Much of the privacy world is still focused on Europe and the implications of the EU General Data Protection Regulation (and eventually, the ePrivacy Regulation) for digital trade and data practices across borders, particularly between Europe and the U.S. However, Europe holds less than 10 percent of the world’s population, and developing economies in Asia are pressing for a seat at the table setting international rules and norms. Various actors have been working to develop cross-border trade agreements in the Asia-Pacific region that could result in a new privacy framework that could serve as an alternative to the European model. This work is starting to produce tangible results and will likely accelerate in the near future.
As Asian countries increasingly trade in digital goods and services, they will share data across national borders, between countries with drastically different legal regimes and cultural norms related to data and privacy. The Comprehensive and Progressive Trans-Pacific Partnership, the Regional Comprehensive Economic Partnership, and the Association of Southeast Asian Nations have all proposed or will propose rules for e-commerce and privacy.
How can companies possibly hope to navigate this array of international agreements, let alone the individual nations within each bloc? The answer may lie in the Asia-Pacific Economic Cooperation Forum’s Cross-Border Privacy Rules. The CBPR is a non-treaty privacy framework combining the binding corporate rules and Privacy Shield models that seeks to facilitate cross-border data sharing.
The following provides an overview of the various agreements and frameworks currently in development, with a focus on the CBPR, and lays out what companies need to do in order to participate.
Economic integration and cross-border trade in Asia
CPTPP is a modified version of the Trans-Pacific Partnership agreement negotiated by the Obama administration, which President Donald Trump left as one of his first actions in office. The agreement includes Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore and Vietnam. China is also reportedly considering joining.
CPTPP’s e-commerce provisions prohibit discrimination in digital products and data localization and require that parties to the agreement adopt online consumer protection provisions. Article 14(8) covers “personal information protection” and requires that parties “adopt or maintain a legal framework” to protect personal information. It also states that: “Recognising that the parties may take different legal approaches to protecting personal information, each party should encourage the development of mechanisms to promote compatibility between these different regimes. These mechanisms may include the recognition of regulatory outcomes, whether accorded autonomously or by mutual arrangement, or broader international frameworks.”
RCEP is an agreement between 16 countries in Asia: the 10 members of ASEAN (Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam) and six of their trading partners (Australia, China, India, Japan, South Korea and New Zealand). The agreement is seen as a Chinese-led effort and was supposed to be finalized this year, but it has run into stumbling blocks, and negotiations may push into 2019. Draft language is not published, but ASEAN has published guiding principles that highlight e-commerce, and there has been conflicting speculation about whether cross-border data flows and data localization will make it into the final text. Regardless, a rise in cross-border trade is likely to present issues as data moves across borders.
A third potential agreement is one between the ASEAN members on e-commerce. The group announced negotiations for an e-commerce agreement in March, to be finalized by the end of the year. Its work program on e-commerce specifically calls out consumer protection and personal data/privacy protection.
Collectively, these agreements present a massive opportunity to liberalize and facilitate digital trade and commerce in Asia, and the increase in cross-border data flows will be accompanied by a rise in digital privacy and security issues. It is good that negotiators are considering such issues in advance and, at least in the CPTPP, are including language that will nudge countries toward clear rules and protections. However, the devil is in the details, and there will surely be a great many details to work out between this many economies of significant size and influence. It is for this reason that a framework like the CBPR is useful and necessary.
The APEC CBPR
The CBPR is a framework established by the Asia-Pacific Economic Cooperation Forum, an intergovernmental forum for economies that border the Pacific Rim. The CBPR is a framework rather than a treaty, so it is not implemented through a formal treaty document. Rather, it provides a set of common standards to raise privacy protections and ease data exports. The current participating economies are the U.S., Mexico, Japan, Canada, Singapore and the Republic of Korea. Australia and Taiwan have also formally applied to join, and the privacy commissioner of the Philippines has made public commitments, as well.
Broadly speaking, the CBPR works similarly to the binding corporate rules model, with an additional level of oversight. In order to receive CBPR certification, a company would submit to an accountability agent (AA) an inspection and inventory of the data practices which it wishes to certify. This could be its entire operation or particular practices. The AA will identify gaps in the company’s privacy practices based on the required CBPR standards and recommend remedial measures. The standards include important protections, such as notice and consent and a process for fielding consumer complaints, but do not go as far as the GDPR; there is no right of erasure, for example. Companies would also agree to continued compliance monitoring by the AA and would need to update the AA in the case of a material change to their privacy practices. CBPR, therefore, represents a good baseline for company privacy practices, the things they should already be doing. (For reference, the Article 29 Working Party has published an opinion tracking the similarities between BCRs and the CBPR.)
In a recent article, Markus Heyder laid out many of the key benefits for companies of joining the CBPR framework: it facilitates legal compliance, it can help companies comply with data export restrictions, and it promotes consumer trust. To this list, I would add one more benefit in light of the previously discussed Asian free trade agreements: CBPR could facilitate access to and compliance with significant trading blocs in Asia.
The model for this benefit already exists in the USMCA agreement, the new NAFTA. USMCA Article 19(8) explicitly recognizes the APEC CBPR as a “valid mechanism to facilitate cross-border information transfers while protecting personal information.” Although CPTPP does not refer to it by name, it seems likely that the CBPR would qualify as a “broader international framework” for cross-border data. If this is true, then the CBPR would facilitate data sharing between a larger group of nations than just the current group of participating APEC economies. For a sense of scale, the combined gross domestic product of the RCEP and CPTPP countries is more than $50 trillion.
Given this, privacy-minded business people should expect to see more countries joining the APEC CBPR framework. They should also keep an eye on further developments in the RCEP and ASEAN trading blocs regarding e-commerce. And finally, they should explore the utility of participating in the APEC CBPR, and ask themselves, how important is Asia to my business?