APEC developments, March 2012
The APEC Data Privacy Subgroup (DPS) commenced a new five year work programme at a meeting in Moscow in February 2012. This follows the commitment by APEC Leaders in late 2011 to the Cross Border Privacy Rules (CBPR) system as one way implementing the APEC Data Privacy Framework.
The Joint Oversight Panel was formed at the DPS meeting in Moscow and comprises members from the US (chair), Chinese Taipei and Mexico, with the chair of the DPS (from Canada) as alternate – who will be needed if and when any of the other three economies apply for participation.
The DPS endorsed template documentation for members applying to participate in the CBPR system, and discussed ways to reconcile the requirements with different domestic enforcement regimes. There is a clear tension between a desire for flexibility and interoperability on the one hand, and recognition on the other that clear demonstrations of effective compliance and enforcement are essential to the integrity and credibility of the CBPR System. Discussion also highlighted the need for enforcement both of Accountability Agent certification processes and of actual compliance wth programme rules by participating businesses, since it is the latter which will deliver privacy protection for consumers.
The DPS also endorsed further documentation concerning recognition of Accountability Agents (AAs). In due course, recognised AAs will start to certify applicant businesses as meeting the CBPR programme requirements, but commencement of this process in any member economy seems some way off. Development of the website that will list participants was recognised as a priority and work on this will take place before the next meeting, led by the US and Canada.
The French DPA – the CNIL – continues to work with the US, and now also with the International Chamber of Commerce (ICC), on potential interoperability of the CBPR system with the EU’s Binding Corporate Rules (BCR) mechanism. Wider issues of interoperability between different regulatory frameworks were discussed at the high level US-EU meeting on privacy and data protection held in Washington DC on 19 March.
The DPS continues to work on a version of the CBPR system for data processors wishing to voluntarily demonstrate their compliance with programme standards.
The APEC DPS work programme includes various capacity building activities, and the US government is also separately funding assistance for economies to build capacity specifically to participate in the CBPR system.
The Cross Border Privacy Enforcement Cooperation Arrangement (CPEA), designed to support the CBPR system but also potentially playing a wider role, now has 20 members including 15 sectoral Japanese agencies, although it remains unclear how referrals will work in practice in cases involving Japan. There is still no evidence of practical outcomes from the CPEA or even of any actual casework.
The next Data Privacy Subgroup meeting (and associated workshop) is in Kazan, Russia, in late May 2012.
You can find all previous updates on APEC meetings here.
*Nigel Waters represents Privacy International at most meetings of the APEC Data Privacy Subgroup, but did not attend the Moscow meeting in January 2012.