The APEC Cross Border Privacy Rules system: A Civil Society perspective
The following statement was made to the APEC Data Privacy Subgroup meeting on 24 June 2013, in Medan, Sumatra, by Nigel Waters, attending the meeting as an invited guest. At previous meetings Mr Waters has represented Privacy International, but due to difficulties in obtaining guest status for PI (or other privacy or consumer NGOs) he has attended the last two meetings in an individual capacity. In the absence of a formal multi-stakeholder mechanism, he seeks to bring the perspective of international civil society to bear in the APEC privacy work.
“The most significant development since the last DPS meeting has been the approval of TRUSTe as an Accountability Agent (AA) under the CBPR system. It is unfortunate that it was left to civil society volunteers to question the JOP assessment of the TRUSTe application for recognition as an AA. We are pleased that a number of economies took up some elements of our critique. This appears to have led to some specific modifications to the application (and consequently to the JOP’s report) but also to many assurances about future changes and TRUSTe practices, which the JOP has taken on trust. We consider that the changes and assurances (even if subsequently delivered) fail to address the most serious criticisms, and we cannot understand how the JOP, and member economies, can be satisfied that the application met the recognition criteria.
International civil society believes that approval of TRUSTe as an Accountability Agent has seriously undermined the credibility of the CBPR system. It is a very unfortunate precedent, setting a low bar for other applicants for AA recognition both in the US and in other economies. The TRUSTe model, in association with an enforcement arrangement based on Trade practices law rather than mandatory privacy principles, means that compliance with the CBPR system in the US will essentially rely on self-assessment, with minimal pro-active oversight or independent checks. Any prospective market for effective private sector Accountability Agents has been undercut by a largely token certification program from an organisation with a questionable track record.
This development needs to be seen in the context of intensive lobbying by business interests, aided by some governments, to weaken privacy and data protection laws around the world, not least through reviews of the key international privacy instruments – the OECD Guidelines, the Council of Europe Convention 108 and the EU Directive and proposed Regulation. At stake is the ability of privacy laws to do any more than require ‘good housekeeping’ of personal data. The critical role of current laws in challenging the legitimacy of some business models and practices is under threat. Business interests seek to ensure that privacy laws do not limit their ability to use personal data for secondary commercial purposes without express consent, and to move data around the world unconstrained by the absence of strong privacy protection in some jurisdictions. The campaign for ‘interoperability’ needs to be recognised for what it is – an attempt to gain mutual recognition of different privacy protection regimes with a very low ‘floor’ or entry threshold.
These efforts to shift the balance in privacy protection away from individual control towards business interests, so far successful in the APEC CBPR system, stand in stark contrast to the steady growth of strong domestic privacy laws around the world, including in APEC – at the last count, 93 jurisdictions with laws applying to the private sector . Countries continue to adopt privacy laws because of the clear evidence that they are essential for long term trust in electronic commerce, which is a shared goal. The CBPR system could, if redirected, contribute to this trend rather than undermine it. Civil society will continue to closely monitor the direction of the system, and of APEC privacy implementation more generally, and will continue to urge APEC members to raise rather than weaken standards of privacy protection.”