FTC’s First Foray into APEC Cross-Border Privacy Rules: Settlement Reached
By Mary-Elizabeth M. Hadley
Yesterday, the Federal Trade Commission (“FTC” or the “Commission”) accepted, subject to final approval, a
Expanding on its recent focus on EU-U.S. data transfers (including
This is the first public enforcement action by the agency based solely on violations relating to the APEC CBPR framework.
Background on the CBPR System
The APEC CBPR system is a voluntary accountability-based system to facilitate privacy-respecting data flows among APEC economies. The CBPR System is based on the APEC Privacy Framework’s nine information privacy principles, namely: preventing harm, notice, collection limitation, use, choice, integrity, security safeguards, access and correction, and accountability.
To participate in the CBPR system, companies must undergo a review by an APEC-recognized accountability agent to establish compliance with the program’s requirements. Companies wishing to remain certified under the CBPR system must also undergo annual compliance reviews.
In the United States – which along with Japan, Canada and Mexico is one of the participating APEC CBPR system economies – the FTC is responsible for enforcement. Where, as in this case, it believes a company has misrepresented its participation in the program, the FTC can assert its expansive Section 5 authority to challenge the deception.
Guidance for Companies
In commenting on the consent agreement, the
Live Up to Your Privacy Promises: Although participation in a self-regulatory system such as APEC’s CBPR is voluntary, businesses must honor any express or implied statements to consumers regarding their compliance.
Do Not Assume You Make No Promises: Organizations should check their privacy policies to ensure they substantiate any statements regarding how they handle data, including compliance with any self-regulatory frameworks.
Make Compliance Checks Routine: Importantly, the FTC reminds companies that “data compliance can never be a one-and-done box to check.” The APEC CBPR system and other self-regulatory frameworks require periodic reevaluation of the certifying entity’s practices. In addition, as data handling practices change, privacy policies must be updated to reflect a business’s current practices – something with which we here at Paul Hastings’ Privacy & Cybersecurity Practice are always available to assist.
PH Privacy is Paul Hastings’ Privacy, Cybersecurity and Data Governance blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.