APEC's Cross-Border Privacy Rules System: A House of Cards?
(2014) 128 Privacy Laws & Business International Report, 27-30
6 Pages Posted: 21 Jul 2014 Last revised: 21 Jul 2015
Date Written: April 20, 2014
APECs Cross-border privacy rules system (CPBRs) has been under development at least since 2007, after the APEC Privacy Framework was completed in 2005. The proponents of APEC CBPRs present it as having a major role in the Asia-Pacific, and in transfers of personal data globally, particularly between the EU and the Asia-Pacific. Different views are possible, but it needs to be examined and debated in considerable detail. I suggest scepticism, and that APEC CBPRs may turn out to be a house of cards.
The article starts by noting that the EU’s Article 29 Working Party Opinion in February 2014 in the form of a ‘referential’ on EU BCRs (Binding Corporate Rules) and APEC’s CBPRs does not aim at achieving mutual recognition of the two systems but only ‘a basis for double certification’. There are such wide differences between the two, identified in the Opinion, that a lengthy period of study is required even to understand them, let alone build bridges to overcome them. In contrast, a report by a consultancy firm concludes, with what seems unjustifiably optimistic, when read against the Working Party’s later Opinion, that these differences can be overcome, and a resulting global system for ‘low friction cross-border transfers’ (otherwise known as ‘interoperability’) can emerge based on something resembling APEC’s CBPRs.
These contrasting studies make clear is that it is necessary for businesses and their advisers to obtain a very clear and detailed understanding of what APEC CBPRs does and does not do, and the foundations on which it is built. This article aims to provide such an analysis, in a 12 point summary of how APEC CBPRs is supposed to work, followed by a critique of the limited (if any) benefits it will provide for consumers, and the dubious business case it presents for any businesses, other than perhaps a small number of US-based companies.
The second part of this article will examine how APEC CBPRs has operated to mid-2014.
Keywords: privacy, data protection, APEC, Asia, cross-border
Suggested Citation: Suggested Citation