TRANSCRIPT
Understanding APEC: Nuts and Bolts
IAPP
31 March 2014
Allen Brandt
Chief Privacy Official
Graduate Management Admission Council
Scott Thiel
Foreign Legal Consultant
DLA Piper
Agenda
• US-Europe-Asia: What’s the difference?
• APEC Privacy Framework
• EU-APEC Referential
US-Europe-Asia What’s the difference?
• US: sectoral rules
  • HIPAA, GLBA, FCRA, etc.
• Europe: privacy as a fundamental right
  • Comprehensive requirements
• Asia: somewhere in between
Asia Regulatory Developments
• Broader than the US, generally less restrictive than the EU
• Rapidly changing environment
• Watch for both formal laws and local regulations
APEC Cross Border Privacy Rules System
www.cbprs.org
APEC Cross Border Privacy Rules System
• Designed with same principles in mind that formed the basis for the U.S.-EU Safe Harbor Framework, the OECD Privacy Framework and the EU Directive
• The 21 member economies of APEC comprise a market of 2.7 billion consumers, 55% of world real gross domestic product and 44% of world trade
• United States and Mexico are participating economies. Japan’s application is almost complete and Canada intends to apply shortly
• US contact: Christopher Hoff, Policy Advisor for Asia Privacy Initiatives [email protected]
Privacy as an Economic Engine
The lack of consumer trust and confidence in the privacy and security of online transactions and information networks is one element that may prevent member economies from gaining all of the benefits of electronic commerce.
APEC economies realize that a key part of efforts to improve consumer confidence and ensure the growth of electronic commerce must be cooperation to balance and promote both effective information privacy protection and the free flow of information in the Asia Pacific region.
Personal Information
• Any information about an identified or identifiable individual.
• Natural, living persons
  • Not corporations
• Includes information that when added together, can identify an individual
APEC Information Privacy Principles
• Preventing Harm
• Notice
• Collection Limitation
• Uses of Personal Information
• Choice
• Integrity of Personal Information
• Security Safeguards
• Access and Correction
• Accountability
http://publications.apec.org/publication-detail.php?pub_id=390
Preventing Harm
• Legitimate expectation of privacy
• Measures proportional to likelihood & severity of harm
• Design systems to minimize wrongful collection and misuse
  • Consider a Privacy Impact Assessment & Privacy by Design
Notice
• Clear and accessible statements covering:
  • Information being collected
  • Purposes
  • All potential disclosures
  • Identity & contact details of the information controller
  • Available choices
• Website notices, employee handbook, mobile apps
  • At or near the time of collection
Collection Limitation
• Collection relevant to the purpose and proportionate
• Methods that are lawful and fair
• What about Big Data?
Uses of Personal Information
• Information used only for the purposes stated when collected
• Consider user consent
• Necessary to fulfill requested product or service
• Law enforcement
Choice
• Choice in relation to collection, use, transfer and disclosure of personal information
  • Clear
  • Prominent
  • Easily understandable (including the languages offered)
  • Accessible
  • Affordable mechanisms
Integrity of Personal Information
• Information accurate, complete, up to date
• Very important if you are making decisions about individuals
Security Safeguards
• Safeguards appropriate to the risk, sensitivity, likelihood of harm
• Privacy Impact Assessments and Privacy by Design
• Periodic review
Access & Correction
• Individuals should be able to know what information is being held
  • Reasonable time
  • Costs
  • Reasonable manner
  • Understood form
• Get proof of identity
• Allow people to challenge and correct the data
• Exceptions
  • Burden on company
  • Secrets
Accountability
• Information controller accountable for compliance
• Demonstrate enforceability, promotes user trust
• Third parties
  • Vendor management
  • Selection
  • Contract provisions
  • Audits
• Privacy program management
EU-APEC Referential
• Goal: facilitate cross border data flows between Asia, Europe and the United States
• NOT mutual recognition
  • Potential basis for double certification
• Adequate protection: enforceable obligation
• Scope of protection
• Third parties
• Sensitive information
• Transparency
http://www.apec.org/~/media/Files/Groups/ECSG/20140307_Referential-BCR-CBPR-reqs.pdf
Scott Thiel
Foreign Legal Consultant
DLA Piper
+852 2103 0519

Allen Brandt
Chief Privacy Official
Graduate Management Admission Council
+1 703.668.9719