Cross-border data flows have never been more important. According to a McKinsey Global Institute report, digital global data flows increased global gross domestic product by at least 10 percent in 2013 alone, accounting for $7.8 trillion. And with that growth, the importance of protecting those data flows has also grown.
That's according to the Department of Commerce's Shannon Coe, who is team lead on data flows and privacy. Speaking at an IAPP KnowledgeNet this week, hosted by Hogan Lovells and moderated by former FTC Commissioner Julie Brill, Coe said consumers are looking for reasons to trust companies and governments with their data, and companies and governments are looking for ways to convince customers they can.
And that's why the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules are starting to be an attractive solution, especially for Asian companies, given that no country in Asia has yet been deemed as an "adequate" country for data transfers by the European Union. APEC endorsed CBPRs in 2011, citing they would allow data to flow across borders "while enhancing data privacy practices; facilitating regulatory cooperating, and enabling great accountability through the use of common principles, coordinated legal approaches and accountability agents."
To date, there are four economies participating in CBPRs: the U.S., Japan, Canada and Mexico.
To date, there are four economies participating in CBPRs: the U.S., Japan, Canada and Mexico. There are 16 companies participating, with several more under review, Coe said. Japan became fully operational just this year. Coe said now is a "critical point of growth in the system" and the Department of Commerce expects to see increased growth in the coming year.
To join the CBPR framework, economies need several elements in place: a privacy law; an enforcement authority; trust-mark providers and legislation that's consistent with APEC's privacy framework's principles. But Coe said 16 out of the 21 APEC economies have a privacy law; 14 have a privacy-enforcement authority, and nine of those are already participating in the group that makes up APEC's enforcement authority.
She said the benefit to companies joining the CBPR system include that many companies are operating in countries that don't have strict privacy laws, and the CBPR designation provides a mechanism to demonstrate compliance. Plus, the rules are built on "globally recognized privacy principles."
But Mark Parsons, a partner at Hogan Lovells based in Hong Kong, said while some businesses are taking to CBPRs, many are "frankly confused about where it gets them," he said. They're asking, "If I do APEC's CBPRs, am I compliant everywhere? The answer is no."
That's because many countries have laws that now exceed the requirements set out in CBPRs, meaning companies are asking, "'Why am I spending money on this if it doesn't make me compliant? I need to focus on the legal result here.' The problem is it won't achieve a perfect result."
But Coe said, while CBPRs aren't a perfect solution for every company, many find attractive that APEC's transfer mechanism, requiring CBPRs, is similar to that under EU law. In addition, CBPRs don't supplant a domestic legal system, those protections are still in place.
For example, Japan has plans to introduce a data-transfer mechanism regulation in 2018, but that doesn't mean it will abandon CBPRs when that happens.
"They have announced the intention of referencing CBPRs as an allowable transfer mechanism," she said.
In addition, Coe said the DoC is looking at allowing non-APEC countries to join CBPRs, but didn't offer a timeline on when progress might be made on that.