© 2014 IBM Corporation

Mapping APEC CBPRs onto EU BCRs

Anick Fortin-CousensPrivacy Officer, Canada, Latin America, Middle East & AfricaProgram Director, Corporate PrivacyIBM Corporation

© 2014 IBM Corporation22

IBM at a Glance

400,000+ employees 170+ countries

Cloud Analytics Mobile

Cognitive Computing

Security Social

First company to be CBPR-certified

© 2014 IBM Corporation3

Issue

Cross border data flow is critical to trade, growth and innovation Individuals need assurance that their personal information will receive the same level of

protection regardless of where it flows Compliance with various rules on cross border data flows can be difficult, and such

rules do not necessarily guarantee adequate treatment

Practical solution: certified accountability

Focuses on the adequacy of an organization’s policies and practices to protect data regardless of where it flows

Requires organizations to be answerable to regulators for the effectiveness of those policies and practices

Makes use of third party assessments and regulatory enforcement to provides credible evidence of trustworthiness

Certified Accountability as a Basis for Cross Border Data Transfers

© 2014 IBM Corporation4

Certified accountability as a basis for interoperability

Regional “interoperability”- the ability of diverse systems to work together- through

certified accountability is already in effect in the EU and is underway in APEC Interoperability between countries and regions is desirable and achievable We must look for these building blocks

Certified Accountability as a Basis for Interoperability

1. Baseline level of privacy protection

2. Expressed through internal rules and policies

4.Demonstrated via initial and ongoing methods

3.Enforceable via redress mechanisms

© 2014 IBM Corporation5

Certified Accountability- Other Benefits

Business Increased trust from stakeholders More robust privacy programs and practices Improved compliance with local standard Ability to demonstrate good faith efforts in case of enforcement

Individuals Enhanced privacy protection

User-friendly and streamlined complaint handling

Coordinated government enforcement

Ability to continue to embrace innovative products and services that benefit them

Government

Facilitate two important policy objectives: trade and privacy

Facilitate cross-border cooperation Provides credible evidence of viability of privacy protections through flexible and adaptable accountability schemes Provides for greater economic rewards

© 2014 IBM Corporation6

The Road to Success to Further Adoption

APEC CBPR

Critical mass must be achieved

United States, Mexico and Japan have joined; Canada in process of accession Only one approved Accountability Agent to date Interest on the part of business: IBM, Merck, Apple, HP, Ziff Davis, Lynda.com, Workday, Yodlee, with at least a dozen

more in progress in just over a year of existence– and in the US only

Impediments to adoption

Endorsement of commitments by APEC economies is non-binding In a “chicken and egg” situation at present, although beginning to see positive

movement Tangible incentives need to be made available for companies to join

© 2014 IBM Corporation77

Anick Fortin-Cousensacousens@ca.ibm.com1.613.836.4751

Anick Fortin-Cousensacousens@ca.ibm.com1.613.836.4751