Hogan Lovells 2024 Election Impact and Congressional Outlook Report
On Monday, June 12, South Korea became the latest country approved to officially join the Asia-Pacific Economic Cooperation’s (APEC) Cross-Border Privacy Rules (CBPR) system. It is the fifth APEC economy to participate in the system, joining the United States, Canada, Japan, and Mexico. To date, twenty companies—including Apple, Cisco, HP, IBM, Rackspace, and Workday—have been certified under CBPR.
As businesses expand their services and operations globally, concerns have increased about the protection of personal information as it moves across borders and into countries with varying data protection regimes. Developed by the twenty-one APEC member economies, the voluntary CBPR system is intended to strengthen the general level of privacy protections while facilitating flows of data to fuel trade and economic growth across the APEC region. In a nutshell, the CBPR system centers around a voluntary privacy code of conduct for participating member economy businesses that are operating in the APEC region based on the nine APEC Privacy Principles developed in the APEC Privacy Framework: preventing harm, notice, collection limitation, use, choice, integrity, security safeguards, access and correction, and accountability.
In its June 12 announcement, South Korea’s Ministry of the Interior and the Korea Communications Commission cited its expectation that participation in the CBPR system will improve the overall level of protection for its citizens’ personal information and bolster international confidence in Korean companies’ privacy and security practices, thus improving Korean competitiveness in the global market.
Before businesses in an APEC member economy can be CBPR-certified, the APEC member economy must: (1) file formal notice to participate in and adhere to the CBPR system, (2) designate at least one domestic “Privacy Enforcement Authority” that participates in the APEC Cross-Border Privacy Enforcement Arrangement (CPEA) and is capable of enforcing CBPR pursuant to domestic law or the CPEA, (3) receive approval from APEC to join the CBPR system, and (4) appoint at least one “Accountability Agent” (who APEC must approve) responsible for certifying businesses’ compliance with the CBPR. Once the member economy has completed these steps, businesses in that member economy can seek CBPR certification.
A business seeking CBPR certification must develop internal rules and procedures for protection of personal data and cross-border data transfers that meet minimum standards set out in the CBPR framework. The company then self-assesses and attests to its compliance with CBPR using an intake questionnaire developed by the domestic Accountability Agent. The Accountability Agent verifies the attestation and certifies the company’s CBPR compliance or provides direction on remediation necessary for certification. Once a business is CBPR-certified, the Accountability Agent will add the business to a publicly accessible directory of its CBPR-certified companies. The compliance of the business with CBPR is thereafter enforceable by its domestic Privacy Enforcement Authority or the Accountability Agent (either via contract or domestic law).
In the United States, the only Privacy Enforcement Authority designated thus far is the Federal Trade Commission (FTC), so only those companies subject to the FTC’s jurisdiction may seek CBPR certification from the FTC’s designated Accountability Agent, TrustArc (formerly known as TRUSTe). Japan’s Privacy Enforcement Authority is the Ministry of Economy, Trade, and Industry, and it has designated JIPDEC as its Accountability Agent. To date, Canada and Mexico have not yet designated Accountability Agents.
A commissioned report presented in February 2016 at the APEC Senior Officials’ Meeting in Lima, Peru outlined stakeholder views on the benefits of participation in the CBPR system for APEC member economies and businesses. Stakeholders consulted for the report identified significant trade benefits and internal business benefits. For businesses, CBPR may help advance a privacy compliance program that generally addresses privacy risks across the globe. For example, one company reported that it benefited greatly from its CBPR certification through lowered cost and time in creating binding corporate rules (BCRs) to serve as its data transfer mechanism for EU privacy compliance purposes. Businesses also reported benefits tied to future proofing for change, efficiency in business negotiations, quicker product roll-outs as the internal regulatory review process can be streamlined, and increased consumer trust.
For consumers, benefits of their country’s participation in the CBPR system include enhanced privacy protections, improved trust through strong rules and third party trust marks, streamlined complaint handling, and coordinated government enforcement across borders. Participating member economies may be able to foster and facilitate trade and economic growth while protecting privacy, improving enforceability of data protections through cross-border cooperation, and augment data protection enforcement resources and the reach of Privacy Enforcement Authorities through front-line enforcement by Accountability Agents.
Companies considering CBPR certification, however, should be aware that participation in the APEC CBPR system is not a one-size-fits-all solution to compliance in the APEC region. Since the creation of the APEC Privacy Framework in 2004, an avalanche of new data protection laws have been passed, but such laws have been far from uniform and increasingly have trended towards including data export restrictions. The CBPR system does not provide a safe harbor for data exports from APEC member economies unless such member economies formalize their participation in the CBPR system and deem a company’s CBPR certification sufficient to satisfy any data export restrictions or other data protection requirements.
Even so, additional APEC member economies endorsing the CBPR system by officially joining should benefit companies seeking clarity and continuity in their global data protection compliance programs.
Jeff Gary, in our Washington, D.C. office, contributed to this post.
Authored by Britanie Hall