Communications Daily is a Warren News publication.
‘An Early Step’

FTC, International Officials Reveal Checklist for Transferring Data Internationally

A group of international officials Thursday unveiled a checklist for companies wishing to transfer data among Asia, Europe and the U.S. The “referential tool” is the culmination of two years of conversations between the Asia-Pacific Economic Cooperation (APEC) group and the European Commission’s Article 29 Working Party, with input from the U.S. FTC and Department of Commerce (DOC), said Isabelle Falque-Pierrotin, president of France’s data privacy regulatory agency Commission Nationale de L'Informatique et des Libertés, during a press conference at an International Association of Privacy Professionals conference. The Article 29 Working Party includes all EU data protection authorities, according to a release about the checklist (http://bit.ly/1jWbfTB). The tool is “an early step” but “an important step” in building toward interoperability between various countries’ data privacy rules, said FTC Chairwoman Edith Ramirez. “Interoperability is absolutely critical,” she said.

Sign up for a free preview to unlock the rest of this article

Communications Daily is required reading for senior executives at top telecom corporations, law firms, lobbying organizations, associations and government agencies (including the FCC). Join them today!

In 2011, the FTC and DOC were “actively involved” in developing APEC’s Cross-Border Privacy Rules (CBPR) -- a self-regulatory code of conduct for transferring data among APEC’s 21 member economies -- Ramirez said. The new checklist, released Thursday (http://bit.ly/1jWbfTB), gives CBPR-certified companies a list of what they need to accomplish to transfer data to EU countries under its Binding Corporate Rules (BCR), an EU alternative to the U.S.-EU Safe Harbor agreement, said Ted Dean, a DOC deputy assistant secretary. BCR-certified companies can also use the checklist see what steps they can take to become CBPR certified, he said. It’s there “to know what you've already done that would be valid in another market and what you still need to do,” Dean said. It’s “a pragmatic checklist for companies,” said Falque-Pierrotin.

Discussions about the checklist sprawled over two years because of “linguistic” and “idiosyncratic” cultural differences between the two privacy systems, Ramirez said. The process was “very technical,” said Falque-Pierrotin, but it was also “very political."

The “Internet is borderless,” said Jacob Kohnstamm, chair of the Article 29 Working Party and chairman of the Dutch Data Protection Authority. Different privacy regimes are not only obliged to work together to bridge their differences -- they “need to do so because without that, people in the field and on the ground will not take privacy rules the way they should take them -- seriously,” he said. Ramirez echoed Kohnstamm’s sentiment. “Without the ability to work across systems, we simply can’t protect the privacy of consumer data,” she said. But officials agreed that solution is a ways off. “The tool we're presenting doesn’t aim at creating a mutual recognition system,” said Falque-Pierrotin. “There’s no judgment between the two systems, no legal assessment of the level of protection."

But “I hope it’s going to develop,” Falque-Pierrotin said. Ramirez said the group will convene a multistakeholder working group “to refine the referential [tool] further.” DOC’s Dean elaborated that the group will involve civil society and industry representatives. He hopes the group will not only give feedback, but also will develop other uses for the checklist. “It’s a very useful document as it is right now, but there are many ways companies might want to use it,” he said. Dean did not reveal a timeline for the working group.

"I like the idea of having consistent, predictable cross-border data transfer protocols,” said Clark Hill intellectual property lawyer Jennifer Woods. “The benefits both to business and consumers could be significant, and the mechanics of the process will be interesting to watch.” But the exact issue of APEC and EU interoperability is not one that has “gotten quite to the point of generating a meaningful buzz,” she said. Safe harbor remains the dominant data transfer regime, she said. “Right now, out of necessity, given the current landscape of international data transfer laws, I have been more focused on safe harbor and existing cross-border data flow laws, particularly in the EU member countries."

An international coalition of data commissioners, with FTC input, is now focusing on enforcement coordination, said Chris Graham, U.K. information commissioner, who oversees data privacy. Ramirez said the FTC had also weighed in on the enforcement issue at an APEC meeting in Jakarta, Indonesia, last year. The FTC will attend the group’s next meeting in early April in Manchester, England, in the hopes of creating “a multilateral framework for enforcement coordination, so we can get over some of the barriers that exist,” Graham said. The goal is to take a completed framework to the international data commissioners’ conference in October, he said. “It’s early days and we have to proceed carefully,” he said.