The Case for the APEC Cross-Border Privacy Rules System
A significant number of APEC economies are joining up.
Digital disruption is opening up trade in the Asia-Pacific like never before. But maximizing its potential to revolutionize growth hinges on keeping surging cross-border data flows moving while safeguarding the sensitive personal information of billions of consumers against heightened security risks.
In an interview with the APEC Bulletin, James Sullivan, Acting Chair of the APEC Electronic Commerce Steering Group, and Colin Minihan, Chair of the APEC Data Privacy Sub-Group, explained how the emerging APEC Cross-Border Privacy Rules system can support this balance and a stronger, inclusive digital economy.
APEC Bulletin: What’s your view of digital development in the APEC region and its capacity to level the playing field when it comes to trade?
Sullivan: E-commerce, digital trade and the digital economy, in general, continue to grow rapidly in the APEC region, driven by the access businesses have now to more and better data that is allowing them to gain all sorts of insights into how to improve efficiencies and productivity.
All that data is providing fuel for emerging technologies—from self-driving cars to artificial intelligence and robotics to precision medicine. At the end of the day, it also empowers consumers and puts more people in a position to participate in global markets through these online platforms.
Today individuals and small businesses can reach markets abroad in a way they never could before. Two people in Papua New Guinea can sell their goods in Viet Nam in the same way a global company in Canada can sell its products in Malaysia. That’s a tremendous leveler in terms of trade opportunities.
APEC Bulletin: What are the biggest barriers to opening up e-commerce and the digital economy?
Sullivan: Data doesn’t stop at the border and, unfortunately, in recent years we’ve seen a rise in digital protectionism. This includes restrictions such as data localization where you have to store data and, in many instances, process data inside the borders of the economy that imposes it.
Sometimes, data localization laws are put in place to address cybersecurity or privacy. There are legitimate concerns there. But restrictions like these reduce the benefits of e-commerce because it becomes more expensive and serve only to hurt entrepreneurs and small businesses, in particular, who can’t afford to comply with a wide variety of different laws. It’s just not possible.
APEC Bulletin: What is needed to ease these digital barriers and where does APEC fit in?
Sullivan: In APEC, there’s a great solution called the Cross-Border Privacy Rules system. On the one hand, there are privacy and data protections under the system, but they’re balanced against the need for cross-border flows of information that facilitate all the technologies that we use every day. That’s a very pragmatic approach to these issues that you don’t always see in every part of the world.
APEC Bulletin: How does the APEC Cross-Border Privacy Rules system work?
Minihan: The APEC Cross-Border Privacy Rules system is voluntary for APEC economies and businesses to take part in. But the bottom line is, if you give your information to a firm that has joined, when they use that information, they’re required under domestic law to protect it. It is a baseline, as well.
Some participating APEC economies may want stricter standards for certain transactions and that’s recognized by the system’s privacy framework. Companies can also adopt higher standards if they wish. Some may do so to match standards in a range of regions around the world, not just the APEC region.
APEC Bulletin: What recourse is there for consumers if their data is mishandled under the system?
Minihan: To provide support for consumers, the APEC Cross-Border Privacy Rules system is backed up by an APEC Cross-Border Privacy Enforcement arrangement where regulators can share information about cross-border privacy issues and direct consumer complaints to the appropriate jurisdiction.
A customer in Australia, for example, could file a complaint to what’s called an Accountability Agent if they have problems with how a company is handling their personal information. Their complaint could then be addressed by the regulator in the jurisdiction where the company is based.
APEC Bulletin: What is the level of participation in the system among APEC economies?
Minihan: A significant number of APEC economies are joining up. It is a diverse group too. Japan, Korea and the United States are already firmly taking part in the system. Singapore most recently joined. Canada and Mexico are looking at how to implement their engagement domestically. Australia just submitted their documentation to participate and there are others working on their applications too.
APEC Bulletin: What kinds of firms does the system cover and what is their response so far?
Minihan: The APEC Cross-Border Privacy Rules system can apply to any kind of business or personal information. Because it’s voluntary, it’s a matter for businesses to join the system. At present, firms in the IT and health sectors are taking part as well as in manufacturing, service provision and other areas.
Participating APEC economies are at different levels of business engagement. Given that the system is voluntary, encouraging participation is important. Japan’s privacy regulator has done a lot of work in reaching out to businesses there through many seminars, with thousands of attendees in the past year, to provide information about the APEC Cross-Border Privacy Rules system and what it means for them.
As the system continues to grow and we get more engagement from companies in APEC economies taking part, it should drive greater interest among other economies. Of course, some may not be in a position to take part at this time. The work of the APEC Data Privacy Sub-Group is to continue capacity building and address issues APEC economies might have in considering engagement with the system.
APEC Bulletin: How equipped is the APEC Cross-Border Privacy Rules system for technological change?
Sullivan: Technology is evolving so rapidly. Often times, companies themselves are not keeping up, let alone privacy laws and regulation which can become outdated very quickly. The APEC Cross-Border Privacy Rules system allows firms to address data management issues in a flexible and responsive way. That speaks to the value of it.
Quite frankly, with everything going on in the privacy world, we’re even getting inquiries about the Cross-Border Privacy Rules system from economies outside the APEC region that find it appealing because it isn’t a top-down, prescriptive approach to addressing these issues. It’s flexible and it can be tailored to domestic laws of any economy.
APEC Bulletin: How does the APEC Cross-Border Privacy Rules System compare with the European Union’s General Data Protection Regulation, or GDPR, and how might they fit together?
Minihan: The APEC Cross-Border Privacy Rules system is focused on cross-border data transfers. The General Data Protection Regulation – GDPR – is comprehensive data privacy regulation in Europe, which provides prescriptive rules for all those members of the EU to put in their domestic laws. Obviously, it’s a very different scale of operation.
That said, the GDPR has a system underneath it called Binding Corporate Rules which allow transfers of information across borders from certified companies in Europe to their subsidiaries outside Europe. It’s a similar kind of cross-border data flow arrangement to the APEC Cross-Border Privacy Rules system which is really based on certification.
We’ve done work with European colleagues on recognizing the similarities and engage with the EU in our meetings. We hope to continue that engagement on the issue of certification, in particular, to determine whether it’s possible to have some commonality and, possibly, interoperability between those elements in our systems.
APEC Bulletin: What are the next steps towards building the APEC Cross-Border Privacy Rules system and the digital economy?
Sullivan: With all the attention now on data privacy issues, it’s a great time to raise awareness about the APEC Cross-Border Privacy Rules system as well. We want consumers to know about it, we want companies to know about it and we would like to see more APEC economies join.
It could go a long way towards integrating the APEC region and building on what it’s already done in terms of innovation. It could also help the 2 billion people online in this region leverage the digital economy and grow their economies.