From January 30 to February 3, 2015, the APEC Data Privacy Subgroup (“DPS”) and its parent committee, the Electronic Commerce Steering Group (“ECSG”), met in Subic Bay, Philippines, for another round of negotiations and meetings. The Centre for Information Policy Leadership at Hunton & Williams participated as part of the U.S. delegation. The principal focus of the meetings was implementing the APEC Cross-Border Privacy Rules (“CBPR”) system, developing a corollary APEC recognition mechanism for information processors, related work relevant to cross-border interoperability, and updating the APEC Privacy Framework. The following is a summary of highlights and outcomes from the meetings.
APEC Privacy Recognition for Processors
After finalizing the CBPR system for personal information controllers in 2011, the APEC DPS and ECSG also endorsed a corollary certification system for personal information processors, called the “APEC Privacy Recognition for Processors” or “PRP.” Subject to official approval by the ECSG’s parent committee, this development rounds out APEC’s privacy certification scheme to cover the entire personal information ecosystem comprising the activities of both information controllers and processors.
According to the explanatory document for the PRP program requirements, the PRP “helps personal information processors…demonstrate their ability to provide effective implementation of a personal information controller’s…privacy obligations related to the processing of personal information.” In addition, the PRP “also helps controllers identify qualified and accountable processors,” and assists small or medium-sized processors “not known outside of their economy to become part of a global data processing network.” The program requirements are designed to ensure that processing is consistent with “applicable controller requirements for processing under the CBPR System.” Processors seeking recognition under the PRP will be assessed against the PRP program requirements by an APEC-recognized third party certifier or Accountability Agent (“AA”).
To operationalize the PRP, APEC will work toward integrating the PRP system into the existing CBPR governance structure over the next few months.
Updates on the Implementation and Expansion of the CBPR System for Controllers
The three APEC economies currently participating in the CBPR system, the United States, Mexico and Japan, likely will be joined by Canada later this month. Other APEC economies continue to prepare to join the CBPR system, including through various capacity building initiatives.
TRUSTe, which is the only APEC-recognized AA to date, has been re-approved under APEC’s annual re-approval process. APEC CBPR participants are awaiting the decisions of Mexico and Japan (and soon Canada) regarding the identity of their domestic AAs.
So far, 10 companies have received their CBPR certification from TRUSTe. More than 10 additional companies are in the certification process.
A major focus of the discussions was the steps APEC needs to take to ensure the long-term financial sustainability of the CBPR’s governance and operations infrastructure as more APEC economies join the system and more companies seek CBPR (and soon PRP) certification.
APEC/EU Cooperation Toward Interoperability
After releasing the so-called Referential in March 2014, a jointly developed mapping document comparing APEC CBPR to the EU Binding Corporate Rules (“BCR”) system, APEC officials and representatives of the Article 29 Working Party continued their collaboration on this subject through the BCR/CBPR joint working group. After the last meetings in August 2014 in Beijing, the collaboration focused on case studies by several companies that sought or are in the process of seeking certification or approval under both the CBPR and BCR systems. The case studies explored the usefulness of the Referential and how companies can leverage their prior work to seek approval in one system to gain approval in the other system. The ultimate goal of the case studies is to identify possible ways to simplify and streamline the dual certification/approval processes under the CBPR and BCR systems.
During an informal working day at the APEC meetings, companies involved in the case studies presented their findings. They and other participants made suggestions on how the dual certification/approval process could be improved in the future. The suggestions ranged from the development of common application documents for both systems, agreed lists of required supporting documentation and proof-points that applicants must provide, to the development of a process for conveying such documents and other relevant information between the APEC AAs and the EU authorities responsible for approving BCR applications.
By way of a next step, the members of the BCR/CBPR working group will present options for future work to the Article 29 Working Party for formal consideration.
10-Year Stocktake of APEC Privacy Framework
APEC will continue its process of reviewing the APEC Privacy Framework (“Framework”) to identify areas that require updating in light of the technological and marketplace developments that have occurred since the Framework was completed in 2005. The starting point will be an examination of the OECD’s 2013 updates of its privacy guidelines, but the APEC update could go beyond the OECD’s updates, where appropriate.
The plan is to update the preface and facing-page commentary of the Framework but not the APEC Privacy Principles themselves. Key preliminary recommendations for updating the Framework include (1) elaborating on the “accountability” principle by including the concept and the elements of a privacy management program; (2) addressing breach notification; (3) addressing interoperability with privacy frameworks outside of APEC; and (4) providing guidance on what factors to consider when balancing trade considerations and restrictions on cross-border data transfers for privacy reasons.
U.S. to Chair ECSG
Christopher Hoff from the U.S. Department of Commerce’s International Trade Administration was elected to be the Chair of the APEC ECSG.
Next Meeting
The next round of meetings will be held in the Philippines in August 2015.