Consolidated Workshop Materialsmddb.apec.org/Documents/2019/ECSG/DPS-WKSP/19_ecsg_dps... · 2019....

2019/SOM1/ECSG/DPS/WKSP/001

Consolidated Workshop Materials

Submitted by: CIPL

Workshop on Key Building Blocks for Effective Data Protection and Innovation in the Data Driven Society

Santiago, Chile

25 February 2019


Page 1: Consolidated Workshop Materialsmddb.apec.org/Documents/2019/ECSG/DPS-WKSP/19_ecsg_dps... · 2019. 3. 12. · Korea·EU Personal Data Protection Seminar ’ 16. 7. 17~19 Korean Chamber


25 February 2019, Santiago

Centre for Information Policy Leadership (CIPL) Workshop

Key Building Blocks for Effective Data Protection and Innovation in the Data Driven Society


Agenda

8:30 Registration

9:00 Opening Remarks

9:25 Keynote: The Dual Goal of Enabling Data Protection and Data Driven Innovation

9:45 Session I: Data Protection Developments in Chile, Latin America and Asia-Pacific

10:55 Break

11:10 Session II: The Role of Organizational Accountability in Modern Data Protection Frameworks

12:40 Lunch

13:40 Session III: Key Characteristics and Responsibilities of an Effective National Data Protection Authority

14:55 Break

15:10 Session IV: Ensuring Accountable Cross-Border Data Flows through APEC CBPR and other Mechanisms

17:30 End of Workshop


Opening Remarks

Mathias Francke, Director of Multilateral Economic Affairs and SOM Chair, Chile Ministry of Foreign Affairs

Bojana Bellamy, President, CIPL

Marcelo Drago, President, Chile Council of Transparency


A GLOBAL PRIVACY AND SECURITY THINK TANK

BRIDGING REGIONS
BRIDGING INDUSTRY & REGULATORS
BRIDGING PRIVACY AND DATA DRIVEN INNOVATION

ACTIVE GLOBAL REACH

• 70+ Member Companies
• 5+ Active Projects & Initiatives
• 20+ Events annually
• 15+ Principals and Advisors

• We SHAPE privacy policy, law and practice
• We CREATE and implement best practices
• We INFORM through publications and events
• We NETWORK with global industry and government leaders

Twitter.com/the_cipl

https://www.linkedin.com/company/centre-for-information-policy-leadership

www.informationpolicycentre.com

2200 Pennsylvania Ave NW, Washington, DC 20037

Park Atrium, Rue des Colonies 11, 1000 Brussels, Belgium

30 St Mary Axe, London EC3A 8EP

ABOUT US

• The Centre for Information Policy Leadership (CIPL) is a global privacy and security think tank

• Based in Washington, DC, Brussels and London

• Founded in 2001 by leading companies and Hunton Andrews Kurth LLP

• CIPL works with industry leaders, regulatory authorities and policy makers to develop global solutions and best practices for data privacy and responsible use of data to enable the modern information age


Keynote: The Dual Goal of Enabling Data Protection and Data Driven Innovation

JoAnn Stonier, Chief Data Officer, Mastercard


Session I: Data Protection Developments in Chile, Latin America and Asia-Pacific


Moderator: José Alejandro Bermúdez, Advisor – LATAM, CIPL

• Felipe Harboe, Senator of the Republic of Chile
• Hyunjune Song, Researcher, Korea Internet & Security Agency
• Paula Vargas, Privacy and Public Policy Manager – LATAM, Facebook
• Carolina Lessa, Director of Government Affairs, Latin America, RELX Group
• Danilo Doneda, Professor, IDP
• Manuel O’Brien Hughes, Corporate Affairs Manager, IBM


General Act for Personal Information Protection in Korea since 2011

It has many similarities to, and shares the core principles of, the Network Act

• Strict regulation for each stage of the life cycle of controlling personal information
• Prior opt-in consent
• Stronger protection for sensitive personal information
• Privacy Officer and Privacy Policy
• Data breach notification and report (within 5 days)
• Administrative sanctions, civil liability, imprisonment, etc.
• Personal Information Dispute Mediation Committee
• Self-regulation… etc.


