Welcome to the third issue of NetMission’s news and policy digest, where we transform some tech news and policy updates of the month into a bite-size reader for you. This edition sheds light upon the data privacy governance system developed by the Asia Pacific Economic Cooperation (APEC) and its advancements.
Accounting for more than 60% of the world’s GDP in 2022, APEC is home to nearly 40% of the world’s population. Data about nearly three billion individuals comes from the 21-member economic bloc, its discussions and approach to data privacy cooperation are therefore consequential.
The APEC Development
As the APEC Leaders’ Summit concluded on 17 November 2023, the 21 economic leaders endorsed the Golden Gate Declaration to continue “encourag[ing] all economies to accelerate efforts to implement the APEC Internet and Digital Economy Roadmap (AIDER), including in the areas of data privacy”. Additionally, all APEC member-states vowed again to “cooperate on facilitating the flow of data and strengthening business and consumer trust in digital transactions, including through cooperation on regulatory approaches”. Across Public-Private Dialogues, Economic Impact Analyses and Senior Officials’ Meeting (SOM) Reports that led up to the Leaders’ Summit in November 2023, the facilitation of cross-border privacy management was constantly emphasized.
A key part of realising the call is the advancement of APEC’s Cross-Border Privacy Rules (CBPR) System, which implements the APEC Privacy Framework endorsed by all 21 economies. Recognising the importance of protecting privacy while maintaining the free flow of personal information across borders for trade and economic development, the voluntary system prescribes seven program requirements, namely (1) Enforceable standards, (2) Accountability, (3) Risk-based protections, (4) Consumer-friendly complaint handling, (5) Consumer empowerment, (6) Consistent protections, and (7) Cross-border enforcement cooperation. A prerequisite for economies to join the system is a satisfactory demonstration of their capabilities to certify companies and enforce compliance with the CBPR system.
However, since the 2011 Privacy Framework and its CBPR System only pertain to personal information controllers, a similar certification system was subsequently developed for personal information processors in 2015. While the Privacy Recognition for Processors (PRP) System does not directly implement the APEC Privacy Framework, the PRP System assures data is processed consistently with the requirements that controllers are subject to under the CBPR System.
The Global Advancement
Alongside the existing nine participating APEC economies — Australia, Canada, Japan, the Republic of Korea, Mexico, the Philippines, Singapore, Chinese Taipei, and the United States, Malaysia is en route to becoming the 10th participating APEC economy, following its letter of intent to participate being accepted in 2023.
Meanwhile, recognition of the CBPR mechanism is growing in other jurisdictions such as Bermuda and the Dubai International Finance Centre amidst the urge for a more globally interoperable data governance system. The Global Cross-Border Privacy Rules Forum was then established in April 2022 to expand the government-backed data privacy certification system to non-APEC economies. The United Kingdom became the first Associate of the Forum in July 2023, while other non-APEC economies like the United Arab Emirates (UAE) have expressed interest in exploring opportunities presented by the Forum.
The Global CBPR Forum builds on both APEC CBPR and PRP Systems to facilitate the protection and free flow of data, as well as to promote the interoperability and best practices of data governance and privacy frameworks.
The Road Ahead
While the APEC-originated privacy certification mechanism attempts to enhance global data governance interoperability, its voluntary, accountability-based nature limits its ambition. Such an approach is overshadowed by privacy legislations such as the European Union’s General Data Protection Regulation (GDPR) and the 70+ jurisdictions that have powers to limit free flows of data based on the level of adequacy rules of recipient third countries.
With such constraints, the work on promoting best practices and interoperable privacy governance becomes salient. In support of APEC leaders and ministerial statements, panel discussions on data standardization and digital fragmentation were held at various working levels including in this year’s Digital Economy Steering Group (DESG) meetings and Committee on Trade and Investment (CTI) meetings, alongside other dialogues and ongoing literature reviews and initiatives. These engagements consider how the CBPR approach should fit into the global mechanisms of accountability and personal data transfers. For instance, the World Economic Forum called for a conducive regulatory environment in digital trade with commitments to (1) modernize legal infrastructure, (2) build an interoperable regulatory system, (3) international cooperation, and (4) multi-stakeholder engagement.
Looking ahead, the Global CBPR Forum’s 2023/2024 Annual Work Program envisages “necessary elements” to be ready for issuing Global CBPR and Global PRP certifications by the end of 2023. Following the conclusion of APEC 2023 in November, we shall expect more updates on the certification mechanisms soon. In the meantime, recent developments including the withdrawal of U.S.’ positions on supporting data free flow and prohibiting software source code reviews before the World Trade Organization (WTO) and ongoing operationalization of the Japan-initiated Data Free Flow with Trust (DFFT) amongst G7 members have set up for an intricate discussion on cross-border privacy governance in the new year.
Fun Fact: Was APEC EPIC?
I was welcomed by banners that read “APEC will be EPIC” when I landed in San Francisco during the week of the APEC Leaders’ Summit. The week was undoubtedly an eventful one.
Against the backdrop of the ongoing Russia-Ukraine and Hamas-Israel conflicts (which the 21 APEC leaders could not reach a consensus on), the highly-anticipated U.S.-China Leaders’ Summit was candid and constructive (until U.S. President Biden’s “dictator” comment over Chinese President Xi), and an “overarching agreement” on 3 out of 4 pillars of the 14-member Indo-Pacific Economic Framework for Prosperity (IPEF) was issued (after falling short of reaching an expected Framework-wide agreement).
While leaving the verdict on whether APEC 2023 is “impressive” open, what led up to this year’s APEC week “involved a lot of action and difficulty”. By the latter definition, APEC is surely EPIC.
By Kenneth Leung (Reviewed and edited by Jenna Manhau Fung and Vicente Arias González)