Washington, DC - The privacy framework for transatlantic exchanges of personal data between the EU and the United States has been in the headlines lately. But are you and your clients staying on top of your obligations on the Pacific side? If your company certifies its compliance with the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules, a proposed FTC settlement with Very Incognito Technologies serves as a reminder to honor those promises.
The APEC Cross Border Privacy Rules system is a self-regulatory initiative designed to facilitate the protection of consumer data transferred across the APEC region – 21 Pacific Rim member economies, including the United States. The Cross Border Privacy Rules are based on the APEC Privacy Framework’s nine information privacy principles: preventing harm, notice, collection limitation, use, choice, integrity, security safeguards, access and correction, and accountability.
To participate, companies must undergo a review by an APEC-recognized Accountability Agent to establish their compliance with program requirements. To retain their status as certified participants, they have to undergo annual reviews.
San Francisco-based Very Incognito Technologies – consumers know it as Vipvape – claimed on its website that it participates in the APEC self-regulatory system:
Vipvape abides by the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules System. The APEC CPBR system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies.
But according to the FTC, Vipvape is not – and never has been – certified to participate in the system, which is why the complaint challenges that claim as false. Under the terms of the proposed settlement, Vipvape is prohibited from misrepresenting its participation, membership, or certification in any privacy or security program sponsored by a government, a self-regulatory program, or a standard-setting organization.
You can file a comment about the proposed settlement by June 3, 2016. In the meantime, the case suggests three compliance tips for businesses.
Live up to your privacy promises. Participation in self-regulatory systems like APEC’s Cross Border Privacy Rules is voluntary. But if your company conveys to consumers – expressly or by implication – that you participate, honor your word.