Widely used for regulating personal information protection until PIPA was launched (from 1999 until 2011)

The most experienced data protection act in the private sector in Korea

Run by the independent authority (KCC), as stated by the law

• Notification/reports of breach of personal information (immediately after the accident)
• Order correctional measures to business operators who violate articles
• Imposition of a penalty surcharge and fines
• Power to request the submission of materials - concerning violations and their examination and for the assurance of an order for remedial action


Prior to introducing or modifying personal data files, public institutions should conduct the assessment for the analysis and improvement of such risk factors, and submit its result to the MoIS. (PIPA §33, Decree §35~38)

Applicable to: unique identifier > 50K; in combining more than two files > 500K; one file alone > 1M

Structure

[Diagram: PIA structure. Entities shown: Personal Information Protection Commission (PIPC); Ministry of the Interior and Safety (MOIS); KISA (PIA assessment criteria, training program, etc.); PIA Institutions; Public Institutions. Flow labels: Delegation of authority; Designation; Assessment Request; Assessment Report; Report Submittal; Deliberation Request (if necessary); Deliberation Result; Opinion (+ PIPC deliberation).]


Total of 2,752 personal data impact assessment reports submitted (’14~’18)

| Classification | 2014 | 2015 | 2016 | 2017 | 2018 |
|---|---|---|---|---|---|
| Status of impact assessment | 255 cases | 229 cases | 1472 cases | 474 cases | 322 cases |

There are 17 designated PIA institutions, and they have an obligation to hire at least 10 PIA specialists every 3 years on a regular basis.

| Classification | 1st designation | 2nd designation | 3rd designation |
|---|---|---|---|
| Validity of designation | 12/23/2015 - 12/22/2018 | 3/9/2016 - 3/8/2019 | 8/7/2017 - 8/6/2020 |
| Number of institutions | 5 | 7 | 5 |

The total number of certified PIA specialists is 1,135 (accumulated from 2012 to September 2018).

☞ To be certified as a PIA specialist, a candidate should take KISA’s special education and pass the test, and take continuing education (supplementary education) every 2 years.


Call Center for Illegal Spam, Personal Data, Hacking/Virus

☞ Consulting, Reporting, etc. regarding Internet

| Classification | 2012 | 2013 | 2014 | 2015 | 2016 | 2017 | 2018 |
|---|---|---|---|---|---|---|---|
| Personal information | 164,698 | 175,389 | 155,908 | 149,835 | 96,651 | 103,873 | 163,172 |
| Spam | 112,482 | 105,395 | 134,297 | 117,704 | 81,631 | 53,039 | 45,960 |
| Hacking/virus | 57,710 | 119,247 | 153,046 | 122,475 | 67,779 | 74,037 | 58,333 |
| Internet in general | 16,051 | 9,711 | 4,808 | 3,404 | 2,694 | 2,906 | 6,499 |
| Internet address | 1,856 | 3,191 | 2,519 | 2,367 | 1,895 | 824 | 1,793 |
| Inquiry about KISA’s business | 22,353 | 40,757 | 41,874 | 39,793 | 27,153 | 20,101 | 24,251 |
| Other | 102,242 | 158,806 | 141,308 | 118,086 | 106,508 | 81,627 | 78,170 |
| Total | 477,392 | 612,496 | 633,760 | 553,664 | 384,311 | 336,407 | 378,178 |


Personal Data Managers; Privacy Officers; User Education; Online Education

Regular education for personal data controllers and Privacy Officers (e.g. CPO Workshop); Users( Regional off-site education; Specialized education for mandatory requirements in public area and specialized areas (e.g. medical, labor management, etc.);

(Online) Provided year-round through a personal data protection portal (www.i-privacy.kr) (privacy.go.kr)

Annual training result (at the end of August 2016). Business: personal data managers + Privacy Officers

| Year | ’11 | ’12 | ’13 | ’14 | ’15 | ’16 | ’17 | ’18 |
|---|---|---|---|---|---|---|---|---|
| Business | 7,194 | 17,391 | 37,742 | 63,569 | 51,974 | 47,482 | 48,153 | 69,546 |
| User | 358,149 | 307,350 | 303,880 | 6,909 | 175,335 | 149,330 | 191,095 | 152,400 |
| Total | 365,343 | 324,741 | 341,622 | 70,478 | 227,309 | 196,812 | 239,248 | 221,946 |


