In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this installment, Alex Wall, CIPP/E, CIPP/US, compares the principles of the APEC Privacy Framework with the principles expressed by the GDPR.
What are the APEC Privacy Framework and the Cross-Border Privacy Rules?
The APEC Privacy Framework is a set of principles and implementation guidelines that were created in order to establish effective privacy protections that avoid barriers to information flows, and ensure continued trade and economic growth in the Asia Pacific Economic Cooperation region of 27 countries. The APEC Privacy Framework set in motion the process of creating the APEC Cross-Border Privacy Rules system.
The CBPR system has now been formally joined by the United States, Canada, Japan and Mexico, with more nations soon to follow. The CBPR program is analogous to the EU-U.S. Privacy Shield in that they both provide a means for self-assessment, compliance review, recognition/acceptance and dispute resolution/enforcement. Both systems require the designation by each country of a data protection authority (the U.S. enforcement authority is the Federal Trade Commission).
The APEC CBPR system requires participating businesses like Apple, Box, HP, IBM, Lynda.com, Merck, Rimini Street, Workday, and Intasect to develop and implement data privacy policies consistent with the APEC Privacy Framework. These policies and practices must be assessed as compliant with the minimum program requirements of the APEC CBPR system by an accountability agent (the only U.S.-based accountability agent is TRUSTe) and be enforceable by law.
Unlike the GDPR, which is a directly applicable regulation, the CBPR system does not displace or change a country’s domestic laws and regulations. Where there are no applicable domestic privacy protection requirements in a country, the CBPR system is intended to provide a minimum level of protection.
The privacy enforcement authorities of a country that takes part in the system should have the ability to take enforcement actions under applicable domestic laws and regulations that have the effect of protecting personal information consistent with the CBPR program requirements.
| APEC Privacy Framework (or CBPRs) | GDPR | |
|---|---|---|
| Purpose | To develop effective privacy protections that avoid barriers to information flows, and ensure continued trade, and economic growth in the APEC region. | To enable to free movement of personal data within the Union while protecting fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. |
| Material scope | Applies to persons or organizations in the public and private sectors who control the collection, holding, processing, use, transfer or disclosure of personal information. | Applies to the processing of personal data wholly or partly by automated means, within the scope of Union law. |
| Territorial scope | Applies to the same extent that the laws of each member country apply. | Applies to processing that takes place in the Union or by a processor who has an establishment in the Union within the context of activities in the Union or to processing activities that are related to the offering of goods and services to (or behavioral monitoring of) data subjects in the Union. |
| Personal information | Personal information means any information about an identified or identifiable individual. (same) | Personal data means any information relating to an identified or identifiable natural person. |
| Data controller | Personal information controller means a person or organization who controls the collection, holding, processing or use of personal information. | Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
| Data processors | APEC Privacy Framework and CBPRs do not apply to processors, only controllers. | Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. |
| Publicly available information | The APEC Privacy Framework has limited application to publicly available information. Notice and choice requirements, in particular, often are superfluous where the information is already publicly available, and the personal information controller does not collect the information directly from the individual concerned. | The processing of publicly available information may be permitted for certain certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available. |
| Permitted member country variations (derogations) | Economies implementing the framework at a domestic level may adopt suitable exceptions to scope that suit their particular domestic circumstances. The framework is not intended to impede governmental activities authorized by law when taken to protect national security, public safety, national sovereignty or other public policy. | Member States have discretion in a number of subject areas including: Supervisory Authority; Sanctions; Demonstrating Compliance; Data Protection Officers; Archiving and Research; Third Country Transfers; Sensitive personal data and exceptions; Criminal Convictions; Rights and Remedies; Processing of Children’s Personal Data by Online Services; Freedom of Expression in the Media; Processing of Data; Restrictions; Rules surrounding Churches and Religious Associations. Exceptions to general GDPR applicability also exist for national security, public safety, and police powers. |
| Preventing harm principle | Recognizing the interests of the individual to legitimate expectations of privacy, personal information protection should be designed to prevent the misuse of such information. | Protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data. |
| Notice | Personal information controllers should provide clear and easily accessible statements about their practices and policies with respect to personal information. All reasonably practicable steps shall be taken to ensure that such notice is provided either before or at the time of collection of personal information. Otherwise, such notice should be provided as soon after as is practicable. It may not be appropriate for personal information controllers to provide notice regarding the collection and use of publicly available information. Where personal information is not obtained directly from the individual, but from a third party, it may not be practicable to give notice at or before the time of collection of the information. | If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. The processing of publicly available information may be permitted for certain certain archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, insofar as providing notice is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available. |
