1 Bender on Privacy and Data Protection § 33.04 (2020)
1 Bender on Privacy and Data Protection § 33.04[1] (2020)
Recognizing the importance of both data privacy and international data flow, APEC has established a Privacy Framework which, at this time, must be regarded as a work in progress, but one that bears close watching. The Framework equates the importance of facilitating international data flow with that of protecting privacy, and it focuses on protecting against actual harm, rather than covering the entire economy with a blanket of privacy. The Framework seeks to establish a consistent approach to privacy across the APEC region, while avoiding the erection of unnecessary barriers to information flow. The nine Principles of the Framework are Preventing Harm, Notice, Collection Limitation, Use, Choice, Integrity, Security, Access and Correction, and Accountability. Limited exceptions are provided for national sovereignty, national security, public safety, and public policy, so long as the exceptions are proportional to their objectives.
In terms of domestic application, the Framework focuses on six aspects: maximizing benefits, giving effect to the Framework, publicizing its existence, cooperation between government and the private sector, remedies, and reporting domestic implementation to APEC. With regard to international application, the Framework states the need for a multilateral mechanism for efficiently sharing information among APEC Member Economies, for the cooperation of Member Economies (including their enforcement agencies) to establish remedies for privacy violations with a cross-border dimension, and for Member Economy support for the development and recognition of organizations’ cross-border privacy codes across the APEC region.
1 Bender on Privacy and Data Protection § 33.04[2] (2020)
APEC appreciated that a generally accepted and practical standard of data protection was necessary to the success of international e-commerce. One of APEC’s important organs is its Electronic Commerce Steering Group (the “ECSG”),¹ whose mandate is “to promote electronic commerce by working to create transparent and consistent policy environments in the region. The group, which has a Data Privacy Subgroup (“DPS”), also provides a coordinating role for APEC e-commerce activities.”² The ECSG recognized early that cooperation between government and business would be required to realize the potential of e-commerce. Early workshops were held in Mexico (2002) and Thailand (2003). One of APEC’s major forays has been in the privacy area, where the Data Privacy Subgroup of the ECSG launched the “APEC Privacy Framework” (the “Framework”) in 2004.
Recognizing that information flows are vital to a global economy, the Framework seeks to promote a flexible approach to privacy protection, while avoiding the creation of unnecessary barriers to information flows. This Framework is characterized as “a practical policy approach to enable accountability in the flow of data while preventing impediments to trade.”³ The Framework “balances privacy with all relevant interests while according due recognition to issues of cultural and economic diversity that exist within the APEC region.”⁴ “The APEC Privacy Framework will establish a consistent approach to privacy across APEC Member Economies, while also avoiding the creation of unnecessary barriers to information flows … . The result will be region-wide privacy policy compatibility, which will help keep APEC on the cutting edge of e-commerce.”⁵
The Framework outlines the reasonable expectations of modern consumers on how their privacy should be protected and comprises a set of principles directed to achieving four goals:
- development of appropriate privacy protections for personal information,
- prevention of unnecessary barriers to information flows,
- enablement of multinational business to implement uniform approaches to the collection, use, and processing of data, and
- facilitation of domestic and international efforts to promote and enforce privacy protection.
Two major features distinguishing the Framework from some other privacy regimes (including the EU data protection regime) are (1) the Framework’s recognition that facilitating international data flow is just as important as protecting privacy, and (2) the Framework’s focus on preventing injury (as opposed to extending blanket provisions over the economy as a whole). The key ingredient in the Framework is balance. Nine principles are set out in the Framework that are designed to achieve a balance between effectively protecting data and assuring the continuity of cross-border data flow:
- Preventing Harm
- Notice
- Collection Limitation
- Uses of Personal Information
- Choice
- Integrity of Personal Information
- Security Safeguards
- Access and Correction
- Accountability
The Framework comprises four segments: the Preamble, the Scope, the Principles, and the Implementation. In the Scope and Principles segments, the Framework includes “Commentary” as well as text.⁶
1 Bender on Privacy and Data Protection § 33.04[3] (2020)
The Preamble states that the Framework is consistent with the core values of the 1980 Organization for Economic Cooperation and Development (“OECD”) Guidelines and was developed in recognition of the importance of developing privacy protection; recognizing the essential nature of the free flow of information; enabling global organizations that process data to develop and implement uniform approaches; enabling enforcement agencies to fulfill their mandates to protect privacy; and advancing international mechanisms to promote and enforce privacy and to maintain continuity of information flows.