2017. 04

2017. 12

2018. 05. 25


| Title | Date | Place | Nation |
|---|---|---|---|
| Korea·EU Personal Data Protection Seminar | ’16. 7. 17~19 | Korean Chamber of Commerce and Industry | |
| Korea·EU GDPR Seminar hosted by KBA | ’16. 11 | The Westin Grand Frankfurt | Germany |
| EU GDPR Introduction session for Korean Businesses | ’17. 5. 29 | Korea International Trade Association | |
| GDPR Open Seminar | ’17. 10. 13 | Riverside Hotel in Seoul | |
| Korea·EU High Level Meeting | ’17. 11. 20 | Headquarter, European Commission | Belgium |
| Korea·EU Data Protection Workshop | ’17. 11. 20 | Committee of Region in Brussels | Belgium |
| GDPR Seminar for Korea Businesses | ’17. 12. 11 | President Hotel in Seoul | |
| GDPR forum with KITA | ’18. 4. 11 | Korea International Trade Association | |
| 2nd Korea·EU Data Protection Workshop | ’18. 4. 19 | Korean Embassy | Belgium |
| GDPR series Seminar | ’18. 4. 27, 5. 4, 5. 11 | KISA Seoul branch | |
| GDPR book Concert | ’18. 5. 25 | Kyobo Building | |
| GDPR Seminar | ’18. 6. 22 | Korean Embassy | France |


MOIS & KCC's joining of the CPEA (2011/2014)
• Join the CPEA (privacy law cooperative enforcement system), as a pre-requisite for CBPR subscription

Study on introduction method of CBPR in Korea (2016)
• Analyze the expected benefits and effective domestic CBPR introduction methods

MOIS & KCC's application for CBPR (2016.12)
• Submitted CBPR vs domestic privacy law comparative analysis

Official approval of APEC (2017.6)
• Formally approved as the fifth member country, following the US, Mexico, Japan and Canada

KISA's application for AA (2017.12)
• KISA is designated as a domestic AA, and officially applies to APEC

Establish domestic operating system (2018)
• Develop domestic certification criteria, operating system guideline, etc.


Thank you.


Session II: The Role of Organizational Accountability in Modern Data Protection Frameworks


Moderator: Bojana Bellamy, President, CIPL

• Sarah Saucedo, Lead Privacy Counsel for Latin America, Mastercard
• Vivienne Artz, Chief Privacy Officer, Refinitiv
• Eric Ancelovici, Executive Director of Big Data, Telefónica
• Mark Jaffe, Senior Vice President and Regional Privacy Officer, Teleperformance


Universal Elements of Accountability

Accountability, Effective Compliance and Protection for Individuals

• Leadership and Oversight
• Risk Assessment
• Policies and Procedures
• Transparency
• Training and Awareness
• Monitoring and Verification
• Response and Enforcement

Organisations must be able to demonstrate accountability – internally and externally


Accountability – Examples of Content of Privacy Management Programmes

Leadership & Oversight

• Executive oversight
• Data privacy officer/office of oversight and reporting
• Data privacy governance
• Privacy engineers

Risk Assessment

• At program level
• At product or service level
• DPIA for high risk processing
• Risk to organisations
• Risk to individuals
• Records of processing

Policies & Procedures

• Internal privacy rules based on DP principles
• Information security
• Legal basis and fair processing
• Vendor/processor management
• Procedures for response to individual rights
• Other (e.g. Marketing rules, HR rules, M&A due diligence)
• Data transfers mechanisms
• Privacy by design
• Templates and tools for PIA
• Crisis management and incident response

Transparency

• Privacy policies and notices to individuals
• Innovative transparency – dashboards, integrated in products/apps, articulate value exchange and benefits, part of customer relationship
• Access to information portals
• Notification of data breaches

Training & Awareness

• Mandatory corporate training
• Ad hoc and functional training
• Awareness raising campaigns and communication strategy

