Donate
‹ Back
Privacy 9 February 2015

Moving data across borders: APAC and the CBPR system

Noelle Francesca De Guzman
By Noelle Francesca De GuzmanRegional Policy Manager, Asia-Pacific

This year, Asia-Pacific is set to surpass North America as the world’s largest e-commerce market. But while it drives the global growth in online transactions, the region has yet to see a similar push by domestic economies to beef up laws to protect consumer data.  Privacy provisions in the region remain patchy, with most economies relying on disparate policies to govern the collection of personal information online.

The four-year old APEC Cross-Border Privacy Rules (CBPR), hailed as the first pan-global framework for data privacy, might be a step in the right direction. Based on the guidelines set by the APEC Privacy Framework, the CBPR is intended to provide a minimum layer of protection for online consumers: It places limits on the types and amount of personal data that commercial entities can gather, and requires that businesses notify customers before information about them is collected or shared with third parties.

The system is voluntary, and relies largely on businesses aligning their privacy programmes with its code of conduct.  To participate, an economy must satisfy the conditions set by the Joint Oversight Panel, and must also put forward an accountability agent to review businesses for the CBPR stamp of approval.

While it does not cover the entire region, the CBPRs, if implemented properly, can provide a baseline for accountable data handling by companies operating in APEC member economies, 15 of which are in Asia-Pacific. It can also foster complementarity between domestic data protection regimes, as well as regional cooperation on privacy-related law enforcement.

The scheme is not without its limitations. To start, the CBPR system is self-regulatory, and applies only to the data collection practices of businesses—not governments and individuals—and only to data that moves across different jurisdictions. A government backstop is in place, the APEC Cross-Border Privacy Enforcement Arrangement, but only five countries in Asia-Pacific–New Zealand, Australia, Japan, Singapore and South Korea—have public enforcement authorities on the list.

Thus far, three economies, Japan, Mexico and the US, have opted into the CBPRs, but only one—the US—has an accountability agent, TRUSTe, which means that at the moment, only US-located businesses can apply for CBPR certification. As APEC observers have pointed out, the system is fraught with a ‘chicken and egg’ problem, with both companies and governments withholding their participation until the other signs up, or expresses enough interest to join. Businesses lament the lack of uniformity in the language used by regional bodies to define terms like ‘personal data’, which can hinder proper compliance. Meanwhile, civil society groups like Open Net Korea assert that CBPR-certified companies undermine the system through small-print exemptions in their privacy policies, particularly for personal data provided in mobile apps or ‘behind logins.’

The APEC Data Privacy Sub-Group, through venues like the bi-annual APEC Electronic Commerce Steering Group meetings, tries to iron out these wrinkles. This year’s first gathering, held in the Philippines last week, introduced potential improvements to the CBPRs: these included a proposed corollary certification system for commercial entities that process—in addition to those that control—data collected online; and increased interoperability between the CBPR and its European counterpart, the EU Binding Corporate Rules (BCR) system.

Undeniably, more work needs to be done on the ground. Companies must be made aware that such mechanisms, which can boost consumer trust in e-commerce and facilitate better regional trade, are worth taking up. Governments, for their part, need to be more proactive about developing and implementing domestic privacy laws, ensuring that these are consistent with emerging international standards.  

The CBPR is not a perfect system, but it is a starting point—for strategy-building, inter-sectorial cooperation, and responsible data collection, all of which would be welcome advancements in the privacy landscape in Asia-Pacific.

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

The Internet Society and African Union Commission Launch Personal Data Protections Guidelines for Africa
The Internet Society and African Union Commission Launch Personal Data Protections Guidelines for Africa
Building Trust8 May 2018

The Internet Society and African Union Commission Launch Personal Data Protections Guidelines for Africa

The Internet Society and the African Union Commission (AUC) today launched the Personal Data Protection Guidelines for Africa (“the Guidelines”)...

The Future of Online Privacy and Personal Data Protection in Africa
The Future of Online Privacy and Personal Data Protection in Africa
Privacy20 February 2018

The Future of Online Privacy and Personal Data Protection in Africa

African experts are gathered for two days (19-20 February 2018) in Addis Ababa, Ethiopia to contribute to the development of...

Pervasive Internet Surveillance - Policy ripples
Pervasive Internet Surveillance - Policy ripples
Improving Technical Security26 June 2014

Pervasive Internet Surveillance – Policy ripples

It has become clear in the past year that pervasive surveillance is a threat to all users of the Internet...

Join the conversation with Internet Society members around the world