APEC cross border privacy rules - ready to party but will anyone come?
The second 2011 meeting of the APEC Privacy Subgroup took place in San Francisco in mid September, and finalised the package of documents that comprise the Cross Border Privacy Rules (CBPR) system. Endorsed by the parent Electronic Commerce Steering Group (ECSG), these will now go forward for ratification by Ministers in Hawaii in November, and subsequent implementation. The Subgroup’s 2012 Work Plan envisages establishment of the Joint Oversight Panel (JoP), commencement of recognition of Accountability Agents (AAs), and facilitating participation by economies in the CBPR system. Implicitly, it is also expected that recognised AAs will start to certify applicant businesses as meeting the CBPR programme requirements. The work plan also includes development of the website that will list participating businesses, recognised AAs and Privacy Enforcement Authorities (PEAs), and further promotion and explanation of the system.
It remains to be seen which economies will agree to put resources into the JoP – a minimum of three economies need to join the JoP, although more will be needed since a member cannot be involved in assessing or recommending its own economy’s participation in the CBPR system. Economies will then need to apply to participate. One useful change made at the San Francisco meeting was to add a requirement for the JoP to report on how an applicant economy meets the conditions of participation – in previous drafts of the JoP Charter an economy could simply declare itself compliant, with no peer assessment. But the APEC mode of operation – always by consensus – does not lend itself to economies judging each other, so it seems unlikely that any economy would be rejected.
It remains uncertain which economies will apply for participation – those with existing privacy laws and PEAs may see no need, given their existing requirements for cross border data transfers. They may in any case be unwilling to nominate Accountability Agents, given that their PEAs already perform some AA functions, but typically (e.g. in Australia, New Zealand, Canada, Hong Kong and Korea) without the requirement for application by and certification of businesses (‘notification’ in EU language) that is part of the CBPR programme requirements. One of the ironic outcomes of the CBPR system is that participating businesses will actually face a more onerous application process, and more bureaucratic requirements, than they do in those APEC member economies with privacy laws, and arguably even than they do in EU member states, whose ‘notification’ regimes the APEC initiative was designed to avoid replicating. However, if the CBPR certification process and subsequent monitoring are carried out in good faith (a big ‘if’), then the result could be a higher level of proactive compliance with privacy rules than most regimes have managed to achieve to date.
The Subgroup, and its parent ECSG, agreed to propose a five year $500,000 project, commencing in 2012, to support the implementation of the CBPR system, including administrative assistance to member economies, and separate symposia are proposed in the Philippines in December 2011 and in Vietnam in September 2012 to promote elements of the system.
The suggestion from the March meeting of alternative ways of meeting the CBPR programme requirements was developed in a further paper on Interoperability drafted by the International Chamber of Commerce (ICC). This paper states even more clearly a case for businesses that are already subject to other regulatory requirements (such as banking and financial services in the US) to be recognised as compliant with the APEC Privacy Framework Principles, without having to go through the processes established for the CBPR system. This would involve another role for the JoP in assessing and recommending other regulatory schemes, which seems likely to be beyond either the competence of the JoP as it is to be established or its resources. Some economies expressed reservations about this proposal, and the paper was simply noted, with further work to be done on Interoperability. There is a separate strand of work on mapping the procedures of existing trustmark or seal programmes against the CBPR programme requirements, which would seem to be a more realistic option, although it will raise similar issues of quality control and transparency.
The business case for organisations to seek certification under the CBPR system remains elusive, particularly in the absence of any detail about likely charges by AAs.
The San Francisco meetings also heard reports of developments in member economies, once again revealing a continuing trend towards domestic privacy legislation influenced as much by the EU Directive and other instruments as by the APEC Privacy Framework.
It is encouraging to see participation in APEC processes by more NGOs – the Electronic Frontier Foundation (EFF), the Center for Democracy and Technology (CDT) and the Internet Society (ISOC), as well as Privacy International, attended some or all of the San Francisco meetings. There was also a representative of the International Privacy Commissioners Conference, who explained the EU’s system of Binding Corporate Rules, which has some similarities with the CBPR system (and which is suggested in the ICC’s Interoperability paper as one of the other schemes that could potentially be recognised as implementing the APEC Principles). There has not been a clear understanding of the APEC initiative in Europe, and improved liaison will help to remedy this communication gap.
While the finalisation of the CBPR system documentation package clarifies APEC’s intentions, it remains uncertain whether, or how, the system will be implemented over the next few years. Those who have been sceptical of the value of the APEC privacy work, and its underlying motives, have no reason to be any more (or less) concerned following the San Francisco meetings. However, vigilance will be needed to ensure that economies with existing privacy laws do not legislate to accept participation in the APEC CBPR system as sufficient to meet domestic privacy obligations where these are currently stronger or more specific than the APEC principles.
The 2012 host of APEC is Russia, although dates and venues for the expected meetings of the ECSG and Data Privacy Subgroup have yet to be announced. After several years, the Australian government representative has stood down as chair of the Subgroup, and has been replaced by a Canadian, with the US providing both vice-chair and administrative support, confirming that APEC privacy work remains a US led initiative.
*Nigel Waters represents Privacy International at meetings of the APEC Data Privacy Subgroup.