Monitoring & Verification

• Documentation and evidence - consent, legitimate interest and other legal bases, notices, PIA, processing agreements, breach response
• Compliance monitoring as appropriate, such as verification, self-assessments and audits
• Seals and certifications

Response and Enforcement

• Individual requests and complaints-handling
• Breach reporting, response and rectification procedures
• Managing breach notifications to individuals and regulators
• Implementing response plans to address audit reports
• Internal enforcement of non-compliance subject to local laws
• Engagement/Co-operation with DPAs

Organisations must be able to demonstrate - internally and externally


Accountability – Self-Enlightened Interest of Organisations

• Enable new business models, digitalisation, globalisation and data-driven innovation
• Address increased expectations of individuals for transparency, control and value exchange
• Ensure data protection, sustainability and digital trust
• Address regulatory change, impact and implementation
• Mitigate legal, commercial and reputational risks

Proactive data management is a business issue; accountability > legal compliance


Proliferation of Accountability Frameworks

Accountability requires:
• Following substantive privacy rules
• Implementation infrastructure
• Verification
• Ability to demonstrate

Frameworks:
• Corporate Privacy Programs
• Binding Corporate Rules (BCR)
• APEC Cross Border Privacy Rules (CBPR)
• Codes of Conduct
• Certifications & Seals
• ISO Standards


Accountability – Benefits for DPAs and Individuals

DPAs

• Reduces enforcement and oversight burden of DPAs
• Promotes constructive engagement with accountable organisations
• Encourages race to the top rather than race to the bottom

Individuals

• Effective protection and reduced risk/harm
• Empowered, able to exercise rights and complaints
• Trusting and ready to benefit and participate in digital society


How Can DPAs and Policymakers Incentivise Accountability?

• A differentiating or mitigating factor in investigation or enforcement
• “Licence to operate” and use data responsibly, based on organisations' evidenced commitment to data privacy
• Publicly recognising best in class organisations and showcasing accountable “best practices”
• Supporting and guiding organisations (particularly small and emerging companies) on a path towards heightened accountability
• Co-funding between DPAs and industry for research into novel accountability tools
• Offer to play proactive advisory role to organisations seeking to implement heightened accountability
• Using accountability as evidence of due diligence in business processes (outsourcing, IT services etc)
• Enable cross-border data transfers within the company group and to third parties, based on formal accountability schemes
• Articulate proactively the elements and levels of accountability to be expected


Session III: Key Characteristics and Responsibilities of an Effective National Data Protection Authority


Moderator: Bojana Bellamy, President, CIPL

• Noah Phillips, Commissioner, Federal Trade Commission, USA
• Daniele Chatelois, Senior Policy Officer, Office of the Privacy Commissioner, Canada
• Evelyn Goh, Director of Policy, Technology and Trustmarks, PDPC, Singapore
• Hilary Wandall, Chief Data Governance Officer, General Counsel & Corporate Secretary, TrustArc
• Geff Brown, Associate General Counsel, Microsoft
• José Alejandro Bermúdez, Advisor – LATAM, CIPL


The Importance of a Central DPA

DPA

• Centralised expertise to enable safe and reliable digital environment
• Ensures consistency and legal certainty for organisations and individuals
• Promotes uniform standards and best practices for organisations
• Prevents organisations engaging in “forum shopping”
• Harmonises data protection across borders with other nations
• Single voice and point of contact internationally
• One national agenda for the development of data privacy law

Consistent interpretation and application of DP law + Consistent complaint, oversight and enforcement procedures

International representation and cooperation (e.g. ICDPPC, RPID, APPA, GPEN, CPEA, etc.) + Single contact in cross-border enforcement matters


Results Based Approach for Effective DPAs

Strategic, prioritised, risk-based, transparent regulatory policy - must be “selective to be effective”

Favour constructive engagement with accountable organisations and innovative regulatory approaches (e.g. Regulatory Sandbox)

Understand motives for compliance and incentivise and showcase best practices and accountability efforts of organisations

Avoid excessive reliance on deterrence/punishment, but deal firmly with organisations not trying to comply

Collaborate with foreign DPA counterparts and build bridges with different regimes to improve consistency in the global economy - Regulatory guidance; Approaches to enforcement; Mutual cooperation

