© 2007 TransUnion LLCAll Rights Reserved

Binding Corporate Rules – Global Implications

Conference on Cross Border Data Flows and PrivacyOctober 16, 2007Washington, D.C.

Yukiko Koyko@transunion.com

2

TransUnion OverviewTransUnion is a trusted partner for business and consumers around the world

Maintains credit histories on an estimated 500 million consumers around the globe

Processes billions of updates each month

Affiliates with partners with more than 100 years of experience

Employs privacy protocols and security measures to provide high confidence in personal financial information

Helps prevent and combat financial crimes, such as identity theft and credit fraud, by establishing the industry's first dedicated fraud victim assistance department

Founded in 1968

Headquartered in Chicago

Provides solutions to more than 50,000 businesses worldwide

Reaches businesses and consumers in more than 30 countries on six continents

3

TransUnion Global Reach

4

TransUnion as Part of a Global Community

• Active participation in the APEC Data Privacy Subgroup

• Share best practices through Identity Theft Prevention and Identity Management Standards Panel (IDSP), American National Standards Institute

• Contribute to capacity building for SMEs and other players in emerging markets – TransUnion Central America, among others

5

Why Global Corporate Privacy Rules?

• Proliferation of various data protection laws– History– Culture– Institutional structure (enforcement system)– Economic needs

• Constant flows of data sans frontière – Data transfers (electronic, oral and physical)– Access to network

• Privacy, security, and market demands

6

Features of Global Corporate Privacy Rules

• Transparency– Intra-company– Inter-company– Accountability to the public and regulators

• Efficiency– Operational– Compliance– Training and education

• Uniformity

7

Different Backgrounds yet Common Interest – EU and APEC

EU APECSize 28% of world GDP1)

493 million people 2)

27 member states 2)

56% of world GDP3)

2.6 billion people 3)

21 member economies 3)

Privacy culture

Protection of human rights – data processing not infringing human rights

Protection of consumer rights - Economic growth based on secure data processing

Co-ordination

Article 29 Working Party (mandated by the Directive)

APEC ECSG Data Privacy Sub-group (voluntary participation)

Source: 1) World Bank 2) EU at a Glance, 3) APEC at a Glance and World Bank

8

BCRs and CBPRs

• Both BCRs and CBPRs aim to facilitate privacy compliance by creating corporate accountability

• Implementation is key for both BCRs and CBPRs

Binding Corporate Rules (BCRs)

• Widely recognised compliance tool

Cross Border Privacy Rules (CBPRs)

• Tool currently in works

9

Comparing BCRs and CBPRs

BCRs CBPRs (still in works)Self-assessment

Internal coordination, audits, policy setting, standard application form

Internal coordination, audits, policy setting, APEC self-assessment questionnaire (?)

Compliance Review

27 data protection authorities with a “lead authority”

Designated government regulator or accredited third party organisations (e.g. trustmarks?)

Approval/ Recognition

27 data protection authorities with a “lead authority”

Designated government regulator or accredited third party organisations (e.g. trustmarks?)

Dispute Resolution/ Enforcement

Cross-border dispute resolution/enforcement in 2 steps: business, enforcement authorities

Cross-border dispute resolution/enforcement in 2 or 3 steps: business, accredited third parties, enforcement authorities

10

Observation

• Commonalities between BCRs and CBPRs hint at global corporate best practice for data protection

• There is a strong need to provide capacity building/technical assistance for emerging economies and SMEs

• Rules development and approval process should be streamlined and clear

• Frequent information exchange among businesses,

governments, and civil society organisations in the two regions is essential

11

Thank you

Yukiko KoDirector, International Fraud and ID Management

TransUnionyko@transunion.com