Some governments “restrict the free flow of data, weakening the internet economy by requiring government approval of data transfer and data localization,” according to U.S. Commerce Secretary Wilbur Ross. Speaking at a U.S. Chamber of Commerce event on March 26, he said that part of the American commitment to eliminating barriers to cross-border data trade is our leadership in establishing the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR), which “ensure safe and free cross border data flows.”
The APEC CBPR are based on non-binding principles, adopted by APEC countries including the U.S., that draw on the Fair Information Privacy Practices. They were conceived to protect consumer privacy while promoting digital commerce across the Asia-Pacific region. Participating companies certify their compliance with the CBPR and with domestic laws in the economies in which they operate, after having their privacy policies and practices evaluated by independent third-party verifiers (known as Accountability Agents), who monitor and enforce companies' compliance.
To date, only 23 companies worldwide have been certified to the CBPR (including Merck, an Insights Association corporate research department member). And “U.S. enforcement authorities take these commitments seriously,” Secretary Ross pointed out. The Federal Trade Commission (FTC) goes after companies making false statements of compliance or certification to the CBPR, just as it does with the U.S.-EU Privacy Shield.
In a world of digital uncertainty, Ross said, the APEC CBPR “system provides consumers confidence that their personal information will be protected when using online products and services.”
FTC Chair Maureen Ohlhausen asserted that the APEC CBPR system “facilitates privacy-protected data transfers” in the region and “is a step in the direction of global interoperability.” She asserted that it “stands to benefit all stakeholders,” with consumers benefiting “from key privacy and data security protections,” like adequate notice and choice, third-party verification and enforcement. CBPR adherence can also mean “better compliance with domestic U.S. laws,” since there is “significant overlap between CBPR program requirements and US privacy laws,” and the public commitment to being certified is prosecutable if any false claims are made.
According to FTC staff who presented at the event, the FTC follows a set process for determining how to handle data violations of any sort, including the extent of the violation of a relevant law, the steps a company took to comply, and the steps a company took to remediate. Meanwhile, there are some 50 different program requirements just to get started with the CBPR. “That a company has demonstrated compliance with all that,” said one FTC staffer, “is a significant demonstration” of compliance, or at least the intention to comply, and provides a process for remediation – the FTC would consider that front-and-center as part of how the agency responds to any violations at the CBPR-adherent company.
To join the CBPR program, a company must be a resident of an APEC-member nation. There is a ton of paperwork necessary to demonstrate compliance with those 50 program requirements, which must be submitted to governing authorities.
Anick Fortin-Cousens, privacy officer for IBM in Canada, Latin America, the Middle East & Africa, noted that IBM was the first company certified to join the Cross Border Privacy Rules. “IBM saw that the data ecosystem was getting more complex,” she said, because the company had a “different vantage point than most” companies. Recognizing that “it was only going to get more complex,” IBM knew that “more opaque users of data would be a part of that system,” and the company could soon see a day where companies couldn’t just claim compliance with some law in order to demonstrate their trustworthiness to customers and government agencies. “That is why IBM joined” CBPR. Fortin-Cousens said that IBM appreciated being able to just certify once and benefit from the economy of scale of only having to do so in one country to be able to benefit across the APEC region.
Harvey Jang, Cisco’s Director of Global Data Protection & Privacy Counsel, explained his company’s interest in CBPR certification quite plainly: “every country has privacy laws on the books,” and Cisco operates in nearly every country around the world. Further, Cisco clients (like IBM) often have high standards and expectations, so Cisco saw a “greatest common multiplier” in joining CBPR. Jang said that the CBPR provides detailed documentation of an optimized privacy program, which helps a company satisfy curious or demanding clients, customers and vendors, as well as government authorities.
The biggest help for Cisco comes “with customers,” suggested Jang, since “privacy is no longer just a matter of private contract, but a public commitment that is enforceable” by all the APEC enforcers (like the FTC), which provides “comfort” to customers that they will be protected. He insisted that CBPR didn’t “momentously change how we handled privacy, but provided the paper trail and demonstration of what we do,” making it particularly easy to sign up for the U.S.-EU Privacy Shield because “all the documents were ready to go.”
The CBPR “privacy framework is flexible and interoperable across the APEC countries,” Jang asserted, and “if you can’t live up to the privacy principles, then you probably aren’t compliant with any of the APEC countries’ privacy laws.”
Bonnie Yeomans, VP, Assistant General Counsel and Privacy Officer at CA Technologies, remarked that his company already had a “strong privacy program” and other cross border programs in place, partially just to get ready for the European Union’s General Data Protection Regulation (GDPR). While he said that it took his company six years to get approved for the EU’s Binding Corporate Rules, having already gone through that process made CBPR certification a relatively quick process (an estimated six months).
A dispute resolution function has to be in place for CBPR to work, noted Josh Harris, director of international regulatory affairs at TrustArc (formerly known as TRUSTe), which provides that for companies. The company publishes data on CBPR complaints, of which there were 191 last year. Harris said that “65-70% were nonsensical inputs in an open field,” while most of the remaining third were issues outside of the scope of resolution (like “I forgot my password”), and only about seven cases constituted actual complaints about a CBPR violation.
A member of the audience asked why, if the CBPR rules were designed for small and medium-sized businesses, “none have certified to them?” Lots of such companies are in the throes of getting ready for GDPR. “Are you going to require your vendors and partners to be CBPR-compliant,” he asked of the company representatives on stage, since that is what drives most companies to get GDPR-compliant.
Harris replied that the “program requirements are flexible,” but range from no proof (simple self-attestation) to a full-on company-wide audit. TrustArc demands some evidence of compliance. “Considering this would have applicability across 21 different countries,” he said, “there needed to be proof-points built in.” Harris insisted that CBPR can scale up and scale down.
Jang concluded that “taking the most restrictive privacy approach” in your privacy practices and programs “makes it simpler to work across borders. That is the sort of thing we expect of our vendors and partners.”