Cross-Border Privacy Rules in Asia: An Overview
The United States, Canada and Mexico recently completed negotiations on a new trade agreement, the United States-Mexico-Canada Agreement (USMCA), to supersede NAFTA. While the treaty is pending ratification in the legislative bodies of the respective countries, the digital trade portion of the agreement has already garnered a positive response from U.S. technology trade associations. Specifically, the new agreement promotes cross-border data flows by: (1) prohibiting local laws requiring data to be stored within specific jurisdictions (data localization), with limited exceptions; and (2) recognizing the Cross Border Privacy Rules (CBPR) system as a valid data privacy compliance mechanism for data-transfers between the United States, Canada and Mexico.
The CBPR was first established in 2011 by the Asia-Pacific Economic Cooperation (APEC)—a “regional economic forum” of 21 Asian-Pacific member economies. Like the European Union’s General Data Protection Regulation (GDPR), the CBPR also governs the transfer of personal information across the borders of participating nations. However, unlike the GRPR—which is a binding regulation that applies to all European Union countries, the CBPR is a voluntary, principles-based framework that only extends to APEC members that have formally joined.
This post provides a high-level summary of the APEC CBPR system, how it differs from its European cousin and the reasons why the system may become more prominent in the future.
Background: APEC and the Privacy Framework
To put the CBPR in context, a brief history of APEC and its Privacy Framework is necessary. APEC was first established in 1989 by 12 Asian-Pacific nations as “a cooperative, multilateral economic and trade forum.” Today, APEC has grown to 21 members and includes nearly all of the Asian-Pacific economies, such as the United States, China and Russia. Notably, India has not been included in APEC even though its membership request has been pending for over 20 years. Each APEC nation is referred to as a “member economy” due to the focus of the forum on promoting trade and economic integration. Most importantly, participation in APEC does not impose any binding commitments or treaty obligations on the nations. Each member economy has an equal say, decisions are reached by consensus and commitments are voluntary.
In 2005, the APEC member economies first endorsed the APEC Privacy Framework—a principles-based model for national privacy laws that recognized the importance of “effective privacy protections that avoid barriers to information flows.” Each APEC member was encouraged to implement their domestic privacy laws based on the principles in this framework. But, while the 2005 framework recognized the importance of cross-border information flows, the guidance for international implementation was aspirational, it: encouraged bi- or multilateral arrangements between nations and stated that the member economies would work with stakeholders to develop a regional “mechanism” that implemented cross-border privacy rules.
The CBPR system—endorsed by APEC member economies in 2011—was the outcome of APEC’s efforts to develop a regional “mechanism” promised in the 2005 version of the Privacy Framework. The framework was updated in 2015.
CBPR System—the APEC Solution to Cross-Border Data Privacy
The CBPR system attempts to create a regional solution across 21 member economies, whose governments are at different stages of compliance with the Privacy Framework. The structure of the CBPR system reflects the underlying goals of both APEC and the Privacy Framework. For example, when it was first implemented in 2011, the CPBR was framed by APEC leaders as a solution to “further open markets and facilitate regional trade,” consistent with APEC’s broader goal to increase economic prosperity in the region by “accelerating regional economic integration.” The system also reflects the Privacy Framework’s adherence to voluntary, non-binding principles. Thus, the CBPR system is a non-binding, accountability-based framework that facilitates “privacy-respecting” data flows across national borders. But what does that actually mean?
First, each APEC member economy must follow prescribed steps to join the CBPR system—each nation must identify at least one government agency with enforcement authority and at least one third-party accountability agent to verify compliance of participating businesses. For example, in the United States, the Federal Trade Commission is the enforcement agency, while TrustArc (formerly TRUSTe) is the accountability agent. To obtain CBPR compliance, the accountability agent must certify that a company’s data privacy policies are compliant with the Privacy Framework.
Second, businesses that are CBPR compliant are theoretically subject to one privacy regime—the Privacy Framework—for data transfers between APEC member economies that have joined the CBPR system. However, because the CBPR system does not replace domestic laws, companies must still comply with any domestic privacy laws that set a stricter standards. Thus, while the CBPR mechanism establishes a privacy floor, the compliance benefits to individual businesses vary. The true benefits to businesses likely materialize if the APEC member economy adopts the Privacy Framework instead of its own stricter privacy regime, or when the nations participating in the CBPR system recognize it as a valid transfer mechanism in their laws or trade agreements.
Third, consumers in APEC member economies without domestic data privacy laws obtain data privacy protections under the Privacy Framework when their data is controlled by CBPR compliant businesses.
Thus, the CPBR system attempts to solve the problem of non- or variable-adoption of the Privacy Framework within the APEC region by imposing a minimum standard for data privacy (consonant with the Framework) on all CBPR compliant data controllers.
To date, eight nations have joined the CBPR system—United States, Canada, Mexico, Japan, Singapore, Taiwan, Australia and the Republic of Korea.
Key Differences With the GDPR
The Privacy Framework (and by extension the CBPR mechanism) and the GPDR both have their origin in the nine privacy principles suggested by the Organisation for Economic Co-operation and Development (OECD) in 1980. However, while the CBPR remains tied to the free-trade principles within the OECD framework, the European privacy framework has evolved—first with the EU Data Protection Directive in 1995, and subsequently with the GPDR, which took effect in 2018. Thus, while the GDPR is effectively a third-generation version of the original OECD principles-based approach, the CBPR remains firmly rooted as version 1.0. From this several key differences arise.
