Views on Cross-Border Data Protection in the Asia-Pacific Economic Cooperation From Department of Commerce Deputy Assistant Secretary Ted Dean

The Asia-Pacific Economic Cooperation (APEC) recently held a meeting in Peru on the group's Cross-Border Privacy Rules (CBPR) System, which seeks to enable cross-border data sharing while protecting personal information essential to online commerce.

On the sidelines of the conference, Bloomberg BNA Privacy & Data Security News Lima Correspondent Lucien Chauvin posed a series of questions to Ted Dean, deputy assistant secretary of the U.S. Department of Commerce and chair of the APEC Electronic Commerce Steering Group, on the applicability and viability of the CBPR.

Bloomberg BNA:

What is the state of the CBPR?


We have spent a number of years developing the system and it is really just now coming to market. We have four economies in the system, but only one, the U.S., that today has an accountability agent and certified companies.

It is really significant that Japan now has an accountability agent so that they can now begin to certify companies. One of the ways I have talked about this is saying that it was like having just one telephone, which isn't very viable, but now that Japan is fully operational in the system we think there is going to be a much stronger business case for this.

While we are very confident in how the system works, very confident in the privacy protections it provides, and very confident in the enforcement that agencies provide, you still need, ultimately, a business case for companies to invest in it, spend the time to do certification and build from there.

We are in a new position with Japan now operating and we are pushing very hard to have other economies join. It is a network effect, because when you have more economies involved and more companies involved, the system becomes more commercially relevant and makes it easier for the next companies to get involved.

Bloomberg BNA:

There is criticism that the CBPR hasn't been effective because only 14 companies have been certified. How do you respond?


We understand this and I freely accept that prior to Japan being involved we were in the one-telephone scenario I mentioned. We are putting a lot of effort into it now because I think in many ways the last seven or eight years have been a policy development process, and the process we are involved in now is how do we take it to market and how do we grow it. That is where our energy is now.

Bloomberg BNA:

What progress on the CBPR would you like to see in a year?


We would like to have 100 companies certified by the end of this year and double the number of economies that are participating by the end of 2017.

Candidly, that is an ambitious goal and we have some work to do to get there, but I think it is the kind of program where you can build momentum when you make it more relevant by having more people involved.

Bloomberg BNA:

The companies involved in the CBPR are largely multinationals. Do you foresee small and medium enterprises (SMEs) or larger non-multinational companies getting involved?


Absolutely. We want it to be relevant to SMEs, which is one of the mandates of APEC. I would say having a big company like HP involved helps. If HP, for example, offers a cloud service and they are certified and they have 500 cloud customers who transfer their personal data back to HP, its certification provides confidence in data flows to a lot of SMEs.

The SMEs are helped indirectly when the big guys come in, but we want something where smaller companies can do it and it is one of the reasons why we developed the Privacy Recognition for Processors (PRP).

Bloomberg BNA:

So is the CBPR scalable for countries like Peru or Vietnam?


Certainly. We would love for Peru to participate.

Vietnam is APEC's host in 2017 and we have had a lot of conversations with Vietnam. I think APEC is such a good forum to do this, because all the economies had to agree so it can work in a developed economy with a sophisticated privacy regulator or a country that is still trying to figure out privacy laws.

Bloomberg BNA:

There are concerns about the interoperability of the CBPR and Europe's Binding Corporate Rules (BCR). Can you envision these two systems working together?


We do, but it is a long-term goal. It is better for privacy protection if the rules of the game are rules that people have confidence in, but that are also consistent because then a company can spend its money really making sure that it is protecting data and not spend its money with lawyers checking to see if they got that jurisdiction right, or how the transfer issue works.

I would like to point out a difference. While we are working with Europe on the connections between BCRs and CBPRs, BCRs are really a European instrument and relate to data being transferred out of Europe. The CBPR, from the time it was set up, is designed to transfer data between all the APEC economies so it is a more diverse system.