One of the sessions I attended at the IAPP Privacy Academy this past week was “APEC Update – Self Regulatory Approaches to Cross Border Transfers of Personal Data.” The presenters were: Pamela Jones Harbour, Commissioner, Federal Trade Commission (FTC), Marty Abrams, Executive Director, Center for Information Policy Leadership, and Fran Maier, Executive Director and President, TRUSTe.
It was an interesting session, and I got some good information during the quick hour.
Here are my notes as I took them (admittedly sketchy in places…but, hey, they’re notes!):
* Pamela Jones Harbour:
– The U.S. will lead the Pathfinder project.
– Australia provides a good flexible model for Cross Border Privacy Rules (CBRs).
– Goal of CBRs: to preserve privacy of data going outside country borders. Countries need to determine, will the APEC privacy framework work for them?
– There is widespread misunderstanding about the APEC framework, Pathfinder project and the CBRs. Many have erroneously reported that the APEC privacy framework will only go into effect AFTER harm from incidents has occurred. This is WRONG. The APEC framework is meant to help protect and prevent harm.
– U.S. approach will include self regulation in addition to regulatory oversight.
– Trustmarks can refer violators to the FTC.
– U.S. implementation has 4 elements from the FTC perspective:
1) Self Assessment: what qualifies organizations to participate? Consultation and vetting of rules.
2) Review and Accredit (by Trustmarks) organizations for participation.
3) Create procedure to communicate the list of certified organizations to other countries. The Department of Commerce will enforce.
4) Dispute resolution & enforcement: FTC and other government agencies will enforce.
– OECD recently issued guidance for cross border data sharing.
– They (FTC) will launch a test pilot in January 2008.
* Marty Abrams:
– “There is nothing self regulatory about the APEC framework.” If an organization is not complying with the APEC framework after they indicate participation, they are subject to Section 5 of the FTC Act (unfair and deceptive business practices).
– Described a hypothetical 5-country situation for the APEC framework.
– Discussed the accountability concepts.
– It will be easier to qualify individual organizations to be “adequate” (a safe entity) than it will be for qualifying an entire country. For example, the EU has identified the countries that they consider as having adequate security and privacy protections. It will be better through the APEC framework to determine if each organization has adequate protections. [To me this makes much more sense than the country-level determination.]
– Principle 8 of the APEC framework, the adequacy concept, is in many ways an updating of the corresponding OECD privacy principle.
– The accountability concept in the FTC Act is going to be applied when sending data outside the U.S.
– Organizations must demonstrate:
1) Privacy policies and procedures match to APEC framework; they must prove this to Trustmarks.
2) Show they are accountable for the statements they make about privacy protections.
– Predicts the APEC framework will spread worldwide and define how BCRs are created in Europe.
– Accountability agents (Trustmarks) will operate with the backing and support of the U.S. government.
* Fran Maier:
– TRUSTe was selected for the Pathfinder accountability test.
– Why are Trustmarks considered the accountability agent?
1) Flexibility
2) Practical knowledge
3) Doing 10th update to stay current
4) Very responsive
5) Evaluate – elevate – reward (the basic Trustmark process)
* Q&A:
– Will current EU Safe Harbor participation have an impact on qualifying for Pathfinder/APEC framework? If organizations are currently participating in the EU Safe Harbor program, they will find they already have much of the Pathfinder work done, but just being in Safe Harbor is not a shoo-in for Pathfinder participation. Safe Harbor participants will still have to fill in the paperwork and provide all the same types of documentation that the non-Safe Harbor applicants must provide.
– New term is “accountability agent.”
– CBR versus APEC? CBRs are individual agreements with ~27 EU countries. If an organization has a process for CBRs it will facilitate APEC compliance, but it will not be a replacement.
– Does APEC put the burden on consumers to establish harm? One of the 9 principles is preventing harm. You can show actual harm, potential harm and prevention of harm.
– Listen to the statement from the Australian commissioner.
– What will be the enforcement mechanism? Memorandums of understanding.
– Any plans to lift the concept of the APEC framework to World Trade Organization (WTO) levels? No; this would be inappropriate. The WTO involves the White House and other heads of state. The APEC framework is focused on getting the regulatory agencies within each of the countries to work together.
Tags: APEC, awareness and training, Center for Information Policy Leadership, cross border privacy rules, Fran Maier, FTC, identity theft, Information Security, IT compliance, Marty Abrams, medical identity theft, Pamela Jones Harbour, pathfinder, policies and procedures, privacy, privacy framework, risk management, safe harbor, truste