Cross Border Privacy Rules Advance at Beijing Meetings
APEC’s Data Privacy Subgroup concluded its 2014 meetings in Beijing, China earlier this week. The Future of Privacy Forum participated in these meetings as a member of the U.S. delegation. The biggest development of the week was Canada’s submission of its Notice of Intent to participate in the Cross Border Privacy Rules (CBPR) system. After a favorable determination by the APEC’s Joint Oversight Panel, Canada will become the fourth country to join the system, along with the United States, Mexico and Japan. In addition, TRUSTe, an APEC-approved Accountability Agent, announced that 14 companies are in the process of seeking certification. Taken together, these developments, along with Mexico’s recent steps toward interoperability have provided promising momentum in the establishment of an international privacy framework.
Still much work remains before the true potential of the system can be fully realized. In July, FPF hosted officials from Privacy Thailand, a University-based consortium that advises the Thai Prime Minister’s office on data privacy and security issues. During their week-long visit, FPF and Privacy Thailand met with representatives from the Department of Commerce, the Federal Trade Commission and the U.S. Department of State to consider Thailand’s accession to the system. FPF will continue work with interested APEC members to provide capacity building assistance.
On August 8, APEC Economies and representatives from the EU’s Article 29 Working Party met to discuss next steps on the jointly developed Common Referential. This document identifies points of commonality between the CBPR system and the EU’s system of Binding Corporate Rules (BCRs). APEC members agreed to take this work forward by developing case studies that demonstrate the practical interoperability of these two systems and a checklist outlining the combined obligations for a company seeking certification under both.
On August 10, APEC Economies agreed to establish a working group to consider the applicability of the APEC Privacy Framework to Big Data. This group will consider, among other things, appropriate administrative and policy safeguards when de-identifying personal information. FPF plans to participate in this working group.
Participants continued the development of a CBPR certification system for data processors. In July, FPF hosted a meeting of this working group to develop the program requirements under this certification. Completion of this project is expected in advance of the next APEC Data Privacy Subgroup meetings in Clark, Philippines in January, 2015.