22nd APEC Electronic Commerce Steering Group and Related Meeting Outcomes
September 15–19, 2010
Sendai, Japan
I. Summary
The APEC Electronic Commerce Steering Group (ECSG) and related meetings were held from September 15 – 19 in Sendai, Japan. The United States delegation, led by Robin Layton, Director of the Office of Technology and E–Commerce, U.S. Department of Commerce, believes that these meetings were very productive, with several key milestones reached, including:
• Committee on Trade and Investment (CTI) endorsement of two of the three documents necessary to complete the certification portion of the APEC Cross Border Privacy Rules System (CBPRs): the Data Privacy Intake Questionnaire (Project 1/9 of the Data Privacy Pathfinder) and the Accountability Agent Recognition Criteria (Project 2/9 of the Data Privacy Pathfinder);
• Development of the third piece of the certification process, the program requirements that Accountability Agents will use to certify applicant companies (Project 3/9 of the Data Privacy Pathfinder), a critical component to the CBPR system. This document was circulated with the goal of final approval at the next Data Privacy Subgroup Meetings; and
• Substantial agreement by participants on the essential elements of the remaining work (a governance mechanism and outreach documents) and a timetable for achieving them.

(Comment – The APEC Privacy Framework and draft CBPRs are already demonstrably improving privacy protection in the APEC region through the technical assistance projects with Chile, Thailand, Vietnam, and the Philippines, which are each actively pursuing laws and regulations to improve commercial data privacy protection and enforcement activities in line with the principles listed in the APEC Privacy Framework. The APEC Privacy Framework and CBPRs are also advancing regional integration as Australia, Canada, the Philippines, and Peru are each actively considering or are developing domestic privacy frameworks that refer to the APEC Privacy Framework – End Comment). The next ECSG and related meeting will be held on the margins of next year’s Senior Officials’ Meetings, scheduled for February 27th – March 14, 2011 in Washington, D.C. End Summary.

II. Cross Border Privacy Rules Technical Assistance Workshop
On September 15, the United States sponsored a technical assistance workshop (with co–sponsorship from Japan, Australia and Canada). This workshop was the second of a 2–phase project on the development of Accountability Agents as a component of APEC’s cross border privacy rules system. The first phase of this project consisted of consultations with volunteer economies (Chile and Thailand) to better understand how their regulatory infrastructure can facilitate participation in the APEC Cross Border Privacy Rules System (CBPRs), specifically in the development of Accountability Agents. This workshop follows on a previous two–phase Technical Assistance project with Vietnam, Indonesia, and the Philippines, conducted between September 2009 and March 2010. The workshop was attended by over 50 representatives of both the public and private sectors. Introductory remarks were provided by United States Federal Trade Commissioner Edith Ramirez. Commissioner Ramirez lauded the ECSG’s significant efforts to date and encouraged the completion of this important work.

Session I: The first session, moderated by Project Consultant Prof. William Luddy, provided an overview of the outcomes of Phase I of the Technical Assistance project. Panelists included representatives from the governments of Chile and Thailand.
Chile: Through the technical assistance consultation process, Chile identified two primary obstacles to participation in a CBPR system: (1) Chilean law does not provide express privacy protections for private sector commercial transactions; and (2) Chile does not have a regulatory entity that could function to enforce such protections. However, a proposed amendment to the 1998 Privacy Law would both address private sector commercial transactions consistent with the APEC Privacy Framework and establish a privacy enforcement authority. Under this proposed amendment, Chile’s Transparency Council would become the Transparency and Personal Information Protection Council. The re–chartered Council would enforce the privacy protections enumerated in the proposed amendment, including the regulation of cross–border data flows. Should this amendment be enacted, Chile indicated that it would most likely make use of a public–sector Accountability Agent, to be developed by the Transparency Council.
Thailand: Like Chile, Thailand does not have a law that provides express privacy protections for private sector commercial transactions, nor is there currently an enforcement authority that could enforce such protections. However, Thailand has a proposed data privacy law (The Data Privacy Protection Act) that would likely facilitate Thailand’s participation in the CBPR system. The proposed law, initially drafted by the Ministry of Information and Communications Technology (MICT) and later revised by the Office of the Official Information Commission (OIC), has since been sent to Parliament. The provisions of this proposal are substantially similar to those found in the APEC Privacy Framework and include: Consent; Notice; Purpose Specification; Use Limitation; Accuracy; Access; Security; and Transfer. The law would also create an enforcement authority known as the Personal Data Protection Commission. This Commission would have the authority to develop and promulgate a national certification mark. It is anticipated that an applicant would apply for this mark to the OIC, which would serve as the Secretariat for this new Commission. Thailand indicated that other certifications (potentially including the APEC Cross Border Privacy Rules mark) might also be enforced by the Commission with prior approval by OIC.

