Until Privacy Shield, Look to APEC Data Transfer Rules

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George R. Lynch

April 7 — The inclusion of privacy and data security principles in trade agreements, such as the Trans-Pacific Partnership (TPP), highlights the global importance of privacy issues in a trade context.

The Asia Pacific region has played an increasingly important role in global privacy in recent years as countries there have adopted data protection framework laws, Harriet Pearson, co-chair of the privacy and data security practice at Hogan Lovells LLP in Washington, said during a Bloomberg Law panel at the 2016 International Association of Privacy Professionals Global Privacy Summit.

With European Union privacy policies in flux, now is a good time for companies to look towards Asia, Pearson and fellow panelist John Drennan, counsel in the privacy practice at King & Spalding LLP in Washington, said.

The Asia Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules are a good place for companies to start assessing their compliance because those standards are directly applicable to move into the Binding Corporate Rules (BCRs) process for data transfers out of the EU, Drennan said.

Pearson noted that the EU's forthcoming General Data Protection Regulation continues to recognize BCRs as a valid mechanism .

The panel—“Making Sense of International Trade Agreements—The Impact on Privacy Policy” —was moderated by Donald G. Aplin, managing editor of privacy and data security news at Bloomberg BNA.

Trans-Pacific Partnership

The TPP was approved by trade representatives from 12 Pacific rim countries to encourage the free cross-border flow of personal information used for business and restricting the ability of countries to demand local storage of information. The Electronic Commerce chapter of the TPP, to a great extent, shows a commitment by the signatory countries—Australia, Brunei Darussalam, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, the U.S. and Vietnam—to expand their cooperation on data transfer and data localization issues .

The TPP's default of allowing cross-border transfers is significant, Drennan said. TPP proscribes data localization laws, but contains exceptions, including a public policy exception .

“The $64,000 question,” Pearson said, is “whether exceptions are so broad that they undercut the advantages in the provisions.”

Vietnam is the only TPP signatory country that has a strong data localization law, but “we will have to see which countries create cross-border transfer restrictions and which pass data localization laws,” Pearson said.

Drennan said it may be five to 10 years until there is enough development of law and other context to tell whether the exceptions will undercut the rule.

Pearson said that although the TPP may not set a trade law precedent by invalidating already-existing data localization rules, the TPP will have an impact on national laws.

She predicted that TPP won't drive companies into adopting APEC privacy rules, but again emphasized that it's a good idea for companies to start with APEC certification while there's uncertainty around BCRs and the European Union-U.S. Privacy Shield set to replace the invalidated Safe Harbor program .

Transatlantic Trade and Investment Partnership

With the EU-U.S. Privacy Shield unresolved and no immediate end in sight for negotiations over the Transatlantic Trade and Investment Partnership (TTIP)—the sister agreement to TPP—, it is unclear whether or to what extent TTIP will include any privacy and data security provisions.

“I would be surprised if privacy and cross-border transfers are addressed head-on,” Drennan said, explaining that Europeans view data privacy as more of a human rights issue that isn't necessarily properly included in a trade agreement.

Pearson predicted that TTIP negotiations won't be done this year, but expressed more optimism that a final agreement will include privacy provisions if negotiators can establish that a lack of interference in data protection helps businesses trade.

“Despite reluctance to address privacy in a frontal way, there may be a way to address cross-border data flows in another way,” she said.

Impact of Privacy Shield

The Privacy Shield will affect the role of privacy in TTIP whether or not it passes.

“If Privacy Shield fails, the question that will be asked is whether European laws are impeding trade, and that may make data provisions in TTIP more likely,” Pearson said. By the time TTIP passes, the Privacy Shield should be up and running, she added. And a well-working Privacy Shield will take the pressure off of TTIP negotiators to include privacy provisions.

Drennan expressed skepticism about the Privacy Shield. “Companies would do well to focus on Asia and APEC at the moment,” he said

Trade and data privacy have emerged, however, and “they're not going away,” Drennan said.

Pearson added that “if there's a trade priority for your organization make sure the policy strategy in trade factors in data privacy.”

To contact the reporter on this story: George R. Lynch in Washington at glynch@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com