
Developments in International Organisations

What’s up in APEC?

Blair Stewart, Assistant Privacy Commissioner

APEC member economies

APEC’s economic significance

World: 6.8 billion, US$38 trillion, US$58 trillion
APEC: 2.7 billion, US$17 trillion, US$32 trillion

APEC mission statement

• APEC is the premier Asia-Pacific economic forum. Our primary goal is to support sustainable and prosperity in the Asia-Pacific region.

• We are united in our drive to build a dynamic and harmonious Asia-Pacific community by championing and open and , promoting and accelerating regional economic integration, encouraging economic and technical cooperation, enhancing human security, and facilitating a favourable and sustainable business environment. Our initiatives turn policy goals into concrete results and agreements into tangible benefits.

APEC privacy milestones

• 1998 – Blueprint for action on E-commerce: Electronic Commerce Steering Group (ECSG) established
• 2001 – e-APEC strategy includes focus upon data protection and consumer trust
• 2003 – ECSG Data Privacy Subgroup (DPS) established
• 2005 – APEC Privacy Framework
• 2006 – Data Privacy Individual Action Plans (IAPs) lodged for each economy, domestic capacity building
• 2007 – Data Privacy Pathfinder
• 2009 – Cross-border Privacy Enforcement Arrangement (CPEA)
• 2011 – Cross-Border Privacy Rules (CBPR) system finalised

APEC privacy documentation and institutions

[Diagram: APEC privacy institutions and documents]

• Committee on Trade and Investment (CTI)
• Electronic Commerce Steering Group (ECSG)
• Data Privacy Subgroup (DPS)
• CPEA Administrators
• CBPR Joint Oversight Panel (JOP): to be established 2012
• APEC Privacy Framework 2005
• CPEA documents 2010
• CBPR system: to be available late 2011

Latest development: CBPR system

• In development since 2008 through Data Privacy Pathfinder
  – First major element (CPEA) endorsed 2009
• Approved by CTI September 2011, subject to APEC Ministerial endorsement
• Implementation work in earnest 2012+
  – Multi-year project planned for 2012-15 to support the effective and efficient roll out of CBPR

CBPR rationale

• A system to recognise organisations’ cross-border privacy rules across the APEC region
• Organisations remain responsible to comply with
• Aim to facilitate responsible and accountable cross border transfers and privacy protections without creating unnecessary barriers to information flows and avoiding unnecessary bureaucratic burdens for businesses or consumers

– See APEC Privacy Framework, clauses 46-48

• Objective to protect information if it travels to another participating APEC economy

Next Generation Trade and Investment Issues

The Cross-Border Privacy Rules system will recognize the privacy rules developed by business organizations by providing minimum standards, compliance structures, and enforcement support that will work to hold organizations accountable for compliance with the rules they develop

– ECSG report to CTI, September 2011

CBPR recognition process at a glance

[Diagram: CBPR recognition process]

• Detailed self assessment by applicant organisation using APEC approved questionnaire
• APEC recognised Accountability Agent to assess organisation’s completed questionnaire (and may assist it to meet programme requirements)
• Addition to directory of participants
• Certified as compliant
• Repeat process periodically

CBPR enforcement at a glance

The CBPR system to be enforceable by Accountability Agents and Privacy Enforcement Authorities:
– Accountability Agents able to enforce CBPR program requirements through or contract; and
– Privacy Enforcement Authorities able to take enforcement action under applicable domestic laws & regulations that have the effect of protecting personal information consistent with the CBPR program requirements.

[Diagram: Privacy Enforcement Authorities; Accountability Agents]

A point of divergence: Accountability Agents

• CBPR system assigns key roles to Accountability Agents with statutory enforcement bodies held in reserve
• Mechanisms are created to ensure that AAs are themselves trustworthy, held to account and operate in consistent ways
• Accountability Agents:
  – May be better suited to the assessment, certification and re-certification roles given flexibilities and abilities to scale up or down to demand, and to the size and complexity of businesses, than enforcement authorities
  – Provide a useful adjunct in dispute resolution to the more formal processes of Enforcement Authorities
  – May prove especially useful in cross-border cases where enforcement authorities face particularly complex jurisdictional challenges

Interoperability: A promising issue to explore

• No formal DPS positions on inter-operability but September 2011 meeting started a discussion informed by a draft ICC paper

• Personal viewpoint:
  – Continued efforts at inter-operability in enforcement cooperation essential since domestic/regional solutions not well matched to global business models
  – CBPRs have elements that might be made to work well with other broadly compatible schemes (recognised ISO 27000 series audits? BCRs?) to avoid costly duplication of effort without sacrificing reliable demonstration of accountability