Can’t We Just Get Along? EU-Asia Pacific Cross Border Data Flow Privacy Rules Interoperability


Setting up ways for companies to move data across borders more easily while at the same time protecting privacy is a good thing, the political and trade groups the European Union and the Asia-Pacific Economic Cooperation agree. Now if they can only make their separate cross-border transfer rules systems play nicely with each other.

The EU and APEC have commenced discussions to explore the interoperability between their cross-border data flow systems, APEC announced in a recent statement. Probably a good idea given that the EU’s new privacy regime is coming just over the horizon.

The APEC Electronic-Commerce Steering Group’s Data Privacy Subgroup (DPS) and the European Commission, the EU’s executive arm, met recently in Ho Chi Minh City, Vietnam to exchange information on APEC’s Cross Border Privacy Rules (CBPR) and the EU’s General Data Protection Regulation (GDPR).

The working group will look at collaboration options that GDPR will present when it enters into force in May 2018, such as corporate privacy certifications and codes of conduct.

The GDPR introduces a data transfer scheme based on certification backed up by binding and enforceable commitments by companies that use personal data. Industry associations and other groups are also able to draft codes of conduct that can be approved by the appropriate EU national privacy regulator.

The CBPR requires participating businesses to implement privacy policies consistent with the 2004 APEC Privacy Framework. The policies are assessed by an independent accountability agent appointed by each participating country and approved by APEC. Enforcement is carried out by national privacy regulators, with APEC facilitating cross-border cooperation among regulators.

Interoperability talks started in 2012 with DPS creating a working group with representatives from APEC and a group of privacy regulators from the 28 EU countries. Although the group released in 2014 a “referential” identifying common elements of the EU’s binding corporate rules and the CBPR, it didn’t meet between 2015 and now and much work remained.

The working group discussions track EU efforts to approve the privacy legal regimes in APEC members South Korea and Japan as adequate to protect the privacy of personal data transferred there from the EU. That effort would also certainly strengthen cooperation between EU and APEC privacy regulators.

The working group agreed to continue discussions during the time leading up to the next APEC privacy meetings slated to be held in Papua New Guinea in February 2018.

To keep up with the constantly evolving world of privacy and security sign up for the Bloomberg BNA Privacy and Security Update.


By George R. Lynch