and (d) to challenge data relating to him and, if the challenge is successful, to have the data erased, rectified, completed or amended.

Hong Kong: The requirements of this OECD principle are contained almost verbatim in Data Protection Principle 6 of the Hong Kong law. The request must be responded to within 40 days from the date of the request.

Observation: General conformance.

Taiwan: The rights of the data subject are specified in the law, including request for review, request to make copies and correction, and request to discontinue processing (Article 4). The request should be "handled" within 30 days (Article 15). A service fee may be prescribed by the data user (Articles 16 and 26). Denial of the data subject's right or failure to respond within 30 days by the data user could be challenged by the data subject through petitioning the agencies' supervisory authorities (Articles 31 and 32).

Observation: General conformance, though there is no qualification to the level of service fee to be charged; and there is no provision on the "intelligible format" of data to be supplied in response to an access request; however the right to "request to discontinue processing personal data" goes beyond this OECD principle.

Japan: Article 13(1) endows access rights to the data subject which requires a response from the data user within 30 days from the request date [Article 15(1)]. The data subject is required to pay fees "in accordance with the provision of cabinet order" [Article 16(1)] plus postage for mailing [Article 16(2)]. Denial of access request requires the data user to provide reasons for such denial in writing [Article 14(2)]. The data subject can complain to the "head" of the data user "concerning use, providing or disclosure of the processed data, or applications for correction etc." (Article 20).

Observation: General conformance, though there is no provision of the "intelligible format" of data supplied in response to an access request, and no qualification on the level of fee charges.

OECD Accountability Principle

A data controller should be accountable for conforming with measures which give effect to the principles stated above.

Hong Kong: The Hong Kong Ordinance (Article 4) requires a data user not to do an act, or engage in a practice, that contravenes the data protection principles unless the act or practice is exempted from such principles under this Ordinance. Data users who breach the provisions in the Ordinance commit an offence and are liable on conviction to a fine and/or imprisonment up to 2 years. Furthermore, an individual who suffers damage by reason of a contravention of a requirement under the Ordinance by a data user is entitled to compensation from that data user for that damage, which includes injury to feelings.

Observation: General conformance.

Taiwan: The law, through Articles 27 - 41, prescribes a whole range of damages, compensation and penalties including imprisonment for a wide spectrum of infringement of rights, improper profiteering, unlawful gains etc.

Observation: General conformance.

Japan: Article 21 requires the "head" of a data user to submit, if requested by the Management and Coordination Agency (MCA), "materials and to give explanation with regard to the operation of functions concerning computer processing etc. of the personal data handled" by the data user. The MCA may also "give an opinion to the Prime Minister" or the heads of the data user "with regard to dealing with computer processed personal data" in order to achieve the purpose of this law (Article 22).

Observation: Apart from administrative accountability, there is no provision for penalties for non-compliance with the law by data users, nor for compensation to data subjects for infringement of their rights. However, data subjects seeking data access "by deceit or other unjust means shall be liable to a correctional fees of not more than 100,000 yen" (Article 25).

European Union Directive

Adopted by the Council in July 1995, the European Union Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data is another milestone in the global initiative towards the protection of personal data. While enshrining a set of data protection principles as in the OECD guidelines, it goes beyond the OECD guidelines in a number of significant aspects, including the specification of desirable standard requirements for a legal and administrative framework for member countries, coverage of both public and private sectors without distinction, and operational areas where exemptions apply with regard to the data protection principles. Apart from the harmonisation of privacy laws in member countries, the prohibition of the transfer of personal data from member countries to other countries which do not have adequate data protection laws could have a far-reaching impact on bilateral relationships in trade and commerce between the member countries and other countries.

A number of significant requirements of the Directive are selected for discussion vis-à-vis the data protection laws in Hong Kong, Taiwan and Japan:

  • scope coverage
  • personal data filing systems
  • purpose specification
  • sensitive data
  • supervisory authority
  • transborder data flow
  • automated processing which poses risks to individual's rights and freedom
  • codes of conduct
  • notification and registration

EU Directive - Scope Coverage

The Directive covers both the public and private sectors with no distinction in the rules governing both sectors.

Hong Kong: Article 3 states that the law "binds the Government".

Observation: General conformance. The public sector is covered by the law by virtue of Article 3. The private sector is included by virtue of the common law system, in that the private sector needs to conform with all laws unless its specific exclusion is explicitly provided for in a law.

Taiwan: The law covers "Government agencies at the central government or local government level"; as well as "non-government agencies" which explicitly include "credit search businesses", and "groups or individuals whose major line of business is to collect or process personal data by computers", "hospital, schools, telecommunication, financial, securities, insurance and mass communications industries", and "other businesses groups or individuals designated by the Ministry of Justice".

Observation: General conformance in terms of coverage, as the entire public sector is covered, as well as the most obvious industries in the private sector, together with the authority to include other private sector entities as the government sees fit. However, there are differences in treatment for the two sectors.

Japan: The law only applies to "national administrative organs" (federal agencies), though "local government and public corporations shall take into account the national measures under the provisions of this Act, and strive to take necessary actions to secure proper dealing with personal data" (Articles 26 and 27).

Observation: Partial conformance. The law does not cover the private sector.

Copyright 2001 Office of the Privacy Commissioner for Personal Data, Hong Kong. All rights reserved.