Leadership
• Top priority, with an emphasis on constructive engagement

Police Officer
• Not the first port of call, reserved for deliberate, wilful or seriously negligent or repeated breaches

Complaint Handler
• Demand-led / Resource-intensive
• Need triage and selection criteria to avoid swamping, justify investigation and use as source of intelligence

Authoriser
• Non-strategic role
• Post facto review of certified self-assurance and accountability is preferred


Framework for Trusted Digital Age

[Diagram labels: Civil Society; Media; Market Forces; Political Forces; Redress Schemes; Certifiers; Effective Regulators; Accountable Organisations; Constructive Engagement; Effective Protection for Individuals and Benefits for Digital Society]


Session IV: Ensuring Accountable Cross-Border Data Flows through APEC CBPR and other Mechanisms


Moderator: Markus Heyder, Vice President and Senior Policy Counselor, CIPL

• Jim Sullivan, Deputy Assistant Secretary, US Department of Commerce
• Shuhei Ohshima, Commissioner for International Cooperation, Japan PPC
• Raymund Liboro, Privacy Commissioner and Chairman, Philippines National Privacy Commission
• Karina Kudakaeva, Researcher at Institute for International Economics and Finance, Russian Foreign Trade Academy
• Harvey Jang, Senior Director, Global Data Protection & Privacy Counsel, Cisco Systems, Inc.
• Josh Harris, Director of Regulatory Affairs, TrustArc
• Sean Heather, Vice President, Executive Director, US Chamber of Commerce
• Gonzalo Navarro, CEO, ALAI
• Ambassador Robert Holleyman, President and CEO, C&M International


Accountability and Interoperable Cross-border Data Flows

Accountability: The cornerstone of corporate digital responsibility, sustainable privacy protection, responsible use of data, and the 4th industrial revolution

• Accountability delivers benefits to organisations, regulators, individuals and society
• Enables compliance with local law requirements
• Enables compliance with cross-border transfer requirements
• Regulators and policymakers must incentivise accountability and accountable organisations

Solutions = Interoperable Accountability Frameworks

• BCR
• Certifications
• CBPR & PRP
• Codes of Conduct
• Privacy Shield
• ISO Standards


APEC CBPR vs. European Union Market Dynamic

| | APEC CBPR Participants (including Philippines) | 28 EU Member States |
|---|---|---|
| Population | 827 Million | 517 Million |
| Total GDP | $31.2 Trillion | $17.31 Trillion |
| % of Global Share | 26.89% | 16.04% |
| Share in World Exports | 26.14% | 15.22% |

CBPR Participating Economies: United States, Japan, South Korea, Mexico, Canada, Singapore, Chinese Taipei, Australia

Economies Preparing to Join CBPR: Philippines

Eligible to Join CBPR: Chile, Peru, Russia, China, Hong Kong, Vietnam, Thailand, Malaysia, Brunei, Papua New Guinea, Indonesia, New Zealand

28 EU Member States: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, UK

* Concept Source: C&M International
** Data Source: IMF World Economic Outlook, WTO Trade Profiles and CIA World Factbook
*** Map not to scale


Privacy Program Certification Interoperability

• Insights from Multi-Certification Projects

© 2016, TRUSTe All rights reserved.

Legend
• Green - substantively interoperable / comparable requirements
• Dark Green - more stringent standard
• Light Green - comparable standard, but narrower application / scope
• Yellow - less stringent standard
• Gray - no known requirement


CBPR Process Overview

Bodies shown: CPEA Administrators; Joint Oversight Panel; APEC Member Economies

CPEA Participation

• Entity meets the definition of a PEA
• Confirmation of PEA status
• Contact Information
• Statement of policies and practices

Economy Participation

• Letter of intent to participate
• Confirm CPEA participation
• Confirm intent to use an endorsed AA
• Description of relevant laws
• Completed enforcement map

Accountability Agent(s) Designation

• Application through notification or nomination
• Description of how 15 recognition criteria have been met


Cross-Border Data Flows, the CBPR and Regulating in the Fourth Industrial Revolution

Raymund E. Liboro

Privacy Commissioner

National Privacy Commission

February 25, 2019

Santiago, Chile


Reference: Computerworld Magazine as noted by the McKinsey Singapore Office

Roughly 210 terabytes per second in 2017


From 2005 to 2015, cross-border data flow grew 45 times.


