A few months ago, I reported on the status of the APEC Cross-Border Privacy Rules (CBPR) system, a privacy code of conduct for cross-border data flows in the Asia-Pacific region. It’s time for an update on the CBPR and also for offering some further considerations on the benefits of interoperability schemes such as the CBPR.
Earlier in August, another round of meetings of the APEC Data Privacy Subgroup (DPS) took place in Beijing. Having participated in them on behalf of the Centre for Information Policy Leadership and witnessed the level of energy and interest that government- and private-sector stakeholders continue to bring to this work, I continue to believe that interoperability schemes such as the CBPR are gaining ground.
I will explain why, but I am also concerned about the possibility of CBPR gridlock and a resulting loss of momentum or, as we’ve come to call it at recent APEC meetings, the “chicken and egg” problem: Businesses are waiting for more APEC countries to join the CBPR system before they seek CBPR certification, and APEC countries are waiting for more interest from the business community before joining.
We must extract ourselves from this dilemma.
After all, interoperability schemes such as the CBPR may very well be the only realistic and practical way forward in ensuring global data flows while protecting the privacy and security of personal data. As my friend Joshua Harris once said, “CBPRs and similar codes of conduct are Plan A for cross-border data flows, and there is no Plan B.”
Status of CBPR Implementation
Let’s turn to the current status of the CBPR. The three APEC economies currently participating in the CBPR system—the U.S., Mexico and Japan—will soon be joined by Canada, which formally submitted its Notice of Intent to participate in the system during the Beijing meetings.
Hopefully, more APEC countries are on their way to joining. One promising prospect: Australia. An APEC-sponsored study of Australia’s privacy regime gave it a thumbs-up on compatibility with the CBPR system. That may set the stage for Australia’s future participation in the system, assuming outstanding policy issues can be resolved. Similar studies may be performed on additional APEC economies that are considering joining the system. New Zealand apparently is a likely candidate. According to the grapevine, Singapore, Thailand and Papua New Guinea are also toying with joining the CBPR system soon.
But it takes more than countries joining.
Each APEC country in the CBPR system must also put forward at least one “accountability agent,” a third-party certifier that reviews and certifies businesses for CBPR participation. So far, only the U.S. has an accountability agent: TRUSTe. Neither Mexico nor Japan has identified its accountability agent.
This, obviously, is an impediment for businesses that want to sign up in these countries. Canada will have to put forward its accountability agent too as it completes its process of joining the system. The good news is that TRUSTe, as the only APEC accountability agent so far, has reported an uptick in interest among U.S. businesses in receiving their CBPR certification. At the Beijing meeting, it reported that in addition to the five U.S. companies it certified since last summer, there are now 14 additional companies in the certification pipeline. Importantly, these companies include both large multinational companies and SMEs.
Finally, to complete the status update, the CBPR system’s own government backstop enforcement network, which was specially developed for this purpose, is growing. The APEC Cross-border Privacy Enforcement Arrangement (CPEA) now has 25 member privacy enforcement authorities from eight APEC countries: the U.S., Canada, Mexico, New Zealand, Australia, Japan, Singapore and South Korea. These authorities currently can and, in fact, do cooperate with each other on non-CBPR privacy matters that are within the scope of the cooperation arrangement. However, they have not yet used it for its principal purpose—enforcing the CBPR—not least because some of these CPEA member authorities are in countries that have not yet joined the system.
Resolving the Chicken and Egg Dilemma
There are a number of steps that can be taken to resolve the “chicken and egg” problem described above. First and foremost, the relevant government departments in the APEC countries need to make the case for APEC CBPRs more energetically, both within their own countries and with their foreign counterparts. This requires better internal coordination with other relevant domestic departments and branches of government to ensure that all relevant domestic stakeholders are aware of the privacy work that’s being done in APEC and that new privacy laws in the various APEC countries end up being consistent with the APEC Privacy Framework and the CBPR.
A small measure that could go a long way to accomplish this would be to encourage participation in the DPS by a broader range of relevant government agencies—including trade departments—from APEC member countries as well as greater involvement by the relevant domestic privacy enforcement authorities that are responsible for enforcing the CBPR. So far, only the U.S. and Hong Kong have consistently included their privacy enforcement authorities in the APEC privacy meetings. Hopefully, this will change. After all, all APEC countries made a commitment at the highest level of government to develop cross-border privacy rules for the APEC region and to use them once they exist to enhance privacy protection and eliminate barriers to cross-border data flows to facilitate trade.
It is incumbent upon APEC governments to devise effective domestic strategies to actually implement these commitments and to incentivize businesses to use the system these governments have helped to build.
