Personal Data Transfers In Asia-Pacific: The CBPR System

Whereas the European Union member states share a common vision of data privacy principles and consumer protection, the situation is different in the Asia-Pacific region. Indeed, Asia-Pacific includes very diverse societies, culturally and economically. As they don’t have a system equivalent to the European directives and regulations, the laws of the APEC members are diverse: while a number of countries have adopted more or less stringent data protection legislation, others have not.[1]

The APEC members have therefore come to the conclusion that strong data protection principles should be implemented to facilitate transnational data transfers between their companies.

 

The CBPR: an international data transfers system based on non-mandatory participation

 

The Cross-Border Privacy Rules or CBPR were developed by APEC in 2011 to allow companies located in different member states to transfer personal data according to safe rules and common principles.[1]

The CBPR system was established on the basis of the APEC Privacy Framework. The Privacy Framework was first set up in 2005 and revised in 2015.[2] It works as a reference for the national data protection laws of the APEC member States and constitutes a minimum set of rules for the APEC countries without data protection laws but wishing to adhere to the system. The Privacy Framework includes the basic personal data protection principles drawn from the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.[3]

The CBPR system is not mandatory and works on the principle of a dual voluntary adherence / certification system: i) of the member States wanting to adhere, and ii) within these States, of the companies wishing to get certified. Thanks to this system, the adhering countries and certified companies can guarantee that transnational personal data flows are protected pursuant to the CBPR rules.

The APEC member states wishing to join the CBPR system must follow an adherence procedure, identify a government organisation in charge of enforcing the personal data protection principles (equivalent to the European supervisory authorities such as the CNIL in France) and at least one third party certification entity.

Whereas the GDPR is a mandatory regulation encompassing all personal data processing entities located in the EU, and non-EU entities targeting the European market, the CBPR applies only to data controllers wanting to get certified and that are located in an APEC member State adhering to the CBPR. The companies wishing to get CBPR certified must submit an application to an accredited certification agent. CBPR certification is valid for one year and is renewable annually.

To date 9 countries among the 21 APEC members have joined the CBPR system: Australia, Canada, Japan, Mexico, the Philippines, Singapore, South Korea, Taiwan and the United States.

The Privacy Recognition for Processors system or PRP was added to the CBPR system to allow data controllers to identify subcontractors (hosting providers, developers, etc.) in the Asia-Pacific region that comply with data protection principles.

The PRP system is a set of personal data protection principles that a sub-contractor, or data processor, must comply with to get certified. Although the PRP does not include the Privacy Framework, which only applies to data controllers, this system allows certified data processors to demonstrate their ability to process personal data in accordance with the CBPR.

Like companies that are CBPR certified, data processors must be located in an APEC member State adhering to the system to be able to get PRP certified. This procedure is also carried out by a third party certification entity.

The CBPR is a developing data transfer system. Although this system was launched in 2005, the concept of personal data protection is more recent in most Asia-Pacific countries than in Europe. Based on a voluntary move by the APEC member States, the certification phase is a lengthy process before new countries are admitted into the system. There are however many core differences between the CBPR and the GDPR, preventing the CBPR from being recognised by the EU Commission as offering adequate protection according to the European criteria.

Bénédicte DELEPORTE

Attorney

 

October 2020

Deleporte Wentz Avocat

 


[1]  http://cbprs.org/

[2] APEC’s Privacy Framework: https://www.apec.org/Publications/2017/08/APEC-Privacy-Framework-(2015)

[3] OECD Guidelines: www.oecd.org/internet/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm

 

 


[1] The Asia-Pacific Economic Cooperation or APEC was founded in 1989. APEC is an intergovernmental regional economic forum including 21 countries bordering the Pacific. (www.apec.org)

 

 

 
