The Information Commissioner’s Office (“ICO”) has released its International Strategy 2017-2021  (“Strategy”). The Strategy supports its Information Rights Strategic Plan, which we reported on earlier this year. The first part of the Strategy refers to the challenges and priorities for the next five years, particularly in light of changes brought about by the General

This week, it was officially announced that South Korea has become the fifth country to join the Asia-Pacific Economic Cooperation’s (APEC) Cross Border Privacy Rules (CBPR) system. This system was developed by APEC in 2011 to “build consumer, business and regulator trust in cross border flows of personal information” and thus facilitate e-commerce among APEC countries. The Ministry of Interior and the Korea Communications Commission stated on Monday that approval for joining the CBPR had been secured. In order for countries to opt in to the system, their legal systems and privacy protection must meet APEC’s standards.

APEC is an economic forum comprised of countries throughout Asia-Pacific. APEC’s importance should be noted: its 21 member economies comprise 54 per cent of the world’s GDP and 40 per cent of world trade. It exists to assist in trade through faster customs procedures and initiatives to synchronise regulatory systems across its member countries. The CBPR is a voluntary accountability-based system that facilitates the safe transfer of personal information across the APEC region.Continue Reading South Korea joins APEC’s Cross Border Privacy Rules system

In late May, the Article 29 Working Party published the letter it sent to the APEC Data Protection subgroup. The letter follows previous discussions and extends cooperation between the two international organisations on data transfer mechanisms, and sets out new plans to align the EU Binding Corporate Rules (‘BCR’) with the APEC Cross-Border Privacy Rules (‘CBPR’) to make it easier for organisations to be granted approval under both regimes.

Three initiatives put forward at the previous meeting were adopted by the Art. 29 Working Party to ‘develop the practical tools that will help organisations implement both requirements from the BCR and CBPR systems’. Both processes currently take significant time and resources to achieve, so the continued relationship between the EU and APEC will benefit organisations certified, or seeking certification, to BCRs and CBPRs. Despite this cooperation, no uniform standard will be produced, and organisations will still need to go through each certification process separately.Continue Reading APEC and Article 29 Working Party cooperation helps facilitate growth of BCRs and CBPRs

On 15 April 2015, Canada became the fourth country to join the APEC Cross-Border Privacy Rules System, a voluntary consumer data privacy program, behind Japan (2014), Mexico (2013), and the United States (2012).  All 21 APEC countries were involved in the construction of this system, but membership is not guaranteed. Interested countries are required

This post was also written by Taisuke Kimoto, Matthew N. Peters, and Yumiko Miyauchi.

In recent weeks, Japanese data protection and privacy law has seen developments in two areas:

(1) The Ministry of Economy, Trade and Industry (METI) issuing its first code of practice on privacy notices
(2) The Asia-Pacific Economic Cooperation (APEC) approving Japan’s

At the beginning of March, representatives of the EU Article 29 Working Party and the Asia-Pacific Economic Cooperation (which includes, among others, the United States and the People’s Republic of China) announced the introduction of a new Referential on requirements for binding corporate rules (the Referential).

Both the EU and Asia-Pacific Economic Cooperation (APEC) regimes

This post was written by Cynthia O’Donoghue.

In February 2013, Mexico became the second approved participant in the Cross-Border Privacy Rules (CBPR) programme – a system for convenient cross-border data transfers introduced in 2011 by the Asia-Pacific Economic Cooperation (APEC). At the same time, APEC and EU Data Protection Authorities (DPAs) plan to create

Asian countries continue to focus on developing their data protection legislation.

The Philippines Congress recently finished its second reading of House Bill 1554 which will introduce a unified and special law relating to data protection and privacy. Singapore, which already has some sectoral laws and a voluntary data protection model code, is now calling for the introduction of formal data protection legislation for parliamentary debate in early 2012.

The Philippines draft bill seeks to establish fair practices and regulate the collection, use and protection of individuals’ private information as well as to promote the development of its business process outsourcing industry. Under the Filipino bill, businesses and government agencies would have to obtain an individual’s unambiguous consent to collect and use their personal data. The bill also sets out data breach notification requirements to the regulator and to affected individuals when there is a real risk of serious harm, including breaches that may enable identity fraud. The proposed bill defines personal information quite broadly as “any data that can be used alone or in conjunction with other data to identify an individual”, and provides additional protections for sensitive personal information. Under the bill, a national Privacy Commission would be created that has the power to implement and enforce data protection legislation, including the authority to impose civil fines for certain violations and to refer suspected intentional violations to the Philippines Government’s Justice Department for investigation and potential imposition of criminal penalties of up to three years imprisonment.Continue Reading Asian Data Privacy Update