Pacific Privacy Rules to Ease Trade Are Set to Take Off

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

A single privacy framework for the corporate transfer of data across Pacific Rim national borders is ready for lift-off after years of idling, as a raft of Asia-Pacific nations move to adopt the data transfer plan, privacy professionals told Bloomberg BNA.

For years, only the U.S., Mexico, Japan and Canada participated in the system.

As more countries move to join, and as Japan’s amended privacy law--which creates an incentive to participate--takes effect in May, the Cross-Border Privacy Rules (CBPR) are finally poised to become the data transfer plan of record in the region.

In today’s global digital economy, multinational corporations need a mechanism to transfer data such as names, social insurance numbers, financial information, health information and other personal information across borders. The 21-country Asia-Pacific Economic Cooperation (APEC) economies, which include the world’s three largest economies--the U.S., Japan and China--created the voluntary CBPR in 2011 to ease data transfers among nations with varying privacy laws. The combined 2015 total gross domestic product of the three countries was $30.6 trillion, according to Bloomberg data.

U.S. companies participating in the CBPR system include technology giants IBM Corp., Cisco Systems, Apple Inc., Hewlett Packard Inc. and Box Inc. and pharmaceutical behemoth, Merck & Co. Inc. IBM raked in $17.2 billion and Merck earned $7.89 billion in Asia Pacific fiscal year 2016 revenue, Bloomberg data show.

The CBPR system eases trade in the region “by treating the transfers of personal data among participating APEC countries pursuant to the single APEC Privacy Framework,” Yumi Watanabe, counsel at Baker McKenzie LLP in Tokyo told Bloomberg BNA.

The CBPR requires participating businesses to implement privacy policies consistent with the 2004 APEC Privacy Framework. The policies are assessed by an independent accountability agent appointed by each participating country and approved by APEC. Enforcement is carried out by national privacy regulators, with APEC facilitating cross-border cooperation among regulators. In the U.S., for example, privacy trustmark company TRUSTe Inc. serves as the accountability agent and the Federal Trade Commission is the primary enforcement authority.

Josh Harris, director of policy at TRUSTe, told Bloomberg BNA that the CBPR system has reached “escape velocity” regarding the number of countries that have joined. TRUSTe serves as the independent accountability agent in the U.S. for CBPR.

apecgraph

Although the proposed Trans-Pacific Partnership would have reinforced the importance of CBPR, “the need for efficient and accountable trans-border data flows is too strong” for U.S. withdrawal from TPP to negatively affect it, Markus Heyder, vice president and senior policy counsel at Hunton Williams LLP’s Centre for Information Policy Leadership, told Bloomberg BNA.

Joining CBPRs is likely to improve the data handling practices of organizations, and as more countries and organizations enroll, it will become an even more attractive alternative to companies, Mark Parsons, a partner at Hogan Lovells LLP in Hong Kong, told Bloomberg BNA.

Expanding the number of companies and countries in the CBPR system was a top priority for the Obama Administration, which viewed the building of trust in cross-border data flows among businesses, consumers and regulators as an economic imperative

CBPR Liftoff

Privacy professionals told Bloomberg BNA they are optimistic that the system will expand soon beyond the U.S., Mexico, Japan and Canada.

Harris said that the lack of participation in the system was a hindrance in the past, but “the next set of hurdles is that the system is expanding quickly, so it will need to concurrently expand administration capabilities.”

Japan’s amendments to its privacy framework law have received attention and pushed off the fence countries that were noncommittal about joining CBPRs, a source close to the matter said. The Japanese law requires companies to obtain consent before transferring data to another country, but allows an exception for companies that are CBPR-certified, providing companies a concrete benefit for certification.

South Korea in January formally submitted its intent to join CBPR, and the CBPR Joint Oversight Panel is reviewing its application. The participation of Korea is especially notable because the Korean privacy framework is significantly more strict than that of other APEC countries.

APEC’s Data Privacy Subgroup of the Electronic Commerce Steering Committee noted at its Feb. 23 meeting that “the Philippines, Singapore and Chinese Taipei announced they are at different stages of consideration to participate in the CBPR,” according to an APEC official.

Heyder said that “each of these developments will cause ripple effects across the region and make the CBPR more interesting and useful, and joining it more urgent to the other APEC economies that have not yet joined.”

Kwang Bae Park, a partner at Lee & Ko in Seoul, told Bloomberg BNA that he expects “increased participation from the other remaining APEC countries.”

Benefits for Companies

Parsons said that, given the cost of certification, organizations need to see “an obvious benefit” from participating in CBPR, “in terms of market perception to coming out of the process having the right to display a trust-mark.”

The consent exception in Japan’s law is one such benefit.

CBPR has also served as a trust-mark for other systems as well. Merck, for example, was able to use its CBPR certification as a basis for their European Union Binding Corporate Rules certification that allows it to transfer personal data out of the EU.

The APEC Privacy Framework is based on the same common principles as the EU-U.S. Privacy Shield, the EU Data Protection Directive and the General Data Protection Regulation, a Commerce Department official said.

All of these privacy regimes are based on the Organization for Economic Cooperation and Development (OECD) privacy guidelines, and include the principles of notice, choice, collection limitation, use limitation, security and onward transfers, for example, are “elements found in every privacy law,” Harris said.

Heyder said a trust-mark will “likely have more meaning as wider acceptance of the program comes on.”

A Commerce Department official said they “have been working very hard to work with Europe to establish interoperability, including with BCRs.”

CBPR certification can help multinationals create uniform privacy practices across their organizations jurisdictions, “which has definitive administrative advantages,” Heyder said.

Bridging the Gap

CBPR does not negate the need for participating companies to also comply with national data protection laws in APEC countries, and companies need to fill the gap between CBPR requirements and national laws.

The gaps are growing and becoming more numerous as more than a dozen APEC countries have passed OECD-based data protection laws since the APEC Privacy Framework was developed in 2004.

“Compliance with the CBPR system should go a long way toward compliance in the various APEC economies,” Heyder said. Any instances where national laws differ can be handled on a case-by-case basis, he said.

Watanabe said that Japan’s exception for CBPR-certified data transfers provided by Japan’s law could be considered evidence that CBPR is still effective for compliance even though data protection laws in the region are becoming more strict.

Keeping the Ball Rolling

The APEC Data Privacy Subgroup recently held its first 2017 biannual meeting with “a major focus” on APEC CBPRs , a U.S. Department of Commerce official involved in the process told Bloomberg BNA on background.

The Data Privacy Subgroup also intends to work with countries to facilitate their participation in CBPRs, an APEC official told Bloomberg BNA.

APEC member countries are focused on trying to improve administration, the website for consumers and businesses, and better serve customer complaints and provide high levels of oversight for customers, a Commerce Department official said.

The APEC members are: Australia, Brunei Darussalam, Canada, Chile, the People’s Republic of China, Hong Kong, Indonesia, Japan, South Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, the Philippines, Russia, Singapore, Chinese Taipei, Thailand, the U.S. and Vietnam.

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.