Session II: The second session, also moderated by Project Consultant Prof. William Luddy, provided previous technical assistance participants the opportunity to update attendees on the latest privacy–related developments in their respective economies. Panelists included representatives from the governments of Vietnam, the Philippines and Indonesia.
Vietnam: Vietnam noted that the Vietnamese General Assembly is still considering a comprehensive consumer protection law. Article 4 of this draft law, “Protection of Consumers’ Privacy”, imposes requirements on businesses in line with those outlined in the APEC Privacy Framework. Vietnam has already established a national trustmark that can serve as an Accountability Agent, TrustVN, as a sub–unit within their e–Commerce and IT Agency. A final decision as to the appropriate enforcement authority has not been made but will likely be the Ministry of Trade. Vietnam also provided an overview of the recently–adopted ‘Master Plan on e–Commerce Development for the Period 2011–2015’. This plan recommends “[s]tate Agencies review, supplement, amend and promulgate new policies and legal texts to give support and create favorable conditions for the e–commerce development, including: Legal texts ensuring that personal information in e–transactions is legally protected according to international standards and Vietnam’s international commitments” (emphasis added), acknowledging the importance of Vietnam’s considerable involvement in the APEC Data Privacy Pathfinder.
The Philippines: The Philippines’ proposed comprehensive privacy law was not voted out before the expiration of the previous Congress. However, the same bill has been introduced to the new Congress, where it is expected to be approved. Unlike Vietnam, the Philippines will likely make use of private–sector entities to serve as Accountability Agents and is actively considering that they be accredited through the Department of Trade and Industry (DTI) while all enforcement would be a governmental function. It is anticipated that DTI will be designated as the governmental enforcement authority, either through a Presidential Decree or through regulation.
Indonesia: Indonesia’s “Law Number 11 of 2008 on Electronic Information and Electronic Transactions” establishes a general privacy right. However, the government must still develop implementing regulations that further define this right. Indonesia indicated it is preparing several such regulations, including “Provisioning Electronic Information and Transaction” and “Protecting Strategic Data”. It is anticipated that these two regulations will provide the basis for implementation of the law. Indonesia reiterated that any Accountability Agent in their economy must be certified and approved by the government and that the Ministry of Trade or Ministry of Information Tech and Communications would most likely serve as the enforcement authority.

Session III: The third session, moderated by U.S. Department of Commerce, Office of Technology and E–Commerce Director Robin Layton, focused on program requirements for Accountability Agents being developed as part of the Data Privacy Pathfinder’s Project 3. Panelists included representatives from AMIPCI (Mexico), JIPDEC (Japan), and TRUSTe (U.S.).
AMIPCI: As Project 3 coordinator, AMIPCI provided an overview of the collaborative development of the program requirements, including an overview of the structure of the Project document. In addition, AMIPCI discussed how this work related to the recently–enacted Federal Law on Protection of Personal Data Held by Private Parties, which considers the AMIPCI trustmark as a self–regulatory mechanism to comply with the law [see Article 44: “Individuals or legal entities may establish agreements between themselves and with domestic or foreign civil or governmental organizations on self–regulatory schemes on the subject, complementing the provisions of the Law hereof. Said schemes must include mechanisms to measure their effectiveness in protecting data, consequences and effective corrective measures in case of non–fulfillment. Self–regulatory schemes may be translated into codes of ethics or codes of good professional practice, Trustmarks or other mechanisms, and will include specific rules or standards enabling harmonization of data processing performed by adherents and facilitation of the exercise of data owners' rights.”]
JIPDEC: JIPDEC provided a comparison between the requirements outlined in Project 3 and those of their P–Mark system. JIPDEC noted that their Voluntary Third–Party Assessment System is keyed to the criteria listed in the JISQ15001:2006 (Personal Information Protection Management Systems Requirements) and that the requirements outlined in this standard are considerably more specific than those in the Project 3 document. Given these differences, JIPDEC indicated that mapping the two standards would be difficult. [NOTE: The issues identified during this presentation were noted as a possible basis for continued technical assistance with Japan.]

TRUSTe: TRUSTe emphasized the need for high–level consistency between the program requirements of Accountability Agents. However, in noting JIPDEC’s concern over variation in specificity as between the P–Mark system and Project 3, TRUSTe also stressed the need to facilitate localization of these requirements in a way that would allow the more specific requirements of the P–Mark system to interoperate with those contemplated in Project 3. It was noted that practically speaking, such a balance would likely make a full system of cross recognition unworkable, but that at a minimum, some degree of acceptance of accredited Accountability Agents (including facilitation of dispute resolution) would be necessary to promote the necessary confidence in the integrity of the system. [NOTE: The issues identified during this presentation were noted and incorporated as a part of the 2011 Work Plan, specifically, the development of an Accountability Agent Memorandum of Understanding on dispute resolution.]