That’s 1.6 Billion Selfies a Minute


“Laws too gentle are seldom obeyed; too severe, seldom executed.”

Benjamin Franklin


Responsible data flows can only come from responsible companies handling personal data.


NPC 5 PILLARS OF ACCOUNTABILITY AND COMPLIANCE


CIPL ESSENTIAL ELEMENTS OF ACCOUNTABILITY


Accountability and Compliance = Data Privacy Resilience

[Diagram: spectrum from "Non-Accountable/Non-Compliant" to "Accountable and Compliant". Stages shown: Deliberate, Willful violators, Bad Actors; Ignorant; Basic organizational compliance; Operational compliance through heightened organizational accountability and data ethics. Regulatory labels: Responsive Regulation; Constructive Stakeholder Engagement; ENFORCEMENT; Advice, Information, Dialogue, Support; Demonstrating Accountability and Compliance.]

Accountability frameworks like the CBPR could provide the metrics for controllers


2016-2022 Road to Data Privacy Resilience through Accountability Frameworks

Five Pillars of Accountability & Compliance

Certification and Seals

Global Certification

• DPO-ACE (Accountability, Compliance and Ethics) Certification Program

• Privacy Marks and Seals Program

• CBPR: Cross-border Privacy Rules

• GDPR “Adequacy”

• (1) Appoint a DPO

• (2) Know your Risks: Conduct a Privacy Impact Assessment

• (3) Create a Privacy Management Program and Privacy Manual

• (4) Demonstrate accountability and compliance

• (5) Be prepared for Breach

Sectoral/Industry Codes of Conduct

• Privacy Codes of Conduct


Building a culture of privacy and Establishing the NPC as Knowledge Center, Knowledge Authority and Enabler through Technology

Regulatory and Enforcement Strategy (Operations)


Prosecute

Enforce

Regulate

Advise, Inform, Dialogue, Support


Responsive Privacy Regulation

Prosecute

Enforce

Regulate

Advise, Inform, Dialogue, Support

• Compliance Support Contact Center

• Multi-industry Data Privacy Council

• Regular Stakeholder Consultations

• Issuances of Advisory opinions

• Conduct of Information, Education and Communication programs

• Initiating DPO Cert Program

• Launch of Privacy, Safety, Security and Trust Online campaign

• Initiate privacy marks system

• And other accountability programs

• Trust encounters

• Conduct Compliance Checks

• Handle complaints

• Issue Compliance Orders

• Impose Fines

• Recommend Prosecution


Constructive Stakeholder Engagement: The NPC Industry Approach


Data Privacy Council Assemblies: 23 sectors, 525 attendees

DPO Briefing Sessions: 1,382 pax

National Data Privacy Conference: Est. 2,000 pax

463 DPA Orientations (NPC Resource Speakers)

Data Privacy Council Engagement: 23 sectors

135

1

184

42

Social Media Campaigns: 253,589 website visits; 555,097 FB likes; 1,572 Twitter followers

831 Public Affairs: Media coverages, pick-ups, & mentions

21 Stakeholders’ Engagement (Coordination, Consultation & Meetings)

DPO Summits: 2,621 pax including regional summits

20

14

Public Affairs: PR activities, press conferences, TV/Radio/Print Interviews, press statements, etc.

1 Privacy Wall Launch

1 Data Protection Officer Certification Assembly

Highlights: Constructive Stakeholder Engagements of 2018


Raymund Enriquez Liboro

Privacy Commissioner

November, 2018

Thank you for listening!

facebook.com/privacy.gov.ph

twitter.com/[email protected]


The Personal Information Protection Commission’s initiatives

25th February, 2019

Personal Information Protection Commission, Japan (PPC)


The U.S.

TRUSTArc

Mexico

Other APEC Economies are considering participation in the APEC CBPR system!

Participating Economies

The more Economies participate, the greater benefit from the CBPR system will be available. A certified business operator’s brand power will also be built up in the APEC region.

