APEC, OECD, etc Flashcards

1
Q

What is APEC?

A

21 member economies on the Pacific Rim (Asia, Oceania and the Americas) in a non-binding cooperative forum. Formed in 1989.

2
Q

What is the APEC Privacy Subgroup?

A

Formed in 2003 under the APEC Electronic Commerce Steering Group, with the task of "developing a framework for privacy practices" (which became the APEC Privacy Framework, endorsed in 2004).

3
Q

APEC Cross-Border Privacy Enforcement Agreement

A

CPEA (in effect since 2010).

1) Facilitates information sharing among Privacy Enforcement Authorities (PEAs) in APEC economies
2) Promotes effective cooperation between APEC economies on cross-border enforcement and investigation
3) Promotes the same cooperation with privacy enforcement authorities outside APEC

4
Q

APEC Cross-Border Privacy Rules

A

CBPR: a voluntary data privacy certification for organizations, based on the APEC Privacy Framework. Compliance is verified by an approved third-party Accountability Agent.

5
Q

APEC CBPR Requirements

A
  1. Enforceable standards
  2. Accountability (identify one person responsible for compliance)
  3. Risk-based protections
  4. Consumer-friendly complaint handling
  5. Consumer empowerment (access to and correction of data)
  6. Consistent protection
  7. Cross-border enforcement cooperation
6
Q

Which US agency participates in APEC CBPR and CPEA?

A

FTC

7
Q

What is the full name of the OECD Guidelines?

A

Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (1980, revised 2013)

8
Q

What are the OECD Guidelines principles? (8)

ACID SOUP

A
  • Accountability: the data controller is accountable for complying with the other seven principles
  • Collection limitation: limit collection; collect lawfully and fairly, with consent where appropriate
  • Individual participation: people have the right to know whether someone holds data about them, to obtain it, and, if refused, to challenge the refusal and be told why
  • Data quality: data is relevant to the purpose it was collected for, and is accurate, complete and up to date
  • Security safeguards: protect data against loss, unauthorized access, destruction, use, modification or disclosure
  • Openness: be open about developments, policies and practices regarding personal data
  • Use limitation: don't use or disclose data for purposes other than those specified unless you have consent or legal authority
  • Purpose specification: state the reason for collecting data no later than at collection time, and don't change the purpose later
9
Q

What are the OECD Guidelines based on?

A

The Fair Information Practices (FIPs). The OECD Guidelines are perhaps the "most widely recognized framework for FIPs."

10
Q

EU-US Privacy Shield- what is it, who does it cover?

A
  1. A 2016 framework covering transfers of personal data from the EU to US companies that self-certify to it.

Only US companies under FTC (or Department of Transportation) jurisdiction can self-certify. EU organizations do not certify; they rely on the US recipient's certification.

23 principles (7 primary plus 16 supplemental).

11
Q

EU-US Privacy Shield- Exceptions

A

Healthcare, financial services and nonprofits are generally not covered, since participation is limited to organizations under FTC or DOT jurisdiction.

12
Q

EU-US Privacy Shield- Primary Principles (7)

CASE AND

A
Of the 23, the primary ones are:
Choice
Accountability for Onward Transfer
Security
Enforcement/Recourse/Liability
Access
Notice
Data Integrity and Purpose Limitation
13
Q

Who enforces EU-US Privacy Shield?

A

The Department of Commerce administers the program (self-certification and the public list); the FTC (or DOT) enforces the commitments of certified companies.

It was invalidated by the Court of Justice of the EU in July 2020 (Schrems II), so it is no longer a valid transfer mechanism on its own.

14
Q

“Consumer Data Privacy in a Networked World” Paper, 2012 (7)

FAT AIRS

A

AKA “the White House Report.” 7 focus areas:

  • Focused collection
  • Access and accuracy
  • Transparency (privacy and sec docs should be easily understandable)
  • Accountability
  • Individual control
  • Respect for context (data is used for reasonable things)
  • Security

Based on FIPs

15
Q

“Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers” 2012 (3)

A

FTC final report. Three key elements: privacy by design, simplified consumer choice, and greater transparency.

Based on FIPs

16
Q

FTC Report Priority Areas (5)

A
  • Do Not Track: a browser signal that you don't want to be tracked
  • Mobile: self-regulation on location services and mobile disclosures
  • Data brokers: support laws giving consumers access to their data where the broker isn't already covered by the Fair Credit Reporting Act (FCRA)
  • Large platform providers: examine their "comprehensive" tracking of consumers
  • Promote enforceable, self-regulatory codes of conduct
17
Q

Data Protection Directive- 1995

A

Directive 95/46/EC. Replaced by the GDPR (adopted 2016, applied from 25 May 2018).
Don't process personal data unless:
- Transparency: the data subject is informed, and processing has a lawful basis (consent, a legitimate interest, etc.)
- Legitimate purpose: process only for specified, legitimate purposes
- Proportionality: processing is adequate, relevant and not excessive for the purpose

Basis for the law was the OECD Guidelines

18
Q

“Internet of Things: Privacy and Security in a Connected World”

A

FTC staff report (2015), written after the TRENDnet case (home IP cameras whose live feeds were exposed online and whose credentials were sent in clear text).

Issues with IoT:

  • Lax security
  • Vulnerabilities
  • Potential for physical harm (insulin pumps, door locks)

Companies should:

  • Follow security by design
  • Ensure personnel are trained in security
  • Apply defense in depth (security at all levels)
  • Enforce access control limitations
  • Monitor products throughout their lifecycle and patch as needed
19
Q

“Protecting Consumer Privacy in an Era of Rapid Change”

A

FTC preliminary staff report, 2010 (the final report followed in 2012).

"No consumer choice" / "no option": some third-party sharing is a commonly accepted practice and doesn't require opt-in or separate notification. For example, your information is shared with the shipping company when you buy something online.

These companies should still run a sound privacy and security program for the personal data involved.

20
Q

GDPR- “Right to be Forgotten”

A

GDPR Article 17. You have the right to have personal data erased. You can request it verbally or in writing, and the controller has one month to respond (extendable by two months for complex requests).

It is not absolute and only applies in the situations listed in Article 17(1); exceptions include freedom of expression, legal obligations, public health, archiving and research, and legal claims (Article 17(3)).

21
Q

GDPR- “Right to be Forgotten” - when do you have the right to erase? (7)

A
  • The personal data is no longer necessary for the purpose it was collected for
  • You withdraw consent and there is no other legal basis for processing
  • You object to the processing and there are no overriding legitimate grounds to continue
  • The data is used for direct marketing and you object to it
  • The data was processed unlawfully
  • Erasure is required to comply with a legal obligation
  • The data was collected in connection with offering online (information society) services to a child