On March 1st, Merck & Co. Inc. (Merck) formally concluded its Binding Corporate Rules (BCR) approval process with the Belgian Data Protection Authority, becoming the 82nd company to achieve the compliance landmark. But in a global first, Merck based its BCR application on its APEC Cross Border Privacy Rules (CBPR) certification. This work was facilitated by Merck’s use of a common referential developed by the Article 29 Working Party and APEC’s Data Privacy Sub Group in 2014 to facilitate interoperability between companies seeking certification under both systems. In October 2013, TRUSTe certified Merck as the first health-care company and the second … Continue reading Merck Successfully Concludes First APEC-based BCR Approval
If you missed today’s webinar covering solutions for Cross Border Data Transfers, the short clip below will give you an idea of just some of the material covered. Speakers were Hilary Wandall, AVP Compliance & Chief Privacy Officer at Merck & Co., Inc.; Josh Harris, Director of Policy at TRUSTe; and Melinda Claybaugh, Counsel for International Consumer Protection, Federal Trade Commission.
This article originally appeared in the June edition of The Privacy Advisor.
By Angelique Carson, CIPP/US
In 2014, Hewlett-Packard (HP) became the first company to win approval for both binding corporate rules (BCRs) and cross-border privacy rules (CBPRs). Both processes take a significant number of man hours to achieve, as HP’s privacy staff will tell you. But many of the administrative hurdles to demonstrating compliance are the same. That’s why, as companies increasingly turn to BCRs—69 to date, with 45 or 50 additional companies in the assessment phase—and CBPRs—12 to date, with another 20 or so in the pipeline—as data transfer mechanisms, an EU/APEC working group has approved a plan for increased interoperability by making it easier for companies to comply with both BCRs and CBPRs at once.
A U.S. Department of Commerce (DoC) official said the main feedback from industry was that the heavy lift in applying for approval under both frameworks was not having to make substantial changes to their privacy programs but demonstrating the provisions of those programs.
The EU’s Article 29 Working Party has agreed to the APEC Data Privacy Subgroup’s proposal to develop a common questionnaire based on the forms that now must be completed to apply for BCRs and CBPRs separately.
The idea is that organizations will be able to submit the single questionnaire to both EU DPAs, whose approval is needed for organizations to be granted BCRs, and to APEC Accountability Agents, whose approval is needed to be granted CBPRs, to reach compliance with both systems at once.
Hewlett-Packard (HP) has become the first company to be approved under both the EU Binding Corporate Rules (BCR) and Asia-Pacific Economic Cooperation’s Cross-Border Privacy Rules (CBPR) systems. The concept of dual certification was first introduced last March at the IAPP Global Privacy Summit when the Article 29 Working Party and APEC published a Referential mapping the requirements between the two frameworks. The document was introduced as a practical tool to help streamline the process for global companies seeking approval under both frameworks and welcomed as a first step towards greater interoperability. For HP, obtaining the TRUSTe APEC Privacy Seal was … Continue reading HP First to Achieve Dual Certification for BCRs and CBPRs