
A Perspective: Data Flow Governance in Asia Pacific & APEC Framework

A Perspective: Data Flow Governance in Asia Pacific & APEC Framework. Martin Abrams October 21, 2008. My Experience. Lead a global information policy think tank financially supported by 40+ companies 21 years experience in privacy with consistent focus on global data flows


Presentation Transcript


  1. A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008

  2. My Experience • Lead a global information policy think tank financially supported by 40+ companies • 21 years experience in privacy with consistent focus on global data flows • Deep involvement in Asia Pacific over the last five years • Co-organizer of two privacy conferences in China with Professor Zhou Hanhua

  3. International Differences are a Challenge • Law in Canada, Hong Kong, New Zealand and Australia based on traditional data protection concepts • US law consumer protection based, but individual autonomy a value • Asian cultural views of individual autonomy are different • However, protection of individuals from the harmful use of information or the negative effects of bad security remain highly relevant • AP data governance must be inter-operable with this mosaic

  4. Breaking Privacy into its Elements is Helpful • Elements include: • Information security • Consumer protection • Cultural aspects, such as autonomy • Security and consumer protection are common from place to place, system to system • Autonomy is different everywhere • Global companies must build respect for those differences and be accountable for promises

  5. Looking at APEC

  6. APEC Privacy Framework • Developed over the past five years • Based on OECD with a few changes • Prioritization based on prevention of harm • Transfers based on accountability • Domestic implementation – flexible • International implementation – Cross Border Privacy Rules

  7. Nine APEC Privacy Principles • Preventing Harm – privacy protections should focus on preventing harm and misuse • Notice – clear & easily accessible • Collection Limitation – collect what’s relevant in a lawful & fair manner • Uses of Personal Information – for expected and compatible purposes, with consent, or where necessary • Choice – where appropriate, provide clear, accessible mechanism to exercise choice

  8. Nine APEC Privacy Principles • Integrity – personal information should be appropriate, accurate, complete and up-to-date • Security – appropriate safeguards to protect against unauthorized access, use, modification or disclosure • Access & Correction – important (but not absolute) rights • Accountability – controllers are accountable for compliance with all Principles and must use reasonable steps to ensure that recipients of personal information also comply

  9. APEC Framework Has Two Pathways • Domestic implementation • International Implementation • Governance for the flow of data between APEC members • Basis is Corporate Privacy Rules

  10. What Are Cross Border Privacy Rules? • A matching of corporate policies against APEC principles • A requirement that organizations honor the obligations that come from local law and promises made when collecting data • Functionally similar to BCRs • Implements accountability principle

  11. Accountability Rooted In Data Protection History • OECD Principle 8 • APEC Principle 9 • “A personal information controller should be accountable for complying with the measures that give effect to the Principles stated above. When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles.” • Canadian Privacy Law

  12. How Do They Work? • Organization completes documents that demonstrate that it has the capacity to honor a set of cross border privacy rules • The application is reviewed by an accountability agent • The organization’s cross border privacy rules are recognized • Complaints are processed by accountability agents and government agencies that supply oversight

  13. Where Do We Stand? • 9 APEC pathfinder projects • Cover all aspects of the program • Company CBPRs • Approvals • Accountability agents • Cooperation between enforcement agencies • Complaints • Documents being finalized • Testing in 2009 • Overseen by Data Privacy Subgroup

  14. Process Lessons • The APEC process has profited from the active participation of privacy enforcement agencies, governments, civil society and business • Accountability agencies must be answerable and overseen by enforcement agencies, but play an important role in assuring accountability • The globalization of privacy is teaching us many lessons applicable to the future.

  15. How to Reach Me mabrams@hunton.com
