When your privacy certification is Asia-Pacific specific

Share This Page

The privacy framework for transatlantic exchanges of personal data between the EU and the United States has been in the headlines lately. But are you and your clients staying on top of your obligations on the Pacific side? If your company certifies its compliance with the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules, a proposed FTC settlement with Very Incognito Technologies serves as a reminder to honor those promises.

The APEC Cross Border Privacy Rules system is a self-regulatory initiative designed to facilitate the protection of consumer data transferred across the APEC region – 21 Pacific Rim member economies, including the United States. The Cross Border Privacy Rules are based on the APEC Privacy Framework’s nine information privacy principles: preventing harm, notice, collection limitation, use, choice, integrity, security safeguards, access and correction, and accountability.

To participate, companies must undergo a review by an APEC-recognized Accountability Agent to establish their compliance with program requirements. To retain their status as certified participants, they have to undergo annual reviews.

San Francisco-based Very Incognito Technologies – consumers know it as Vipvape – claimed on its website that it participates in the APEC self-regulatory system:

Vipvape abides by the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules System. The APEC CPBR system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies.

But according to the FTC, Vipvape is not – and never has been – certified to participate in the system, which is why the complaint challenges that claim as false. Under the terms of the proposed settlement, Vipvape is prohibited from misrepresenting its participation, membership, or certification in any privacy or security program sponsored by a government, a self-regulatory program, or a standard-setting organization.

You can file a comment about the proposed settlement by June 3, 2016. In the meantime, the case suggests three compliance tips for businesses.

Live up to your privacy promises. Participation in self-regulatory systems like APEC’s Cross Border Privacy Rules is voluntary. But if your company conveys to consumers – expressly or by implication – that you participate, honor your word.

“But we don’t make any privacy promises!” Maybe so, but don’t assume that’s the case. First, check your privacy policy. Statements about how you handle data – including your compliance with self-regulatory systems – are claims you must substantiate. In addition, check for seals and logos that visually convey participation or compliance.

Make compliance checks part of your ongoing routine. Technology changes fast, but companies’ practices change even faster. That’s why data compliance can never be a one-and-done box to check. Many self-regulatory systems, including APEC’s Cross Border Privacy Rules, require companies to re-evaluate their practices periodically. In addition, when you update how you handle data, be sure to read your privacy policy and other privacy- and security-related representations with fresh eyes to make sure they accurately reflect your current practices.


Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.