Data Protection Advances in APEC
"Supply and distribution chains are becoming more globally integrated," said Joe Ahladeff, Oracle's Vice President of Global Public Policy, who spoke at the opening session of the First Technical Assistance Seminar on Cross-Border Privacy Rules (CBPRs) in Canberra, Australia held on 22 23 January. "The Internet has created a global marketplace that drives both price and service competition across regions. Consumers are freed from reliance on local vendors."
Due to the importance of protecting personal information and the proliferation of e commerce, the APEC privacy initiative was launched to include the development of the APEC Privacy Framework and seminars to help economies implement privacy law.
In their 2006 Annual Statement, APEC Ministers emphasized the need to ensure "responsible and accountable cross border information flows and effective privacy protection without creating unnecessary barriers".
They also acknowledged the role that the cross-border rules concept could play in achieving this goal. In their statement, Ministers "encouraged Officials to facilitate this goal by developing and disseminating implementation frameworks such as best practices for cross-border rules".
Cross-border privacy rules are a set of rules developed by an organization. The organization then commits to apply these rules to its activities involving transfers of personal information across borders. With the wide range of approaches to privacy frameworks applying to personal information across APEC economies, APEC has decided that facilitating the use of, compliance with and enforcement of CBPRs was a particularly good place to start for implementing the APEC Privacy Framework as it applies to personal information when it moves across borders.
Addressing this need, the seminar, organized by the APEC Electronic Commerce Steering Group's Data Privacy Sub-Group, is the most recent step in the development and implementation of the APEC Privacy Framework.
Business, government and consumer groups focused on the implementation of cross-border privacy rules as a way of ensuring accountability of information flows to make organizations keep their original privacy promise to the customer.
In a number of APEC economies, the privacy promise that an organization makes is backed by data protection regulation. However, the challenge is that while regulation is mainly bound to a domestic jurisdiction and can only 'see' and regulate the information flows in that jurisdiction data processing has become increasingly global.
Trust in the protection given to personal information wherever it is processed or used is a central issue with the global integration of information processing. Leading organizations in APEC are seeking ways of giving individuals reason to trust in the simplest and most efficient way possible. Nonetheless, organizations are often forced to bear the burden of compliance overlap or design expensive legal contracts to protect privacy. Unless these issues are addressed, there is a risk of brand damage because of a lack of customer trust and this, in turn, has the potential to retard economic growth in the region.
Lisa Thomson, Chief Privacy Officer of National Australia Bank, pointed to the media controversy that is often generated when finance organizations in Australia send information between economies. She believes this is made worse by a lack of public confidence in cross-border privacy protection.
Australian Attorney General Phillip Ruddock, who opened the conference, emphasized that implementation of cross-border privacy rules and the APEC Privacy Framework could be used to reduce the accountability gap when personal information flows between domestic jurisdictions.
"What makes the APEC Privacy Framework distinctive is the focus on practical implementation of consistent privacy protection within a regional context. A key feature of the framework is the need to maintain accountability in the flow of information among APEC economies and trading partners," said Attorney General Ruddock.
"It is vital for businesses to have clear and simple ways of complying with basic principles for the protection of people's personal information" Mr. Ruddock added.
Regulators have already begun to take some steps to address cross-border enforcement. A memorandum of understanding has been signed between Australian and New Zealand Privacy Commissioners while Canadian and US regulators have conducted information sharing to aid enforcement. The Asian Trustmark Alliance is also seeking to respond to the challenges presented by cross border information flows.
The diverse regulatory approaches of the different APEC economies was one of the major challenges in finding a suitable model. The seminar met this challenge and was successful in developing broad agreement on an implementation model that contained sufficient flexibility to allow for this diversity while being robust enough to be trustworthy. Leading experts in regulatory development from other arenas agreed that the most suitable regulatory model for a pathfinder project in the APEC region would be a 'choice of approach' model to assess the compliance of an organization's cross-border privacy rules with the APEC Privacy Framework.
"The most effective way of implementing regulation is to work with willing parties to create a norm of civilized practice," said Professor John Braithwaite an expert in responsive regulation from the Australian National University. "Then, gradually expand the scope of regulatory focus to include capacity development, restorative justice, deterrence and finally incapacitation of irrational actors who will not adhere to regulation."
Former Auditor General of Australia, Pat Barrett, discussed how to develop a regulatory framework that can achieve public confidence while facilitating business efficiency. This can be achieved by specifying in the regulation appropriate requirements for desired outcomes or desired practices whose delivery can be observed. In other words, regulation can be targeted towards conformance or performance.
"Different forms of regulation such as internal governance mechanisms, external audits, and regulator oversight can help to strike the right balance between conformance and performance to achieve public confidence with responsive regulation that encourages business efficiency," said Mr. Barrett.
Summing up the seminar's discussion David Loukidelis, Privacy Commissioner for the District of British Columbia in Canada, said "It's important to make a start with a pathfinder project for cross-border privacy rules. Identifying a fixable problem and tackling it begins a process of confidence building."
The seminar reached the view that a key feature of the pathfinder regulatory model would be the identification of a designated review entity in each economy. This entity could be either a private assessment firm or a regulator combined with maintaining a process of government sanctioned law enforcement even if only available as a measure of last resort. The model also required a forum for designated review entities to standardize the approach to reviews of organizations wishing to be recognized as having in place CBPRs that complied with the APEC Privacy Framework.
Under this model, a list of compliant businesses could be posted on an APEC Privacy Framework website, along with guidance material for stakeholders, including both business and individuals. Such an online 'shopfront' could also help consumers to lodge complaints in the one place. From there complaints would then be distributed to the appropriate economies for investigation and action.
Following the seminar, the Data Privacy Sub-Group discussed what it would do to implement this model as projects within a pathfinder framework. The meeting supported the proposal of the seminar group that cross-border privacy rules had to be flexible, credible and enforceable to be implemented in a range of economies. The Data Privacy Sub-Group is developing a framework for implementation of the choice of approach model and conducting further discussion about mechanisms for cross-border enforcement amongst privacy and consumer regulators in the APEC region.
The second seminar, to be held in Cairns, Australia in June 2007, will help shape the future compliance regime for personal information that moves between APEC economies.