1 Bender on Privacy and Data Protection § 33.04[4] (2020)
The Scope of the Framework is defined in terms of four parameters:
- personal information,
- controller,
- publicly available information, and
- application.
The Framework applies to “personal information,” which means “information about an identified or identifiable individual.” This includes living individuals, and not legal persons. The term includes information that alone would not identify a particular individual if it would identify that person “when put together with other information.” The Framework directly governs the conduct of information “controllers.” The controller is the person or organization who controls the processing. A person or organization that follows the instructions of another and processes on behalf of that other is not a controller, nor is an individual who processes in connection with his or her personal, family, or household affairs.
The information governed by the Framework excludes “publicly available information.” Publicly available information is information that an individual knowingly makes or permits to be made available to the public, and is legally obtained and accessed from public government records, journalistic reports, or information required by law to be public.
The Framework states that, with regard to its application, there should be a flexibility of implementation. The Framework focuses on those aspects of privacy protection that are most important to international commerce, and it notes that compatible approaches to privacy will greatly facilitate international commerce. Exceptions exist for national sovereignty, national security, public safety, and public policy, so long as the exceptions are limited and proportional to their objectives and are either publicized or in accordance with law.
1 Bender on Privacy and Data Protection § 33.04[5] (2020)
The nine Principles are to be interpreted as a whole, rather than individually.
Preventing Harm recognizes that one of the Framework’s primary objectives is to prevent misuse of personal information and the resulting harm to individuals. Remedies for violations should be designed to prevent harm and should be proportionate to the likelihood and severity of threatened harm.
Notice requires the controller to provide a clear and accessible statement of its privacy practices and policies, including the fact and purposes of collection, types of persons or organizations who will be disclosees, controller identity and contact information, and options available for limiting use and disclosure and for accessing and correcting the data. If reasonably practicable, notice should occur at or before collection; otherwise it should be given as soon as practicable thereafter. Notice permits individuals to make more informed decisions about interacting with the controller. According to the Commentary, business contact information and other “professional information” that identifies an individual in his or her professional capacity in a business context do not require notice.
Collection Limitation requires that the information be limited to that which is relevant to the purposes of collection. Moreover, the information collected must be obtained by “lawful and fair means” and, where appropriate, with notice or consent. “[P]roportionality to the fulfillment of the [stated] purposes may be a factor in determining what is relevant.”
Uses⁷ of Personal Information requires that collection be only to fulfill the purposes of collection and compatible purposes, except (i) where the individual consents, (ii) when it is necessary to provide a service or product requested by the individual, or (iii) if the law permits it. The fundamental criterion for determining compatibility with stated purposes is “whether the extended usage stems from or is in furtherance of such purposes.”⁸
Choice requires that where appropriate, individuals must be given clear, prominent, comprehensible, accessible, and affordable mechanisms for exercising choice over the collection, use, and disclosure of their information. In some instances, this may mean use of a particular language. There are situations where consent is implied and it would not be necessary to provide choice. In collecting publicly available information, no choice need be provided. Also, in some other situations it would not be necessary or practicable to provide choice, such as when business contact or other professional information identifying an individual in his or her professional capacity is exchanged in a business context, as it is generally impractical or unnecessary to provide a mechanism for exercising choice. In some situations it would be impractical for employers to provide choice regarding personal employee information when using it for employment purposes, such as centralizing human resources information.
Integrity of Personal Information requires that the information be kept accurate, complete, and up-to-date to the extent necessary for the purposes of use.
Security Safeguards require the controller to use appropriate safeguards against risks such as unauthorized access, destruction, use, modification, or disclosure. Safeguards should be proportional to the likelihood and severity of the threatened harm, the information’s sensitivity, and the context in which it is held. The safeguards should also be reviewed and reassessed from time to time.
