Interoperable Solutions for Cross Border Data Transfers – APEC, CBPR, BCR from TRUSTe

Solutions for Cross Border Data Transfers: APEC CBPRs, BCRs and Global Interoperability

December 9, 2015

Privacy Insight Series

Today’s Speakers

• Josh Harris, Director of Policy, TRUSTe
• Hilary Wandall, AVP Compliance & Chief Privacy Officer, Merck & Co., Inc.
• Melinda Claybaugh, Counsel for International Consumer Protection, Federal Trade Commission


Agenda
• Welcome
• Global Interoperability and the Safe Harbor Ruling (Josh Harris)
• Interoperability in Practice: Utilizing CBPR Certification to Demonstrate Requirements for BCR Approval (Hilary Wandall)
• Cross-Border Enforcement Co-operation (Melinda Claybaugh)
• Q&A


Global Interoperability and the Safe Harbor Ruling

Josh Harris, Director of Policy, TRUSTe


Prospects for a Renewed Safe Harbor
• US Secretary of Commerce: “A solution is within hand. We had an agreement prior to the court case. I think with modest refinements that are being negotiated we could have an agreement shortly.”
• EU Justice Commissioner Jourová: “… The Commission aims to conclude negotiations in January 2016.”
• Current Negotiation Activities:
  - EU Delegation to DoC in November
  - December 17 Stocktake


APEC Update

Economy-Level Updates:
• Japan
• China
• Mexico
• Singapore
• Hong Kong
• Australia
• Peru

Practical Interoperability:
• CBPR as basis for global privacy policy
• CBPR as basis for Safe Harbor?
• CBPR as basis for BCR…


Status of APEC-Art. 29 Interoperability Project

Creation of Joint EU-APEC Working Team:
– Recognized value of collaboration to provide industry greater clarity on how to meet requirements of EU and APEC simultaneously

Development of “Referential”:
– Mapped requirements of APEC CBPR System and EU BCR System
– Identified common and divergent elements to help inform companies seeking to develop policies and practices in compliance with both systems
– APEC Data Privacy Subgroup expression of interest to Article 29 Working Party regarding tools recommended by joint working team in January 2015

Next Steps:
– Work together to develop practical tools to facilitate dual certification to complement referential: meetings held most recently in Amsterdam, discussions to continue at APEC 2016 in Peru.


Interoperability in Practice: Utilizing CBPR Certification to Demonstrate Requirements for BCR Approval

Hilary Wandall, AVP Compliance & Chief Privacy Officer, Merck & Co., Inc.


Benefits of Framework Approaches to Cross-Border Compliance
• competitive advantage – frameworks (e.g., CBPR, BCR, Safe Harbor) provide a legal basis for efficiently transferring data across country borders in compliance with the data transfer restrictions of the privacy laws in these regions
• compliance advantage – they are based on demonstration of organisational accountability and stewardship in how we operate rather than complicated transactional documentation that is resource-intensive to maintain
• reputational advantage among regulators, customers and the public based on trust that the certified organisation responsibly protects data across countries, regions, and ultimately globally


Our Approach to Interoperable Privacy Frameworks

BCRs

http://www.msd.com/privacy/cross-border-privacy-policy/


Framework Interoperability Gap Analysis


Cross-Border Enforcement Co-operation

Melinda Claybaugh, Counsel for International Consumer Protection, Federal Trade Commission


Note: The views expressed are mine alone and not necessarily those of the Federal Trade Commission or any individual Commissioner.

Melinda Claybaugh, Counsel for International Consumer Protection, Federal Trade Commission


Overview of Cross-Border Enforcement Cooperation
• Authority: US SAFE WEB Act
• Mechanisms: GPEN, CPEA, MOUs
• Examples of successful cooperation


The Federal Trade Commission


SAFE WEB Act Enhanced Enforcement Powers
• Information Sharing: FTC may share confidential information with foreign law enforcers.
• Investigative Assistance: FTC may provide investigative assistance to foreign law enforcers in certain cases by, for example, issuing a Civil Investigative Demand.


FTC Use of SAFE WEB Tools
• Information Sharing: Provided evidence in response to 63 information-sharing requests from 17 foreign law enforcement agencies in 9 countries (as of mid-2012).
• Investigative Assistance: The FTC has issued 52 civil investigative demands in 21 investigations on behalf of 9 agencies in 5 countries (as of 2012).


Global Privacy Enforcement Network (GPEN)
• Network of public privacy enforcement authorities
• Range of Activities
• “GPEN Alert” secure information-sharing system


APEC Cross-Border Privacy Enforcement Arrangement
• 26 members from 9 economies
• Practical mechanism allowing PEAs to cooperate in cross-border privacy enforcement by sharing information and providing assistance.


Memoranda of Understanding
• MOUs with Dutch, Irish, and UK Data Protection Authorities
• Sets out the agencies’ intent regarding mutual assistance and procedures for sharing information and providing assistance.


Examples of Successful Cooperation
• Many public examples in fraud cases
  – In Canadian Competition Bureau case against a phone company, District Court of MD ordered compliance with FTC civil investigative demand.
  – Robocalls, spam
• GPEN Alert
• Under CPEA: Australia/Canada cooperation on data breach investigation.


Questions?


Contacts
• Josh Harris: jharris@truste.com
• Hilary Wandall: hilary_wandall@merck.com
• Melinda Claybaugh: mclaybaugh@ftc.gov


Thank You! See http://www.truste.com/insightseries for details of our 2016 Privacy Insight Series and past webinar recordings.
