CBPR System Grows with Entry of Australia and Chinese Taipei
Posted on January 15, 2019
2018 saw two new members of APEC’s Cross Border Privacy Rules (CBPR) system: Australia and Chinese Taipei. They join the US, Mexico, Canada, Japan, South Korea and Singapore. As we have reported on previously, the CBPR system is meant to help companies transfer information between participating countries. In the coming months, Australia’s Attorney General plans to work with businesses to implement the system. The Chinese Development Council also plans to work with China’s ministries and departments to boost discussions about privacy protection with other countries. The system has often been compared to other cross-border schemes, including the Privacy Shield (see our update to that program). Companies join by completing self-assessments and participating with an “accountability agent” (in the US, there is only one approved accountability agent).
PUTTING IT INTO PRACTICE: We will continue to monitor the CBPR. The more countries that participate the broader the potential scope of transfers for companies.
A Look Back at 2018 Privacy Shield Enforcement
Posted on January 14, 2019
Over the course of 2018, the FTC brought several actions against US companies for violations of the Privacy Shield program. The program, which as we have reported on previously gives participating US companies a mechanism to receive personal information from EU entities. The program is reviewed annually by the EU to determine if, from an EU perspective, it continues to provide “adequate levels of privacy protection.” In December the EU concluded in its report (and accompanying working document) that the program continues to provide sufficient protection levels. The EU commission noted in reaching its conclusion that the Department of Commerce has increased its scrutiny of privacy policies (looking to see if companies are posting correct complaint forms), and pursuing companies who were mentioning their adherence to the program before the certification had been finalized by the Department of Commerce.
This last point was a particular concern for both the EU the US Department of Commerce when the program was put in place was the possibility of companies saying that they participated in the program when, in fact, they did not. Illustrating enforcement efforts in this area, in July, the FTC brought action against ReadyTech an online training company, for saying that “it was in the process of certifying” compliance with the program when in fact, although the application was filed with the Department of Commerce, the company did not take the remaining steps needed to participate. The settlement with ReadyTech was finalized in October. In four similar cases, the FTC alleged that IDmission, mResource, SmartStart Employment Screening, and VenPath also each stated incorrectly that they were certified under the program. IDmission, however, like ReadyTech, had started but not completed the certification process. mResource, SmartStart and VenPath had been certified previously, but their certifications had lapsed.
PUTTING IT INTO PRACTICE: The EU will be reviewing Privacy Shield’s sufficiency again at the end of 2019. In anticipation of this review we expect to see ongoing enforcement from the FTC, in particular for companies whose policies state they are participating in the program when they have not been certified, or their certifications have lapsed.
              Eye on Privacy 2019 Year in Review 20