Privacy & Information Security Law Blog

On May 26, 2012, the United States government submitted its request to participate in the APEC Cross-Border Privacy Rules (“CBPRs”) system. The CBPRs system was endorsed by APEC leaders in November 2011. The protocol requires a participating economy to submit:

• A letter of intent to participate;
• Confirmation that a privacy enforcement agency in the economy is a participant in the Cross-Border Privacy Enforcement Arrangement;
• Notice that the economy intends to make use of at least one APEC-recognized accountability agency; and
• A description of the domestic laws and other legal mechanisms to give effect to the enforcement activities related to the activities of the accountability agent, which also must include an enforcement map.

The request, which was filed by the U.S. Department of Commerce with a supporting annex prepared by the Federal Trade Commission, will be reviewed by APEC’s Joint Oversight Panel. For purposes of the review, the U.S. will recuse itself from the panel (which also includes Mexico and Chinese Taipei), and will be replaced by the first alternate, Canada. Once the request to participate is approved, it is anticipated that at least one U.S. accountability agent will file for certification by the Joint Oversight Panel.

There are indications that a number of other economies will make requests for participation in the CBPRs system program. Vietnam will be holding an APEC “Symposium on Trustmark Participation in the Cross-Border Privacy Rules System” this summer to conduct capacity building in the Asia-Pacific region. The Data Privacy Subgroup also will continue to explore interoperability with other accountability-based governance systems for global data transfers (such as binding corporate rules).

The U.S.’s request followed the adoption of the Joint Oversight Panel protocols by APEC’s Data Privacy Subgroup on May 26, 2012, in Kazan, Russia. The Data Privacy Subgroup also considered mechanisms to qualify data processors for CBPR certification. A proposal will be drafted by a working group this summer and submitted to the first Data Privacy Subgroup meeting in 2013 in Indonesia. The Centre for Information Policy Leadership at Hunton & Williams LLP is facilitating this work.

We will post the relevant documents when they are made available.

Update:  On July 26, 2012, acting U.S. Secretary of Commerce Rebecca Blank announced that APEC’s Joint Oversight Panel approved the United States’ request to participate in the APEC Cross-Border Privacy Rules System. The panel also approved the Federal Trade Commission’s participation as the system’s first privacy enforcement authority.