1. © 2014 IBM Corporation Mapping APEC CBPRs onto EU BCRs Anick Fortin-Cousens Privacy Officer, Canada, Latin America, Middle East & Africa Program Director, Corporate Privacy IBM Corporation

2. © 2014 IBM Corporation22 IBM at a Glance 400,000+ employees170+ countries CloudAnalyticsMobile Cognitive Computing Security Social First company to be CBPR- certified

3. © 2014 IBM Corporation3  Issue  Cross border data flow is critical to trade, growth and innovation  Individuals need assurance that their personal information will receive the same level of protection regardless of where it flows  Compliance with various rules on cross border data flows can be difficult, and such rules do not necessarily guarantee adequate treatment  Practical solution: certified accountability  Focuses on the adequacy of an organization’s policies and practices to protect data regardless of where it flows  Requires organizations to be answerable to regulators for the effectiveness of those policies and practices  Makes use of third party assessments and regulatory enforcement to provides credible evidence of trustworthiness Certified Accountability as a Basis for Cross Border Data Transfers

4. © 2014 IBM Corporation4  Certified accountability as a basis for interoperability  Regional “interoperability”- the ability of diverse systems to work together- through certified accountability is already in effect in the EU and is underway in APEC  Interoperability between countries and regions is desirable and achievable  We must look for these building blocks Certified Accountability as a Basis for Interoperability 1. Baseline level of privacy protection 2. Expressed through internal rules and policies 4.Demonstrated via initial and ongoing methods 3.Enforceable via redress mechanisms

5. © 2014 IBM Corporation5 Certified Accountability- Other Benefits Business  Increased trust from stakeholders  More robust privacy programs and practices  Improved compliance with local standard  Ability to demonstrate good faith efforts in case of enforcement Individuals  Enhanced privacy protection  User-friendly and streamlined complaint handling  Coordinated government enforcement  Ability to continue to embrace innovative products and services that benefit them Government  Facilitate two important policy objectives: trade and privacy  Facilitate cross-border cooperation  Provides credible evidence of viability of privacy protections through flexible and adaptable accountability schemes  Provides for greater economic rewards

6. © 2014 IBM Corporation6 The Road to Success to Further Adoption APEC CBPR  Critical mass must be achieved  United States, Mexico and Japan have joined; Canada in process of accession  Only one approved Accountability Agent to date  Interest on the part of business:  IBM, Merck, Apple, HP, Ziff Davis, Lynda.com, Workday, Yodlee, with at least a dozen more in progress in just over a year of existence– and in the US only  Impediments to adoption  Endorsement of commitments by APEC economies is non-binding  In a “chicken and egg” situation at present, although beginning to see positive movement  Tangible incentives need to be made available for companies to join

7. © 2014 IBM Corporation77 Anick Fortin-Cousens acousens@ca.ibm.com acousens@ca.ibm.com 1.613.836.4751