Global Cross Border Privacy Rules and the new initiatives to support data free flow with trust
Browse this blog post
Just over a year ago, on 21 April 2022, the seven economies (Canada, Japan, the Republic of Korea, the Philippines, Singapore, Taiwan, and the USA) participating in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System announced the launch of the Global CBPR Forum (the Forum). My colleague Jane Finlayson-Brown blogged about the initiative at the time. Since that launch Australia and Mexico have also joined the Forum and it is now meeting bi-annually.
In this blog, we introduce the background, explore the likely direction and consider the potential business case for companies to certify under a new Global CBPR System.
The most eye-catching development to date has been the granting of the UK’s Associate status under the Forum following its application in April 2023. The UK also hosted the April 2023 Forum meeting in London. The implications of this are covered in more detail below.
How will the Global CBPR System work?
Work is still ongoing to develop a new Global CBPR System and transition from the APEC CBPR System.
The APEC CBPR System implements the APEC Privacy Framework to protect privacy across borders and to enable regional transfers of personal information. It also has a companion, the Privacy Recognition for Processors (PRP) System, which is designed for processor organisations to demonstrate the ability to effectively implement controller privacy requirements. This PRP System will transition too.
As it stands the APEC CBPR System continues to operate and we need to look at how this works in practice, as the objectives of the Forum make clear APEC CBPR System will still form the base of the new Global approach.
As with the APEC CBPR System the Global CBPR System will be a voluntary and accountability-based. The certification will allow organisations to demonstrate their compliance with data protection and privacy standards and facilitate the transfer of data across borders to certified companies.
Given its global nature, jurisdictions from outside APEC can apply to join the Forum and establish the operation of the Global CBPR System in their countries. The Forum now has a governance structure in place to take forward the work of transition. A new Global Forum Assembly is established as a policy and strategy making body of the Forum, with three committees sitting underneath: membership, communications and stakeholder engagement and accountability agent oversight and engagement. There is also new website. In addition, the relevant data protection and privacy enforcement authorities work together in a group that sits alongside the Forum – enabling their engagement and independence.
Key components of the APEC CBPR System
The current APEC CBPR System comprises four aspects: self-assessment by a company as against APEC Privacy Principles, a compliance review, recognition criteria for Accountability Agents and dispute resolution and enforcement. The principles are drawn from international frameworks such as the OECD Privacy Guidelines (the Guidelines were first agreed in 1980 and last updated in 2013, they were also reviewed in 2020) and Member countries’ data protection and privacy laws. They incorporate elements of rights we see in other laws as well and are:
- Preventing harm
- Collection limitation
- Uses of personal information
- Integrity of Personal Information
- Security safeguards
- Access and Correction
The APEC CBPR System notes that there should be flexibility in implementing the privacy principles given the social, cultural, economic and legal backgrounds of each Member economy. It also addresses a set of definitions.
An APEC CBPR System Member economy should refrain from restricting cross border flows of personal information between itself and another Member where: (a) the other Member has in place legislative or regulatory instruments that give effect to the APEC CBPR System, or (b) sufficient safeguards exist, including effective enforcement mechanisms and appropriate measures (such as certification under the APEC CBPR System) put in place by the personal information controller to ensure a continuing level of protection consistent with the APEC Privacy Framework and the laws or policies that implement it.
How does certification and enforcement work?
Following its self-assessment against the APEC Privacy Principles, a company wishing to rely on the APEC CBPR System must obtain a certification that its privacy policies and practices are compliant with a set of APEC CBPR System or PRP Systems program requirements based on these principles. The certification is undertaken by third party organisations called Accountability Agents. There are currently nine Accountability Agents, in five jurisdictions.
The Accountability Agents must themselves meet certain criteria, including being subject to the jurisdiction of a privacy enforcement authority in a participating economy and being free of conflicts of interest. They must also have effective policies and procedures in place for the certification process and use standard APEC CBPR System questions and criteria to assess certification applications from companies. They must also carry out on-going monitoring and compliance review, recertification and annual attestation.
Controllers can use data protection and privacy management programmes to demonstrate how they comply with the APEC Privacy Principles.
The certifications issued must be legally enforceable by the privacy enforcement authority in that jurisdiction, including through imposition of appropriate remedies for data protection and privacy violations.
