www.informationpolicycenter.com a perspective: data flow governance in asia pacific & apec...
TRANSCRIPT
![Page 1: Www.informationpolicycenter.com A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008](https://reader036.vdocument.in/reader036/viewer/2022081516/56649eb45503460f94bbd0b7/html5/thumbnails/1.jpg)
www.informationpolicycenter.com
A Perspective: Data Flow Governance in Asia Pacific & APEC FrameworkA Perspective: Data Flow Governance in Asia Pacific & APEC Framework
Martin Abrams
October 21, 2008
![Page 2: Www.informationpolicycenter.com A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008](https://reader036.vdocument.in/reader036/viewer/2022081516/56649eb45503460f94bbd0b7/html5/thumbnails/2.jpg)
www.informationpolicycenter.com
My Experience
Lead a global information policy think tank financially supported by 40+ companies
21 years experience in privacy with consistent focus on global data flows
Deep involvement in Asia Pacific over the last five years
Co-organizer of two privacy conferences in China with Professor Zhou Hanhua
2
![Page 3: Www.informationpolicycenter.com A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008](https://reader036.vdocument.in/reader036/viewer/2022081516/56649eb45503460f94bbd0b7/html5/thumbnails/3.jpg)
www.informationpolicycenter.com3
Law in Canada, Hong Kong, New Zealand and Australia based on traditional data protection concepts
US law consumer protection based, but individual autonomy a value
Asian cultural views of individual autonomy are different
However, protection of individuals from the harmful use of information or the negative effects of bad security reamin highly relevant
AP data governance must be inter-operable with this mosaic
International Differences are a Challenge
![Page 4: Www.informationpolicycenter.com A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008](https://reader036.vdocument.in/reader036/viewer/2022081516/56649eb45503460f94bbd0b7/html5/thumbnails/4.jpg)
www.informationpolicycenter.com4
Breaking Privacy into its Elements is HelpfulElements include:
Information security Consumer protection Cultural aspects, such as autonomy
Security and consumer protection are common from place to place, system to system
Autonomy is different everywhere Global companies must build respect for those differences and be
accountable for promises
![Page 5: Www.informationpolicycenter.com A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008](https://reader036.vdocument.in/reader036/viewer/2022081516/56649eb45503460f94bbd0b7/html5/thumbnails/5.jpg)
www.informationpolicycenter.com
Looking at APEC
5
![Page 6: Www.informationpolicycenter.com A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008](https://reader036.vdocument.in/reader036/viewer/2022081516/56649eb45503460f94bbd0b7/html5/thumbnails/6.jpg)
www.informationpolicycenter.com6
APEC Privacy Framework
Developed over the past five years
Based on OECD with a few changes
Prioritization based on prevention of harm
Transfers based on accountability
Domestic implementation – flexible
International implementation – Cross Border Privacy Rules
![Page 7: Www.informationpolicycenter.com A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008](https://reader036.vdocument.in/reader036/viewer/2022081516/56649eb45503460f94bbd0b7/html5/thumbnails/7.jpg)
www.informationpolicycenter.com7
Nine APEC Privacy Principles
1. Preventing Harm – privacy protections should focus on preventing harm and misuse
2. Notice – clear & easily accessible
3. Collection Limitation – collect what’s relevant in a lawful & fair manner
4. Uses of Personal Information – for expected and compatible purposes, with consent, or where necessary
5. Choice – where appropriate, provide clear, accessible mechanism to exercise choice
![Page 8: Www.informationpolicycenter.com A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008](https://reader036.vdocument.in/reader036/viewer/2022081516/56649eb45503460f94bbd0b7/html5/thumbnails/8.jpg)
www.informationpolicycenter.com8
Nine APEC Privacy Principles
6. Integrity – personal information should be appropriate, accurate, complete and up-to-date
7. Security – appropriate safeguards to protect against unauthorized access, use, modification or disclosure
8. Access & Correction – important (but not absolute) rights
9. Accountability – controllers are accountable for compliance with all Principles and must use reasonable steps to ensure that recipients of personal information also comply
![Page 9: Www.informationpolicycenter.com A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008](https://reader036.vdocument.in/reader036/viewer/2022081516/56649eb45503460f94bbd0b7/html5/thumbnails/9.jpg)
www.informationpolicycenter.com
APEC Framework Has Two Pathways
Domestic implementation
International Implementation Governance for the flow of data between APEC members
Basis is Corporate Privacy Rules
9
![Page 10: Www.informationpolicycenter.com A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008](https://reader036.vdocument.in/reader036/viewer/2022081516/56649eb45503460f94bbd0b7/html5/thumbnails/10.jpg)
www.informationpolicycenter.com10
What Are Cross Border Privacy Rules?
A matching of corporate policies against APEC principles
A requirement that organizations honor the obligations that come from local law and promises made when collecting data
Functionally similar to BCRs
Implements accountability principle
![Page 11: Www.informationpolicycenter.com A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008](https://reader036.vdocument.in/reader036/viewer/2022081516/56649eb45503460f94bbd0b7/html5/thumbnails/11.jpg)
www.informationpolicycenter.com
Accountability Rooted In Data Protection History
OECD Principle 8
APEC Principle 9 “A personal information controller should be accountable for
complying with the measures that give effect to the Principles stated above. When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles.”
Canadian Privacy Law
11
![Page 12: Www.informationpolicycenter.com A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008](https://reader036.vdocument.in/reader036/viewer/2022081516/56649eb45503460f94bbd0b7/html5/thumbnails/12.jpg)
www.informationpolicycenter.com12
How Do They Work?
Organization completes documents that demonstrate that it has the capacity to honor a set of cross border privacy rules
The application is reviewed by an accountability agent
The organization’s cross border privacy rules are recognized
Complaints are processed by accountability agents and government agencies that supply oversight
![Page 13: Www.informationpolicycenter.com A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008](https://reader036.vdocument.in/reader036/viewer/2022081516/56649eb45503460f94bbd0b7/html5/thumbnails/13.jpg)
www.informationpolicycenter.com13
Where Do We Stand?
9 APEC pathfinder projects
Cover all aspects of the program Company CBPRs
Approvals
Accountability agents
Cooperation between enforcement agencies
Complaints
Documents being finalized
Testing in 2009
Overseen by Data Privacy Subgroup
![Page 14: Www.informationpolicycenter.com A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008](https://reader036.vdocument.in/reader036/viewer/2022081516/56649eb45503460f94bbd0b7/html5/thumbnails/14.jpg)
www.informationpolicycenter.com
Process Lessons
The APEC process has profited from the active participation of privacy enforcement agencies, governments, civil society and business
Accountability agencies must be answerable and overseen by enforcement agencies, but play an important role in assuring accountability
The globalization of privacy is teaching us many lessons applicable to the future.
14
![Page 15: Www.informationpolicycenter.com A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008](https://reader036.vdocument.in/reader036/viewer/2022081516/56649eb45503460f94bbd0b7/html5/thumbnails/15.jpg)
www.informationpolicycenter.com
How to Reach Me
mabrams@ hunton.com
15