Yukiko Ko yko@transunion.com Binding Corporate Rules – Global Implications Conference on Cross Border Data Flows and Privacy October 16, 2007 Washington, D.C. Yukiko Ko yko@transunion.com
TransUnion Overview TransUnion is a trusted partner for business and consumers around the world Founded in 1968 Headquartered in Chicago Provides solutions to more than 50,000 businesses worldwide Reaches businesses and consumers in more than 30 countries on six continents Maintains credit histories on an estimated 500 million consumers around the globe Processes billions of updates each month Affiliates with partners with more than 100 years of experience Employs privacy protocols and security measures to provide high confidence in personal financial information Helps prevent and combat financial crimes, such as identity theft and credit fraud, by establishing the industry's first dedicated fraud victim assistance department
TransUnion Global Reach
TransUnion as Part of a Global Community Active participation in the APEC Data Privacy Subgroup Share best practices through Identity Theft Prevention and Identity Management Standards Panel (IDSP), American National Standards Institute Contribute to capacity building for SMEs and other players in emerging markets – TransUnion Central America, among others
Why Global Corporate Privacy Rules? Proliferation of various data protection laws History Culture Institutional structure (enforcement system) Economic needs Constant flows of data sans frontière Data transfers (electronic, oral and physical) Access to network Privacy, security, and market demands
Features of Global Corporate Privacy Rules Transparency Intra-company Inter-company Accountability to the public and regulators Efficiency Operational Compliance Training and education Uniformity
Different Backgrounds yet Common Interest – EU and APEC Size 28% of world GDP1) 493 million people 2) 27 member states 2) 56% of world GDP3) 2.6 billion people 3) 21 member economies 3) Privacy culture Protection of human rights – data processing not infringing human rights Protection of consumer rights - Economic growth based on secure data processing Co-ordination Article 29 Working Party (mandated by the Directive) APEC ECSG Data Privacy Sub-group (voluntary participation) Source: 1) World Bank 2) EU at a Glance, 3) APEC at a Glance and World Bank
Implementation is key for both BCRs and CBPRs Binding Corporate Rules (BCRs) Widely recognised compliance tool Cross Border Privacy Rules (CBPRs) Tool currently in works Both BCRs and CBPRs aim to facilitate privacy compliance by creating corporate accountability Implementation is key for both BCRs and CBPRs
Comparing BCRs and CBPRs CBPRs (still in works) Self-assessment Internal coordination, audits, policy setting, standard application form Internal coordination, audits, policy setting, APEC self-assessment questionnaire (?) Compliance Review 27 data protection authorities with a “lead authority” Designated government regulator or accredited third party organisations (e.g. trustmarks?) Approval/ Recognition Dispute Resolution/ Enforcement Cross-border dispute resolution/enforcement in 2 steps: business, enforcement authorities Cross-border dispute resolution/enforcement in 2 or 3 steps: business, accredited third parties, enforcement authorities
Observation Commonalities between BCRs and CBPRs hint at global corporate best practice for data protection There is a strong need to provide capacity building/technical assistance for emerging economies and SMEs Rules development and approval process should be streamlined and clear Frequent information exchange among businesses, governments, and civil society organisations in the two regions is essential
Director, International Fraud and ID Management Thank you Yukiko Ko Director, International Fraud and ID Management TransUnion yko@transunion.com