The New FTC/APEC/EU Agreement – Path Forward or Symbolic Gesture?

The U.S. Federal Trade Commission (FTC), APEC and EU authorities recently announced a joint agreement intended to help companies comply with their global data privacy obligations. The agreement takes the form of a checklist of principles common to the EU’s Binding Corporate Rules (BCRs) process and APEC’s Cross Border Privacy Rules (CBPRs) process. Both programs are designed to give companies a recognized basis for lawful cross-border transfers of personal data.

The FTC/APEC/EU agreement maps the commonalities between the two programs and is meant to make it easier for a company to seek certification under both. However, Isabelle Falque-Pierrotin, chairwoman of the French Data Protection Authority (CNIL) and president of the Article 29 Working Party, stated at the announcement that the agreement does not create a path whereby compliance with one program automatically confers certification under the other. The checklist lets companies quickly understand their obligations under both regional regimes, but it remains unclear whether it will amount to more than a “political and symbolic act”.

Organizations that routinely transfer personal data across national borders face many difficult legal obligations under global data protection laws. The EU’s Binding Corporate Rules process was created by the Article 29 Working Party to provide a single path to compliance with the data protection laws of the individual Member States. Under this program a company establishes one set of binding operating procedures (the Binding Rules) that satisfy EU data protection requirements across the corporate group.

Once approved, the BCRs allow a company to demonstrate that it provides adequate safeguards for the transfer of personal data from the EU to other countries. Beyond the simplicity offered by the BCR process, a number of regulators prefer this method of demonstrating adequate safeguards over the Safe Harbor program. Safe Harbor, administered by the U.S. Department of Commerce and enforced by the FTC, allows companies to self-certify their compliance with the principles of the EU Data Protection Directive. The program has come under fire in the last year because of its lack of enforcement, which has led regulators to question companies that choose Safe Harbor as their EU data protection compliance mechanism.

The BCR approval process seems simple on the surface. A company seeking approval of its BCRs chooses a specific Data Protection Authority (DPA) to act as lead authority and sponsor its BCRs. Once the lead DPA has approved the company’s BCRs, it facilitates approval by the DPAs of the other countries concerned. Currently, 21 countries have agreed to mutual recognition, under which a DPA automatically accepts BCRs already approved by a participating member’s Data Protection Authority.

This process, while seemingly a straightforward route to compliance, has serious problems with acceptance across numerous countries. Companies seeking BCRs have reported difficulties with the concept of mutual recognition. In an interview about his firm’s own BCR process, Peter Church, Global Head of Privacy at Linklaters, stated that although their BCRs only needed to be submitted to two countries outside the mutual recognition list, they received input from five different regulators (which regulators was not specified). Indeed, dealing with the regulators was cited as one of the most difficult aspects of the BCR process. There have not been significant concerns about acceptance of the CBPRs by the different countries within the APEC region, but that program is newer than BCRs and fewer companies have completed the process so far, so it is too early to draw comparisons.

Different regulatory groups working together to highlight the common ground between individual countries’ privacy obligations is surely a step forward. But until regulators approve these compliance mechanisms more consistently, companies will still have to expend significant cost and effort to achieve global compliance. The proposed Data Protection Regulation may yet be the saving grace that provides a single set of obligations across the EU, but until it is finalized, global companies will have to address each country’s laws, and each regulator’s preferences, on a case-by-case basis.

Lunarline is a provider of consulting services in the area of global privacy compliance.  Please visit our page at http://www.lunarline.com/Global_Privacy and email privacy@lunarline.com for more information.

About Jill Stacey

Jill is a privacy professional with over 9 years of experience in global and government privacy and cyber security. In those years she has gained broad experience in global privacy and security, including the EU Directive, global data privacy laws, ISO 27001 certification, Habeas Data, and other global privacy and security obligations. In addition, she has extensive knowledge of U.S. privacy and security obligations, including HIPAA, the Privacy Act of 1974, NIST SP 800-53 and its Appendix J privacy controls, state Social Security number laws, data breach notification and response, and others. She is CIPP/US and CIPP/E certified.