www.internetsociety.org

Internet Societys contribution to the 3rd APT Preparatory Meeting for the ITU World Telecommunication Development Conference (23-25 October 2013)

Part II: An Overview of Some International and Regional Initiatives Concerning Privacy and Data

INTRODUCTION Considerable efforts are already being undertaken in various international and regional forums to assess whether existing privacy principles remain relevant and effective, and where necessary to modify or develop new principles. Countries that have been without privacy and data protection laws are rapidly developing and implementing new laws. New solutions are being developed for specifically for cross border flows of personal data. This information paper provides a brief overview of some recent international and regional initiatives concerning privacy and data protection. It is not intended to be exhaustive. ASIA-PACIFIC (Asia-Pacific Economic Cooperation) In 2011, Asia-Pacific Economic Cooperation (APEC) leaders approved the APEC Cross Border Privacy Rules (CBPR) system, a voluntary accountability-based system to facilitate privacy-respecting data flows among APEC economies. It has four main components:

recognition criteria for organisations wishing to become an APEC CBPR system certified Accountability Agent;

an intake questionnaire for organisations that wish to be certified as APEC CBPR system compliant by a third-party CBPR system certified Accountability Agent;

assessment criteria for use by APEC CBPR system certified Accountability Agents when reviewing an organisation's answers to the intake questionnaire; and

a regulatory cooperative arrangement (the CPEA) to ensure that each of the APEC CBPR system program requirements can be enforced by participating APEC economies.

There are currently two APEC member economy participants: USA and Mexico. Japan has also applied to join the APEC CBPR system. TRUSTe has been recognised as an Accountability Agent and IBM recently became the first organisation certified as APEC CBPR system compliant. In 2011, APEC also approved a Multi-Year Project (MYP) (2012-2016) APEC Cross Border Privacy Rules System Implementation and Administration Assistance.1 This project has two primary goals aiming to support the effective and efficient implementation of the Cross Border Privacy Rules System in APEC economies. This will be through providing economy-level

1 http://aimp2.apec.org/sites/PDB/Lists/Proposals/DispForm.aspx?ID=1166

2 www.internetsociety.org

implementation assistance for the [CBPR system] in the form of capacity building workshops, seminars, meetings, and the provision of consultant services as necessary, and; to provide assistance in the administration of the [CBPR system], including any associated programmatic functions. 2 The targeted audience of the capacity-building component of the project includes APEC Electronic Commerce Steering Group (ECSG) delegates, individual APEC member economy representatives responsible for privacy issues, privacy regulators, civil society, academia, and business representatives, including representatives of trust mark organisations in the Asia-Pacific region. Peru has received assistance under the MYP. Other APEC member economies are invited to ask for technical assistance under the MYP.3 Further details regarding the MYP are available here: http://aimp2.apec.org/sites/PDB/Lists/Proposals/DispForm.aspx?ID=1166 ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT (OECD) In 2011, the Organisation for Economic Co-operation and Development (OECD) published The Evolving Privacy Landscape: 30 Years After The OECD Privacy Guidelines and commenced its review of the guidelines.4 Two years later, in 2013, the OECD adopted a Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013) revising the OECD Privacy Guidelines.5 COUNCIL OF EUROPE The Council of Europe Consultative Committee of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (T-PD) prepared proposals for the modernisation of the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) and an accompanying supplementary explanatory memorandum.6 These will be considered by the Ad Hoc Committee on Data Protection (CAHDATA)7 set up by the Council of Europe Committee of Ministers at a meeting in November 2013. In 2013, Uruguay became the first non-Council of Europe member to accede to the Convention. Morocco has also been invited to accede.8 INTERNATIONAL CONFERENCE OF DATA PROTECTION AND PRIVACY COMMISSIONERS In 2009, the 31st International Conference of Data Protection and Privacy Commissioners (Conference) produced a Joint Proposal for a Draft of International Standards on the Protection of Privacy with regard to the processing of Personal Data (the Madrid Resolution).9 In 2010, the 32nd Conference adopted a Resolution calling for the organisation of an intergovernmental conference with a view to developing a binding international instrument on privacy and the

2 http://aimp2.apec.org/sites/PDB/Lists/Proposals/DispForm.aspx?ID=1166 (project summary)

3 http://apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group.aspx (see under current activities)

4 Please see Chapter 2 at http://www.oecd.org/sti/ieconomy/49710223.pdf

5 http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf

6 http://www.coe.int/t/dghl/standardsetting/dataprotection/modernisation_en.asp

7 http://www.coe.int/t/dghl/standardsetting/dataprotection/CAHDATA/Terms%20of%20reference%20-%20Ad%20hoc%20committee%20on%20data%20protection%202013.pdf

8 http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=108&CM=1&DF=&CL=ENG

9 http://privacyconference2011.org/htmls/adoptedResolutions/2009_Madrid/2009_M1.pdf

3 www.internetsociety.org

protection of personal data10. In 2013, the 35rd Conference adopted a Resolution on anchoring data protection and the protection of privacy in international law.11 Other resolutions of the Conference are available at: https://privacyconference2013.org/Resolutions_and_Declarations INTERNET GOVERNANCE AND PRIVACY 1. Internet Governance Forum (IGF)

Security, Openness and Privacy has been one of the main themes of the Internet Governance Forum (IGF) since 2009. In the last five years, in addition to main sessions devoted to this theme, participants have organised numerous multistakeholder workshops on a range of current and emerging privacy topics. For example, in 2009 the Internet Society (ISOC) co-organised a workshop with the Electronic Frontier Foundation (EFF) entitled The Future of Privacy.12 In 2012, ISOC co-organised a workshop with the Council of Europe entitled Who is following me: tracking the trackers13 and a workshop with International Chamber of Commerce Business Action to Support the Information Society (ICC BASIS) entitled Solutions for enabling cross border data flows14.

2. WSIS+10 Review

Privacy is also an important topic in the World Summit on Information Society (WSIS) +10 review. For example, at the WSIS+10 Review Meeting in February 2013, UNESCO organised a Special Internet Event entitled Promoting Freedom of Expression and Privacy on the Internet.15 ISOC also organised a roundtable under the ethics action line entitled The New PII: Privacy-Impacting Information.16

10 http://privacyconference2011.org/htmls/adoptedResolutions/2010_Jerusalem/2010_J3.pdf

11 https://privacyconference2013.org/web/pageFiles/kcfinder/files/5.%20International%20law%20resolution%20EN%281%29.pdf

12 Report: http://www.internetsociety.org/sites/default/files/future-privacy%2020100914.pdf

13 Report: http://wsms1.intgovforum.org/content/no181-who-following-me-tracking-trackers#report Background papers:

http://www.internetsociety.org/sites/default/files/Tracking%20-%20Background%20paper%2020120711_0.pdf and http://www.internetsociety.org/sites/default/files/Tracking%20-

%20Background%20paper%202%2020121030.pdf

14 http://www.internetsociety.org/sites/default/files/IGF%202012%20cross-border%20data%20flows.pdf

15 https://www.unesco-ci.org/cmscore/events

16 https://www.unesco-ci.org/cmscore/events