Report from Administrators of APEC Cross-Border Privacy Enforcement Arrangement (CPEA)

1

Report from Administrators of APEC Cross-border Privacy Enforcement Arrangement (CPEA)

Background:

• The APEC Cross-border Privacy Enforcement Arrangement (CPEA), available at now been in effect for about two years. It has 20 member privacy authorities.

• The CPEA is a multilateral enforcement cooperation arrangement in which all privacy enforcement authorities from APEC member economies can participate. It provides a framework for investigatory and enforcement cooperation and information sharing among participating privacy enforcement authorities.

• The CPEA is not limited to the enforcement of Cross-Border Privacy Rules (CBPRs), although that is an important underlying objective; it was intentionally designed to provide a framework for cooperation on any privacy enforcement matters. Thus, privacy enforcement authorities from APEC member economies that do not participate in the cross-border privacy rules system may also sign on to the CPEA.

• The CPEA has a four person Administrator to whom enquiries can be directed:

• Alan L. Deniega, APEC Secretariat
• Markus Heyder, U.S. Federal Trade Commission
• Leife Shallcross, Office of Australian Information
• Blair Stewart, Office of the Privacy Commissioner, New Zealand

• Website: The APEC CPEA webpage is available at Access to the non-public page requires an APEC Information Management Portal (AIMP) user account and password.

• Current participants: Participating authorities as at May 2012 include: Australia (Office of the Australian Information Commissioner); Canada (Privacy Commissioner of Canada), Hong Kong, China (Office of the Privacy Commissioner for Personal Data), Japan (Cabinet Office; Consumer Affairs Agency; Financial Services Agency; Ministry of Agriculture, Forestry and Fisheries; Ministry of Defense; Ministry of Economy, Trade and Industry; Ministry of Education, Culture, Sports, Science and Technology; Ministry of Environment; Ministry of Finance; Ministry of Foreign Affairs; Ministry of Health, Labor and Welfare; Ministry of Internal Affairs and Communications; Ministry of Justice; Ministry of Land, Infrastructure, Transport and Tourism; and the National Police Agency); New Zealand (Privacy Commissioner); USA (Federal Trade Commission).

Activity Update:

• Participant increase:In the last 6 months, 15 Japanese government authorities joined. A further 3 authorities, from 2 economies, are expected to become participants shortly.

• Relationship with APEC Cross-border Privacy Rules (CBPR) system: To participate in the CBPR system an economy must have at least one privacy enforcement authority that participates in the CPEA. Accordingly, the ranks of CPEA participants are expected to continue to grow now as the CBPR system is implemented from 2012 onwards.

• CPEA logo: The CPEA Administrators have developed a CPEA logo. The prototype on this report is undergoing final checks before approval.

• Economy Privacy Enforcement Contact Point Directory: The Data Privacy Subgroup at its January meeting approved the first contact point directory assembled by the CPEA Administrators. This directory is intended to include a contact point for all economies and not merely those participating in CPEA. The first directory includes contacts for 9 of APEC’s 21 member economies.

• Cooperation with OECD: The APEC DPS approved a proposal to share the economy contact point directorywith other international and regional enforcement networks to facilitate cross-border enforcement cooperation. In March 2012 the directory was provided to the OECD that has compiled a similar list of OECD contact points. The Administrators have since shared the list with the Global Privacy Enforcement Network (GPEN)and arrangements have been made for a combined APEC/OECD enforcement contact point list which would be maintained and made available on the GPEN secure web platform.

• Cooperation with EU: The CPEA administrators wrote to the European Commission in December 2011 and again in March 2012 commenting on an aspect of draft regulations proposed to replace the European Data Protection Directive. The letter welcomed an initiative to promote cross-border enforcement cooperation among privacy enforcement authorities and made a suggestion as to how that might more effectively be achieved.

• Cross-border enforcement cooperation:

• CPEA participants have begun to engage and cooperate on particular enforcement matters of mutual interest and are looking forward to increasing such cooperation.

• CPEA participants, in cooperation with participants in the Global Privacy Enforcement Network (GPEN) and the International Conference of Data Protection and Privacy Commissioners have been engaged in exploring and developing enhanced tools and frameworks for cross-border coordination and cooperation in specific enforcement matters.

The year ahead:

• 2012 work plan: In 2012, CPEA Administrators intend to focus the following tasks: (1) increase CPEA participation, particularly to support the implementation of APEC CBPRs; (2) encourage cooperation between CPEA members on specific enforcement matters; (3) continue to work on ways to enhance cross-border coordination and cooperation in privacy enforcement matters; (4) pursue the development of a CPEA logo.

• Enforcement cooperation event: Planning has begun for a workshop to be held to mark CPEA’s 3rd anniversary in July 2013.

Blair Stewart

Assistant Commissioner (Auckland), Office of the Privacy Commissioner, New Zealand

On behalf of the Administrators APEC Cross-border Privacy Enforcement Arrangement

I/0151/A284821