Access and Correction require the controller to supply to the individual on request a confirmation of whether the controller has personal information about the individual, and to communicate to the individual (after the individual provides sufficient proof of identity) personal information about the individual within a reasonable time, at a charge (if any) that is not excessive, in a reasonable manner, and in a generally understandable form.⁹ The individual is entitled to challenge the accuracy of that information and have it “rectified, completed, amended or deleted.”¹⁰ However, this right is not absolute,¹¹ as it does not extend to situations where (i) the burden or expense would be unreasonable or disproportionate to the risk to the individual’s privacy; (ii) the information would not be disclosed for legal or security reasons or to protect “confidential commercial information,”¹² or (iii) disclosure would violate the privacy of another individual. Moreover, in the event that an individual’s request under this Principle is denied, the reason must be given,¹³ and a means for challenging the decision must be provided. The Commentary notes that access must be provided in a reasonable manner and form.¹⁴
Accountability requires that the controller “be accountable for complying with measures that give effect” to the foregoing Principles. “When personal information is to be transferred to another person or organization, whether domestically or internationally, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to ensure that the recipient person or organization will protect the information consistently with these Principles.”¹⁵
1 Bender on Privacy and Data Protection § 33.04[6] (2020)
The Implementation provides guidance to the Member Economies on implementation of the Principles, set forth in two sections. Section A focuses on steps the Member Economies should consider for domestic implementation of the Framework, while Section B (which is to be addressed by the Privacy Sub Group) describes “APEC-wide arrangements for the implementation of the Framework’s cross-border elements.”
The domestic guidance in Section A is divided into six segments: maximizing benefits of privacy and information flow; giving effect to the Framework; publicizing domestic privacy; public-private sector cooperation; remedies; and reporting domestic implementation.
With regard to maximizing benefits, the basic concept is that personal information must be processed so as to protect privacy and permit realization of the benefits of cross-border information flow. Accordingly, Member Economies are to identify and remove unnecessary barriers to information flows and avoid the creation of such barriers.
As to giving effect to the Framework, the Framework offers options: legislative, administrative, industry self-regulatory, or a combination. But whatever approach is adopted in any particular Member Economy, the goal must be “to develop compatibility of approaches in privacy protections in the APEC region that is respectful of requirements of individual economies.”¹⁶
Publicizing involves making widely known the privacy protections available, educating controllers about them, and teaching individuals how to report violations and pursue remedies.
Cooperation implicates a dialog between government and appropriate private sector groups, including privacy groups, consumer groups, and industry groups. And in jurisdictions that lack privacy regimes, ample attention must be paid to whether private sector opinions are reflected in developing privacy protections. Non-governmental entities should be encouraged to assist with public education, refer complaints to enforcement agencies, and cooperate in investigating those complaints.
Remedies involve providing an appropriate array of remedies for violations, including redress, injunction, and others. Pertinent factors include the particular privacy system used in that Member Economy and the importance of having a range of remedies for different levels of actual or potential harm.
And reporting domestic implementation means that the Member Economies should keep APEC apprised of their domestic implementation of the Framework through periodic updates.
Section B recites general points on three matters. With regard to information sharing among jurisdictions, and in light of existing arrangements, Member Economies should develop “a multilateral mechanism for promptly, systematically and efficiently sharing information among APEC Member Economies.” As to cross-border cooperation, Member Economies (including among their enforcement agencies) should cooperate to establish remedies for privacy violations with a cross-border dimension. Regarding cross-border privacy codes, Member Economies should support the development and recognition of organizations’ cross-border privacy codes across APEC.
1 Bender on Privacy and Data Protection § 33.04[7] (2020)
At a 2007 seminar in Canberra, Australia, participants concluded that some flexibility was needed in approaching the topic of CBPRs. Participants envisioned problems stemming, for example, from confidentiality restrictions, differences in laws, and the capabilities of regulators. One method proposed for resolving some of these issues was a memorandum of understanding signed by all members. Participants seemed to recognize that working out a feasible scheme would take time. In addition, some Member Economies believed they needed legislative changes. For example, Australia’s privacy commissioner stated that she did not have the power to enforce the Framework. There were also discussions of APEC’s relationship to trustmarks and of the relationship between trustmarks and regulators.
In December 2007, at a program sponsored by the Direct Marketing Association, the U.S. Department of Commerce (the “DOC”) announced that it would commence a cross-border transfer test program under the APEC Privacy Framework. The details of the test program have certain similarities to those of the US/EU Safe Harbor program for cross-border data transfer. In the DOC test program, in which the Federal Trade Commission would also be involved, companies would be able to certify their compliance with the Framework in transferring data among APEC Member Economies. The purpose of the test program was to determine what would actually work well in such an environment, before moving into a full-scale program. Among the aspects that would be subject to the test was an alternative dispute resolution mechanism. It was contemplated that once the test program was completed, and after any revisions deemed appropriate were made, the DOC would seek comments from the public.
