Submission to the Cross-Border Privacy Rules Consultation

Consultation closes COB Thursday 27 July 2017

Your details

Name/organisation
(if you are providing a submission on behalf of an organisation, please provide the name of a contact person) / KuppingerCole (Asia Pacific) Pte Ltd.
Contact details
(one or all of the following: postal address, email address or phone number)

Publication of submissions

In meeting the Australian Government’s commitment to enhancing the accessibility of published material, the Attorney-General’s Department will only publish submissions to this website that have been submitted electronically.

Please complete this template and send it to .

If you choose to provide a separate document, the following formats are preferred:

  • Microsoft Word
  • Rich Text Format (RTF)
  • txt format.

Please limit individual file size to less than 5MB. The department may create PDF documents from the above formats.

The department will still consider hardcopy submissions received by mail, but these submissions will not be published on the website.

Confidentiality

Submissions received may be made public on the Attorney-General’s Department website unless otherwise specified. Submitters should indicate whether any part of the content should not be disclosed to the public. Where confidentiality is requested, submitters are encouraged to provide a public version that can be made available.

Would you prefer this submission to remain confidential? YES / NO

Your submission

Preamble

A common problem for multi-national corporations is how to adhere to the myriad of regulatory controls in the countries in which they operate. This is especially true in the area of privacy regulation. Europe has addressed this issue with the harmonisation of privacy regulation across member countries and the imposition of a common redress process in the event of contravention. In North America there is strong support for cross-border trade under NAFTA but privacy is not specifically addressed and regulation is lax. But in Asia the problem is more acute. There is a higher percentage of companies engaging in cross-border trade and in some jurisdictions such as Australia, Singapore and Japan there is strong privacy legislation. This means that the potential for liability is significant because reviewing legislation each time a company conducts business in a new country is an impost most organisations are unwilling to incur.

The Cross-border Privacy Rules (CBPR) system was developed to address this situation. The initiative was commenced in 2004 by the Asia-Pacific Economic Cooperation (APEC) organisation in response to increasingly stringent privacy legislation being adopted by its members. The initiative has been widely endorsed by government and industry bodies in the Asia Pacific region, where personal data often transits country borders when companies operate in multiple geographies. The region also hosts large call centre operations which must access personally identifiable information (PII) in client organisations outside their country of operation, often in jurisdictions with stringent privacy regulation.

The initiative has garnered increasing support from global industry associations seeking to expand economic growth. In 2016 they issued a joint statement entitled “Global Industry Calls for Timely and Ambitious Expansion of Participation in the APEC Cross Border Privacy Rule System”.

The requirement for cross-border PII access has recently become more important as the United States has re-aligned its Privacy Shield initiative in response to a legal challenge and Europe is pursuing its GDPR legislation. There is the potential for the expansion of the CBPR system to incorporate interaction with countries in Europe by agreement on an extended set of rules to normalise the protection of PII between participating jurisdictions.

It is important to note that GDPR is a prescriptive regulation with strong remedy for contravention. CBPR is less prescriptive, relying more on negotiation between parties in the administration of privacy protection.

Discussion

Australia is at a crossroads and must decide whether or not to participate in the CBPR System. The Department of the Attorney General is undertaking public consultation to assist government in preparation of the proposal as to whether or not to participate in the initiative.

Arguments for participation:

  • Australia has actively participated in the formation and operation of APEC and as such has the ability to participate in programs such as the CBPR designed to enhance cooperation between member states. The success of CBPR will, in large part, be a result of sufficient members participating in the initiative. The more economies that participate in the CBPR system, the higher the value of participation and the greater the incentive to countries considering joining the scheme.
  • Australia has the legal infrastructure to allow participation in the CBPR; there is strong privacy regulation in place with an administrative body in the OAIC, with an enforcement regime in place. This makes it relatively easy for Australia to participate and commit to the responsibility that comes with supporting the CBEA.
  • Australia has a stated aim to foster trade in the Asia Pacific and to take a greater role in the “Asian Century” as the 21st century has been dubbed. In order to more fully interoperate with Asian economies Australia has the opportunity to remove at least one impediment: the necessity of multi-national corporations to adhere to privacy regulation in their target markets.

Arguments against participation

  • Australia has well-defined privacy regulation in the 2012 amendment of the Privacy Act. This amendment strengthened regulation regarding the sharing and use of personal information and provided recourse for individuals wanting to verify and correct information being kept on them.

    The CBPR Privacy Framework is not as prescriptive as Australia’s legislation and lacks some of the specific protections that exist under Australian law, specifically the restrictions on sharing personal data with email promotion organisations and the rights of individuals to access the data that organisations might be maintaining on them. If Australia joins the CBPR System it would be incumbent on the OAIC to develop strong ties with enforcement agencies in other jurisdictions to ensure on-going protection of the rights of Australians when engaging in trade with companies in other participating economies.

