While much of the world is focused on the privacy developments in Europe, where the General Data Protection Regulation is sucking much of the oxygen from the room, Asia has quietly been very busy, indeed, on the privacy front. Hong Kong hosted the most recent privacy commissioners’ conference; the Philippines data protection authority has quickly grown into new voice on the global stage; and Asian regulators, in general, are becoming known for their savvy approaches to enforcement and robust resources for business.
However, perhaps most of the energy in Asia has been put toward new developments in methods for cross-border data flow.
Most prominently, after a relatively long ramp-up time, we have seen a great deal of activity in the Cross Border Privacy Rules program, known as CBPRs. Part of the Asia-Pacific Economic Cooperation Privacy Framework, CBPRs (for both data controllers and processors) are a methodology that allows companies that certify with a third-party accountability agent to transfer personal data throughout the 21 member economies of APEC.
This includes non-Asian countries like the United States, Canada, Mexico, Peru and Chile.
However, before a company can participate, its home country must join the CBPRs program, which involves appointing a “home” accountability agent, the country’s regulator agreeing to join the cooperative enforcement network, and a mapping of the country’s privacy laws to the APEC privacy framework and the CBPRs program.
Created in 2011, the CBPRs system took some time to build up steam but has seen Singapore and South Korea join in the last nine months, with Australia making noises about joining shortly. They join the United States, Canada, Mexico and Japan in the program.
Japan’s joining seemed to open the floodgates in 2016. Further, Japan’s new privacy law, which came into power in June of 2017, helped solidify the validity of the CPBRs program when it declared the CBPRs one of very few valid mechanisms for transferring personal data outside of Japan. Similarly, the joining of South Korea, thought by many to have the most robust privacy law in the world, signaled the seriousness of the CBPRs program.
If it’s good enough for South Korea, many thought, it must have teeth.
Many expect the floodgates to now open, especially with the news that the European Commission has been in discussions with APEC leadership about the interoperability of CBPRs and the EU’s binding corporate rules, which is a mechanism whereby an organization can have a data protection authority certify its privacy practices and allow for data transfer to countries that have not been deemed to have adequate privacy protections by the European Commission.
Should CBPRs become equivalent to BCRs, we will see rapid uptake, indeed.
Further, the European Commission has been working with Japan on a “co-adequacy” agreement, where the EU would recognize Japan as adequate and so, too, would Japan recognize the European Union. Considering Japan’s membership in the CBPRs program, there’s some thought that an adequacy decision from the EU would be a tacit endorsement of the CBPRs program as a whole.
Essentially, since data coming into Japan from the EU would then, theoretically, be allowed to move freely through the APEC countries via CBPR-participating companies, the CBPRs would be a mechanism for transferring data from the EU to any of the 21 member economies. Theoretically.
There is still much ground to cover. The EU and Japan have not yet come to an agreement. It’s still not clear whether that agreement would allow for onward transfer of personal data. And, who knows, maybe Japan won’t find the EU to provide adequate protection of personal data, considering some of the EU’s surveillance practices.
However, there is definitely strong evidence that CBPRs are becoming more widely accepted by both governments and companies alike – 21 companies were fully participating in CBPRs as of January, including Apple, Box, Cisco, HP, Electronic Arts, Rackspace and Workday – and we are likely to see a flood of activity surrounding cross-border data transfer in Asia for the rest of 2018 and into 2019.