Like the US/EU Safe Harbor program, the APEC test program would rely on self-regulation and certification. As is also the case with the Safe Harbor program, a company that certified to certain standards and failed to meet them would be deemed to have engaged in a deceptive trade practice in violation of the U.S. Federal Trade Commission Act. The test program involved the United States, Canada, and Mexico, and about a dozen companies, all subject to the FTC’s jurisdiction. Unlike the present status of the US/EU Safe Harbor program, the ultimate goal of the APEC test program is to develop a program available to companies in all sectors of the economy. The test program was halted on account of difficulties regarding common documentation.
In early 2008 the Vietnamese Ministry of Trade and Industry, convinced that privacy issues were adversely impacting Vietnamese e-commerce, announced it would take steps to increase the level of privacy attendant to the commercial websites of Vietnamese businesses.¹⁷ The deputy head of the ministry’s National-E-commerce and Information Technology Department stated that Vietnamese enterprises were aware of the importance of e-commerce. Indeed, according to a survey conducted by the ministry, almost two-thirds of responding companies said they believed they would become more competitive through e-commerce transactions. The survey also reported that the chief concern among these businesses was privacy, yet only about one quarter of Vietnamese e-commerce companies stated that protecting the customer’s privacy was a goal. Although Vietnam has laws requiring privacy, they are little known, and the maximum fine for a Vietnamese company that violates them is only about US$125. In order to foster the growth of e-commerce in Vietnam, the ministry is initiating a “TrustVn” license program. This license may be earned by businesses conducting e-commerce with businesses in other APEC Member Economies. Requirements for this license apparently will be based on compliance with the nine APEC privacy principles.
At the 2010 meeting in Sendai, Japan, the U.S. Department of Commerce was of the view that the draft CBPRs had already improved privacy in the APEC region through projects that assisted in Chile, Thailand, Vietnam, and the Philippines. Each of those nations was considering laws directed to enhancing both commercial data protection and enforcement. The DOC was also of the opinion that the APEC Privacy Framework generally, and the CBPRs in particular, were promoting regional integration; at that time Australia, Canada, Peru, and the Philippines were at least considering domestic privacy regimes that referred to the APEC Privacy Framework.
The United States (with the assistance of Australia, Canada, and Japan) sponsored a technical assistance workshop on development of Accountability Agents, with emphasis on the privacy regimes in Chile and Thailand. Updates were presented on privacy law in Vietnam, the Philippines, and Indonesia. And a session dealt with program requirements for Accountability Agents being developed as part of Pathfinder Project #3 (Compliance Review of an Entity’s CBPR). Another session dealt with different approaches to dispute resolution and enforcement that were contemplated under the CBPR system. Among the presenters in that session was a representative of the FTC, who discussed its Safe Harbor enforcement role, opining that its role in a system of APEC CBPRs would be similar to this. At that meeting there was an informal gathering on the Pathfinder. Policy issues on the Intake Questionnaire (Project #1) were discussed, as were the Accountability Agent Recognition Criteria (Project #2) and a draft of the Program requirements for Accountability Agents (Project #3), and the CBPR Governance Mechanism (Project #8).
There was also a gathering of the Data Privacy Subgroup, which formally endorsed Pathfinder Projects #1 and #2, and noted the successful implementation of the APEC Cooperation Arrangement for Cross-Border Enforcement (former Projects #5, #6, and #7); signatories include Australia, Canada, Hong Kong, New Zealand, and the United States. It was reported that 16 economies were participating in the APEC Privacy Pathfinder; four were actively considering or developing domestic privacy frameworks referring to the APEC Privacy Framework, and two documents were endorsed in furtherance of implementation.
APEC has formed an Asia Pacific Privacy Authorities group (“APPA”), comprising as of February 2012 several national data protection authorities (Office of the Australian Information Commissioner; Office of the Privacy Commissioner, Canada; Korea Internet & Security Agency; Federal Institute for Access to Information and Data Protection, Mexico; Office of the Privacy Commissioner, New Zealand; Federal Trade Commission, United States of America), along with several sub-national data protection authorities (Office of the Information and Privacy Commissioner, British Columbia, Canada; Office of the Privacy Commissioner for Personal Data, Hong Kong; Office of the New South Wales Privacy Commissioner, Australia; Office of the Northern Territory Information Commissioner, Australia; Office of the Information Commissioner, Queensland, Australia; Office of the Victorian Privacy Commissioner, Australia). In one of APPA’s initial activities, it made an inquiry of Google after Google revised its privacy policies in early 2012.¹⁸
As of 2010 the status of the law in the following Member Economies was as described below:
Chile. The law did not provide explicit privacy protection for private sector commercial transactions, nor did Chile have a governmental entity to enforce any such protection. In 2010 an amendment was proposed to the 1998 privacy law; that amendment would establish such protection in a manner consistent with the APEC Privacy Framework and would establish an enforcement agency. The amendment would rename the Transparency Council as the Transparency and Personal Information Protection Council and would make it responsible for enforcing the privacy law.
