APEC Cross-Border Privacy Rules system nearly in place, but doubts remain

News & Analysis
APEC Cross-Border Privacy Rules system nearly in place, but doubts remain

APEC privacy activity has passed another milestone with the acceptance in July 2012 of the USA as the first economy to formally join the cross border privacy rules (CBPR) system. The CBPR Joint Oversight Panel (JOP), with the Canadian chair of the Data Privacy Subgroup (DPS) standing in for the US member in accordance with the ‘no conflict of interest’ provisions, accepted the US government application, which nominated the Federal Trade Commission (FTC) as the privacy enforcement authority and the FTC Act (15 USC 45) as the privacy law required by the CBPR protocols.

Civil society NGOs have expressed concern about the lack of transparency of the CBPR processes, about the absence of any opportunity for stakeholders to review the US case for membership, and about the unfortunate timing of announcements, with a media release from the US government preceding any official statement from APEC by several days. Technically, the process complied with all the requirements, reflecting the nature of APEC, which does not provide for peer judgements of any economy’s laws or institutions by other members.

The Subgroup has agreed to consider process changes to improve transparency of future applications. The relevant information on the APEC website has significantly improved in the last few months, and there  are now links to both the US ‘notice of intent’ and the ‘findings report’ by the JOP. These explain how the US government believes that the FTC Act provides for enforcement, by the FTC, of the APEC privacy principles as they are implemented in the CBPR system. Many privacy advocates will question whether prohibitions of ‘unfair or deceptive’ conduct in general consumer protection laws can effectively carry the burden of enforcement of the full set of privacy principles, in contrast to purpose designed data protection laws.
Despite the acceptance of the USA into the CBPR system, US businesses will not be able to take advantage of the system to legitimise data transfer to and from other countries until two other milestones are reached. 

Firstly, at least one US organisation will have to be accepted as an Accountability Agent (AA) to play the role of certifying businesses as complying with the CBPR program requirements, monitoring compliance, and dealing with complaints. The recognition criteria for AAs are detailed and quite onerous, and the process for approval of an AA application are more rigorous than for the application by member economies to participate. There will be more notice of and information about applications – at least to member economies and hopefully more publicly – and an opportunity for objections. The US government has invited applications from aspiring AAs, and it is expected that at least the TRUSTe trustmark body will be applying, and will have its application put forward by the US government for approval by APEC. From a civil society perspective, there remain serious question marks as to whether TRUSTe, and other commercial trustmark schemes around the world, will be able to meet the AA recognition criteria. It is hoped that those member economies with specific privacy laws, and their well established privacy enforcement authorities, will ensure that Accountability Agents that do not meet the required standards are not approved. If they are, the integrity of the whole CBPR system and wider APEC Privacy Framework, compared to other international privacy instruments, laws and enforcement mechanisms will be called into question.

Secondly, other APEC member economies will need to formally join the CBPR system, with recognition of their laws, one or more privacy enforcement authorities and one or more Accountability Agents. It is understood that several economies are preparing for the first stages, but it will be some time before there will be the minimum of two fully participating jurisdictions necessary to bring the system to life.

The APEC Data Privacy Subgroup is now well into its new five year work programme at with a further Russian-hosted meeting in Kazan in May 2012 , and agendas being drawn up for the 2013 meetings in Indonesia. APEC Ministers mentioned the CBPR system in their recent statement from meetings in Vladivostok:

We welcome the APEC work to fulfill the 2011 APEC Leaders’ commitment to implement the Cross Border Privacy Rules (CBPR) System in order to reduce barriers to information flows, enhance consumer privacy, and promote interoperability across regional data privacy regimes. We look forward to implementation of the CBPR, including through discussion on the issues of comparability and potential interoperability between the European Union Binding Corporate Rules and APEC CBPR System.” 

This sums up the primary objective of the Data Privacy Subgroup. It remains the case that the US government, working closely with primarily US business interests, is the principal sponsor and US sources provide the bulk of the resources for the work of the Subgroup, for the CBPR JOP, and for associated capacity building activities. These workshops, and the open seminars which normally precede Subgroup meetings, have been focused on promoting the CBPR system as the main way of implementing the APEC Privacy Framework. Discussions on interoperability between APEC CBPR and EU BCRs continue between the US government and the French Data Protection Authority CNIL. Further work also continues on the place of data processors in the CBPR system.  Microsoft is assisting with the development of the website that will support the system.

Some of the seven member economies which have privacy enforcement authorities which are members of the Cross Border Privacy Enforcement Cooperation Arrangement (CPEA), (designed to support the CBPR system but also potentially playing a wider role), continue to emphasise the importance of this side of the implementation of the APEC Privacy Framework, but there is still little evidence to date of practical outcomes from the CPEA.

Another part of the Privacy Subgroup’s continuing charter is to encourage the domestic implementation of the Framework in member economies. Many of the APEC economies that have been developing data protection and privacy laws have continued to adopt the main common features of the existing laws in Europe and elsewhere. These typically include cross border data transfer provisions, which in many cases do not accommodate the APEC CBPR system as neatly as the architects of the system might have hoped. From a civil society perspective, it is re-assuring that many countries still see the need for strong enforceable privacy laws, and have not simply accepted the low-impact APEC model as offering sufficient protection on its own.  

Nigel Waters has represented Privacy International at most meetings of the APEC Data Privacy Subgroup since 2006, but was not able to attend the Russian meetings in 2012. He follows the work of the Subgroup through its papers, periodic teleconferences and email exchanges.