interoperable solutions for cross border data transfers – apec, cbpr, bcr from truste

1 v Privacy Insight Series v

Solutions for Cross Border Data

Transfers: APEC CBPRs, BCRs

and Global Interoperability

December 9, 2015

2 v Privacy Insight Series

Today’s Speakers

Josh Harris

Director of Policy

TRUSTe

Hilary Wandall

AVP Compliance & Chief Privacy Officer

Merck & Co., Inc

Melinda Claybaugh

Counsel for International Consumer Protection,

Federal Trade Commission


Agenda

• Welcome

• Global Interoperability and the Safe Harbor Ruling Josh Harris

• Interoperability in Practice: Utilizing CBPR Certification to

Demonstrate Requirements for BCR Approval Hilary Wandall

• Cross-Border Enforcement Co-operation Melinda Claybaugh

• Q&A


Josh Harris, Director of Policy, TRUSTe

Global Interoperability and the

Safe Harbor Ruling


• US Secretary of Commerce: "A solution is within hand. We had an

agreement prior to the court case. I think with modest refinements that

are being negotiated we could have an agreement shortly.”

• EU Justice Commissioner Jourová: “… The Commission aims to

conclude negotiations in January 2016.”

• Current Negotiation Activities:

- EU Delegation to DoC in November

- December 17 Stocktake

Prospects for a Renewed Safe Harbor


Economy-Level Updates:

• Japan

• China

• Mexico

• Singapore

• Hong Kong

• Australia

• Peru

Practical Interoperability:

• CBPR as basis for global privacy policy

• CBPR as basis for Safe Harbor?

• CBPR as basis for BCR…

APEC Update


Creation of Joint EU-APEC Working Team:

– Recognized value of collaboration to provide industry greater clarity on how to

meet requirements of EU and APEC simultaneously

Development of “Referential”:

‒ Mapped requirements of APEC CBPR System and EU BCR System

‒ Identified common and divergent elements to help inform companies seeking

to develop policies and practices in compliance with both systems

‒ APEC Data Privacy Subgroup expression of interest to Article 29 Working

Party regarding tools recommended by joint working team in January 2015

Next Steps:

‒ Work together to develop practical tools to facilitate dual certification to

complement referential: Meetings held in most recently in Amsterdam,

discussions to continue at APEC 2016 in Peru.

Status of APEC-Art. 29 Interoperability Project


Interoperability in Practice: Utilizing CBPR

Certification to Demonstrate

Requirements for BCR Approval

Hilary Wandall

AVP Compliance & Chief Privacy Officer, Merck & Co., Inc.


Benefits of Framework Approaches to Cross-Border Compliance

• competitive advantage – frameworks (e.g., CBPR, BCR, Safe Harbor)

provide a legal basis for efficiently transferring data across country

borders in compliance with the data transfer restrictions of the privacy

laws in these regions

• compliance advantage – they are based on demonstration of

organisational accountability and stewardship in how we operate rather

than complicated transactional documentation that is resource-intensive

to maintain

• reputational advantage among regulators, customers and the public

based on trust that the certified organisation responsibly protects data

across countries, regions, and ultimately globally


Our Approach to Interoperable Privacy Frameworks

10

BCRs

http://www.msd.com/privacy/cross-border-privacy-policy/










Framework Interoperability Gap Analysis


Cross-Border Enforcement Co-operation

Melinda Claybaugh, Counsel for International Consumer Protection,


Note: The views expressed are mine alone and not necessarily those of the Federal Trade

Commission or any individual Commissioner.

Melinda Claybaugh Counsel for International Consumer Protection,



Overview of Cross-Border Enforcement Cooperation

• Authority: US SAFE WEB Act

• Mechanisms: GPEN, CPEA, MOUs

• Examples of successful cooperation

The Federal Trade Commission


SAFE WEB Act Enhanced Enforcement Powers

• Information Sharing: FTC may share confidential

information with foreign law enforcers.

• Investigative Assistance: FTC may provide

investigative assistance to foreign law enforcers in

certain cases by, for example, issuing a Civil

Investigative Demand.


FTC Use of SAFE WEB Tools

• Information Sharing: Provided evidence in

response to 63 information-sharing requests from 17

foreign law enforcement agencies in 9 countries (as of

mid-2012).

• Investigative Assistance: The FTC has issued 52

civil investigative demands in 21 investigations on

behalf of 9 agencies in 5 countries (as of 2012).


Global Privacy Enforcement Network (GPEN)

• Network of public privacy enforcement authorities

• Range of Activities

• “GPEN Alert” secure information-sharing system


APEC Cross-Border Privacy Enforcement Arrangement

• 26 members from 9 economies

• Practical mechanism allowing PEAs to cooperate in cross-

border privacy enforcement by sharing information and

providing assistance.


Memoranda of Understanding

• MOUs with Dutch, Irish, and UK Data Protection Authorities

• Sets out the agencies’ intent regarding mutual assistance

and procedures for sharing information and providing

assistance.


Examples of Successful Cooperation

• Many public examples in fraud cases

– In Canadian Competition Bureau case against a phone company, District Court of

MD ordered compliance with FTC civil investigative demand.

– Robocalls, spam

• GPEN Alert

• Under CPEA: Australia/Canada cooperation on data breach

investigation.


Questions?


Josh Harris [email protected]

Hilary Wandall [email protected]

Melinda Claybaugh [email protected]

Contacts

mailto:[email protected]


See http://www.truste.com/insightseries for details of our 2016 Privacy

Insight Series and past webinar recordings.

Thank You!

http://www.truste.com/insightseries

interoperable solutions for cross border data transfers – apec, cbpr, bcr from truste

Documents

privacy laws

global privacy policy

cbpr certification

bcr apec update

apec cbprs

requirements of eu

status of apec

truste global interoperability