Ten years ago, APEC inserted energy into the global debate on privacy management. They did so by creating the Data Privacy Subgroup (“DPS”) to develop a governance structure for assuring consumer confidence in regional flows of data for electronic commerce in a region where privacy protections were inconsistent and diverse. Asian economies had begun to use information and communications technologies to drive their economies forward. Outsourcing to Asia led to a growing concern that data flowing from the United States and other countries with privacy laws would not be protected. At the same time, European adequacy requirements inhibited the global flow of data, and some worried that adequacy laws would spread to other locations. There was a broad demand for trust building solutions so privacy would not inhibit trade in services.
The Data Privacy Subgroup took on the task of developing a privacy framework for the Asia Pacific Community. It was a diverse group of individuals sitting at the table, truly multi-stakeholder. The attendees included government leaders, privacy agencies, consumer protection offices, civil society, business and think tanks. The group began with the OECD Privacy Guidelines, but it made significant changes. Concepts such as prevention of harm were part of the group’s innovation along with transfer governance being part of organizational accountability. The work at APEC had influence on the development of BCRs in Europe and data protection law beyond the APEC region.
A decade later, I have just returned from attending the meeting of the DPS during 6-10 August in Beijing. Today, we have an APEC process deeply rooted in implementing a certification system that has promise but is troubled by slow progress. Canada will soon join the United States, Japan and Mexico as economies that have joined, or will seek to join, the certification system. Each of those countries will need to identify one or more accountability agents. Currently, there exists only one approved accountability agent, TRUSTe. We need more accountability agents, and that requires corporate demand for certification. For that to happen, there need to be compelling incentives – both positive and negative – for companies to seek certification. Broad restrictions on cross-border data flow and the corresponding administrative burdens act as an incentive for European BCRs. Such requirements, for the most part, exist in fewer than a majority of countries in the APEC region. So, the push needs to come from either market forces or policy maker encouragement. Currently, that push is not visible. The companies seeking certification consist of those that want a total solution that covers both Europe and Asia. For them, the ongoing interoperability work between APEC and the WP29 is crucial. But that is not enough to create new energy in APEC.
So what will?
First, the DPS needs new endeavours that match the new privacy challenges emerging in the information age. Effective governance for observational technologies and advanced analytics is a necessity. In other words, protections must be established for individuals when consent (the APEC term is choice) is not sufficient. There is a growing global debate about legal bases for processing beyond consent, and the APEC DPS needs to be part of that conversation. European law includes a legal basis for processing called legitimate interest that has been the nexus for the discussion. A similar concept needs to be part of the APEC discussion.
Second, data governance concerns must move beyond privacy to include other individual and societal interests and impact. Information technologies drive the broad distribution of the benefits of an information age, including new opportunities, greater trade, better education and a healthier public. There are also risks associated with the implementation of these new technologies. However, the risk abatement process needs to include reticence risk as well as privacy. The domain for the parent Electronic Commerce Group needs to be this balanced approach to governance so individuals’ varying interests have protection as we break down the regional barriers to information-driven trade. Trade is no longer just about containers with computers, clothing and other hard goods. Trade is about the movement of data to support global medical research, software development, and distributed business processes. This needs to be reflected at the ECSG.
Third, privacy enforcement agencies in the APEC region need to have a greater role in APEC’s policy discussions. They have their own group, the Asia Pacific Privacy Agencies (“APPA”). Ten years ago, regulators drove much of the work at APEC. Today, some are still present, but not enough. The APEC and APPA processes need to be better linked.
Fourth, interoperability between Europe and APEC needs to include not only cooperation in the certification process itself but also discussions of substantive policy matters such as legitimate interests and the corresponding accountability of organizations that rely on such interests as the basis for data processing. Today, the privacy laws of many APEC members rely heavily on consent. Yet, certification systems will have to deal with protection beyond consent, and that means breaking new policy ground together. That is not currently part of the interoperability work plan.
Lastly, the private sector throughout the APEC region needs to treat demonstrating its trustworthiness as a business imperative. Companies should not wait for an explicit push from government but see it as part of a global trust strategy. Today, every company discusses how to utilize advanced analytics, also known as big data. Cloud and the internet of things make having a comprehensive privacy program a necessity, and certification is part of that process. Therefore, business needs to consider embracing certification as a means of demonstrating trustworthiness while being innovative with data.
The time to reinvigorate the privacy process in APEC is now.