GRAHAM GREENLEAF AM PROFESSOR OF LAW & INFORMATION SYSTEMS UNSW AUSTRALIA PANEL 8 – MAPPING APEC CBPRS ONTO EU BCRS INTERNATIONAL DATA PROTECTION & PRIVACY.

Presentation transcript:

Challenges to APEC-CBPR credibility
Graham Greenleaf AM, Professor of Law & Information Systems, UNSW Australia
Panel 8 – Mapping APEC CBPRs onto EU BCRs
International Data Protection & Privacy Commissioners Conference, Mauritius, October 2014

What has APEC-CBPR shown in 2 years?
Questions:
- What is the value proposition for companies to become certified?
- What is the value proposition for consumers?
- Is CBPR being run as effective regulation?
  - Is APEC requiring that countries meet its standards?
  - Was the only certification of an AA rigorous enough?
  - Will the renewal of that AA be rigorous enough?
- What further tests of CBPR credibility will arise?

APEC-CBPR: What is the value proposition for companies to become certified?
- Certification does not reduce or satisfy obligation to comply with all local laws – including data export limits
- Certification has no effect on the same company in other APEC countries: NO ‘APEC-wide’ certification
- Certification does not mean personal data can be transferred FROM any other APEC country
  - It also has no direct effect on ability to import from outside APEC
- In countries with higher privacy standards than APEC, certification adds nothing – most APEC countries, but not US
  - Gilbert+Tobin Lawyers (Australia): ‘no compelling reason to participate’
- CBPR will not lead to EU ‘interoperability’
  - EU A29 finds BCRs require more than CBPR in 26/27 elements
  - Some have no common elements eg no 3rd P beneficiary rights

APEC-CBPR: Of no value to consumers
- Companies are only required to meet the 1980’s standard APEC Principles (eg no deletion required)
- CBPR certification does not cover all personal data a company collects – only data it intends to export!
  - Consumers cannot know if particular data is protected
- CBPR certification does not even mean that a company complies with local laws
- CBPR certification does not require compensation payments for breaches – or any other remedies
- CBPR certification does not apply to processors

APEC-CBPR administration: No independent assessment of economy participations
- CBPR participating countries must have effective laws enforcing to APEC standard
  - ‘laws and regulations … the enforcement of which have the effect of protecting personal information consistent with the APEC Privacy Framework’
- Problem: JOP charter only allows consultation with economy concerned, not independent viewpoints
  - No provision for any external submissions before accreditation
- JOP Findings Reports show no external inputs or research – they are close to self-assessment
  - Eg Failure of Japan to enforce its laws is never questioned

APEC-CBPR administration: Ignoring the AA rules
- USA’s appointed AA did not meet APEC standards
  - Did not meet at least 21 of APEC’s program requirements
  - Only required by JOP to remedy non-application to offline activities; and to separate CBPR reporting from others
- Problem: no formal procedure for third party input
- AA’s first year shows continuing failure to comply
  - Did not apply program to offline activities, mobiles etc
  - 2/5 certifications involved conflicts of interest in certifications
- Renewal of AA appointment tests credibility of JOP
  - Australian Privacy Foundation submission opposes renewal

APEC-CBPR administration: Further challenges ahead
- Will JOP require AA applicants to meet APEC standards?
  - Will JOP ever refuse an AA application/renewal?
  - If applications/renewals cannot fail, is this regulation?
- Will AAs ever revoke company certifications?
- Will AAs publish objective selections of case studies?
- Will any non-US companies get certification?
- Can CBPR certification be made relevant to consumers?
- APEC CBPR should prove itself, not be taken on trust
- The EU & all interested parties need to remain vigilant

Documentation
- Australian Privacy Foundation (APF) ‘Submission [to APEC-CBPR JOP] opposing the 2014 renewal of recognition of TRUSTe as a CBPR Accountability Agent (AA)’ (13 June 2014).
- G Greenleaf ‘APEC's Cross-Border Privacy Rules System: A House of Cards?’ (2014) 128 PLBIR,
- G Greenleaf & N Waters ‘APEC's CBPRs: Two years on – take-up and credibility issues’ (2014) 129 PLBIR,
- G Greenleaf & F Shimpo ‘The puzzle of Japanese data privacy enforcement’ (2014) 4 (2) International Data Privacy Law