While governments must take a leadership role in this effort, friendly pressure by a private sector that is interested in the CBPR can’t hurt. And for that pressure to build, a better job needs to be done in explaining the CBPR value proposition to businesses. Make that to all stakeholders, businesses, governments and consumers, but with a heavy emphasis on governments and privacy regulators letting their private sectors know why the CBPR are good for them. For example, privacy regulators need to communicate to businesses more clearly how participation in codes of conduct such as CBPR helps them in a privacy-enforcement scenario. What’s in it for us from a compliance and enforcement perspective? That’s the most common question companies ask as they are considering the CBPR and similar schemes.
Why Join the CBPR System?
There are good reasons for all stakeholder groups to support the CBPR, and many of these reasons apply to other interoperability schemes and codes of conduct as well. Let’s start with businesses, which, by the way, stand to gain more than advantages in the event of an enforcement action. The benefits to businesses include:
- Facilitating legal compliance: Businesses that are CBPR-certified are likely to have gone a long way towards compliance with the respective legal requirements in the various participating jurisdictions.
- Facilitating cross-border data transfers: The CBPR were designed to function as a cross-border transfer mechanism in countries that have data export restrictions but that allow for exceptions, such as where a company participates in a recognized cross-border code of conduct.
- Demonstrating organizational accountability: Having a CBPR-compliant internal privacy infrastructure will help organizations demonstrate accountability and good faith efforts to comply with privacy obligations in the event of an investigation or enforcement action.
- Creating consumer trust: Participating in the CBPR creates consumer trust and may be a competitive advantage.
- Making organization-wide privacy protections more uniform: Participating in the CBPR system enhances a multinational organization’s ability to have a streamlined, uniform approach toward privacy protections.
- Demonstrating the effectiveness of self- or co-regulation: In the long run, participating in the CBPR and similar enforceable codes of conduct will help demonstrate the viability of delivering credible privacy protections through flexible and adaptable accountability schemes, which is in the long-term interest of businesses that do not favor rigid, one-size-fits-all statutory privacy regimes.
For governments, the CBPR value proposition occurs at two levels, the political level and the enforcement level:
- Facilitating trade and privacy: For governments, both trade and credible privacy protections are important political goals.
- Facilitating cross-border privacy enforcement cooperation: Privacy-enforcement authorities typically can only cooperate on matters that involve mutually agreed-on privacy protections and commonly shared principles.
- “Outsourcing” front-line enforcement: Under the CBPR system, accountability agents have frontline responsibility for ensuring CBPR-compliance by their certified companies as well as consumer complaint-handling and dispute resolution, which augments the typical reach of government privacy enforcement that is subject to resource limitations.
- Aiding investigations and enforcement: Participation in the CBPR or similar codes of conduct can aid privacy enforcement authorities in discerning and validating the privacy policies and practices of a company during an investigation or enforcement action.
Finally, and perhaps most importantly, the CBPR can deliver significant benefits to consumers:
- Enhanced and effective privacy protections: Companies that participate in schemes such as the CBPR are likely to deliver better, more consistent and more easily enforceable privacy protections.
- Streamlined complaint-handling: The CBPR system delivers a more user-friendly and streamlined mechanism for complaint-handling.
- Trust: Participation in the CBPR can improve consumer trust.
Next Steps
So, clearly, the potential benefits of the CBPR system are numerous, but the system needs to gain critical mass to realize them. More APEC countries and companies need to get on board. To accomplish this, the benefits need to be articulated more clearly and by the right people (Hint hint: U.S. Department of Commerce and Federal Trade Commission).
Over the next few months, the members of the APEC DPS will continue to work on a strategy to improve the CBPR implementation process. They will also continue to work on related projects in APEC, such as developing a set of rules for data processors (the CBPR apply only to data controllers), continuing their collaboration with the EU’s Article 29 Working Party toward possible interoperability between the CBPR and the EU’s Binding Corporate Rules (BCR), and drawing up a work plan for updating the now 10-year-old APEC Privacy Framework in light of big data, cloud computing and the Internet of Things.
Each one of these work-streams is essential for the success of the APEC CBPR. Indeed, to the extent they ensure the viability of the CBPR, they will also help advance the concept of achieving global interoperability through flexible but enforceable codes of conduct more generally. After all, CBPRs are not the only example of such schemes. They also include the EU’s BCR and the privacy seals and marks found in the EU Data Protection Directive as well as in the proposed new EU regulation. But priority number one for APEC countries is now to actually implement the CBPR system they just built. And for that, the continued leadership of the Department of Commerce, the Federal Trade Commission and the relevant authorities of the other APEC countries is key.