Recent developments at the forum for Asia-Pacific Economic Cooperation (APEC)
Nigel Waters has previously represented Privacy International at APEC Data Privacy Subgroup meetings, on one occasion with PI having official guest status, otherwise indirectly through membership of the Australian delegation. On this occasion, expenses were paid by USAid for participation in the technical assistance seminar, and this allowed attendance at the other meetings.
Cross border privacy rules
As a reminder, or for newcomers, the cross border privacy rules (CBPR) system is one prospective means for international implementation of the APEC Privacy Framework, expressly recognised in the Part of the Framework providing guidance for international implementation. It is intended to provide mutual recognition between participating APEC economies of each other’s mechanisms for certification of a business’s ‘privacy rules’, by an accredited accountability agent, as being compliant with the principles in the APEC Privacy Framework, with a guarantee of ‘backstop’ enforcement by a public sector enforcement authority able to enforce a privacy law (which may be a sectoral or general consumer protection law). This would be a ‘minimum’ standard, and in no way derogate from the obligations of a business that is either exporting or importing personal data to comply with any applicable domestic law.
The Hiroshima meetings confirmed that slow progress is being made on establishing the cross border privacy rules (CBPR) system, which has been the main focus of the Subgroup’s work for the last few years. In my view there remains considerable confusion and uncertainty about how the system is supposed to work, with no agreement yet even on consistent terminology and foundation concepts. A common glossary is to be developed to ensure consistent use of terms such as accountability agent, enforcement authority, certification and accreditation.
It is becoming clearer that the system requires a number of roles to be played within each economy as a condition of participation in the CBPR system, but that there is intended to be considerable discretion and flexibility in who performs these roles. For example, accountability agent roles include certification of applicant businesses, monitoring of compliance, dispute resolution (complaint handling) and enforcement. While some accountability agents, such as some larger trustmark or seal schemes, may play all of these roles, others, such as law or accounting firms or smaller trustmark schemes, may only provide certification and limited monitoring roles, with other bodies, such as industry ombudsman schemes or a public sector agency, providing dispute resolution and enforcement. However, in order for an accountability agent to be accredited under the CBPR scheme, it would have to demonstrate who would play the other necessary roles, and by what process.
Another useful clarification is that the scope of the ‘rules’ to be certified for any business would be defined and often quite limited. For example, many of the businesses likely to apply that are members of existing trustmark schemes would be seeking certification for their on-line commerce or even for a particular website. Others would be seeking certification for specific business processing services that they wish to market to foreign clients. While this will reduce the risk of an economy’s participation in the CBPR scheme being misrepresented as somehow meaning that it has comprehensive privacy protection, there remains the risk that consumers will be misled into thinking that claims by a business that it is APEC certified for a particular business activity applies more generally to its other business activities.
Another area of confusion is the extent to which APEC-compliant businesses will be subject to the CBPR system in relation to personal information that never crosses borders. While it has been regularly claimed that the system is only seeking to regulate cross border data transfers, it has also been recognised that in practice, businesses will not be able to distinguish between domestic and foreign transactions. For instance, a business that is APEC-certified for an e-commerce website could not realistically say that its ‘rules’ (CBPR) only applied to foreign customers, and the relevant domestic accountability agent and enforcement authority would be unlikely to accept any attempt to do so. This means that in practice the benefits of the CBPR privacy protections (in any economy without any applicable privacy laws) would apply to domestic customers as well.
Cross border enforcement
APEC agreed last year on a Cross Border Privacy Enforcement Cooperation Arrangement, and this was welcomed by Civil Society as providing a mechanism for cooperation on privacy complaints not just under the prospective CBPR system but also under existing domestic privacy laws.
The Sub-Group established an implementation working group led by the United States, with Australia, Canada and New Zealand also participating. The Sub-Group decided that the Administrator function will, in the establishment phase, be shared by the APEC Secretariat and a number of Privacy Enforcement Agencies. The United States and New Zealand expressed interest in sharing the Administrator role, subject to final domestic approval, and at the ECSG meeting Australia stated its willingness to join them. The Sub-Group recognised the importance of commencing the Cooperation Arrangement as soon as possible, and agreed that it should be fully operational before the next Sub-Group meeting in September 2010. In subsequent discussions of the working group, Australia, New Zealand and the United States have confirmed their willingness to participate as joint administrators with the APEC Secretariat.
It is very disappointing that it has taken so long to establish the Administrator, given that the functions to be performed are minimal. However the ‘stalemate’ appears now to have been broken and enforcement agencies can now hopefully sign up, and start formal cooperation, in the near future.
It was suggested that a mutual cooperation agreement between accountability agents would be useful, and the members of the Asia Pacific Trustmark Alliance in Japan, Vietnam, Chinese Taipei, the USA and Mexico are considering this.
The self-completion questionnaire to be completed by applicant businesses and submitted to accountability agents for assessment and certification (Project 1) was finalised at the meetings, subject to editing for consistency of language etc. Agreement on the wording of the questions, and relevant references to exemptions and qualifications, has necessarily required some interpretation of the APEC Privacy Principles and the accompanying commentary. The process has highlighted the fact that the APEC Framework and its principles are not detailed enough to provide operational level ‘rules’ against which compliance can be assessed. The Project 1 questionnaire, and other documents being developed for the CBPR system, are to some extent performing this role, and therefore need to be assessed critically by all stakeholders – but particularly by Civil Society – to ensure that they have not given any significant ground from the already imperfect Principles.
