Views on the APEC's Cross Border Privacy Rules System From Information Integrity Solutions Managing Director Malcolm Crompton

Malcolm Crompton

Information Integrity Solutions recently published a report on the benefits of Asia-Pacific Economic Cooperation's Cross-Border Privacy Rules System (CBPR), which aims to allow free flow of data across borders while maintaining privacy and security of the data. The report—Preliminary Assessment: Potential Benefits for APEC Economies and Businesses Joining the CBPR System—identifies benefits to adopting CBPRs for governments, businesses and regulators.

Bloomberg BNA Privacy & Data Security News Senior Legal Editor George R. Lynch posed a series of questions to Malcolm Crompton, managing director of Information Integrity Solutions, and Australia's Privacy Commissioner from 1999 to 2004, on the Cross-Border Privacy Rules System.

Bloomberg BNA:

In your report on the benefits of CBPRs, what do you conclude is the most significant benefit for companies that participate in the APEC system?

Malcolm Crompton:

Our report has been published on the APEC website and on the publications page of our company website, found here.

Overall, the report found that the APEC CBPR system generated a considerable range of benefits to all stakeholders. They include a suitable level of privacy protection: effective without being onerous; benefits both to importers and exporters of personal information; and interoperability between economies and companies. One surprising benefit was the extent to which companies that had been certified found that it assisted them in gaining internal alignment and consistency within the company. The report sets out a number of other benefits too.

Beyond those general observations, the report also shows that it is hard to answer your question without considering specific contexts. The extent to which economies and stakeholders, including companies, find value in the CBPR System largely depends on each economy’s underlying domestic law, the underlying domestic law of its current or future trading partners, and the requirements of stakeholders.

In Japan, for example, when the new privacy law comes into full effect, companies will only be able to export personal information in limited circumstances (14 PVLR 1689, 9/14/15). While the details are still being settled, it looks like certification under the APEC CBPR system may be one of the allowed circumstances.

Companies operating in Australia that are certified under the APEC CBPR system are able to take advantage of Australian Privacy Principle 8.2, which means they are no longer accountable for the actions of the offshore recipient of the data, which is the default under APP 8.1.

The original aim of the system was to allow certified companies to demonstrate to their customers that their personal information was safe, even when sent offshore. This is still a major benefit.

Yet again, at least one company has found that the APEC CBPR certification process significantly contributed to the processes that they later had to undergo to gain approval for their Cross Border Privacy rules under the EU Directive (15 PVLR 763, 4/11/16).


Bloomberg BNA:

Did you come across anything particularly problematic for companies that adopt CBPR?


Malcolm Crompton:

The most important finding in our report is that the main barrier at present is the very low awareness and understanding of the CBPR System, which is in and of itself a limiting factor to the adoption of the CBPR System more broadly.

Publications such as yours can help considerably in taking the message out, but APEC itself has a lot more work to do. The system website, for example, sets out all the formal documents but still does little to make the case for joining in simple terms.

The other issue that is problematic at the moment is the small number of economies that have subscribed to the system and the small but growing number of companies currently certified under the system.

However, these are all challenges that will melt away as the system grows. It is just like any network effect: the greater the number of participants, the greater the benefit to all other participants.

Incidentally, by way of comparison, more companies have been certified since the APEC CBPR system was formally launched than there were companies with approved EU Binding Corporate Rules at a comparable time after its launch.


Bloomberg BNA:

Where do things stand in terms of the progress of the CBPR system in harmonizing data transfer laws and raising the level of privacy protections?


Malcolm Crompton:

The aim of the CBPR system hasn't really been to harmonize data transfer laws. In fact, the system was designed to provide a basis for transfers that took account of the extreme variety of approaches being taken by APEC economies, rather than to force a harmonization. This is one of the great strengths of the system and makes it the basis for a truly global system when economies wish to participate. Indeed, I understand that at least one economy outside of APEC is already seeking to join.


Bloomberg BNA:

Has APEC had any success making CBPRs interoperable with other regional code-of-conduct regimes, such as the EU binding corporate rules?


Malcolm Crompton:

This is a work in progress. Officials from the APEC Data Privacy Subgroup of the E-Commerce Steering Group have been working with officials from the EU Article 29 Working Party for a couple of years now. While there is no official state of play in the public domain, they appear to be making progress. All stakeholders wish them well and urge them to complete the work.


Bloomberg BNA:

What needs to happen for the CBPRs system to be more widely used and to reach its mature potential?


Malcolm Crompton:

As mentioned earlier, wider knowledge and understanding of the system and its inherent flexibility combined with continued growth. The growth will feed growth. While the startup phase has been very encouraging, more is to be done in taking out the message.


Bloomberg BNA:

What is the most important contribution that CBPR has made to ensuring privacy in data transfers through the organizational accountability and codes of conduct model?


Malcolm Crompton:

Again, as mentioned earlier, it is the incredible flexibility of the system that is the eye opener. The CBPR is a system that is independent of law in the certifying process, much like financial information auditing. It certifies to an accepted framework (with the APEC privacy principles highly comparable to the 1980 Organization for Economic Cooperation and Development guidelines for example) and it ensures that customers can get their complaints resolved even if multiple jurisdictions are involved. From these basic tenets, the CBPR system can integrate with a huge range of privacy and consumer law frameworks.


For More Information

The full text of the report can be found on the Information Integrity Solutions

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.
