Australia and the APEC Cross-Border Privacy Rules (CBPR) System

Contents

Australia and the APEC Cross-Border Privacy Rules (CBPR) System

Introduction

APEC Cross-Border Privacy Rules (CBPR) System

Benefits in joining the CBPR system

Criticisms of CBPR

CBPR interaction with Privacy Act (APP8 and section 16C)

Impediment analysis report by IIS – July 2014

Privacy enforcement arrangements

Can business enter contracts with foreign service providers that are CBPR participants before Australia formally participates in the CBPR system?

Submissions and Questions

Attachments:

Att.A – Structure of the CBPR system

Att.B – Process for participating in the CBPR system

This paper has been prepared by the Attorney-General’s Department. It does not represent the views of the Australian government. Information is provided on the CBPR system and a range of potential issues. This is not intended to be, nor should it be relied upon as, legal advice.


Introduction

This paper discusses the APEC CBPR system and its implications for Australia. This paper has been developed to assist consultation by the Attorney-General’s Department with Australian stakeholders by providing information on the CBPR system and some of the issues for consideration. Consultation is intended to provide us with an understanding of stakeholder and community views on the CBPR system, including their views on the costs and benefits, to inform future discussion and advice to government, including on whether Australia should consider participation in the CBPR system.

The development and implementation within APEC of the CBPR system was endorsed by all APEC economies[1] in 2011, including Australia. However, it is a matter for each individual economy to determine if, and when, it will become a participant in the CBPR system. In November 2016 the APEC Leaders’ statement and the APEC Ministers’ statement both renewed calls for member economies to participate in the CBPR system. Australia is not currently a participant in the CBPR system.

To date the United States of America, Mexico, Japan and Canada are participants in the CBPR system. As at February 2017 the Republic of Korea was in the process of becoming a participant and The Philippines, Singapore and Chinese Taipei have announced their intention to participate in the CBPR system. An APEC survey identified a number of other economies that may consider joining the CBPR system (Australia, Hong-Kong China, Russia, and Viet Nam)[2].

APEC Cross-Border Privacy Rules (CBPR) System

The APEC CBPR has been developed by the Data Privacy Subgroup of APEC’s Electronic Commerce Steering Group and it builds on the APEC Privacy Framework[3], which contains the APEC Information Privacy Principles. These principles in turn are based upon the 1980 OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data[4], which also underpin the Australian Privacy Act 1988.

The CBPR system provides a mechanism to facilitate the flow of personal information across borders while at the same time providing effective protection for personal information, essential to trust and confidence in the online marketplace.

The CBPR system is voluntary. It is a matter for companies based in a participating economy to decide whether or not they wish to take part in the system, noting that there are costs involved in participation. If a company decides to take part in the CBPR system, then the privacy policies and practices of the company are assessed and certified by a third party verifier (known as an ‘Accountability Agent’) against a set of commonly agreed upon rules, based on the APEC Privacy Framework. By applying this commonly agreed-upon baseline set of rules, the CBPR system bridges differences that may exist amongst domestic privacy approaches[5].

Importantly, the APEC CBPR system does not replace or change a participating economy’s domestic laws and regulations. An APEC CBPR certified business needs to comply with both the APEC CBPR system as well as the domestic laws in economies where the business operates. The APEC CBPR system is intended to provide a minimum level of protection for cross-border information flows within the APEC region. To the extent that domestic laws of APEC economies impose higher standards, including in relation to cross-border information flows, a business that is subject to the laws of that economy will need to comply with those domestic laws.

A flowchart showing the structure of the CBPR system is at Attachment A, and a table showing the step-by-step process for participation in the system is at Attachment B.

The fundamental components required for an economy to participate in the CBPR system are:[6]

  • The establishment of criteria for bodies to become recognised as CBPR Accountability Agents
  • A process for certifying businesses as CBPR compliant
  • Assessment criteria for Accountability Agents to decide whether a business meets CBPR system requirements, and
  • Enforcement arrangements.