To date there are no examples of formal enforcement action by privacy enforcement authorities under the APEC CBPR System.
To become a member of the Global CBPR Forum a jurisdiction must have least one privacy enforcement authority that is a participant in the Global Cooperation Arrangement for Privacy Enforcement.
What are the differences between the GDPR and the APEC CBPR System?
As it stands, there are some significant differences between the EU/UK GDPR and the APEC CBPR System. Some of the most important differences are as follows:
- Publicly available data. The APEC CBPR System has limited application to publicly available information, including “personal information about an individual that the individual knowingly makes or permits to be made available to the public”. The GDPR doesn’t contain such a limitation. This a particularly relevant issue given the use of publicly available personal data in the process of developing large language models in generative AI systems.
- The right not to be subject to automated-decision making. There is no equivalent to Article 22 GDPR in APEC CBPR System; this will also be a key issue given the growing use of AI.
- Special Category data. The APEC CBPR System contain no provisions that are equivalent to the GDPR Article requirements related to the use of special category data.
- Children’s data. There are no equivalents in the APEC CBPR System to the GDPR requirements for parental consent.
- Breach notification to a data protection authority and to individuals. The APEC CBPR System also lacks an equivalent to these provisions(although there is a security principle)
- Data Protection Impact Assessments (DPIAs). The APEC CBPR System does not require the use of DPIAs or a similar assessment of risk.
The European Commission has also been clear that the APEC CBPR System is not essentially equivalent to the standards in the GDPR. The EU GDPR adequacy decision for Japan stated “This will be the case, for instance, of the APEC Cross Border Privacy Rules (CBPR) System, of which Japan is a participating economy), as in that system the protections do not result from an arrangement binding the exporter and the importer in the context of their bilateral relationship and are clearly of a lower level than the one guaranteed by the combination of the Act on the Protection of Personal Information and the Supplementary Rules”. This means that APEC CBPR System cannot not be used for onward transfers of personal data that had been transferred from the EU to Japan under the GDPR.
In 2014 the EU Article 29 Working Party of Data Protection Authorities (the forerunner for the European Data Protection Board (the EDPB)) worked with the APEC CBPR System Members to develop a ‘referential’ between the CBPR and the EU Binding Corporate Rules system, as it then operated under the EU Data Protection Directive 95/46. This was seen as a positive step and a practical tool to use to help map interoperability between the systems. It also laid out the level of work that would be needed to work across both.
A small number of companies now hold GDPR Binding Corporate Rules approval and APEC CBPR certification. Hewlett Packard was the first to achieve this and Merck became the first company to achieve approval for its Binding Corporate Rules following APEC CBPR approval.
Focus on the EU GDPR implementation and the disruption caused by the Schrems I and II CJEU judgments then reduced opportunities to build on the agreement of the 2014 referential. The GDPR came into full effect in 2018 and creates some further opportunities for interoperability. The GDPR also enables companies to use codes of conduct or certification to demonstrate their compliance and accountability and it is possible to use them as a tool to enable compliant transfers of personal data (the EDPB has issued guidance on this). Although the APEC CBPR System works as a certification system, the standards needed for certification conformity under the GDPR are different and based on ISO standards. As such, there may be potential for better alignment between the APEC CBPR System and the codes of conduct under GDPR. The number of approved codes under GDPR are starting to grow, though to-date the focus of their use-case has been on demonstrating compliance rather than data transfers, though this may change following EDPB guidance.
It is worth monitoring developments as new Global CBPR System emerges. There is clearly an opportunity to move the two systems much closer together and create greater lines of interoperability between them.
How successful has the APEC CBPR System been?
Spring 2023 figures indicate that there were 62 APEC CBPR and 47 PRP System certifications covering some 1,800 entities. Companies currently certified under the APEC CBPR System include Apple, MasterCard, Cisco and Yahoo Japan. In 2022, Google announced their intention to certify under the Global CBPR System and support Google customers to certify, especially small and medium enterprises.
The business case for companies to certify under Global CBPR System
The business case for Global CBPRs must face the reality of data protection and privacy compliance costs, incentives, and motivations. There is data protection and privacy compliance fatigue emerging. AI governance will also place an increasing call on companies’ budgets. The EU GDPR Transfer Impact Assessments have drawn resource and continue to do so, though this should hopefully ease for EU/UK-US data transfers now that the EU-US Data Privacy Framework has been adopted and the adequacy decisions of the EU and UK are in place.