Thailand. There was no law providing explicit privacy protection for private sector commercial information, nor an enforcement authority to enforce any such law. A bill styled the Data Privacy Protection Act had been sent to Parliament, and its provisions closely follow the APEC Privacy Framework. The bill would also create a Personal Data Protection Commission that would have the authority to develop a national certification mark.
Vietnam. Vietnam was considering a comprehensive consumer data protection law consistent with the APEC Privacy Framework. By that time the nation already had a national trustmark (TrustVN) that could serve as an Accountability Agent.
The Philippines. A proposed comprehensive privacy law was introduced in the Philippines parliament in 2010, after failing enactment previously. In the Philippines it is likely that private sector entities would serve as Accountability Agents, although enforcement would be a governmental role.
Indonesia. In 2008 Indonesia enacted a general privacy right but lacks legislation that defines the right of privacy. By 2010 the government was developing draft legislation that would implement the law. Most likely the enforcement authority would be either the Ministry of Trade or the Ministry of Information Technology and Communications.
1 Bender on Privacy and Data Protection § 33.04[8] (2020)
In 2016, APEC instituted a Privacy Recognition for Processors (“PRP”) program intended to certify data protection compliance for personal information processors within the APEC region. The four elements of the program are self-assessment; compliance review; recognition/acceptance; and complaint processing and enforcement. The PRP program issues a trustmark certification to processors that show a capacity to assist controllers in complying with certain data protection requirements. The purposes of the program are to allow controllers to identify qualified processors, processors to show their qualifications, and small and medium-sized organizations to be recognized by a global processing network.
To receive the trustmark, a processor must implement data protection practices and policies that are determined by an APEC-designated Accountability Agent to comply with PRP System requirements. The program is meant to ensure a minimum level of data protection where domestic law does not do so, and is not intended to modify existing domestic law. The APEC Privacy Framework and the APEC Cross Border Privacy Rules (“CBPR”) system apply only to controllers. The trustmark is intended to complement those programs, but a controller certified under the CBPR that uses a processor is not required to select a processor that has the trustmark.
The first institution certified as an accountability agent for the new certification was the TRUSTe subsidiary of TrustArc.¹⁹ The number of companies participating in the CBPR program reached 23 as of November 2018, including Apple, Box, Hewlett-Packard Enterprise, HP, Inc., Hightail, IBM, JELD-WEN, Merck, Rimini, Saba Software, Workday, Yodle, and Ziff-Davis.²⁰ According to TrustArc, the process of processor certification can often be completed in two months or less. Moreover, the APEC processor certification was said to be analogous to complying with GDPR Art. 28, which governs agreements required between controllers and processors. The processor certification relies on accountability agents for approval, rather than regulatory bodies.
In order to obtain approval, TrustArc had to show to an APEC joint oversight committee the policies it had in place to ensure independent review, the specific requirements to which it would hold companies, the specifics of its program, and how it would comply with the 18 program requirements set by APEC for processors.
In June 2019 APEC announced it had another accountability agent, viz., the certification firm Schellman & Co.²¹ This was APEC’s third accountability agent, and the second one in the United States. (TrustArc subsidiary TRUSTe, designated in 2013, is the other U.S.-based accountability agent for the CBPR program.) The US Department of Commerce’s International Trade Administration (ITA) observed: “Having multiple options really shores up the strength and foundation of U.S. participation in the system.” Some observers believe that, with Schellman jumping on board, and additional companies showing interest in possibly becoming an accountability agent, CBPR may become more commonly known and more widely adopted. For its part, the ITA stated that accountability agents are “a critical piece of the CBPR’s foundation, without which we could not function. We cannot serve companies if these accountability agents aren’t in place to certify them.”
In July 2019 Singapore became the third APEC economy to appoint an accountability agent.²² Singapore designated the Infocomm Media Development Authority (IMDA) as its accountability agent. The CBPR system allows participating organizations to develop their own internal rules and policies that are consistent with specific CBPR program requirements on which certification is based, so as to secure privacy in cross-border transfers. Accountability agents ensure that the privacy policies and practices of participating organizations comply with the APEC CBPR and Privacy Recognition for Processors (PRP) by making independent third-party assessments, and certifying those who meet the standards. Approval of the IMDA as an accountability agent was reached by the Joint Oversight Panel of the APEC Electronic Commerce Steering Group, which administers the APEC CBPR system. IMDA will join other accountability agents such as Schellman & Company and TrustArc in the United States and the Japan Institute for Promotion of Digital Economy and Community (JIPDEC) in Japan.