Further work is needed to develop a version of the self-certification questionnaire tailored to the circumstances of business process service providers (data processors), for whom only a subset of the APEC privacy principles will be relevant. The Subgroup also agreed to look further into interactive on-line delivery of the questionnaire, which could simplify the process both for applicants and for accountability agents.
The questionnaire provides for applications from groups of subsidiary companies and ‘affiliates’, although it will need to be clear whether in the case of affiliates this will mean that any separate legal entities are held separately accountable.
The accreditation criteria for private sector accountability agents (Project 2a) were not finalised, as they need further work in relation to the ‘Independence’ criteria and to accommodate applications by organisations that may wish to be accredited for some, but not all, of the accountability agent roles. The independence discussion is critical – some private sector bodies feel that they can meet the spirit but not the letter of the current criteria, and the Subgroup has agreed to consider whether they can be reworded while retaining the essential elements of independence – including transparency, impartiality and absence of conflicts of interest. Several of the privacy regulators appear to share Civil Society concerns that there must be no significant weakening of the independence criteria.
Further work is also needed on a version of the accreditation criteria for public sector accountability agents (Project 2b), and this also involves clarification of the relationship between accountability agents and enforcement authorities, as some public sector bodies may play both of these roles (in which case there will need to be safeguards against conflicts, such as inappropriate access to certification applications in the course of a complaint investigation).
Both the Cross Border Cooperation Arrangement and the Accountability Agent accreditation criteria include detailed requirements for publication of anonymised case studies and statistical reporting, both of which should ensure a high level of transparency, so that the performance of the CBPR system can be judged.
The development of a governance framework (Project 8) is the major outstanding area of work and many of the remaining uncertainties about the CBPR system can only be resolved once this is done and agreement reached on who will provide the necessary infrastructure. The Joint Oversight Panel currently proposed is estimated to require a minimum of 2 full time staff and significant running costs, and it is not yet clear where the necessary resources will come from. It would be a new departure for the APEC Secretariat to take on this role and yet this seems the only practical solution. A related issue is the extent to which the system will allow for cost recovery from certified businesses, generating a revenue stream for private sector accountability agents, a portion of which could be ‘levied’ to support the central infrastructure.
Outstanding questions for the governance project include who will sign an economy up to the CBPR system – governments or individual enforcement authorities? (Ministers will collectively approve the overall system, but member economies will need to make a separate decision to sign up). Relationships between the various players in the system need to be clarified.
The other Pathfinder projects are either complete (Projects 5-7 – the Cross Border Privacy Enforcement Cooperation Arrangement and related matters) or are contingent on other projects: Project 3 can proceed now that the Project 1 questionnaire is finalised, Project 4 requires someone to take on the website development for the directory of compliant organisations, and the Project 9 testing of the system will re-commence once all the necessary components are in place.
Civil Society is particularly interested in another part of the Privacy Subgroup’s work programme which relates to domestic implementation of the APEC Privacy Framework, and capacity building to that end. 14 of the 21 APEC economies have tabled Individual Action Plans outlining the steps they have taken, and these are now public on the APEC website. But 11 of the 13 have not been updated since 2006 (the commendable exceptions being Chinese Taipei and the Philippines, both of which lodged updates in 2009).
The main capacity building activity has been a technical assistance project funded by USAid and APEC involving the Philippines, Indonesia and Vietnam, which helped those economies assess the state of their existing regulatory environment and consider options for compliance with the APEC Privacy Framework. Results of this project were presented at the Informal Workshop. From a Civil Society perspective it is unfortunate that the external consultants involved in this project have a stronger commitment to the CBPR system than to the development of domestic legislation. It is therefore unsurprising that both Indonesia and Vietnam seem to have concluded that no or only minimal changes to domestic law are necessary to support participation in the CBPR system, but nonetheless both are likely to designate a public sector agency as their accountability agent. The Philippines, while seeking to accommodate the CBPR system with private sector accountability agents in the short term with marginal regulatory changes, appears not to have been diverted from its intention to enact a comprehensive privacy law, although this has now been delayed by the forthcoming national elections. It is paradoxical, however, that the draft Philippines law relies on a version of the weak APEC ‘accountability’ principle to control cross-border transfers, meaning that if it is enacted, there will be no incentive for businesses in the Philippines to develop cross-border privacy rules and have them subjected to accountability agent scrutiny. (The same is true of the draft Malaysian privacy law, which was not mentioned at the meetings.) Thus, while civil society would prefer strong domestic legislation to adoption of the CBPR scheme alone, there is a risk that a minimalist implementation of the APEC Principles in domestic law could be a worse outcome than a robust implementation of the CBPR scheme, at least in relation to cross border data transfers.
The US delegation, with support from the International Chamber of Commerce (ICC), proposed a new working group to conduct ‘fact-finding’ research on sectoral privacy regulation. The project proposal suggests that this might be aimed at identifying sectoral laws which are a barrier to the operation of the CBPR system. This rang alarm bells not only with Civil Society but also with some privacy regulators, resuscitating previous fears that the APEC initiative might lead to pressure to weaken existing domestic privacy regulation (despite regular protestations that this is not intended).