
2011/SOM3/ECSG/011

Agenda Item: III1a

Report of Data Privacy Sub-Group Meeting

Purpose: Information

Submitted by: DPS Chair

24th Electronic Commerce Steering Group Meeting
San Francisco, United States
21 September 2011

APEC ECSG Data Privacy Sub-Group

San Francisco, 18 September 2011

REPORT OF DATA PRIVACY SUB-GROUP MEETING

The DPS meeting was held on Sunday 18 September 2011 in San Francisco, the United States of America.

The following member economies and guest organisations were represented at the meeting: Australia; Brunei; Canada; Chile; China; Hong Kong, China; Indonesia; Japan; the Republic of Korea; Malaysia; Mexico; New Zealand; the Philippines; the Russian Federation; Singapore; Chinese Taipei; Thailand; the United States of America; Viet Nam; the International Conference of Data Protection and Privacy Commissioners; the Internet Society; the Global Business Dialogue on E-Commerce (GBDe); and the International Chamber of Commerce (ICC).

Item 1 – Introduction and Administration

The agenda was approved.

Nominations were sought for DPS executive positions for a two year term. Ms Daniele Chatelois, Canada, was nominated for the position of DPS Chair. Mr Joshua Harris, the United States of America, was nominated for the position of DPS Vice Chair. Both nominations were supported by all DPS members and accepted by Ms Chatelois and Mr Harris.

The APEC Secretariat brought to the attention of members the report on APEC key developments (2011/SOM3/ECSG/DPS/016). It was noted that CTI II and SOM II agreed to focus on next generation trade and investment issues. The Chair noted the relationship of the DPS’s work to key APEC priorities.

The PSU presented a report on TFAP II assessment for the DPS (2011/SOM3/ECSG/DPS/019 and 019a). The PSU made four recommendations which the Chair noted should be considered as part of the discussion of the DPS work plan. The PSU suggested that the DPS could adopt a case study approach to identify reductions in costs following the implementation of the Data Privacy Pathfinder.

Item 2 – Outcomes of the Technical Assistance Workshop

The project manager provided an oral report on the Technical Assistance Workshop. The Workshop focused on the cost benefit issues raised by participation in the CBPR System, focusing on the implications for business, consumers and governments as well as future challenges. DPS members thanked the project manager and speakers who took part in the Workshop for their valuable work. A seminar report will be circulated to members.

Item 3 – Data Privacy Pathfinder: A Discussion on Pathfinder Projects

DPS members discussed the outstanding Pathfinder projects.

The Pathfinder project 4 document, called ‘APEC CBPR system – Workplan for the Development of a Directory of CBPR Certified Organisations and APEC-Recognized Accountability Agents’ (2011/SOM3/ECSG/DPS/008) was discussed. It was noted that this document provides the framework for a CBPR website that will be appropriately linked to the APEC website (consistent with APEC policies) which will be put into place as part of the implementation process. A minor change was made to note that the website should also include any information about an Economy’s laws and regulations relevant to privacy issues, including links to the APEC IAPs. The DPS endorsed this Pathfinder project document.

The Pathfinder project 8 document, called ‘APEC CBPR System – Policies, Rules and Guidelines’ (2011/SOM3/ECSG/DPS/0162011/SOM3/ECSG/DPS/009) was discussed. The DPS agreed to a number of changes to the document as follows:

  • to more accurately express the requirement that Privacy Enforcement Authorities should have the ability to take enforcement actions under applicable domestic laws and regulations that have the effect of protecting personal information consistent with the CBPR program requirements;
  • to more accurately express the process by which an Economy participates in the CBPR system (including expressly including a role for the Joint Oversight Panel to consult with an Economy in developing an explanation of how the CBPR system program requirements will be enforced in that Economy, and for the Joint Oversight Panel to provide a report on how the conditions for participation by the Economy have been met) and by which Accountability Agents are certified under the CBPR system;
  • to provide that the Joint Oversight Panel may consider and recommend suspension of an Accountability Agent’s recognition at any time; and
  • to modify the Charter of the Joint Oversight Panel to incorporate the above changes.

The DPS endorsed this Pathfinder project document.

Having completed all the Pathfinder projects, the DPS discussed the endorsement of the complete CBPR system as satisfying the requirements of the Data Privacy Pathfinder and discussed the document called ‘APEC CBPR System – Endorsement Process’ (2011/SOM3/ECSG/DPS/012). The DPS noted that endorsement of the CBPR system as satisfying the Data Privacy Pathfinder does not mean that an economy is committed to participate in the CBPR system, as participation is a separate decision to be made by economies as appropriate. The DPS also noted the other previously endorsed documents that make up the complete set of CBPR system documents (2011/SOM3/ECSG/DPS/005, 2011/SOM3/ECSG/DPS/006, 2011/SOM3/ECSG/DPS/007, and 2011/SOM3/ECSG/DPS/010). Members noted that minor editorial changes had been made to a number of these documents to ensure consistency between all documents.