| Collection limitation | The collection of personal information should be limited to information that is relevant to the purposes of collection and any such information should be obtained by lawful and fair means, and where appropriate, with notice to, or consent of, the individual concerned. | Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. |
| Use limitation | Personal information collected should be used only to fulfill the purposes of collection and other compatible or related purposes except: a) with the consent of the individual whose personal information is collected; b) when necessary to provide a service or product requested by the individual; or, c) by the authority of law and other legal instruments, proclamations and pronouncements of legal effect | Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. |
| Choice and consent | Where appropriate, individuals should be provided with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice in relation to the collection, use and disclosure of their personal information. It may not be appropriate for personal information controllers to provide these mechanisms when collecting publicly available information. | Permits the use of health-related personal data with explicit consent from the subject, unless reliance on consent is prohibited by EU or member state law. "Explicit consent" must meet a higher standard than consent for the processing of other forms of personal data — an individual must be clearly informed of the use of their data and take an affirmative action to demonstrate their consent. Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. |
| Data integrity | Personal information should be accurate, complete and kept up-to-date to the extent necessary for the purposes of use. | Personal data should be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. |
| Security safeguards | Personal information controllers should protect personal information that they hold with appropriate safeguards against risks, such as loss or unauthorized access to personal information, or unauthorized destruction, use, modification or disclosure of information or other misuses. Such safeguards should be proportional to the likelihood and severity of the harm threatened, the sensitivity of the information and the context in which it is held, and should be subject to periodic review and reassessment. | Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. |
| Access and correction | Individuals should be able to obtain from the personal information controller confirmation of whether or not the personal information controller holds personal information about them, and have access to information held about them, challenge the accuracy of information relating to them, have the information rectified, completed, amended or deleted. All of the above rights subject to a balancing of of the burden or expense of compliance, legal or security reasons, the protection of commercial information, the protection of the privacy rights of persons other than the affected individual. | The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and to access to the personal data and information about the processing including: what categories of data are processed, the recipients of the data, and rights to erasure and rectification of the personal data, the right to lodge a complaint with a DPA, the source of the data, whether the data was subject to automated profiling (and if so, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject). |
| Accountability | A personal information controller should be accountable for complying with measures that give effect to the Principles stated above. | The controller shall be responsible for, and be able to demonstrate compliance with, the principles of the processing of personal data under the GDPR. |
| Transfer of personal data to another person or country | When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles. | When a controller sends data to another party to be processed, they are a processor and therefore must be bound by contract with the controller to protect the personal data. Personal data may only be transferred to third countries where the EU has considered the laws to provide adequate protection or where protected by a binding corporate rules, approved model clauses, binding agreements combined with an approved code of conduct or approved certification. |
| Breach definition | There is no specified definition of breach under the APEC Privacy Framework or CBPRs. | Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. |
| Breach notification | The APEC Privacy Framework does not directly address breach, but the principles support notification. The Cross-Border Privacy Rules (CBPR) to which APEC economies must bind themselves to join, require that member countries impose rules requiring that data controllers contractually protect data by requiring notification to themselves by data processors, agents, contractors or other service providers. The CBPRs do not require that member countries impose mandatory notification of breach to privacy enforcement authorities or data subjects. | The GDPR requires assessment of data incidents and prompt notification of breach to data subjects when there is a high risk to the rights and freedoms of natural persons and, with respect to supervisory authorities, notification when the breach is likely to result in a risk to the rights and freedoms of natural persons. |
| Breach mitigation | (see above) The APEC Privacy Framework requires that appropriate safeguards. The CBPRs require the applicant country to describe how it enforces a requirement to have technical (authentication and access control, encryption, firewalls and intrusion detection, audit logging, monitoring, etc.) and administrative (training, policies, enforcement, etc.) Safeguards. | Notification to data subjects is not required if: the controller has implemented appropriate technical and organisational protection measures, and that those measures were applied to the data affected by the personal data breach, in particular those that render the data unintelligible to any person who is not authorised to access it, such as encryption; or the controller has taken subsequent measures which ensure that the high risk for the rights and freedoms of data subjects is no longer likely to materialise; or it would involve disproportionate effort. In such case, there shall instead be a public communication or similar measure whereby the data subjects are informed in an equally effective manner. |
APEC logo used according to guidelines.