Regulatory Approach and Enforcement
Described as “one of the toughest online privacy rules in the world,” the GDPR is a legally binding regulatory framework that imposes an EU-wide data privacy regime for EU-citizen data handled anywhere in the world. Non-compliance may result in fines of up to 4% of global revenues. Conversely, the CBPR framework is a voluntary, principles-based accountability framework that relies on a third-party accountability agent to resolve consumer concerns and disputes. Non-compliance with the CBPR framework may result in loss of CBPR certification, referral to the relevant government enforcement authority and penalties.
The GDPR applies globally to any violation of the handling of EU citizen data. In fact, the first enforcement action was against a Canadian-based firm that handled UK citizens’ data. Violations of the CBPR framework must go through a more circuitous route—a customer in an APEC member economy must file a complaint with the accountability agent in the jurisdiction where the company is based. After the accountability agent investigates, it engages in dispute resolution with the individual. For example, during an almost two-year period, Truste reported 55 complaints, all of them resolved and none referred to the FTC. In fact, during the CPBR’s existence there is no evidence of a company losing its CBPR certification; the only enforcement actions taken by the FTC were against three companies falsely claiming to be CBPR certified.
Consent and Data Breach Notification
Both the GDPR and the CBPR are premised on consent and notice, meaning that the consumer has ideally consented to their data being controlled and has adequate notice about how their data will be used. In the context of cross-border data transfers, under the GDPR, the data controller becomes a data processor and must obtain “explicit” consent, or have another legal basis (e.g. Binding Corporate Rules). The CBPR takes a less stringent approach, allowing for the data controller to “exercise due diligence and take reasonable steps” as an alternative to obtaining consent. Because the CBPR is principles-based, it is not clear what legal standard (if any) a business must apply when determining “due diligence” or “reasonable steps.”
Further, the CBPR does not define “data breach” or establish any notification requirements—both important elements of GDPR. The Privacy Framework encourages data breach notification but does not require it.
Scope and Compliance
While the GDPR applies to both data processors and data controllers, the CBPR only applies to data controllers. A separate mechanism – the Privacy Recognition for Processors, has recently been developed by APEC for data processors. In addition, CBPR compliance allows a business to transfer data across borders within the company and to another CBPR-compliant business. Conversely, the GDPR requires two separate legal mechanisms for cross-border data transfer to a lower data privacy regime: binding corporate rules for inter-company transfers and model contract clauses for intra-company transfers.
Fundamentally, the GDPR and CBPR frameworks represent competing views on the tradeoffs between privacy and economic growth. The CBPR system arose from APEC’s desire to increase information flows and trade, while the GDPR arose out of the Charter of Fundamental Rights of the European Union, which includes the right to privacy and data protection. The CBPR system does not provide any affirmative rights to consumers. In effect, while both systems arose out of the need to resolve the tension between individual privacy and global data flows, the CBPR maximizes trade and the digital economy while the GDPR is rooted in protecting individual rights.
Why Is the CBPR Important?
So why does the CBPR merit discussion on the global stage? As Dr. Hong Yanqing has noted, the CBPR by “any standard is an underperformer.” For example, the U.S.-EU Privacy Shield, a cross-border data transfer mechanism for U.S. businesses to comply with the GPDR, has nearly 4,000 companies participating after just one year of existence. Since its inception in 2011, the CBPR has 23.
Part of the answer likely lies in the rise of data protectionism and data localization regimes. The United States is becoming increasingly isolated in the data privacy space. The EU has implemented the GDPR, while China has also developed its own data privacy regime, with a greater emphasis on data localization. Notably, China, an APEC member economy that endorsed the CBPR system in 2011, has never expressed any interest in joining. As Ron Cheng has argued, China and the United States “stand on different sides of the CBPR.” In addition, Vietnam, another APEC member, enacted a sweeping cybersecurity bill this summer that includes data localization requirements for certain personal data. India, while not currently an APEC member, is considering a data privacy and protection regime that is largely modeled on the GDPR. The window for the U.S. to protect cross-border data flows in the Asia region is rapidly closing—and this partially explains why inclusion of the CBPR into the Trans-Pacific Partnership and growth of the CBPR system was a top priority for President Obama.
All of this brings us to the recent signing of the USMCA. The legal recognition of the CBPR mechanism within an enforceable treaty establishes a much clearer signal to businesses that the U.S., Mexico and Canada are committed to creating a unified cross-border data flow regime. Coupled with the Japan’s amended privacy law that recognizes the CPBR system a valid transfer mechanism—CBPR compliant businesses finally have a unified regime within these four countries. For example, U.S. corporations seeking to transfer data from Japan do not need an adequacy decision (a determination that U.S. data privacy laws are “adequate”) from the Japanese government if they are CBPR compliant—a significant cost benefit to participation. Assuming the three countries ratify the treaty, the four nations cannot restrict the flow of data by a CBPR-compliant business to a less strict privacy regime even if domestic privacy laws impose a stricter standard. This likely future-proofs the CBPR system against any future changes domestic data privacy and data localization laws to incentivize additional businesses to participate.
It remains to be seen whether the CBPR system is the ultimate solution in Asia for preserving cross-border data flows. But the U.S., Mexico and Canada can send a strong signal to the remaining APEC member economies and domestic companies that there are clear benefits to cross-border data flows. Ultimately, the success or failure of the CBPR framework will likely be tied to its ability to articulate the benefits of increasing cross-border data transfers to other APEC member economies contemplating Chinese, Vietnamese or Indian style data privacy and protection laws.