  • There will be some costs for CBPR participation. It will be necessary to establish a facility to administer Australia’s participation and a need to resource the OAIC to fulfil Australia’s commitments to the CBEA. There will also be the need to participate in the Joint Oversight Panel and to establish at least one Accountability Agent. To the degree possible Accountability Agents should be user-funded via a fee for certification.

Questionnaire

Respondents are asked to respond to the following questions:

  1. Would it be advantageous to Australian business and consumers for Australia to join the CBPR system?

Yes. It would allow certified companies to engage in trade in other participating economies without specifically investigating the privacy regulation in those countries before engaging with customers and business partners located there. Participation in the CBPR system would reduce risk and provide clarity on privacy policy that should be adopted by the organisation.

Companies with CBPR certification would have a heightened appreciation for privacy issues, a more advanced privacy policy statement and stronger compliance with privacy legislation.

  2. Has Australia’s lack of participation in the CBPR system hindered your business relations in the APEC region, or beyond? Why?

No. Our head office is in Singapore, with relatively strong privacy regulation, and our major corporate owner is headquartered in Germany, operating with a high degree of privacy regulation compliance. Our business processes are therefore low-risk from a privacy standpoint and we are confident that we are compliant in our major trading jurisdictions: Australia, Singapore and Hong Kong.

In the event that Australia joins the CBPR system we would look favourably on applying for CBPR certification in order to clarify our commitment to privacy protection, improve our compliance with privacy regulation and remove the potential risk associated with cross-border transactions.

  3. What is your experience in dealing with businesses in other APEC economies that are a part of the CBPR system?

We do not trade with companies in Japan, Canada, the United States of America or the United States of Mexico.

  4. Would you be prepared to contribute to the cost of establishing and maintaining an Accountability Agent system?

Our preference is that the system should be “user-pays”. Organisations operating as Accountability Agents should contribute to the cost of their enrolment in the System and the organisations that are certified by Accountability Agents should absorb the costs of doing so.

  5. Would you be prepared to contribute to the cost of the development and maintenance of additional enforcement arrangements (such as those that might be established through a code)?

We would be prepared to participate in the preparation of a Code to govern Australia’s participation in the CBPR system. It is likely that this will be required in order to provide guidance on the alignment of the Privacy Framework with Australian privacy legislation. This should be a relatively simple activity and should not be a significant impost on government resources, paid for by the Australian taxpayer, because the guidelines for code development already exist and the body charged with the administration of privacy regulation, the OAIC, is the body responsible for the CBEA role. The need for “additional enforcement arrangements” should therefore be minimal. The impact of CBPR participation should be limited to development of an enhanced negotiation capability and accommodation of a wider cohort of CBEA regulators.

  6. What accountability and redress mechanisms do you think are appropriate for consumers dealing with businesses operating under the CBPR system?

The main issue is with the Australian Privacy Act 2012, specifically principles 12 & 13, which allow consumers to request the identity data that an organisation is maintaining on them and to correct it, or annotate it, as appropriate.

For Australian companies, certification under CBPR would not absolve them of the need to comply with this legislation, so the rights of consumers would not be diminished by participation in the CBPR scheme.

For off-shore companies with CBPR certification the redress would be dependent upon negotiation between the OAIC and the CBEA regulator in the country where a possible infraction has occurred. In this instance the reliance would be on co-operation between the authorities in the two jurisdictions to determine the way in which an alleged contravention of an individual’s privacy rights should be addressed.

Conclusion

Australia should join the CBPR system in order to:

- support Australian companies that are engaged in cross-border trade with APEC countries and remove the risk associated with a potential source of uncertainty regarding privacy legislation,

- demonstrate Australia’s commitment to the Asia-Pacific region in a tangible way by supporting the APEC CBPR initiative,

- provide an incentive for growth by encouraging export initiatives for companies considering cross-border trade across the region.

About KuppingerCole (Asia Pacific)

KuppingerCole was founded in 2004 by Martin Kuppinger and his partners. The KuppingerCole Analyst firm is now one of the leading Global Analyst companies specializing in Information Security, Identity & Access Management, and Cloud Infrastructure Management. KuppingerCole (Asia Pacific) is a joint venture between KuppingerCole Holdings and Internet Commerce Australia, with headquarters in Singapore and a presence in Brisbane, Sydney, Melbourne, Hong Kong & Manila.

KuppingerCole is focused on the needs of companies wanting to leverage their Information Technology to provide effective and efficient alignment of IT Services to their business objectives. Advice provided is vendor-independent, technically detailed and practical.

As an internationally-focussed analyst company, KuppingerCole monitors industry trends and maintains knowledge of vendors’ products and services. A constant analysis of the identity and access management IT sector allows KuppingerCole analysts to provide advice on the strategic direction of the industry.

KuppingerCole (Asia Pacific) Pte Ltd is an Australian registered business and a GITC Approved supplier.