Image of the APEC CBPR system

(Notes) Source of the map above: Ministry of Foreign Affairs’ (Japan) website

Picture image of the cross-border personal data transfer under the APEC CBPR system

KOREA

Canada

JAPAN

JIPDEC

Singapore

Australia

Chinese Taipei


More promotion to increase applicants.

Continuous dialogue between PEA and business sector to improve CBPR system.

Cooperation with other AMEs.

CBPR participating companies in Japan are quite few.

We still have a way to go.


In November 2011, Japan participated in CPEA (Cross border Privacy Enforcement Arrangement).

In April 2014, Japan also participated in the APEC CBPR System.

In January 2016, JIPDEC was approved as Japan’s first Accountability Agent.

In December 2016, JIPDEC certified Inta Sect communication, Inc. as the first CBPR-certified company in Japan. (The second certified company is GMO GlobalSign K.K., which was certified in May 2018. The third is Paidy Inc., certified in December 2018.)

The APEC CBPR system and Japan

Japan’s participation in the CBPR System


Personal data provision to a foreign third party under the Act on the Protection of Personal Information (APPI)

In any of the following cases, personal data may be provided to a third party in a foreign country in the same way as in-country (Article 24):

(1) Cases in which the foreign country or region has been designated by the PPC rules;

(2) Cases in which a third party in a foreign country has established and maintains a system that conforms to the standards prescribed by the PPC rules;

- The CBPR certification is included.

(3) Cases in which the data subject has consented to the provision to a foreign third party.

The PPC’s initiatives on promotion of the CBPR system


Participation in the AASG (Administration and Accountability Study Group)

Dissemination of CBPR promotion brochures

Seminars: 260 times, reached about 26,200 participants in total (from FY2016) in Japan

CBPR Workshops at international conferences and fora (in particular, the side event at the 39th ICDPPC in 2017)

The PPC’s initiatives to promote the CBPR system


The reason why the PPC is promoting the CBPR system

Practicability

Developed based on one of the global standards

Ensuring a baseline of privacy protection in line with the OECD Privacy Principles, on which the APPI (Japanese data privacy law) is also based

Potential for making the APAC region one of the largest areas of safe and smooth data flows

Best suited to the complicated APAC region

Balancing privacy protection and promotion of utilization (data flows)


Enhancement of the level of protection

Effective remedy

Vitalizing economic activities

Effective Enforcement

Benefits of the CBPR system

Benefits of the CBPR system from the viewpoint of the Privacy Enforcement Authority:


In Japan, an organization must be an Accredited Personal Information Protection Organization in order to become an AA.

An Accredited Personal Information Protection Organization is a state-recognized private membership organization.

Accredited Personal Information Protection Organization

Member entities

Consumers

Providing information

Giving instructions

Issuing recommendations

Handling complaints

PPC

Accrediting

Enforcement scheme in Japan


(1) AA’s monitoring

Monitors certified companies as needed.

Processes complaints.

Requests additional reviews, suspends the certification, or cancels the certification, depending on the situation.

(2) The PPC’s enforcement

Onsite Inspection (Article 40)

Administrative Instruction and Advice (Article 41)

Recommendation and Order (Article 42)

Enforcement to certified companies

Enforcement scheme in Japan


GDPR (EU to Japan):

Adequacy decision

Binding corporate rules

Standard data protection clauses

Consent

APPI (Japan to EU):

System has been established

Consent

Designation of a country or a region

Regulations on Cross-border Data Transfer in the EU and Japan


Activities Concerning the Transfer of Personal Data between Japan and the EU

July 2016: PPC decided on a policy to establish a framework of mutual data transfer between Japan and the EU

July 2017: Confirmation including the concrete measures (*) etc. to construct a framework for smooth personal data transfer between the EU and Japan

* Japan side: A designation of the EU based on Article 24 of APPI

* EU side: An adequacy decision on Japan based on Article 45 of GDPR

July 2018: Final agreement between PPC and EC on establishing the framework for mutual smooth personal data transfer between Japan and the EU

January 2019: The framework for mutual and smooth transfer of personal data between Japan and the EU has come into force


Future Framework of data flow

Certification derived from CBPR system

Certification under GDPR

Certification derived from CBPR system

Participants from third countries

APEC-CBPR economies

EU