Presentation is loading. Please wait.

Presentation is loading. Please wait.

GRAHAM GREENLEAF AM PROFESSOR OF LAW & INFORMATION SYSTEMS UNSW AUSTRALIA PANEL 8 – MAPPING APEC CBPRS ONTO EU BCRS INTERNATIONAL DATA PROTECTION & PRIVACY.

Published byAugust Fitzgerald Modified over 9 years ago

Similar presentations

Presentation on theme: "GRAHAM GREENLEAF AM PROFESSOR OF LAW & INFORMATION SYSTEMS UNSW AUSTRALIA PANEL 8 – MAPPING APEC CBPRS ONTO EU BCRS INTERNATIONAL DATA PROTECTION & PRIVACY."— Presentation transcript:

1 GRAHAM GREENLEAF AM PROFESSOR OF LAW & INFORMATION SYSTEMS UNSW AUSTRALIA PANEL 8 – MAPPING APEC CBPRS ONTO EU BCRS INTERNATIONAL DATA PROTECTION & PRIVACY COMMISSIONERS CONFERENCE MAURITIUS, 15-16 OCTOBER 2014 Challenges to APEC-CBPR credibility

2 What has APEC-CBPR shown in 2 years? Questions: What is the value proposition for companies to become certified? What is the value proposition for consumers? Is CBPR being run as effective regulation?  Is APEC requiring that countries meet its standards?  Was the only certification of an AA rigorous enough?  Will the renewal of that AA be rigorous enough? What further tests of CBPR credibility will arise?

3 APEC-CBPR: What is the value proposition for companies to become certified? Certification does not reduce or satisfy obligation to comply with all local laws – including data export limits Certification has no effect on the same company in other APEC countries: NO ‘APEC-wide’ certification Certification does not mean personal data can be transferred FROM any other APEC country  It also has no direct effect on ability to import from outside APEC In countries with higher privacy standards than APEC, certification adds nothing – most APEC countries, but not US  Gilbert+Tobin Lawyers (Australia): ‘no compelling reason to participate’ CBPR will not lead to EU ‘interoperability’  EU A29 finds BCRs require more than CBPR in 26/27 elements  Some have no common elements eg no 3 rd P beneficiary rights

4 APEC-CBPR: Of no value to consumers Companies are only required to meet the 1980’s standard APEC Principles (eg no deletion required) CBPR certification does not cover all personal data a company collects – only data it intends to export!  Consumers cannot know if particular data is protected CBPR certification does not even mean that a company complies with local laws CBPR certification does not require compensation payments for breaches – or any other remedies CBPR certification does not apply to processors

5 APEC-CBPR administration: No independent assessment of economy participations CBPR participating countries must have effective laws enforcing to APEC standard  ‘laws and regulations … the enforcement of which have the effect of protecting personal information consistent with the APEC Privacy Framework’ Problem: JOP charter only allows consultation with economy concerned, not independent viewpoints  No provision for any external submissions before accreditation JOP Findings Reports show no external inputs or research – they are close to self-assessment  Eg Failure of Japan to enforce its laws is never questioned

6 APEC-CBPR administration: Ignoring the AA rules USA’s appointed AA did not meet APEC standards  Did not meet at least 21 of APEC’s program requirements  Only required by JOP to remedy non-application to offline activities; and to separate CBPR reporting from others Problem: no formal procedure for third party input AA’s first year shows continuing failure to comply  Did not apply program to offline activities, mobiles etc  2/5 certifications involved conflicts of interest in certifications Renewal of AA appointment tests credibility of JOP  Australian Privacy Foundation submission opposes renewal

7 APEC-CBPR administration: Further challenges ahead Will JOP require AA applicants to meet APEC standards?  Will JOP ever refuse an AA application/renewal?  If applications/renewals cannot fail, is this regulation? Will AAs ever revoke company certifications? Will AAs publish objective selections of case studies? Will any non-US companies get certification? Can CBPR certification be made relevant to consumers? APEC CBPR should prove itself, not be taken on trust The EU & all interested parties need to remain vigilant

8 Documentation Australian Privacy Foundation (APF) ‘Submission [to APEC-CBPR JOP] opposing the 2014 renewal of recognition of TRUSTe as a CBPR Accountability Agent (AA)’ (13 June 2014). G Greenleaf ‘APEC's Cross-Border Privacy Rules System: A House of Cards?' (2014) 128 PLBIR, 27-30 http://ssrn.com/abstract=2468782 http://ssrn.com/abstract=2468782 G Greenleaf & N Waters ‘APEC's CBPRs: Two years on – take-up and credibility issues’ (2014) 129 PLBIR, 12-15 http://ssrn.com/abstract=2481812 http://ssrn.com/abstract=2481812 G Greenleaf & F Shimpo ‘The puzzle of Japanese data privacy enforcement’ (2014) 4 (2) International Data Privacy Law 139- 154 http://idpl.oxfordjournals.org/content/4/2/139.abstract http://idpl.oxfordjournals.org/content/4/2/139.abstract

Download ppt "GRAHAM GREENLEAF AM PROFESSOR OF LAW & INFORMATION SYSTEMS UNSW AUSTRALIA PANEL 8 – MAPPING APEC CBPRS ONTO EU BCRS INTERNATIONAL DATA PROTECTION & PRIVACY."

