APEC Cross Border Privacy Rules system awaits final component
Nigel Waters attended the APEC DPS meeting in Jakarta as an invited guest. He has previously either formally represented Privacy International or been a part of the Australian delegation. He continues to bring a critical civil society perspective to bear on the APEC privacy work.
The APEC Cross Border Privacy Rules (CBPR) system has moved one step closer to full operation with the acceptance in January 2013 of Mexico as the second participating economy. The United States was accepted in July 2012, and Japan has declared its intention to apply in 2013, with other economies to follow.
The first 2013 meeting of the APEC Data Privacy Subgroup (DPS), held in Jakarta at the end of January, heard that the Joint Oversight Panel (JOP) was also analysing an application by the US privacy seal program TRUSTe to be the first Accountability Agent (AA) in the CBPR system. A Recommendation from the JOP will go soon to member economies with a one month period for comments, although it is likely that any dissent will surface from amongst member economies. In this sense, civil society has an important role to play in finding sympathetic delegations that will at least make the JOP report available for review, within the narrow window for objections. Given the consensus basis of APEC’s decision making processes, it may be unrealistic to expect any member economy to raise objections, unless there are manifest deficiencies either in the AA application or in the JOP analysis. It should be noted that AA recognition will only be granted for one year at a time and member economies would be free to raise concerns about AA performance at any time, which could be taken into account before annual renewal.
The DPS also considered a further paper on the application of the CBPR system to personal information processors (as opposed to controllers). A working group will continue to develop an intake document for processors. While the program requirements will necessarily differ, it was confirmed that processor applications would need to be assessed by an AA in the same way as those from controllers.
A website for the CBPR system, supported by Microsoft, is almost ready for launch and will include portals for the public as well as controllers, accountability agents and governments. A CBPR Glossary is being finalised to assist understanding. It was noted that the Internet Society (ISOC) has donated some staff time to assist the JOP Secretariat, until now staffed mainly by the US Department of Commerce, working with the DPS chair and APEC secretariat. An informal working group was formed to monitor the operation of the CBPR system. The DPS considered proposals from the author representing the civil society perspective with respect to minor process enhancements designed to increase transparency and trust in the CBPR system, and these will be taken into account by the JOP and secretariat.
The Jakarta meeting was preceded by the first formal meeting of an EU-APEC BCR-CBPR working team – the EU being represented by officials from the French, German and EU Data protection authorities. This team has been formed to progress a comparative analysis of the respective requirements, and approval processes, for APEC CBPR and for EU Binding Corporate Rules (BCR). Subject to approval from the EU Article 29 Working Party, the team will continue its work remotely and report back to the next DPS meeting in Sumatra in June.
The DPS also received updates on domestic implementation of the APEC Privacy Framework, including from Singapore on its new Personal Data Protection Act, and from China on a new technical standard. There have been changes to existing laws in Hong Kong, Indonesia, Korea and Chinese Taipei, while Malaysia and the Philippines have yet to bring their privacy laws into effect. New Zealand announced that its amended law had received an ‘adequacy’ assessment from the EU. It was noted that the Individual Action Plans of most member economies, published on the APEC website, are badly out of date and members were encouraged to lodge updated plans.
A proposal for an overall ‘stocktake’ of implementation of the APEC Privacy Framework (not a review of the Framework itself) was accepted for inclusion in the DPS work program for 2013 and 2014. The DPS received reports on events in Vietnam (a symposium on the CBPR system, in August 2012) and Japan (a workshop on the EU data protection reforms, in January 2013) and a workshop on APEC Privacy Enforcement will be held in New Zealand in July 2013. A report was received on capacity building work in Peru and member economies reminded that applications for similar projects are invited.