ITI has returned from the Asia-Pacific Economic Cooperation (APEC) forum meetings held in Lima, Peru, last week on data privacy and digital trade. Economies and stakeholders at the forum discussed how expansion of APEC’s Cross Border Privacy Rules system (CBPRs) can help facilitate trade in information and communications technology products and services in the region and promote the free flow of information across borders.
What are CBPRs? CBPRs comprise a voluntary system to enable data transfers while protecting privacy that sits on top of existing laws and regulations in participating economies. The CBPRs system thus promotes the principle of accountability at the organizational level to facilitate the interoperability of the system across participating economies - it asks companies to be accountable for their privacy practices, involves third-party accountability agents to certify that accountability, asks governments to provide oversight and enforcement mechanisms and recognize the concept of mutual recognition, and prevents participants from using data localization requirements as a means of protecting personal data.
We believe that the CBPRs are worth promoting and expanding in order to increase digital trade and economic growth for businesses in all sectors and all economies in the region, while building consumer, business, and regulator trust. In addition, we believe it could represent a more sustainable approach to developing privacy rules that truly reflect the global nature of commerce. For example, while ITI strongly supports the recently concluded EU-U.S. Privacy Shield Framework, we have broader concerns about the precedent of economies pursuing their own unilateral or bilateral solutions to what is ultimately a global policy challenge. The Privacy Shield sets out important principles for privacy protection, but its true promise lies in the extent to which it ultimately interacts with more global approaches – such as the CBPRs – to constitute a single, interoperable set of globally available rules.
In 2011, when APEC Leaders established the CBPRs, they committed to “implement the APEC Cross Border Privacy Rules System to reduce barriers to information flows, enhance consumer privacy, and promote interoperability across regional data privacy regimes.”
To date, four APEC members (the United States, Japan, Canada, and Mexico) have joined the CBPRs and several global companies (including ITI member companies Apple, Hewlett Packard Enterprise, HP Inc, and IBM) have joined as well. One company, Merck, even modeled its application for EU Binding Corporate Rules approval on its CBPRs application, describing in a blog this year on how it saved considerable amounts of time and money in the process.
Why haven't more APEC members and companies joined? We hear different reasons for the slow uptake, including that governments are waiting for companies to join, and companies are waiting for governments to join. We also hear that some governments haven't prioritized joining domestically or believe that it would be too burdensome to join. Some companies are also concerned about the relatively small number of accountability agents available for them to use and therefore hesitate to participate.
It is also notable that economies maintaining data localization requirements in their data privacy regimes or otherwise, like Russia, Indonesia, and China, are not taking the steps to join the CBPRs. The slow uptake may not pose serious problems for governments and larger companies, but it poses great opportunity and operational costs for small businesses and medium-sized enterprises (SMEs), particularly exporters from developing country markets, who will bear the brunt of data localization requirements in the region. Our take away from the forum is that APEC economies are working on addressing these technical and political issues being cited.
Just as the value of internet platforms grows with ever larger numbers of users due to network effects, the value of CBPRs will grow as the number of participants grows. With sufficient APEC economy participation, governments and companies outside of the Asia-Pacific region who are considering their approaches to data privacy and protection should look to the CBPRs as the best international option.
Indeed, at least one non-APEC country, India, has expressed interest in the CBPRs approach. A possible outcome could be that the CBPRs become the preferred global data privacy system for addressing concerns regarding cross-border data transfers, which would truly expand trade in technology products and services on a global scale. ITI will continue to work with APEC economies and other stakeholders to explore the potential of realizing that vision.