Session IV: The fourth session, moderated by Daniele Chatelois of Industry Canada, considered the various approaches to dispute resolution and enforcement contemplated under the CBPR System. Panelists included representatives from Qartas Corporation (the Philippines), the United States Federal Trade Commission and NEC Corporation (Japan).
U.S. Federal Trade Commission: The U.S. FTC discussed the basis of their legal authority to enforce against privacy violations. Specifically, Section 5 of the Federal Trade Commission Act is a general consumer protection statute which is used in the privacy and data security area to enforce promises made in privacy policies and to address privacy and security practices that cause or are likely to cause harm to consumers. The FTC also discussed their role as an enforcement authority in the context of the Safe Harbor program, noting that it is anticipated that its role in a system of APEC–wide CBPRs would be substantially similar. The FTC noted a February 2010 action against a seal provider as an illustration of the enforcement process in the online context. The FTC alleged that the seal provider did not undertake verifications of its seal–holders, despite public claims to the contrary. In that instance, injunctive relief and disgorgement of ill–gotten gains were ordered.
Qartas Corporation: Qartas discussed dispute resolution policies from the viewpoint of a trustmark provider in a developing economy. Qartas provided an overview of their internal dispute resolution process and escalation procedures, including: suspension, whereby the Qartas seal is temporarily revoked due to non–compliance; withdrawal, a permanent removal of the seal; and blacklisting for those companies determined to have acted maliciously and deceptively. In noting the need for international cooperation on dispute resolution (and echoing the issues raised in the previous session), Qartas recommended that member economies keep any cross–recognition process simple and limit the scope of such cross–recognition so as to facilitate participation by as broad a range of trustmarks as possible.
NEC Corporation: NEC discussed their work in the Global Business Dialogue on e–Society’s (GBDe) International Consumers Advisory Network (ICA–Net). ICA–Net is an international complaint–handling network for cross–border online transactions. The goal of ICA–Net is to facilitate cross–border dispute resolution between consumers and online merchants. NEC provided examples of such disputes, including trustmark misuse or non–delivery after payment. NEC also outlined planned future collaboration with the European Consumers Center Network (ECC–Net). NEC noted that the lessons learned in the development of this system would be particularly useful to member economies as the APEC CBPR system is established.

Session V: The final session, co–moderated by Data Privacy Subgroup Chair Colin Minihan and Project Consultant William Luddy, was an open discussion on future technical assistance efforts. The primary outcome of this brainstorming session was an agreement by participants to produce a technical assistance road map (whereby past activities can be catalogued and future work can be identified). It was agreed that this road map would be socialized for intersessional consideration by member economies so that the lessons learned in previous sessions will be available to all APEC economies, as well as those countries outside APEC which may be interested in building or improving their commercial data privacy approaches.

III. Informal Meeting on the Data Privacy Pathfinder
DPS Chair Colin Minihan (Australia) moderated the Data Privacy Pathfinder Informal Meeting Day held on September 16. Private and public sector representatives from Australia, Canada, Chile, Hong Kong, China, Indonesia, Japan, Malaysia, Mexico, Peru, The Philippines, Chinese Taipei, the United States, and Viet Nam discussed outstanding policy issues on the Data Privacy Intake Questionnaire (Project 1/9 of the Data Privacy Pathfinder), Accountability Agent Recognition Criteria (Project 2/9 of the Data Privacy Pathfinder), an initial draft of the Program Requirements to be used by Accountability Agents (Project 3/9 of the Data Privacy Pathfinder), and the CBPR Governance Mechanism (Project 8/9 of the Data Privacy Pathfinder).

• Participating economies, including the United States, agreed to incorporate suggestions raised at this meeting into revised Project documents for consideration at the Data Privacy Subgroup meeting.

• The Centre for Information Policy Leadership (CIPL) concluded the session by providing participants with an update on their Accountability project.

IV. Data Privacy Subgroup Meeting

• The Data Privacy Subgroup meeting was held on September 17.

• At the previous DPS meeting, the Chair (Colin Minihan, Australia) requested intersessional consideration of nominations for Deputy Chair of the Data Privacy Subgroup. Canada, Hong Kong, and Japan were nominated to these positions, pending formal authorization from their respective economies.

