Independence of data privacy authorities (Part II): Asia-Pacific experience

Abstract

Part I of this article in [2012] 28 CLSR 3-13 analysed the views of learned commentators on what constitutes the ‘independence’ of data protection authorities (DPAs). It concluded that a more satisfactory answer needed to be found in the international instruments on data privacy and on human rights bodies, their implementation and judicial interpretation, and in the standards that have been proposed and implemented by DPAs themselves. It found that only the OECD and APEC privacy agreements did not require a DPA (and therefore had no standards for its independence). Thirteen factors were identified as elements of ‘independence’ across these instruments and standards, five of which were more commonly found than others.Part II of this article considers how criteria for independence of DPAs have been implemented in those jurisdictions in the Asia-Pacific with data privacy laws (Australia, Hong Kong SAR, India, Japan, Macau SAR, Malaysia, South Korea, Taiwan, and Thailand, plus five Australian States and Territories). It finds seven of the elements of independence found in international instruments and standards are often found in these jurisdictions, and some others are found occasionally. It argues that the jurisdictions in the Asia-Pacific whose data privacy laws include an independent DPA provide a better level of privacy protection than those whose laws do not include a DPA, based on conclusions about effectiveness in other studies. However, regional experience does not yet tell us much about the most desirable structure for a DPA.