In recognition of the need for the world’s two largest economic blocs to coordinate data protection efforts, the Article 29 Working Party of the EU released a “Referential” to map the EU requirements for Binding Corporate Rules (“BCRs”) against the APEC Cross Border Privacy Rules System (“CBPRs”). This Referential is a tool for the two systems to determine common ground. Ultimately, it will be used by the EU in the process of determining what level of cross-recognition may exist between BCRs and CBPRs, in terms of the “adequacy” necessary to move data between the EU and Asia.
The APEC process started in 2007 with a pilot project to develop standard minimum data protection rules, and a framework within which such rules would operate. As part of the US Delegation, I drafted the initial set of baseline privacy requirements, as well as the other systemic operating documents. APEC’s Data Privacy Subgroup of the Electronic Commerce Steering Group (of which I was an active member in the US Delegation) then spent the next six years working through the political and legal ramifications of the system. While the requirements are heavily negotiated documents, they are foundationally consistent with the Fair Information Processing Principles.
For those who are unfamiliar with the CBPR system, it has three basic parts:
- Baseline privacy requirements,
- “Accountability Agents” that certify privacy practices against these requirements, and
- A local enforcement mechanism for the data subject.
There are also specific requirements as to how to become an Accountability Agent, and what each Economy must do to join the system.
In its current state, the CBPR requirements aren’t as detailed as BCRs. They have the same basic principles (use limitation, notice, collection limitation, security, etc.), but there are some foundational differences. For example, APEC has to operate within countries that subscribe to both the “opt in” concept of the EU (e.g. Australia) and the “opt out” concept of the US. Consequently, there isn’t as much prescription as to *how* to get consent, just that consent has to be obtained. Further, the CBPR certification process is significantly less costly and invasive than the BCR process.
In each Economy that joins the system, there has to be a privacy enforcement authority (e.g. the US FTC, or the Hong Kong Data Protection Authority) and some sort of law that allows for the enforcement of the baseline requirements contained in the CBPRs. The Economy then endorses the Accountability Agent, who will certify the privacy practices of companies that want to be a part of the system. The company builds one or more privacy policies to conform to the baseline rules or local law (whichever is more protective), and these policies are the basis of the certification. The Accountability Agent also manages dispute resolution for the certified company, so the privacy enforcement authority doesn’t have to deal with the majority of complaints.
At present, only the US and Mexico are members of the system. Japan and Canada are next in line to join, with South Korea, Singapore, Malaysia, and Indonesia also in process. Currently, the only accepted Accountability Agent is TRUSTe in the US. TRUSTe will need endorsement by the Mexican government before it can certify companies in Mexico, since Mexico doesn’t have a local Accountability Agent yet. The same is true for each Economy that joins the system.
There also isn’t much in the way of experience on how the enforcement authorities will deal with extra-jurisdictionally certified companies that receive complaints locally (e.g. Oracle, certified in the US, has a problem in New Zealand). The fundamental concept of the CBPRs is that the obligations that attach at the point of collection should travel with the data. This is also somewhat different from the EU’s Member State implementing laws.
Since both China and Russia are members of APEC (along with other large Economies in the region), there seems to be economic pressure on the EU to identify some sort of interoperability. What that is going to look like remains to be seen. It is doubtful that the CBPRs will ever become a proxy for BCRs. However, CBPRs may operate to reduce the amount of additional work companies have to do when applying for their BCRs.