From January 30 to February 3, 2015, the APEC Data Privacy Subgroup (“DPS”) and its parent committee, the Electronic Commerce Steering Group (“ECSG”), met in Subic Bay, Philippines, for another round of negotiations and meetings. The Centre for Information Policy Leadership at Hunton & Williams participated as part of the U.S. delegation. The principal focus of the meetings was implementing the APEC Cross-Border Privacy Rules (“CBPR”) system, developing a corollary APEC recognition mechanism for information processors, related work relevant to cross-border interoperability, and updating the APEC Privacy Framework. The following is a summary of highlights and outcomes from the meetings.
APEC Privacy Recognition for Processors
After finalizing the CBPR system for personal information controllers in 2011, the APEC DPS and ECSG also endorsed a corollary certification system for personal information processors, called the “APEC Privacy Recognition for Processors” or “PRP.” Subject to official approval by the ECSG’s parent committee, this development rounds out APEC’s privacy certification scheme to cover the entire personal information ecosystem comprising the activities of both information controllers and processors.
According to the explanatory document for the PRP program requirements, the PRP “helps personal information processors…demonstrate their ability to provide effective implementation of a personal information controller’s…privacy obligations related to the processing of personal information.” In addition, the PRP “also helps controllers identify qualified and accountable processors,” and assists small or medium-sized processors “not known outside of their economy to become part of a global data processing network.” The program requirements are designed to ensure that processing is consistent with “applicable controller requirements for processing under the CBPR System.” Processors seeking recognition under the PRP will be assessed against the PRP program requirements by an APEC-recognized third-party certifier or Accountability Agent (“AA”).
To operationalize the PRP, APEC will work toward integrating the PRP system into the existing CBPR governance structure over the next few months.
Updates on the Implementation and Expansion of the CBPR System for Controllers
The three APEC economies currently participating in the CBPR system, the United States, Mexico and Japan, likely will be joined by Canada later this month. Other APEC economies continue to prepare to join the CBPR system, including through various capacity building initiatives.
TRUSTe, which is the only APEC-recognized AA to date, has been re-approved under APEC’s annual re-approval process. APEC CBPR participants are awaiting the decisions of Mexico and Japan (and soon Canada) regarding the identity of their domestic AAs.
So far, 10 companies have received their CBPR certification from TRUSTe. More than 10 additional companies are in the certification process.
A major focus of the discussions were the steps APEC needs to take to ensure the long-term financial sustainability of the CBPR’s governance and operations infrastructure as more APEC economies join the system and more companies seek CBPR (and soon PRP) certification.
APEC/EU Cooperation Toward Interoperability
After releasing the so-called Referential in March 2014, a jointly developed mapping document comparing APEC CBPR to the EU Binding Corporate Rules (“BCR”) system, APEC officials and representatives of the Article 29 Working Party continued their collaboration on this subject through the BCR/CBPR joint working group. After the last meetings in August 2014 in Beijing, the collaboration focused on case studies by several companies that sought or are in the process of seeking certification or approval under both the CBPR and BCR systems. The case studies explored the usefulness of the Referential and how companies can leverage their prior work to seek approval in one system to gain approval in the other system. The ultimate goal of the case studies is to identify possible ways to simplify and streamline the dual certification/approval processes under the CBPR and BCR systems.
During an informal working day at the APEC meetings, companies involved in the case studies presented their findings. They and other participants made suggestions on how the dual certification/approval process could be improved in the future. The suggestions ranged from the development of common application documents for both systems, agreed lists of required supporting documentation and proof-points that applicants must provide, to the development of a process for conveying such documents and other relevant information between the APEC AAs and the EU authorities responsible for approving BCR applications.
By way of a next step, the members of the BCR/CBPR working group will present options for future work to the Article 29 Working Party for formal consideration.
10-Year Stocktake of APEC Privacy Framework
APEC will continue its process of reviewing the APEC Privacy Framework (“Framework”) to identify areas that require updating in light of the technological and marketplace developments that have occurred since the Framework was completed in 2005. The starting point will be an examination of the OECD’s 2013 updates of its privacy guidelines, but the APEC update could go beyond the OECD’s updates, where appropriate.
The plan is to update the preface and facing-page commentary of the Framework but not the APEC Privacy Principles themselves. Key preliminary recommendations for updating the Framework include (1) elaborating on the “accountability” principle by including the concept and the elements of a privacy management program; (2) addressing breach notification; (3) addressing interoperability with privacy frameworks outside of APEC; and (4) providing guidance on what factors to consider when balancing trade considerations and restrictions on cross-border data transfers for privacy reasons.
U.S. to Chair ECSG
Christopher Hoff from the U.S. Department of Commerce’s International Trade Administration was elected to be the Chair of the APEC ECSG.
The next round of meetings will be held in the Philippines in August 2015.