Data protection is an urgent issue for businesses in the APEC region; the APEC economies are home to 45 per cent of the world’s internet users—almost 2 billion people, and an increasing amount of data is flowing across borders. There are currently eight participating APEC economies in the CBPR system, including Australia, Canada, the Republic of Korea, Japan, Mexico, Singapore, Chinese Taipei and the United States.
Footnotes — § 33.04:
1 The Group has an Information Privacy Sub-Group.
2 Press Release, APEC Electronic Commerce Steering Group, Privacy Principles on the Agenda at Canberra APEC Seminar (Jan. 22, 2007), available at http://www.apec.org/en/Press/News-Releases/2007/0122_aus_privacyprinciples.aspx.
3 “APEC Privacy Framework,” issued by the APEC Electronic Commerce Steering Group.
5 Press Release, APEC, APEC Ministers Endorse the APEC Privacy Framework (Nov. 20, 2004) (quoting U.S. Secretary of State Colin Powell), available at http://www.apec.org/Press/News-Releases/2004/1120_apecminsendorseprivacyfrmwk.aspx.
6 The APEC Privacy Framework, summarized below, is reproduced at § 53App.01, below.
7 The term “use” here includes transfer or disclosure.
8 “The use of personal information for ‘compatible or related purposes’ would extend, for example, to matters such as the creation and use of a centralized database to manage personnel in an effective and efficient manner; the processing of employee payrolls by a third party; or, the use of information collected by an organization for the purpose of granting credit for the subsequent purpose of collecting debt owed to that organization.” Framework p.12.
9 The Commentary states that, where the information is maintained in a language different from the language in which it was collected, on request for the information in the original language the organization must supply it in that form if the individual pays for the translation.
10 The Commentary acknowledges that in some situations it may be “impossible, impracticable or unnecessary to change, suppress or delete records.”
11 But the Commentary imposes on the organization an obligation to make a good faith effort to provide access, and specifically mentions the use of redaction.
12 The Commentary defines the term as “information in an organization that an organization has taken steps to protect from disclosure, where such disclosure would facilitate a competitor in the market to use or exploit the information against the business interest of the organization causing significant financial loss,” and gives examples. The Commentary again mentions redaction as an alternative that may be available in some—but not all—situations.
13 The Commentary provides: “An organization would not be expected to provide an explanation, however, in cases where such disclosure would violate a law or judicial order.”
14 The Commentary gives examples of what would be considered reasonable.
15 The Commentary states that there will be certain situations where due diligence will be impossible or impractical (e.g., where there is no on-going relationship between controller and disclosee), and suggests that in such situations controllers may choose to use other means (such as consent) to assure protection consistent with the Principles. “However, in cases where disclosures are required by domestic law, the personal information controller would be relieved of any due diligence or consent obligations.”
16 The Framework notes: “Discussions with domestic law enforcement, security, public health, and other agencies are important to identify ways to strengthen privacy without creating obstacles to national security, public safety, and other public policy missions.”
17 VietNamNet Bridge: http://english.vietnamnet.vn/biz/2008/04/776201.
18 See letter of 23 Feb. 2012 from Timothy Pilgrim (Australian Priv. Commr) to Larry Page (Google CEO) (found at <http://privacy.org.nz/assets/Files/Media-Releases/APPA-TWG-to-Google-Feb-2012.pdf>); letter of 29 Feb. 2012 from P. Fleischer (Google Global Privacy Counsel) to Commr. Pilgrim (found at <http://privacy.org.nz/assets/Files/Media-Releases/Googles-response-to-APPA.pdf>).
19 See, e.g., A. Carson, “TrustArc launches APEC certification for processors,” The Privacy Advisor (Sept. 25, 2018), available at <https://iapp.org/train/>.
21 J. Duball, “APEC announces new US accountability agent for CBPR certifications,” IAPP Dashboard (June 14, 2019), available at https://iapp.org/news/a/apec-announces-schellman-company-as-newest-us-accountability-agent-for-cbpr-certifications/.
22 APEC Electronic Commerce Steering Group Press Release, “APEC Strengthens Trust with Data Protection System,” (July 23, 2019), available at https://www.apec.org/Press/News-Releases/2019/0723_IMDA.