If reforms to the Global CBPR System emerge in the next few years, and this brings the systems closer, the incentives will undoubtedly increase. The ultimate prize would of course be EU approval of CBPR as a code of conduct under the GDPR but this would appear to have a number a significant hurdles to pass.
There is business appetite for global solutions that can bridge between frameworks such as the GDPR and CBPR Systems but the synergies need to be clearly practical and tangible, otherwise companies may tend to stick to trusted methods such as standard clauses. Companies will need to consider how the Global CBPR System fits as part of wider approach to accountability and personal data transfer mechanisms.
The CBPR System is an accountability system and companies will need to consider the wider benefits of certifying under an accountability based system, where this fits into their privacy management programme and how this can enable trust benefits with key customers, suppliers and partners.
Companies should monitor for interest in their sector, discuss in trade bodies and consider the value in supply chains - with suppliers and corporate customers. The main base in the APEC region will also continue to a key factor in the short-medium term, and as new global members join this case may evolve.
UK as an Associate Member of the Global CBPR Forum
The UK’s new status as an Associate Member is an important step forward for the Global CBPR as it is the first country outside the region to demonstrate an interest in joining. The UK has signalled its policy concern that the approach of using adequacy decisions to enable personal data transfers may be hard to sustain. A multi-lateral solution, such as CBPR, may be the more sustainable solution to scale. The UK has a useful position to potentially bridge between the EU and APEC, though this could require some careful balancing to preserve the highly valuable data adequacy decision for EU-UK data transfers
The Forum terms of reference state that, whilst not a full Member of the CBPR Forum (with the associated participation in the Global CBPR and/or PRP Systems and setting of the Forum’s strategy and policy), Associates participate in the Forum to prepare for their potential participation in the Global CBPR or PRP Systems as Members. To qualify as an Associate, a jurisdiction must support the principles and objectives of the Forum as set out in the Global CBPR Declaration and Framework. An Associate jurisdiction must have laws and regulations that protect personal information and a public body responsible for enforcing the same.
The UK Data Protection and Digital Information Bill (no2) currently before the UK Parliament creates a mechanism for the Secretary of State to approve transfers under regulations (replacing the previous GDPR adequacy regime) - it also includes a provision that can identify transfers of personal data by these means: “relevant legislation, schemes, lists or other arrangements or documents, as they have effect from time to time” (new UK GDPR Article 45A(4)(c)(vi)). The Global CBPR System could be classed as a scheme or arrangement that falls with the definition. The Global CBPR System would then need to be assessed against the “Data Protection Test” set out in the Bill. This test uses the term “not materially lower” rather than “essential equivalence” in the GDPR.
Given the position of Japan mentioned above, the UK will have to carefully consider its approach related to the EU adequacy decision. It seems unlikely that the UK can consider approval of the Global CBPR System under regulations until reforms are made.
Overall, this represents a positive indication of the UK’s future intention to support global interoperability, though it is likely to take some time to come to fruition.
Other jurisdictions have started to recognise CBPR
It is also worth recognising that some smaller jurisdictions have recognised that APEC CBPR System as a valid tool to use for transfers of personal data from their jurisdiction to certified companies in member countries. These smaller jurisdictions have decided to do this despite not yet being members of the Global CBPR System. So far, Bermuda and the Dubai International Finance Center have announced this.
As noted in our previous blog “Global policy makers take further steps to support data free flow with trust” there is now some real momentum behind initiatives to reduce friction in international data flows, alongside enabling high standards to maintain trust. The G7 and OECD initiatives sit alongside this move to globalise the CBPR System. The UK’s Associate Membership gives some tangible support to the vision of a new global system, beyond APEC, though more Members will still be needed to give the system global credibility.
Companies will need to consider specific business benefits before using the Global CBPR System – this will include consideration of the global regions most ready to leverage the framework, the sectors and industries where the benefits can be realised. Industries such as cloud computing and data analytics industries may see particular benefits across their supply chains.
We now await further news of how the Global CBPR System will evolve and how much closer it becomes to the GDPR. For many companies it will be a case of monitoring and considering when the business case will mature. There should be opportunities to engage through consultations as it develops.