On November 13, 2011, Asia-Pacific Economic Cooperation
("APEC") leaders endorsed the APEC Cross-Border Privacy
Rules ("CBPR") system at an APEC meeting in Honolulu,
Hawaii. The leaders agreed, among other things, to
"[i]mplement the APEC Cross Border Privacy Rules System to
reduce barriers to information flows, enhance consumer privacy and
promote interoperability across regional data privacy
regimes." Businesses need to understand the opportunities and
challenges offered by the CBPR system.
This article explains what the CBPR system is and, perhaps more
importantly, what it is not. As a preliminary issue, it should be
noted that the leaders' endorsement does not mean that the
economies they represented are committed to participate in the CBPR
system. The endorsement only means that the leaders were satisfied
with APEC's work in developing the system. Participation will
be a totally separate decision to be made by the economies as they
see fit.
Background
The CBPR system is the newest addition to APEC's data
privacy projects, which started with the APEC Privacy Framework in
November 2004. The Privacy Framework, among other things, called
for cross-border cooperation in privacy law enforcement and
recognition of businesses' cross-border privacy rules across
the APEC region. The former call led to the APEC Cross-Border
Privacy Enforcement Arrangement (CPEA) and the latter to the CBPR
system.
CPEA is an arrangement where participating economies are expected
to help each other with extraterritorial investigations and
enforcement of domestic data privacy laws. It was endorsed by APEC
Ministers in November 2009 and commenced on July 16, 2010. The
operation is based on mutual agreements rather than legal
obligations; whether to accept a request for assistance is within a
participant's sole discretion. Even with such a non-binding
approach, to date CPEA has only five participants: Australia,
Canada, Hong Kong, New Zealand and the United States. It should be
noted that an economy must be a part of CPEA in order to
participate in the CBPR system.
The CBPR System
While CPEA is an agreement among participating economies, the
CBPR system is designed to bring in more involvement by the
business community. Generally speaking, the CBPR system is where
businesses voluntarily request to be certified as compliant with
APEC's minimum privacy requirements. The name of the system,
Cross-Border Privacy Rules, does not mean a set of privacy laws
enacted by APEC, but rather refers to businesses' own internal
cross-border privacy rules. The system only applies to data that
moves across borders.
The CBPR system involves four categories of players: APEC, through
a CBPR Joint Oversight Panel (JOP); Accountability Agents (AAs);
participating businesses; and participating economies. The JOP
authorizes AAs, which are from either the public or the private
sector, to evaluate, certify and monitor participating businesses.
By participating in the CBPR system, a business is essentially
entering a contract that requires the business to act according to
the CBPR it offered for certification, even if the CBPR is more
stringent than domestic data privacy laws. In return, once
certified, the business will be listed in an online directory
accessible to the public. This directory serves a dual purpose.
First, consumers are more likely to trust a business with their
personal data if it is listed in the directory. Second, the
directory provides concerned consumers with contact information of the
AA that certified the business and of relevant participating
economies. The AA will then investigate the matter complained of and
attempt to correct any violation. If the violating business refuses
to comply, participating economies will step in by treating a
violation of the business's own CBPR as a violation of domestic
data privacy laws. CPEA will facilitate cross-border enforcement
when necessary.
As to the substantive standards, the DPS has compiled a set of
baseline requirements against which an AA will assess a
business's CBPR. Notice is generally required before collection
of personal data, and businesses can only use collected data for
the stated purpose. In many circumstances, a choice must also be
provided to the individual. Businesses are responsible for personal
data's integrity and need to offer individuals the ability to
access and correct their personal information. Further, while an
individual's consent is not necessary for data transfer, the
transferor is accountable for ensuring that the recipient will
protect the information consistently with APEC's requirements.
The requirements are subject to numerous exceptions, and businesses
are generally free to satisfy a requirement in multiple
ways.
A proposal on interoperability recognition has also suggested that
certain privacy regulatory regimes should be deemed interoperable
with the CBPR system, and businesses already under regulation of
those regimes should therefore be automatically certified. The
proposal identified, among others, the EU Binding Corporate Rules
and the U.S. Gramm-Leach-Bliley Act as potential candidates.
However, this proposal is still under study and has not been
adopted as a part of the CBPR system.
Conclusion
Does the CBPR system make life easier for businesses by "promoting interoperability across regional data privacy regimes" as the leaders promised? The answer depends on your perspective. The system itself does not provide interoperability because it does not harmonize or take the place of economies' domestic laws. Participating businesses still need to comply with relevant domestic laws and regulations of the economies in which they operate. On top of that, they now also need to comply with the requirements of the CBPR system for personal information that moves across borders, and the CBPR system's requirements can often be more stringent than domestic laws, given that many Asian economies do not have comprehensive privacy regulations in place yet. On the other hand, exactly because of this lack of privacy laws in many APEC economies, the CBPR system might shape their future legislation and thus help to harmonize the laws in the long run. Specifically, the United States and China are co-sponsoring a CBPR case study, which at least shows the two powers' interest in the model. APEC has agreed to a five-year project, commencing in 2012, to support the implementation of the CBPR system.