The Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules (CBPRs)—endorsed by U.S. President Barack Obama and APEC member economies at an APEC leaders meeting in Hawaii late last year and scheduled to be released later this year—aim to provide a framework to facilitate cross-border data flows by allowing for interoperability through various jurisdictions’ privacy regimes. The framework is voluntary and essentially self-regulated, though to-be-established enforcement authorities will act as the system’s backbone.
The framework is “very much aimed to provide consumers with assurances that when their data is transferred across borders, that those organizations have received an APEC-approved seal that is aimed to provide them with assurances of trust that there is a baseline of privacy protection that is respected,” said APEC Data Privacy Subgroup (DPS) Chair Danièle Chatelois. “You’ve got choice; you’ve got notice; you’ve got access rights, security safeguards. In order to be recognized under the APEC seal, those privacy protections have to be in place.”
The DPS recently gathered in Russia for a meeting its members describe as especially productive, accomplishing three tasks crucial to the rules’ implementation.
First, the DPS endorsed the document that member economies will use to apply to the system, assuming the economy can demonstrate that its data privacy standards meet baseline requirements on principles such as consent, notice, choice and security.
Second, the DPS endorsed a package of documents that would establish “accountability agents,” private-sector, third-party verifiers tasked with determining the validity of applicants’ privacy regimes and making recommendations on whether the applicant should be accepted into the framework. The CBPRs’ dependence on accountability agents may help to alleviate a common problem plaguing enforcement authorities globally: limited resources. In the case of binding corporate rules (BCRs), for example, companies must work through data protection authorities (DPAs) for assessments and approvals, an expensive and time-consuming process.
New Zealand Assistant Privacy Commissioner Blair Stewart believes that accountability agents will be significant in that they will take some of the strain off of public regulators, noting, “It hasn’t gone operational yet, so it has to be tested. But if it does work, it seems to me it can scale up…based on private-sector flexibility…Public bodies are never going to be able to scale up so successfully given how public bodies are funded. I think it’s a really valuable, useful feature of the APEC system…I think it has a great deal of promise.”
The agents will reassess member companies’ privacy regimes and policies periodically to be sure compliance with CBPRs is maintained year after year—especially as business needs and market forces shift. A built-in dispute resolution mechanism establishes DPAs as “backstop authorities” in cases of noncompliance with CBPR provisions.
To become an accountability agent, an entity must apply to a “joint oversight board” in order to be recognized as such. The board—the DPS’s third tangible success in Moscow—is not only to establish accountability agents but also to suspend agents should a violation occur.
The board is composed of three member economy representatives and will be responsible, perhaps more importantly at this early stage, for accepting and reviewing member economies’ applications and making recommendations on whether the applicants should be accepted. APEC leaders will then vote based on those recommendations.
U.S. Department of Commerce (DoC) Office of Technology and Electronic Commerce Associate Director Josh Harris, who will chair the Joint Oversight Board for a two-year term, said the impetus for CBPRs is twofold.
“The first is consumer confidence. We want to make sure consumers have a mechanism to understand who they are doing business with and understand what privacy practices and policies a company has in place. That’s really important to continuing the growth of the digital economy,” he said. “The second is to promote interoperability.”
In creating safety provisions to promote consumer confidence in e-commerce, it’s important that thought leaders and regulators take caution not to “inadvertently build up unnecessary barriers against the free flow of information across international borders,” Harris said.
The focus on cross-border interoperability—rather than harmonization—helps resolve a tension persistent in other global frameworks, Stewart noted.
Frameworks aiming to harmonize fail to recognize that “everyone in the world does things differently” and struggle when they aim to achieve goals by asking myriad parties to meet the same standards in exactly the same way, Stewart said. This is especially problematic across economic brackets.
“At the end of the day, when you are looking globally, you’ll never be able to harmonize,” he said. “So probably the interoperability philosophy, at a global level, is more feasible at the moment.”
The system, which aims to eventually see every APEC member economy sign on, recognizes that local privacy requirements will still exist. It does not aim to negate those rules, noted Markus Heyder, counsel for international consumer protection at the U.S. Federal Trade Commission (FTC).
“Companies are always responsible for local privacy requirements that may or may not be different,” Heyder said, “but overall, we think this will streamline data flows and make privacy protection more efficient for companies…and will therefore have better results for consumers.”
Looking forward, the DoC’s Harris says the DPS is working on a number of bilateral initiatives and is speaking with representatives from government and industry globally. It recently met with the French data protection authority to discuss how similarities between Europe’s BCRs and APEC’s CBPRs could potentially be leveraged. In addition, the DPS has been looking at a potential joint project between the U.S. and China, examining the ways in which a CBPR certification may help Chinese tea manufacturers to reach a more international base.
Heyder says companies should feel incentivized to enroll in the program not only because it promotes e-commerce and international data flows but because, from the FTC’s perspective as an enforcer, participants that can demonstrate they’ve worked toward compliance would likely have an easier time when it comes to enforcement decisions.
“There’s a stronger recognition now that companies need to be able to show regulators that they are trying to comply with the appropriate privacy protections, either under applicable laws or self-regulatory programs,” Heyder said. “While it’s not a safe harbor from law enforcement, it’s definitely a factor in making law enforcement decisions and where to deploy a law enforcement resource.”
At the 2012 IAPP Privacy Summit in Washington, DC, FTC Commissioner Edith Ramirez, Hewlett-Packard’s Scott Taylor, CIPP/US, and TRUSTe’s John Tomaszewski discussed the rules’ ongoing development. Indeed, Taylor said, the CBPR system gives his company some comfort in its ability to move data throughout very divergent countries.
“Very quickly, it’s doing things to help organizations partner together or organizations providing services and handling data to be recognized by other companies and uphold some level of standard,” he said.
Chatelois says she’s very confident in the practical application of CBPRs in the near future.
“The system we’re developing is aimed to achieve concrete results,” she said. While APEC “does not necessarily work in the abstract policy realm…The objective of this is very much geared to implementing it and rolling it out and adopting it and having member economies participate.”