www.informationpolicycenter.com

A Perspective: Data Flow Governance in Asia Pacific & APEC FrameworkA Perspective: Data Flow Governance in Asia Pacific & APEC Framework

Martin Abrams

October 21, 2008

www.informationpolicycenter.com

My Experience

Lead a global information policy think tank financially supported by 40+ companies

21 years experience in privacy with consistent focus on global data flows

Deep involvement in Asia Pacific over the last five years

Co-organizer of two privacy conferences in China with Professor Zhou Hanhua

2

www.informationpolicycenter.com3

Law in Canada, Hong Kong, New Zealand and Australia based on traditional data protection concepts

US law consumer protection based, but individual autonomy a value

Asian cultural views of individual autonomy are different

However, protection of individuals from the harmful use of information or the negative effects of bad security reamin highly relevant

AP data governance must be inter-operable with this mosaic

International Differences are a Challenge

www.informationpolicycenter.com4

Breaking Privacy into its Elements is HelpfulElements include:

Information security Consumer protection Cultural aspects, such as autonomy

Security and consumer protection are common from place to place, system to system

Autonomy is different everywhere Global companies must build respect for those differences and be

accountable for promises

www.informationpolicycenter.com

Looking at APEC

5

www.informationpolicycenter.com6

APEC Privacy Framework

Developed over the past five years

Based on OECD with a few changes

Prioritization based on prevention of harm

Transfers based on accountability

Domestic implementation – flexible

International implementation – Cross Border Privacy Rules

www.informationpolicycenter.com7

Nine APEC Privacy Principles

1. Preventing Harm – privacy protections should focus on preventing harm and misuse

2. Notice – clear & easily accessible

3. Collection Limitation – collect what’s relevant in a lawful & fair manner

4. Uses of Personal Information – for expected and compatible purposes, with consent, or where necessary

5. Choice – where appropriate, provide clear, accessible mechanism to exercise choice

www.informationpolicycenter.com8

Nine APEC Privacy Principles

6. Integrity – personal information should be appropriate, accurate, complete and up-to-date

7. Security – appropriate safeguards to protect against unauthorized access, use, modification or disclosure

8. Access & Correction – important (but not absolute) rights

9. Accountability – controllers are accountable for compliance with all Principles and must use reasonable steps to ensure that recipients of personal information also comply

www.informationpolicycenter.com

APEC Framework Has Two Pathways

Domestic implementation

International Implementation Governance for the flow of data between APEC members

Basis is Corporate Privacy Rules

9

www.informationpolicycenter.com10

What Are Cross Border Privacy Rules?

A matching of corporate policies against APEC principles

A requirement that organizations honor the obligations that come from local law and promises made when collecting data

Functionally similar to BCRs

Implements accountability principle

www.informationpolicycenter.com

Accountability Rooted In Data Protection History

OECD Principle 8

APEC Principle 9 “A personal information controller should be accountable for

complying with the measures that give effect to the Principles stated above. When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles.”

Canadian Privacy Law

11

www.informationpolicycenter.com12

How Do They Work?

Organization completes documents that demonstrate that it has the capacity to honor a set of cross border privacy rules

The application is reviewed by an accountability agent

The organization’s cross border privacy rules are recognized

Complaints are processed by accountability agents and government agencies that supply oversight

www.informationpolicycenter.com13

Where Do We Stand?

9 APEC pathfinder projects

Cover all aspects of the program Company CBPRs

Approvals

Accountability agents

Cooperation between enforcement agencies

Complaints

Documents being finalized

Testing in 2009

Overseen by Data Privacy Subgroup

www.informationpolicycenter.com

Process Lessons

The APEC process has profited from the active participation of privacy enforcement agencies, governments, civil society and business

Accountability agencies must be answerable and overseen by enforcement agencies, but play an important role in assuring accountability

The globalization of privacy is teaching us many lessons applicable to the future.

14

www.informationpolicycenter.com

How to Reach Me

mabrams@ hunton.com

15