• The DPS formally endorsed Pathfinder Projects 1 and 2, which have subsequently been formally endorsed by the Committee on Trade and Investment (CTI).

• The DPS noted the successful implementation of the APEC Cooperation Arrangement for Cross Border Enforcement (the former Pathfinder projects 5, 6 and 7 that were endorsed by APEC Ministers in November 2009). Current signatories include Australia, Canada, Hong Kong, New Zealand, and the United States.

• Ongoing Work:
Project 3: The DPS agreed to seek intersessional endorsement of Project 3 as several member economies could not formally endorse at this time. The DPS Chair will circulate a revised version of this document, incorporating suggested edits from the informal meeting day as well as identified outstanding policy issues, by early October, with an aim to resolve all outstanding issues and circulate final text by the end of October. It is expected that formal CTI endorsement of Project 3 will be sought in March 2011.
Project 1(a): The DPS considered a proposal for Pathfinder Project 1(a), a self–assessment questionnaire for use by data processors. The United States and Canada agreed to serve as co–leads for this project group. A first draft of this document will be circulated to member economies by December.
Cross Recognition Agreement: The DPS considered a proposal for an Accountability Agents Cross Recognition Agreement on Dispute Resolution (see Data Privacy Workshop, Session III). The United States agreed to lead work on this project. A first draft of this document will be circulated to member economies by November.
Facing page commentary: The DPS considered a proposal for creation of facing page commentary for the APEC Recognition Criteria for Accountability Agents (Project 2/9 of the Data Privacy Pathfinder). The United States agreed to lead work on this project. A first draft of this document will be circulated to member economies by December.
Outreach: The DPS considered the latest draft of the CBPR Outreach Document (Project 4/9 of the Data Privacy Pathfinder). It was agreed that as part of this work, Project participants should develop a series of FAQs for APEC member–economies, Accountability Agents, applicant companies, consumers, and non–member economies. Australia will continue to lead this working group and will circulate an updated draft of this document in October.
Governance: The DPS considered the latest draft governance document as part of Project 8 – Scope and Governance of the CBPR System. It was recognized that this document needs further development, including a draft charter outlining the scope of authority for this governance entity as well as an implementation plan. Australia will continue to lead this working group. The U.S. and Canada also agreed to participate. A first draft of the charter will be circulated to member economies by December.

• It was reported that the ad hoc project group on sectoral issues fact–finding report would be introduced to member economies in October for their review and subsequent discussion at the next DPS meeting.

• The DPS reported the results of the following Key Performance Indicators in assessing the work of the Sub Group for this year as part of the CTI’s Trade Facilitation Action Plan: 16 economies are participating in the APEC Privacy Pathfinder (Australia; Canada; China; Chile; Hong Kong, China; Japan; Korea; Mexico; New Zealand; Peru; Philippines; Singapore; Chinese Taipei; Thailand; United States; and Viet Nam); 4 economies are actively considering or are developing domestic privacy frameworks that refer to the APEC Privacy Framework (Australia, Canada, the Philippines, and Peru); 2 documents were endorsed in furtherance of implementation (see above).

• The DPS supported a U.S. sponsored Project Proposal for a capacity–building workshop to be held on the margins of the next DPS meeting on issues related to CBPR governance and economy–level accession to the system. Australia, Canada, the Philippines, and Vietnam agreed to co–sponsor this proposal, which has since been forwarded to the CTI (see below).

VIII. ECSG Project Proposals: Session 1 Funding
The ECSG heard a presentation for the following Project proposal for Session 1 (Proposing economies will be notified of final results by the Budget and Management Committee (BMI) in October.)
• Title: Operationalizing the APEC Cross Border Privacy Rules System (Sponsor: The United States; Co–Sponsors: Australia, Canada, the Philippines, Vietnam)
Overview: This project seeks to facilitate participation in the APEC Cross Border Privacy Rules (CBPR) system by member economies through the provision of technical assistance on key aspects of this system as developed in the APEC Data Privacy Pathfinder. These aspects include issues related to governance of and accession to the CBPR system. The project proposes a one–day workshop to be held on the margins of SOM I in the United States in 2011, immediately prior to the Data Privacy Sub–Group meeting.

IX. Administrative: Elections
• ECSG Plenary Chair: Monchito Ibrahim (Philippines)
• ECSG Plenary Vice Chair: Duong Minh (Vietnam)
• Subgroup Chair (PTS): Susan Liu (Chinese Taipei), Acting
• Subgroup Vice Chairs (DPS): Daniele Chatelois (Canada, pending approval); Brenda Kwok (Hong Kong, pending approval); Kenjiro Suzuki (Japan, pending approval)