Benefits in joining the CBPR system

In February 2016, Information Integrity Solutions (IIS) released an APEC commissioned report on the potential benefits for APEC economies and businesses joining the CBPR System[7]. This report did not consider Australia specifically, but selected economies that have signed up to the CBPR system (US, Mexico, Japan and Canada) as well as Singapore because it is an important trade hub. The report constituted a preliminary assessment of possible benefits to economies and businesses joining the CBPR system from business, government and regulator perspectives.

The report found that general awareness and understanding of the CBPR system is low, which is a limiting factor to the adoption of the CBPR system more broadly. It found the extent to which economies and stakeholders find value in the CBPR system largely depends on each economy’s underlying domestic law, the domestic law of its trading partners, and the requirements of stakeholders.

Both the APEC Leaders’ Statement and the APEC Ministers’ Statement in November 2016 called for member economies to consider participation in the CBPR system. The Data Privacy Sub-Group work-plan includes encouraging greater participation by APEC member economies in the CBPR system. The Sub-Group is considering a range of relevant issues, and is managing the re-development of the CBPR website, making it more user-friendly and accessible to business and consumers. A revised website should be operational in the second half of 2017.

Benefits identified by advocates & the CBPR website

Below is a table that outlines some of the benefits for Business, Consumers and government as identified by various CBPR advocates as well as identified on the CBPR website.

Business

Benefits of APEC CBPR communicated by advocates:
  • Demonstrates organisational accountability
  • Creates consumer trust
  • Makes organization-wide privacy protections more uniform (of particular benefit to multinational businesses)
  • Self or co-regulation can be effective, as it’s flexible – companies can update privacy policies when it suits them[8]
  • As more economies join, compliance costs for businesses across borders will be reduced.

Benefits of CBPR on website:
  • Reduces barriers to flow of information across borders: the need to comply with different legislative requirements is reduced. This enhances trade and efficiency
  • Demonstrates a commitment to consumer privacy.[9]

Consumers

Benefits of APEC CBPR communicated by advocates:
  • Enhanced privacy protections
  • Streamlined complaint handling
  • Improves consumer trust.[10]

Benefits of CBPR on website:
  • Protection of personal data when it moves across borders.[11]

Government

Benefits of APEC CBPR communicated by advocates:
  • Facilitates trade and privacy (both important political objectives)
  • Facilitates cross-border privacy enforcement cooperation: cooperation can generally only occur when standards are agreed upon
  • Efficiency gains for governments from outsourcing frontline enforcement to Accountability Agents – means governments can focus on more high-impact, high level privacy issues
  • Aids investigations and enforcement of privacy breaches.[12]

Benefits of CBPR on website:
  • Provides a ‘unique opportunity’ to facilitate cross border trade through privacy standards
  • Provides for voluntary participation that will raise the standard of privacy across the region.[13]

Benefits for Business

Businesses are key contributors to, and beneficiaries of the CBPR system. The 2016 IIS report identified several benefits for business stakeholders, including trade benefits, internal organisational benefits and external stakeholder benefits (relating to the impact on consumers). Notably, the scope of the report did not include any direct discussion with consumers, and specifically focussed on the benefits of the CBPR system (not an assessment of the pros and cons).

The following are some of the suggestions made in the report:

  • The CBPR system increases privacy protections in economies where there is no data protection law, while not detracting from privacy protection in economies where there is data protection law.
  • The CBPR system has the potential to make connections with other international data protection frameworks, such as EU Binding Corporate Rules system (BCR).[14]
  • The system may positively impact foreign direct investment, where economies have intimated that they would invest more in economies where there is no data protection law if those economies’ businesses participate in the CBPR system.
  • Having a common set of baseline standards which are interpreted in the same way may help overcome cultural differences that might otherwise make cross-border data transfers more complex. For example, one CBPR certified company had reported that its CBPR certification had lowered the cost and time involved in obtaining its EU BCR certification for its existing global privacy program[15].
  • Adopting regional baseline standards may facilitate entry into new markets for businesses by removing some of the regulatory burden through simplifying and standardising data handling policies.
  • Likewise, new products and services could be rolled out to market more quickly as the internal regulatory processes could be conducted faster.
  • The CBPR system allows businesses to have flexibility as to the data to which it applies and the economies that will be covered. For example, a CBPR certified company may choose to apply the CBPR system to a narrow data set, or limit the economies to which CBPR applies (such as to business processes across its operations that transfer personal information from its affiliates in one economy to its affiliates in other APEC economies).
  • The third party validation and enforcement components of the CBPR system provided by Accountability Agents, independent privacy regulators, and the Joint Oversight Panel (which oversees Accountability Agents, and processes the applications made by economies that wish to join the system), provide a high level of assurance to external stakeholders (including consumers)[16].
  • There is value to consumers where business is perceived as being a good data steward, through participating in the CBPR.

Benefits for Australian consumers

The CBPR system may provide more efficient complaint resolution for Australian consumers dealing with a CBPR compliant business in a CBPR participating economy. The Accountability Agent provides a consumer complaint resolution service for business members in the event that a consumer is unable to get a satisfactory resolution to their complaint made to the business. Resolution of the complaint by the Accountability Agent is at no cost to the consumer and provides the opportunity for fast and convenient dispute resolution, always with the option of taking the complaint to the appropriate regulator if the consumer remains dissatisfied. As all relevant regulators in participating economies must be members of the APEC Cross-Border Privacy Enforcement Arrangement (CPEA), a consumer would be able to make their complaint to the local regulator and the complaint would, consistent with the CPEA, be transferred to the relevant regulator in the participating economy of the business for consideration and resolution. The availability of an Accountability Agent to assist in dispute resolution provides an additional support for consumers in this context.

Criticisms of CBPR

The CBPR system has been criticised by privacy advocates. The key criticism is that the benefits of CBPR certification are misleading. They claim CBPR fails to reduce the barriers to cross-border transfer of information. This is because domestic privacy laws in APEC economies have higher standards of privacy than the APEC Privacy Principles.[17] Hence, companies wishing to transfer information may need to comply with these higher standards, so the CBPR does not lessen the legislative barriers businesses will face.[18] This reduces incentives to join the CBPR, because businesses will be required to satisfy the same compliance obligations of other economies as they would if they were not participants in the CBPR system. Furthermore, economies may prefer to rely on the protection provided by their own laws and ask other economies to comply with these, rather than the weaker protections of the APEC Privacy Principles.[19]

Other criticisms that have been made include:

  • The APEC Privacy Framework has the lowest minimum standards of any international privacy agreements, which may create a risk for consumers.[20]
  • The Privacy Framework and CBPR are biased towards multinational businesses that want to deflect economies from adopting privacy laws. When multinationals have operations in economies without domestic privacy laws, they have no regulatory burdens when transferring data to these locations. Hence, a lack of domestic privacy laws benefits businesses by making data flow easier for them. Yet because CBPR is a ‘minimum’ framework, not an enforceable law, the risk is that it does not adequately protect consumers if economies sign on to CBPR without their own domestic privacy laws.[21]
  • The benefits to consumers are slight. Consumers do not need to be told under CBPR what data about them is exported to another economy. They also have limited redress options if they are unsatisfied. The only remedy available is an Accountability Agent terminating or suspending a company’s certification.[22]

CBPR interaction with Privacy Act (APP8 and section 16C)

The Privacy Act 1988 imposes strict rules on APP entities governing the cross-border disclosure of personal information held in Australia, where:

  • APP8 generally requires an APP entity, before disclosing personal information to a foreign recipient, to take reasonable steps to ensure that foreign recipient will handle the personal information in accordance with the APPs.[23]
  • Section 16C of the Privacy Act makes the APP entity responsible for personal information disclosed to a foreign recipient, unless an exception applies.