The DPS endorsed the complete CBPR system.

The DPS considered the work undertaken to map a self-assessment and certification process in an economy (Japan) against the requirements of the CBPR system (2011/SOM3/ECSG/DPS/018). It was noted that this process may form the basis of a template approach for other economies, who are encouraged to consider this approach. The DPS will consider further developing this approach as part of the implementation of the CBPR system.

The DPS discussed a scoping paper prepared by the Interoperability Ad Hoc Working Group (2011/SOM3/ECSG/DPS/013) which discussed the policy issues raised by considering interoperability. The DPS agreed to provide comments by 30 October 2011 on the paper to the APEC Secretariat. Member economies were asked to consider participating in the Working Group (which is led by the ICC with observers from Canada and the United States).

Item 4 – DPS Input for Ministerial Statement

The DPS discussed the key concepts that should be proposed for the Ministerial Statement. It was agreed that the endorsement of the CBPR system was a significant achievement that should be noted, and that it should be recognized that the CBPR system will provide benefits for consumer and business trust, boost economic growth and trade, help Economies develop innovative legal regimes on the protection of personal information, increase regulatory predictability for global organisations and for governments, and reduce cost and transaction burdens. It was also noted that Economies may wish to issue their own statements in support of the completion of the CBPR system.

Item 5 – APEC Projects

The APEC Secretariat noted that the timing of sessions for project approval in 2012 will be set after BMC.

The DPS considered the project proposal from Vietnam (2011/SOM3/ECSG/DPS/015) for submission in the current session 3. The DPS endorsed this project proposal.

The DPS discussed the proposal from the Philippines for a self-funded project (2011/SOM3/ECSG/DPS/017). The DPS endorsed this project proposal.

The DPS discussed the proposal from China and the United States for a self-funded project (2011/SOM3/ECSG/DPS/020). The DPS endorsed the project proposal.

The DPS discussed the multi-year project proposal submitted by the United States (2011/SOM3/ECSG/DPS/014) called ‘APEC CBPR System Implementation and Administration Assistance’. Noting that 11 member economies are required to co-sponsor multi-year proposals, the DPS acknowledged Hong Kong China, Malaysia and China as additional co-sponsors, so that the project has the required number of co-sponsors. The DPS noted that support of another forum is required for multi-year proposals, and that CTI has been identified as the additional forum. It is understood that CTI will consider support at its meeting. The DPS endorsed the multi-year project proposal.

Item 6 – Review of DPS Work Plan

The DPS considered the work plan for 2012 (2011/SOM3/ECSG/DPS/002) and noted the priority on implementation of the CBPR system, and noted that the interoperability and mapping work should also be included. The DPS also noted the importance of developing and maintaining information sharing relationships and opportunities with other international organisations, such as the International Conference of Data Protection and Privacy Commissioners. The DPS endorsed the work plan.

Item 7 – IAPs and Domestic Implementation

The DPS welcomed NZ’s updated IAP (2011/SOM3/ECSG/DPS/003) and encouraged other economies to update their IAPs as necessary. Thailand and Indonesia provided updates on their domestic developments, which were welcomed by the DPS.

Item 8 – Reports from Sub-Group Member Economies

The DPS welcomed a detailed report from Chinese Taipei (2011/SOM3/ECSG/DPS/021) on the implementation of personal information protection in both the public and private sectors.

