
APEC Privacy Framework: Viewpoints from the FTC, TRUSTe & Marty Abrams

One of the sessions I attended at the IAPP Privacy Academy this past week was "APEC Update - Self Regulatory Approaches to Cross Border Transfers of Personal Data." The presenters were: Pamela Jones Harbour, Commissioner, Federal Trade Commission (FTC), Marty Abrams, Executive Director, Center for Information Policy Leadership, and Fran Maier, Executive Director and President, TRUSTe.

It was an interesting session, and I got some good information during the quick hour.

Here are my notes as I took them (admittedly sketchy in places...but, hey, they're notes!):

* Pamela Jones Harbour:

- The U.S. will lead the Pathfinder project.

- Australia provides a good flexible model for Cross Border Privacy Rules (CBRs).

- Goal of CBRs: to preserve privacy of data going outside country borders. Countries need to determine, will the APEC privacy framework work for them?

- There is widespread misunderstanding about the APEC framework, Pathfinder project and the CBRs. Many have erroneously reported that the APEC privacy framework will only go into effect AFTER harm from incidents has occurred. This is WRONG. The APEC framework is meant to help protect and prevent harm.

- U.S. approach will include self regulation in addition to regulatory oversight.

- Trustmarks can refer violators to the FTC.

- U.S. implementation has 4 elements from the FTC perspective:

1) Self Assessment: what qualifies organizations to participate? Consultation and vetting of rules.

2) Review and Accredit (by Trustmarks) organizations for participation.

3) Create procedure to communicate the list of certified organizations to other countries. The Department of Commerce will enforce.

4) Dispute resolution & enforcement: FTC and other government agencies will enforce.

- OECD recently issued guidance for cross border data sharing.

- They (FTC) will launch a test pilot in January 2008.

* Marty Abrams:

- "There is nothing self regulatory about the APEC framework." If an organization is not complying with the APEC framework after they indicate participation, they are subject to Section 5 of the FTC Act (unfair and deceptive business practices).

- Described a hypothetical 5-country situation for the APEC framework.

- Discussed the accountability concepts.

- It will be easier to qualify individual organizations to be "adequate" (a safe entity) than it will be for qualifying an entire country. For example, the EU has identified the countries that they consider as having adequate security and privacy protections. It will be better through the APEC framework to determine if each organization has adequate protections. [To me this makes much more sense than the country-level determination.]

- Principle 8 of the APEC framework, the adequacy concept, is in many ways an updating of the corresponding OECD privacy principle.

- The accountability concept in the FTC Act is going to be applied when sending data outside the U.S.

- Organizations must demonstrate:

1) Privacy policies and procedures match to APEC framework; they must prove this to Trustmarks.

2) Show they are accountable for the statements they make about privacy protections.

- Predicts the APEC framework will spread worldwide and define how BCRs are created in Europe.

- Accountability agents (Trustmarks) will operate with the backing and support of the U.S. government.

* Fran Maier:

- TRUSTe was selected for the Pathfinder accountability test.

- Why are Trustmarks considered the accountability agent?

1) Flexibility
2) Practical knowledge
3) Doing 10th update to stay current
4) Very responsive
5) Evaluate - elevate - reward (the basic Trustmark process)


* Q&A:

- Will current EU Safe Harbor participation have an impact on qualifying for Pathfinder/APEC framework? If organizations are currently participating in the EU Safe Harbor program, they will find they will already have much of the Pathfinder work done, but just being in Safe Harbor is not a shoo-in for Pathfinder participation. Safe Harbor participants will still have to fill in the paperwork and provide all the same types of documentation that the non-Safe Harbor applicants must provide.

- New term is "accountability agent."

- CBR versus APEC? CBRs are individual agreements with ~27 EU countries. If an organization has a process for CBRs it will facilitate APEC compliance, but it will not be a replacement.

- Does APEC put the burden on consumers to establish harm? One of the 9 principles is preventing harm. You can show actual harm, potential harm and prevention of harm.

- Listen to the statement from the Australian commissioner.

- What will be the enforcement mechanism? Memorandums of understanding.

- Any plans to lift the concept of the APEC framework to World Trade Organization (WTO) levels? No; this would be inappropriate. The WTO involves the white house and other country heads. The APEC framework is focused on getting the regulatory agencies within each of the countries to work together.


Rebecca Herold's Bio:

Rebecca Herold, CISSP, CIPP, CISM, CISA, FLMI, has been providing information security, privacy and regulatory assistance and services to organizations from a wide range of industries for over 18 years. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the CSI Information Security Program of the Year Award in 1998. IT Security ranked Rebecca as one of the top 59 IT security influencers, and Computerworld put Rebecca on their list of the 25 top privacy experts and on their list of the 9 best privacy consulting firms. Rebecca has been CPO for two consulting organizations, and has had her own information privacy, security and compliance business since 2004. Rebecca has written chapters for several books and dozens of articles, has been writing a monthly privacy column for the CSI Alert newsletter since the beginning of 2001, and is working on her 11th book. Some of her other books include The Privacy Papers, Managing an Information Security and Privacy Awareness and Training Program, The Definitive Guide to Security Inside the Perimeter (Realtime Publishers), The Shortcut Guide to Improving IT Service Support through ITIL (Realtime Publishers), and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, Rebecca is the leader of The Realtime IT Compliance Community where she posts to her IT Compliance weblog. You can contact Rebecca at: rebecca_herold@realtimepublishers.net.