Solutions for Cross Border Data Transfers: APEC CBPRs, BCRs and Global Interoperability
December 9, 2015

Privacy Insight Series



Today's Speakers

Josh Harris
Director of Policy
TRUSTe

Hilary Wandall
AVP Compliance & Chief Privacy Officer
Merck & Co., Inc.

Melinda Claybaugh
Counsel for International Consumer Protection,
Federal Trade Commission


Agenda
Welcome
Global Interoperability and the Safe Harbor Ruling

Josh Harris

Interoperability in Practice: Utilizing CBPR Certification to Demonstrate Requirements for BCR Approval

Hilary Wandall

Cross-Border Enforcement Co-operation

Melinda Claybaugh

Q&A


Global Interoperability and the Safe Harbor Ruling
Josh Harris, Director of Policy, TRUSTe


Prospects for a Renewed Safe Harbor


US Secretary of Commerce: "A solution is within hand. We had an agreement prior to the court case. I think with modest refinements that are being negotiated we could have an agreement shortly."

EU Justice Commissioner Jourová: The Commission aims to conclude negotiations in January 2016.

Current Negotiation Activities:


- EU Delegation to DoC in November
- December 17 Stocktake


APEC Update
Economy-Level Updates:
- Japan
- China
- Mexico
- Singapore
- Hong Kong
- Australia
- Peru

Practical Interoperability:
- CBPR as basis for global privacy policy
- CBPR as basis for Safe Harbor?
- CBPR as basis for BCR

Status of APEC-Art. 29 Interoperability Project


Creation of Joint EU-APEC Working Team:
- Recognized value of collaboration to provide industry greater clarity on how to meet requirements of EU and APEC simultaneously

Development of Referential:
- Mapped requirements of APEC CBPR System and EU BCR System
- Identified common and divergent elements to help inform companies seeking to develop policies and practices in compliance with both systems

APEC Data Privacy Subgroup expression of interest to Article 29 Working Party regarding tools recommended by joint working team in January 2015

Next Steps:
- Work together to develop practical tools to facilitate dual certification to complement referential: meetings held most recently in Amsterdam, discussions to continue at APEC 2016 in Peru.

Interoperability in Practice: Utilizing CBPR Certification to Demonstrate Requirements for BCR Approval
Hilary Wandall
AVP Compliance & Chief Privacy Officer, Merck & Co., Inc.


Benefits of Framework Approaches to Cross-Border Compliance


- Competitive advantage: frameworks (e.g., CBPR, BCR, Safe Harbor) provide a legal basis for efficiently transferring data across country borders in compliance with the data transfer restrictions of the privacy laws in these regions
- Compliance advantage: they are based on demonstration of organisational accountability and stewardship in how we operate rather than complicated transactional documentation that is resource-intensive to maintain
- Reputational advantage: among regulators, customers and the public, based on trust that the certified organisation responsibly protects data across countries, regions, and ultimately globally


Our Approach to Interoperable Privacy Frameworks

BCRs


http://www.msd.com/privacy/cross-border-privacy-policy/


Framework Interoperability Gap Analysis


Cross-Border Enforcement Co-operation


Melinda Claybaugh, Counsel for International Consumer Protection,
Federal Trade Commission


Note: The views expressed are mine alone and not necessarily those of the Federal Trade Commission or any individual Commissioner.

Melinda Claybaugh
Counsel for International Consumer Protection,
Federal Trade Commission

Overview of Cross-Border Enforcement Cooperation


Authority: US SAFE WEB Act
Mechanisms: GPEN, CPEA, MOUs

Examples of successful cooperation


The Federal Trade Commission

SAFE WEB Act Enhanced Enforcement Powers

- Information Sharing: FTC may share confidential information with foreign law enforcers.
- Investigative Assistance: FTC may provide investigative assistance to foreign law enforcers in certain cases by, for example, issuing a Civil Investigative Demand.


FTC Use of SAFE WEB Tools


Information Sharing: Provided evidence in
response to 63 information-sharing requests from 17
foreign law enforcement agencies in 9 countries (as of
mid-2012).
Investigative Assistance: The FTC has issued 52
civil investigative demands in 21 investigations on
behalf of 9 agencies in 5 countries (as of 2012).


Global Privacy Enforcement Network (GPEN)

Network of public privacy enforcement authorities

Range of Activities
GPEN Alert: secure information-sharing system


APEC Cross-Border Privacy Enforcement Arrangement


26 members from 9 economies
Practical mechanism allowing PEAs to cooperate in cross-border privacy enforcement by sharing information and providing assistance.


Memoranda of Understanding
MOUs with Dutch, Irish, and UK Data Protection Authorities
Sets out the agencies' intent regarding mutual assistance
and procedures for sharing information and providing
assistance.


Examples of Successful Cooperation


Many public examples in fraud cases
In Canadian Competition Bureau case against a phone company, District Court of
MD ordered compliance with FTC civil investigative demand.
Robocalls, spam

GPEN Alert
Under CPEA: Australia/Canada cooperation on data breach
investigation.


Questions?


Contacts
Josh Harris: jharris@truste.com
Hilary Wandall: hilary_wandall@merck.com
Melinda Claybaugh: mclaybaugh@ftc.gov

Thank You!
See http://www.truste.com/insightseries for details of our 2016 Privacy
Insight Series and past webinar recordings.
