APEC, EU Data Protection Authorities Group Release Data Transfer Interoperability Map


By Donald G. Aplin  

March 7 -- The European Commission's Article 29 Working Party of data protection officials from the European Union member states and the 21 Asia-Pacific Economic Cooperation (APEC) member economies March 6 made public a document aimed at helping companies navigate the similarities and differences between the two blocs' cross-border data transfer mechanisms.

The new document, known as a “referential,” is the result of a project aimed at comparing, or “mapping,” the differences in the systems and finding ways to move towards interoperability.

The effort was welcomed by privacy trust seal organization TRUSTe Inc., which oversees the application of the APEC system in the U.S.

“This is important for businesses,” TRUSTe Director of Product Policy Joanne Furtsch told Bloomberg BNA March 7. “We are very excited because this highlights greater interoperability to make both systems more effective for a wider range of businesses,” she said.

Cross-Border Rules, BCRs

The referential lists “the main elements generally required by national Data Protection Authorities” in the EU and “the relevant bodies in APEC Economies.”

In the EU, binding corporate rules (BCRs) are binding internal privacy commitments by companies that apply to data transfers within a multinational entity, allowing it to transfer personal data across European Economic Area borders without violating the EU Data Protection Directive (95/46/EC).

APEC's Cross Border Privacy Rules (CBPR) system is based on approval of a company's privacy practices by an independent auditor with government regulators in participating economies acting as an enforcement backstop.

APEC's Data Privacy Subgroup has been working on coordinating APEC's CBPR system with the EU BCR system as part of its general review of the APEC Privacy Framework during the framework's 10-year anniversary (13 PVLR 45, 1/6/14).

In July 2012, the U.S. became the first formal participant in the CBPR system and named the Federal Trade Commission as its backstop regulator (11 PVLR 1191, 7/30/12).

The referential was announced by FTC Chairwoman Edith Ramirez and Isabelle Falque-Pierrotin, head of the French data protection authority (CNIL), who was recently elected to be chairwoman of the Art. 29 Party (13 PVLR 388, 3/3/14).

The Art. 29 Party approved the referential in a formal opinion adopted Feb. 27 and made public March 6.

The FTC also March 6 announced that it had entered into a cross-border personal information protection memorandum of understanding with the U.K. Information Commissioner's Office (see related report).

APEC System Growth

The CBPR system is based on the nine privacy principles set out in the Privacy Framework. APEC leaders pledged to implement the system in a November 2011 declaration.

The APEC CBPR system has accredited only one “accountability agent,” TRUSTe, to certify whether organizations are CBPR-compliant.

TRUSTe in turn has made public some certified companies -- International Business Machines Corp., Merck & Co., and Yodlee Inc. (13 PVLR 264, 2/10/14) -- as being in compliance with CBPR requirements.

Furtsch said that TRUSTe has certified other companies as being in compliance with the CBPR, but the companies have elected not to make their certifications public.

TRUSTe Chief Executive Officer Chris Babel recently told Bloomberg BNA that he expected that 15 of the 21 APEC member economies will have joined the CBPR system by 2015 (13 PVLR 264, 2/10/14).

EU Surveillance Concerns

Meanwhile, some EU lawmakers have promoted the expanded use of BCRs as part of their move to replace the Data Protection Directive, which requires transposition into national law by each EU member state, with a harmonized data protection regulation for the entire bloc.

But in the wake of revelations of government surveillance efforts, there have been calls to disallow the use of BCRs “where it is established that the law to which the data importer is subject imposes upon him requirements which go beyond the restrictions necessary in a democratic society” (13 PVLR 97, 1/13/14).

The European Parliament is slated to vote March 12 on the proposed regulation as well as on a nonbinding resolution on surveillance (see related report).

To contact the reporter on this story: Donald G. Aplin in Washington at daplin@bna.com

To contact the editor responsible for this story: Katie W. Johnson at kjohnson@bna.com


The referential, Joint work between experts from the Article 29 Working Party and from APEC Economies, on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross Border Privacy Rules submitted to APEC CBPR Accountability Agents, is available at http://www.apec.org/~/media/Files/Groups/ECSG/20140307_Referential-BCR-CBPR-reqs.pdf.

The Art. 29 Working Party's Opinion 02/2014 on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities in the EU and Cross Border Privacy Rules submitted to APEC CBPR Accountability Agents is available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2014/wp211_en.pdf.
