25 February 2015

APEC Privacy Framework

The APEC Data Privacy Subgroup meeting in the Philippines earlier this month featured a "comparative review" [PDF] by Australia, Canada and New Zealand of the 2013 changes to the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in relation to the APEC Privacy Framework. The review is "a contribution to the APEC Privacy Framework Stocktake".

The review document comments that, in updating the APEC Framework:
The approach to be taken in any concrete proposals need not be identical to the approach taken by the OECD Guidelines as they must suit APEC conditions and objectives. However, the DPS should give some weight to the benefits of maintaining consistency with the OECD where that enhances interoperability and the facilitation of data transfers beyond the APEC region. 
The document offers the following findings:
A. The 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data were the foundation and starting point for developing the APEC Privacy Framework.
B. The OECD Guidelines and APEC Framework have the same objectives and contain many similarities in terms of structure and content.
C. After 30 years of operation, the OECD Guidelines underwent a major review by experts resulting in the adoption of significant updating changes in 2013.
D. The 2013 changes modernised and supplemented the Guidelines, to make them more effective for the changed technological and business environment, while maintaining the 1980 principles unchanged and basic structure of the Guidelines intact.
E. Given that the origins of the APEC Framework lie in the 1980 version of the OECD Guidelines that are now superseded, and that substantial effort and expertise has gone into updating those Guidelines, it is fitting that the Stocktake should be based on an understanding and consideration of the 2013 updates to the 1980 OECD Guidelines.
F. As a result of the 2013 changes, there are several areas in which the APEC Framework is now lacking counterpart content to the OECD Guidelines.
G. The review has identified several areas where the APEC Framework may benefit from updating in areas where changes have been made to the OECD Guidelines.
It accordingly recommends the development of "concrete proposals" for updating the APEC Privacy Framework, in particular through:
a. Incorporation of the concept and elements of a privacy management programme into the APEC Framework Part IVA (Guidance for domestic implementation).
b. Adding breach notification into the APEC Framework at Part IVA(V) (Guidance for domestic implementation: Providing for appropriate remedies in situations where privacy protections are violated).
c. In Part IVA (Guidance for domestic implementation), include new content promoting:
i. Economy privacy strategies.
ii. Technical measures that will help protect privacy.
iii. The establishment of privacy enforcement authorities with reference to their role and the attributes and support needed for such authorities.
d. In Part IVB (Guidance for international implementation), include text promoting:
i. Interoperability with privacy frameworks based outside the APEC region.
ii. Internationally comparable metrics to inform policy making in relation to privacy.
e. In Part IVB (Guidance for international implementation), in existing part (III) or as a new part (IV), outline the factors to be considered in balancing trade considerations when restricting cross‐border transfers for reasons of privacy.
f. Make suitable updates to the preface and facing page commentary.