150 likes | 317 Vues
A Perspective: Data Flow Governance in Asia Pacific & APEC Framework. Martin Abrams October 21, 2008. My Experience. Lead a global information policy think tank financially supported by 40+ companies 21 years experience in privacy with consistent focus on global data flows
E N D
A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008
My Experience • Lead a global information policy think tank financially supported by 40+ companies • 21 years experience in privacy with consistent focus on global data flows • Deep involvement in Asia Pacific over the last five years • Co-organizer of two privacy conferences in China with Professor Zhou Hanhua
International Differences are a Challenge • Law in Canada, Hong Kong, New Zealand and Australia based on traditional data protection concepts • US law consumer protection based, but individual autonomy a value • Asian cultural views of individual autonomy are different • However, protection of individuals from the harmful use of information or the negative effects of bad security reamin highly relevant • AP data governance must be inter-operable with this mosaic
Breaking Privacy into its Elements is Helpful • Elements include: • Information security • Consumer protection • Cultural aspects, such as autonomy • Security and consumer protection are common from place to place, system to system • Autonomy is different everywhere • Global companies must build respect for those differences and be accountable for promises
APEC Privacy Framework • Developed over the past five years • Based on OECD with a few changes • Prioritization based on prevention of harm • Transfers based on accountability • Domestic implementation – flexible • International implementation – Cross Border Privacy Rules
Nine APEC Privacy Principles • Preventing Harm – privacy protections should focus on preventing harm and misuse • Notice – clear & easily accessible • Collection Limitation – collect what’s relevant in a lawful & fair manner • Uses of Personal Information – for expected and compatible purposes, with consent, or where necessary • Choice – where appropriate, provide clear, accessible mechanism to exercise choice
Nine APEC Privacy Principles • Integrity – personal information should be appropriate, accurate, complete and up-to-date • Security – appropriate safeguards to protect against unauthorized access, use, modification or disclosure • Access & Correction – important (but not absolute) rights • Accountability – controllers are accountable for compliance with all Principles and must use reasonable steps to ensure that recipients of personal information also comply
APEC Framework Has Two Pathways • Domestic implementation • International Implementation • Governance for the flow of data between APEC members • Basis is Corporate Privacy Rules
What Are Cross Border Privacy Rules? • A matching of corporate policies against APEC principles • A requirement that organizations honor the obligations that come from local law and promises made when collecting data • Functionally similar to BCRs • Implements accountability principle
Accountability Rooted In Data Protection History • OECD Principle 8 • APEC Principle 9 • “A personal information controller should be accountable for complying with the measures that give effect to the Principles stated above. When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles.” • Canadian Privacy Law
How Do They Work? • Organization completes documents that demonstrate that it has the capacity to honor a set of cross border privacy rules • The application is reviewed by an accountability agent • The organization’s cross border privacy rules are recognized • Complaints are processed by accountability agents and government agencies that supply oversight
Where Do We Stand? • 9 APEC pathfinder projects • Cover all aspects of the program • Company CBPRs • Approvals • Accountability agents • Cooperation between enforcement agencies • Complaints • Documents being finalized • Testing in 2009 • Overseen by Data Privacy Subgroup
Process Lessons • The APEC process has profited from the active participation of privacy enforcement agencies, governments, civil society and business • Accountability agencies must be answerable and overseen by enforcement agencies, but play an important role in assuring accountability • The globalization of privacy is teaching us many lessons applicable to the future.
How to Reach Me mabrams@ hunton.com