1. www.informationpolicycenter.com A Perspective: Data Flow Governance in Asia Pacific & APEC Framework Martin Abrams October 21, 2008

2. www.informationpolicycenter.com My Experience  Lead a global information policy think tank financially supported by 40+ companies  21 years experience in privacy with consistent focus on global data flows  Deep involvement in Asia Pacific over the last five years  Co-organizer of two privacy conferences in China with Professor Zhou Hanhua 2

3. www.informationpolicycenter.com 3  Law in Canada, Hong Kong, New Zealand and Australia based on traditional data protection concepts  US law consumer protection based, but individual autonomy a value  Asian cultural views of individual autonomy are different  However, protection of individuals from the harmful use of information or the negative effects of bad security reamin highly relevant  AP data governance must be inter-operable with this mosaic International Differences are a Challenge

4. www.informationpolicycenter.com 4 Breaking Privacy into its Elements is Helpful  Elements include:  Information security  Consumer protection  Cultural aspects, such as autonomy  Security and consumer protection are common from place to place, system to system  Autonomy is different everywhere  Global companies must build respect for those differences and be accountable for promises

5. www.informationpolicycenter.com Looking at APEC 5

6. www.informationpolicycenter.com 6 APEC Privacy Framework  Developed over the past five years  Based on OECD with a few changes  Prioritization based on prevention of harm  Transfers based on accountability  Domestic implementation – flexible  International implementation – Cross Border Privacy Rules

7. www.informationpolicycenter.com 7 Nine APEC Privacy Principles 1. Preventing Harm – privacy protections should focus on preventing harm and misuse 2. Notice – clear & easily accessible 3. Collection Limitation – collect what’s relevant in a lawful & fair manner 4. Uses of Personal Information – for expected and compatible purposes, with consent, or where necessary 5. Choice – where appropriate, provide clear, accessible mechanism to exercise choice

8. www.informationpolicycenter.com 8 Nine APEC Privacy Principles 6. Integrity – personal information should be appropriate, accurate, complete and up-to-date 7. Security – appropriate safeguards to protect against unauthorized access, use, modification or disclosure 8. Access & Correction – important (but not absolute) rights 9. Accountability – controllers are accountable for compliance with all Principles and must use reasonable steps to ensure that recipients of personal information also comply

9. www.informationpolicycenter.com APEC Framework Has Two Pathways  Domestic implementation  International Implementation  Governance for the flow of data between APEC members  Basis is Corporate Privacy Rules 9

10. www.informationpolicycenter.com 10 What Are Cross Border Privacy Rules?  A matching of corporate policies against APEC principles  A requirement that organizations honor the obligations that come from local law and promises made when collecting data  Functionally similar to BCRs  Implements accountability principle

11. www.informationpolicycenter.com Accountability Rooted In Data Protection History  OECD Principle 8  APEC Principle 9  “A personal information controller should be accountable for complying with the measures that give effect to the Principles stated above. When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles.”  Canadian Privacy Law 11

12. www.informationpolicycenter.com 12 How Do They Work?  Organization completes documents that demonstrate that it has the capacity to honor a set of cross border privacy rules  The application is reviewed by an accountability agent  The organization’s cross border privacy rules are recognized  Complaints are processed by accountability agents and government agencies that supply oversight

13. www.informationpolicycenter.com 13 Where Do We Stand?  9 APEC pathfinder projects  Cover all aspects of the program  Company CBPRs  Approvals  Accountability agents  Cooperation between enforcement agencies  Complaints  Documents being finalized  Testing in 2009  Overseen by Data Privacy Subgroup

14. www.informationpolicycenter.com Process Lessons  The APEC process has profited from the active participation of privacy enforcement agencies, governments, civil society and business  Accountability agencies must be answerable and overseen by enforcement agencies, but play an important role in assuring accountability  The globalization of privacy is teaching us many lessons applicable to the future. 14

15. www.informationpolicycenter.com How to Reach Me mabrams@ hunton.com 15