During the week of February 25, 2019, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP participated in the meetings of the APEC Data Privacy Subgroup (“DPS”) and Electronic Commerce Steering Group (“ECSG”) in Santiago, Chile. CIPL enjoys formal guest status and a seat at the table at these bi-annual APEC privacy meetings.
In connection with these meetings, CIPL was asked by the General Directorate of International Economic Relations of Chile’s Ministry of Foreign Affairs to organize an official workshop for the APEC DPS and ECSG delegates from the participating APEC-based governments and data protection authorities, as well as for local Chilean government and industry stakeholders and other international industry and academic stakeholders. The purpose of this workshop was to support APEC’s privacy and data protection work and provide a forum to exchange experiences and global perspectives on key issues relating to data protection in an era of rapid technological change.
CIPL’s workshop was the first official APEC ECSG/DPS event in Santiago, kicking off a weeklong series of meetings by these groups on the further implementation of the APEC Cross-Border Privacy Rules (“CBPR”) and other privacy and data protection related issues of interest to these groups, including, among other issues, the intersection between privacy laws and emerging technologies, potential updates to the APEC Privacy Framework, data portability, cross-border enforcement cooperation and privacy law and policy developments in the 21 APEC member-economies. A portion of the meetings also concerned possible future work on interoperability between the APEC and EU cross-border transfer mechanisms.
CIPL’s February 25 workshop on “Key Building Blocks for Effective Data Protection and Innovation in the Data Driven Society” featured opening remarks by Mathias Francke, the Director of Multilateral Economic Affairs and SOM Chair from Chile’s Ministry of Foreign Affairs, and Marcelo Drago, the President of Chile’s Council of Transparency, and a keynote by Mastercard’s Chief Data Officer on the dual goal of enabling data protection and data-driven innovation.
This was followed by updates from various speakers, including Senator Felipe Harboe from Chile, on the status of Chile’s privacy law development process, Brazil’s implementation of its new privacy law, South Korea’s implementation of the CBPR system and adequacy negotiations with the EU and other developments across Latin America.
Following that, a panel of industry representatives discussed the role of organizational accountability as the cornerstone of modern data protection, explaining the elements of accountability (such as risk-assessments, policies and procedures, transparency, oversight and redress), how to implement them through comprehensive, risk-based organizational privacy programs or through participation in formal accountability mechanisms such as codes of conduct or certifications, how to demonstrate accountability to data protection authorities and how and why data protection authorities and lawmakers should incentivize accountability.
A third panel of privacy regulators from the U.S. Federal Trade Commission, the Canadian Office of the Privacy Commissioner, the Singapore Personal Data Protection Commission and a former privacy regulator from Colombia, as well as two industry representatives, discussed the key characteristics and responsibilities of an effective national data protection authority. The panelists addressed the role of the national data protection authority both with respect to its domestic policy setting and enforcement functions and its role as central data protection contact in the context of international enforcement cooperation and global privacy and data protection organizations and fora, such as the International Conference of Data Protection and Privacy Commissioners, the Asia-Pacific Privacy Authorities forum, the APEC Cross-Border Privacy Enforcement Arrangement and the Global Privacy Enforcement Network. In addition, they considered contemporary regulatory strategies to maximize the data protection authority’s effectiveness through risk-based prioritization of tasks and constructive engagement with industry.
The final session of the day considered how to ensure accountable cross-border data flows through APEC CBPR and other mechanisms. Speakers from data protection authorities in the Philippines and Japan, present and former U.S. government officials, academics, as well as industry representatives from the U.S. and Chile, discussed perspectives on the economic, business and innovation impact of cross-border data flows as well as approaches to accountable cross-border data flows in APEC member economies and other regions such as the EU, Russia and the Eurasian Economic Union. A significant portion of the discussion focused on next steps for the rapidly expanding APEC CBPR system.