Most relevantly, APP 8.2(a) provides an exception where the foreign recipient will not be required to handle personal information transferred to it from Australia in accordance with the APPs where:

(i) The foreign recipient is subject to a law, or binding scheme, that has the effect of protecting the information in a way that is, overall, at least ‘substantially similar’ to the way in which the APPs protect the information

(ii) There are mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme.

Is CBPR a ‘binding scheme’ that is ‘overall, at least substantially similar’ to the APPs?

The inclusion of the phrase ‘binding scheme’ in APP 8.2 was specifically intended to capture possible future arrangements, such as if Australia were to participate in the APEC CBPR system, but only if these arrangements meet the criteria of being ‘at least substantially similar’ to the APPs.[24]

Neither the department nor the OAIC operates a ‘white list’ that endorses disclosures to any particular foreign recipients or any specific foreign jurisdictions. However, Australian participation in the CBPR system would provide a basis for APP entities to assume that disclosure to a foreign recipient that is subject to a CBPR compliant Accountability Agent in another jurisdiction was subject to a binding scheme that was, overall, ‘substantially similar’ to the APPs.

Are there mechanisms that the individual can access to take action to enforce that protection of the law or binding scheme?

The wording of APP 8.2 was also specifically designed to provide flexibility for future enforcement arrangements. The Explanatory Memorandum to the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 stated that:

‘It is not essential that the overseas jurisdiction have an office equivalent to the OAIC in order to provide accessible enforcement mechanisms. It should be possible for a range of dispute resolution or complaint handling models to satisfy this requirement. Effective enforcement mechanisms may be expressly included in a law or binding scheme or may take effect through the operation of cross-border enforcement arrangements between the OAIC and an appropriate regulatory authority in the foreign jurisdiction.’

Accordingly, the second limb of APP 8.2(a) would allow for effective enforcement mechanisms of the kind that Australia would need to arrange in any event to participate in the CBPR scheme. As discussed below, these mechanisms could be in the form of a binding code or a co-regulatory approach to enforce the more specific prescriptive provisions of the CBPR.

Impediment analysis report by IIS – July 2014

In 2014 an APEC funded consultant (Information Integrity Solutions, ‘IIS’) was engaged to prepare a report on whether there were any legal impediments to Australia joining the CBPR. While the report concluded that there are no legal impediments to Australia joining the CBPR system, it did identify a number of policy issues requiring consideration[25].

Meeting requirements to participate in the CBPR system

Australia would be able to satisfy the first requirement of the CBPR system, which is that it has a Privacy Enforcement Authority that participates in the Cross Border Privacy Enforcement Arrangement (CPEA). The Office of the Australian Information Commissioner (OAIC) became a participant of the CPEA in 2010.

The OAIC actually participates in two cross-border privacy enforcement arrangements:

  • The APEC Cross-border Privacy Enforcement Arrangement (CPEA), which commenced on 16 July 2010. The CPEA provides a framework for privacy regulators to cooperate, and to seek information and advice from each other on cross-border enforcement matters. Any Privacy Enforcement Authority in an APEC economy may participate (eg Privacy Commissioners' Offices, Data Protection Authorities or Consumer Protection Authorities that enforce privacy laws), and
  • The Global Privacy Enforcement Network (GPEN), which is designed to facilitate cross-border cooperation in the enforcement of privacy laws. GPEN builds on the Organisation for Economic Co-operation and Development's (OECD) Recommendation on Privacy Law Enforcement Cooperation (2007), which recognised the need for greater cooperation between privacy enforcement authorities in cross-border privacy matters. The Recommendation states that member economies should foster the establishment of an informal network of privacy enforcement authorities and other appropriate stakeholders to discuss the practical aspects of privacy law enforcement cooperation.

The next CBPR requirement for participating economies is that they confirm their intention to make use of an APEC recognised Accountability Agent. This requires the Accountability Agent to have either a location in that economy or to be subject to the jurisdiction of the relevant privacy enforcement authority, and to also meet the Recognition Criteria under the CBPR System.