Earlier this week, South Korea became the fifth country to join the Asia-Pacific Economic Cooperation Cross Border Privacy Rules system. The Ministry of the Interior and the Korea Communications Commission made the announcement June 12.
The CBPR framework features principles and implementation guidelines for bolstering privacy protections and diminishing barriers to data flows among the APEC member economies. In addition to Canada, Japan, Mexico, South Korea and the United States, nearly two dozen private companies belong to the framework, as well.
The addition of South Korea to the CBPR framework was welcomed by the U.S. Department of Commerce.
“South Korea’s participation in the CBPR System is another win for businesses committed to high-standard privacy protections and continuity of operations throughout the Asia-Pacific region,” Shannon Coe said in comments provided to The Privacy Advisor. Coe serves as team lead for Data Flows and Privacy with the International Trade Administration, an agency within the DoC. “We are committed to furthering the expansion of the CBPR System and welcome South Korea’s accession as a major benefit for businesses and consumers in participating economies.”
TrustArc International Regulatory Affairs Director Joshua Harris also applauded the announcement. "I would characterize this as a major step forward for the system, especially when considered in light of Japan's inclusion of CBPRs as a recognized transfer mechanism under their revised privacy law," he said in emailed comments to The Privacy Advisor. "In addition to the participation, both Japan and South Korea have assumed leadership roles, along with the United States, in the governance of the CBPRs, as each is now a member of the Joint Oversight Panel."
From 2011 to 2013, Harris served as vice chair of APEC's Data Privacy Subgroup and chair of the Cross-Border Privacy Rules System's Joint Oversight Panel. TRUSTe, an affiliate of TrustArc, is an accountability agent that has been formally approved to certify data transfer policies under the CBPR framework.
In a recent Privacy Tracker post matching up the EU General Data Protection Regulation with the CBPR system, Radar Senior Counsel & Global Privacy Officer Alex Wall, CIPP/E, CIPP/US, wrote, "Unlike the GDPR, which is a directly applicable regulations, the CBPR system does not displace or change a country's domestic laws and regulations. Where there are no applicable domestic privacy protection requirements in a country, the CBPR system is intended to provide a minimum level of protection."
Wall also pointed out that "enforcement authorities of a country that takes part in the system should have the ability to take enforcement actions under applicable domestic laws and regulations that have the effect of protecting personal information consistent with the CBPR program requirements."
Looking forward, the CBPR system may see further expansion in the not-too-distant future.
"There has been and will continue to be work to facilitate interoperability with Europe," Harris pointed out. "Several member economies, including the Philippines, Singapore and Taiwan have also expressed their intention to join the system in the near term. At that pace, the CBPRs could be on track to double the number of economies in just under a year."
If you want to comment on this post, you need to login.