Events on data protection held during the APEC senior officials meeting in San Francisco earlier this month marked the completion of the APEC Cross Border Privacy Rules (CBPR) Pathfinder project. USCIB and its members have been active participants in the development of the APEC Privacy Framework and its implementation, including the CBPR Pathfinder, which was launched in 2007.
The purpose of the CBPR system, which companies will be able to voluntarily participate in after its launch next year, is to ensure that personal information continues to be protected when it is transferred to another participating APEC member economy, without unnecessarily hindering the flow of vital business information across borders. The CBPR system is based on a four-step process: self-assessment, a compliance review by an accountability agent, recognition, and dispute resolution and enforcement, underpinned by a cross-border enforcement agreement signed by regulators in 2009.
In San Francisco, Heather Shaw, USCIB’s vice president for ICT policy, organized an APEC-funded workshop on the “APEC Cross-Border Privacy Rules: The Value Proposition for Industry, Consumers and Governments.” More than 90 participants from across the APEC region joined the workshop, which won high praise from a number of USCIB members. Following upon several capacity-building workshops, held in conjunction with previous APEC meetings, that established an understanding of the purpose of the CBPR, workshop participants examined a cost/benefit analysis of participating in the cross-border privacy rules system, and identified issues to be addressed in its implementation.
Panelists at the workshop called the CBPR system unique, in that its development served as an opportunity for stakeholders to shape a new framework, as opposed to a top-down process imposed by regulators. Initial participants in the CBPR program are expected to be global companies who are early-adopters, have existing company privacy standards in place, and want predictability and mechanisms to demonstrate their programs.
“In general, companies following the development of CBPRs believe that the process holds a lot of promise, especially in its potential to be a stepping-stone to global interoperability across data protection regimes,” said USCIB’s Ms. Shaw.
Panelists considering the system from a consumer perspective saw the key benefits as lowered cost and more efficient processing of data, but mentioned the need for flexibility and an ability for the system to be able to account for new uses of information and technological abilities. Another panel featured privacy regulators from Canada, New Zealand, Chinese Taipei and France, who discussed the benefits of certification, confirmation and demonstration of compliance, and their experience with reviewing and approving private sector codes. To them, CBPRs present an opportunity for new spaces for regulators and new ways to encourage compliance.
Future work is expected to consider how to make the CBPR system interoperable with other validation mechanisms, such as the European Union’s binding corporate rules on privacy or sector-specific regulatory examination processes. This could lower costs and mitigate barriers to participation, by allowing companies to build on what has already been done and focus on the gap needed to demonstrate compliance with the APEC framework. Delegates in San Francisco pledged to continue discussions, and to respond to a proposal tabled by USCIB toward this end during the 2012 APEC process.