  1. Australia – The Government continues work on the implementation of comprehensive reforms to Australia’s privacy law. The Government is preparing draft legislation for introduction into the Parliament in 2012.
  2. Brunei – The Government is developing a privacy law that is currently under consideration.
  3. Canada – on 1 April 2011 provisions came into force which provide the Privacy Commissioner with an expanded ability to share information with international counterparts, including a greater range of regulatory authorities in other jurisdictions; and with a power to decline to investigate, including where another mechanism to resolve a complaint is available. Legislation is being prepared to amend the private sector privacy law, including the introduction of a data breach notification regime.
  4. Chile – the existing privacy law is being amended and public consultation is underway. It is expected that a bill will be presented to the Congress by the end of October 2011.
  5. China – while there is no specific privacy law, China attaches great importance to this issue, as on-line sales currently exceed 3% of all transactions. China will revise its consumer protection law and is drafting regulations concerning on-line retail which it is expected will include privacy provisions.
  6. Hong Kong, China – the privacy ordinance has been reviewed and, following public consultations, changes have been proposed (including specific requirements for direct marketing, sales of personal information, situations where there is no consent, and to permit the Commissioner to provide legal assistance for consumer actions). A bill was submitted in July 2011 for legislative scrutiny.
  7. Indonesia – noted that there is no specific law, but that developments around e-commerce laws have had the effect of providing privacy protection.
  8. Japan – noted that it is ready to join the APEC Cross-Border Privacy Enforcement Agreement and will submit the appropriate documentation to the Secretariat for consideration by the co-facilitators.
  9. Korea – The Privacy Protection Act commenced in September 2011. In addition, amendments have been made to the communications law to provide that users can control their data and lodge complaints with the communications commission on privacy issues.
  10. Malaysia – noted that the privacy law was enacted in June 2010 and that it expects to complete the establishment of the Office of the Commissioner for Personal Data Protection by the end of 2011.
  11. Mexico – the law on protection of data held by private parties was approved by Congress in July 2010. A transition regime has been approved for the implementation of the law. Organisations had until July 2011 to create privacy notices, and guidelines have been issued to assist this task. A privacy notice generator for agencies has been developed and will be launched at the end of 2011. Work has commenced on regulations to implement the law, and over 400 public comments have been received. It is expected that the regulations will be issued in November 2011. Self-regulation guidelines will also be issued in 2012. By January 2012 organisations are expected to be able to receive requests from individuals about their personal information, and from that time individuals will also be able to lodge complaints with the regulator. Mexico will be hosting the International Data Protection Commissioner’s Conference and the OECD meeting in November 2011.
  12. New Zealand – a law reform commission report has recommended changes to the privacy law, including changes to recognize CBPRs (the relevant text is excerpted in 2011/SOM3/ECSG/DPS/011). A government response to the recommendations is expected before the end of 2011.
  13. The Philippines – a privacy bill has been marked for urgent consideration by Congress. The existing administrative orders dealing with privacy protection remain in place, and the existing private sector guidelines for privacy protection are being reviewed.
  14. Singapore – a privacy law is being developed, and public consultation is occurring. It is expected the law will be enacted in 2012 and a privacy regulator established.
  15. Thailand – a draft private sector privacy law has been prepared for consideration.
  16. Chinese Taipei – The Personal Data Protection Management Act has been amended and implementation of the new requirements has commenced.
  17. The United States – An invitation was extended to attend an APEC conference on trade and innovation, noting that privacy is a directly relevant issue.
  18. Vietnam – a privacy law is being developed, along with a new anti-spam decree and a new e-commerce decree that may include a chapter on personal information protection.

Item 9 – Information Sharing on Cross-Border Privacy Issues

DPS guest members provided reports.

  1. The International Conference on Data Protection and Privacy Commissioners, represented by the CNIL, provided a report on developments in the Conference. It was noted that the Conference has a resolution on international standards in 2010 agreeing principles and rules, and it was noted that the G8 has issued a declaration recognizing privacy as a fundamental right. The EU Directive is being revised to reinforce and simplify the rights of data subjects and enforce the responsibilities of data controllers, and it will also deal with police and justice issues to ensure a comprehensive approach.
    Mexico reported that the next Conference will be held in Mexico City in November 2011 and that it will include, in addition to the International Conference, parallel events including a public voice conference, an OECD conference, a privacy by design conference, and an e-commerce day set of activities. All delegates were invited to attend the events.
  2. The ICC will continue to lead work on interoperability, and also highlighted its participation in the Internet Governance Forum, for which the ICC coordinates business participation and where privacy is a significant issue for discussion.
  3. The Internet Society provided an overview of its involvement in privacy issues in the IGF, as well as the Internet Engineering Task Force and the WWW Consortium. The ISOC is encouraging mechanisms to consider privacy issues in these meetings, as part of the development of technical standards.
  4. The GBDe reported on the continuing sustainable e-business initiative.
  5. A report was presented on behalf of the OECD covering privacy developments, noting the review of the privacy guidelines and the expected release of terms of reference for future work to define the review process, and that this may assist in providing guidance to the DPS on future privacy work.
  6. The APPA Forum provided a report on recent activities (2011/SOM1/ECSG/DPS/004) which was discussed and noted by members.
  7. An update was provided on the Accountability Project. Work in 2011 is sponsored by the Spanish Data Protection Commissioner, and is focusing on the nature of accountability and how it can be demonstrated. The project will continue in 2012 (under the sponsorship of the EU Data Protection Supervisor) and will focus on infrastructure issues. APEC members are encouraged to participate.

DPS members agreed to continue to take advantage of opportunities to share information, including with other international organizations such as the International Conference of Data Protection and Privacy Commissioners, on relevant privacy issues.

Item 10 – Conclusion and Next Steps for the DPS

The Chair provided an oral summary of the meeting.

The Chair (Colin Minihan, Australia) thanked members for their support and assistance and welcomed the incoming Chair and Vice-Chair.

DPS members were informed that the 25th DPS meeting will be held as part of SOM I in Russia in 2012.