Similar presentations

Yukiko Ko yko@transunion.com Binding Corporate Rules – Global Implications Conference on Cross Border Data Flows and Privacy October 16, 2007.

Yukiko Ko Binding Corporate Rules – Global Implications Conference on Cross Border Data Flows and Privacy October 16, 2007.
29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.

29e CONFÉRENCE INTERNATIONALE DES COMMISSAIRES À LA PROTECTION DES DONNÉES ET DE LA VIE PRIVÉE 29 th INTERNATIONAL DATA PROTECTION AND PRIVACY COMMISSIONERS.
ARMENIA: Quality Assurance (QA) and National Qualifications Framework (NQF) Tbilisi Regional Seminar on Quality Management in the Context of National.

ARMENIA: Quality Assurance (QA) and National Qualifications Framework (NQF) Tbilisi Regional Seminar on Quality Management in the Context of National.
Surveillance – Restoring Trust on the IN, 5 Aug 2014 Lim May-Ann Executive Director

Surveillance – Restoring Trust on the IN, 5 Aug 2014 Lim May-Ann Executive Director
Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.

Navigating Compliance Requirements DCM 6.2 Regs and Codes linford & co llp.
The Defence & Security Public Contracts Regulations 2011 Sub-Contracting and Offset Arrangements Katherine Calder 8 June 2011 16938863.1.

The Defence & Security Public Contracts Regulations 2011 Sub-Contracting and Offset Arrangements Katherine Calder 8 June
Www.dataprotection.gov.je The Data Protection (Jersey) Law 2005.

The Data Protection (Jersey) Law 2005.
New International Laws: the EU Timber Regulation, US Lacey Act and Australian Illegal Logging Law Forest Governance Forum Kinshasa 11-12 September 2012.

New International Laws: the EU Timber Regulation, US Lacey Act and Australian Illegal Logging Law Forest Governance Forum Kinshasa September 2012.
Non-Tariff Barriers in the Trade of Transport Services – Final Report TPT 02/2002T Steering Committee on More Competitive Transportation (including infrastructure)

Non-Tariff Barriers in the Trade of Transport Services – Final Report TPT 02/2002T Steering Committee on More Competitive Transportation (including infrastructure)
CONFIDENTIAL1 TRUSTe Certification & APEC FTC Workshop on Enforceable Codes of Conduct Panel on APEC’s CBPR System November 29, 2012.

CONFIDENTIAL1 TRUSTe Certification & APEC FTC Workshop on Enforceable Codes of Conduct Panel on APEC’s CBPR System November 29, 2012.
Hong Kong Privacy Code on Human Resource Management

Hong Kong Privacy Code on Human Resource Management
Managing Personal Information - Australian Companies Outsourcing to India and the Philippines Professor Margaret Jackson and Marita Shelly.

Managing Personal Information - Australian Companies Outsourcing to India and the Philippines Professor Margaret Jackson and Marita Shelly.
EU: Bilateral Agreements of Member States

EU: Bilateral Agreements of Member States
Rome II Regulation Conflict rules for torts. Rome II Regulation The Regulation defines: the conflict-of-law rules applicable to non- contractual obligations.

Rome II Regulation Conflict rules for torts. Rome II Regulation The Regulation defines: the conflict-of-law rules applicable to non- contractual obligations.
EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.

EU: Bilateral Agreements of Member States. Formerly concluded international agreements of Member States with third countries Article 351 TFEU The rights.
The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.

The role of the Office of the Privacy Commissioner in telecommunications Andrew Solomon Director, Policy.
Per Anders Eriksson

Per Anders Eriksson
Data Protection: International. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.

Data Protection: International. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.
IEKA - Albanian Institute of Authorized Chartered Auditors Towards application of new standards on accounting and auditing – Albanian challenge on implementing.

IEKA - Albanian Institute of Authorized Chartered Auditors Towards application of new standards on accounting and auditing – Albanian challenge on implementing.
Ministry of Transport, Information Technology and Communications Technological base: Interoperability Tsvetanka Kirilova Ministry of TITC Bulgaria.

Ministry of Transport, Information Technology and Communications Technological base: Interoperability Tsvetanka Kirilova Ministry of TITC Bulgaria.

Similar presentations

Ads by Google