The Journal The Authority on Global Business in Japan

High-profile incidents of personal information theft have become common. In one such case involving Yahoo! Inc., more than 1 billion accounts were affected. With our increasing reliance on the Internet and cloud-based services, it is difficult to avoid risk as an individual. It is, therefore, incumbent on companies to protect the personal information of clients. The global economy and e-commerce mean that data must be transferred across national borders, and this introduces a new level of complexity to security strategy and compliance.

For companies, a data breach can cause significant damage, but for consumers the danger is even greater. If the handling of their information is not secure, and the details are stolen or leaked, the result can be serious personal and financial hardship.

Obvious possibilities include the theft of credit card information resulting in unauthorized purchases or, if a consumer’s overall identity is borrowed, an unscrupulous character might take out a loan in their name.

Manuel E. Maisog, partner at global law firm Hunton & Williams LLP, resident in its Beijing office, and a principal of the Center for Information Policy Leadership, pointed out two less obvious possibilities. In the first, “a consumer could become aware that he might have personal information ‘out there’ that someone might not be handling carefully, and goes into a state of more or less permanent anxiety,” he said. In the second, “consumers could stop trusting institutions, such as banks and remittance service companies, and reduce their interactions with other people so as not to spread their personal information around, resulting in suppressed levels not only of commerce, but also of political, educational, and cultural interactions among the citizenry, resulting in turn in a less friendly, less trusting, and less dynamic society.”

To address the need for stronger protection of personal information in the modern e-commerce environment, the United States and Japan, together with the other 19 economies of the Asia–Pacific Economic Cooperation (APEC), have developed the Cross-Border Privacy Rules (CBPR) system.

On November 13, 2011, at the APEC Leaders’ Summit in Honolulu, Hawaii, the 21 economies of APEC agreed to implement the CBPR system. Since then, four nations have entered: the United States (2012), Mexico (2013), Japan (2014), and Canada (2015). South Korea became the latest to submit an application to participate, in January 2017, and Taiwan has announced an intention to apply.

As the Japan Institute for Promotion of Digital Economy and Community (JIPDEC) explained to The Journal: “With the globalization of economic activity centered on the Internet, the flow of personal information across borders will increase. To help this go more smoothly, it is necessary to establish a system such as APEC CBPR.”

The APEC CBPR system requires participating businesses to develop and implement data privacy policies consistent with the APEC Privacy Framework. This framework was updated in 2015 by the Data Privacy Subgroup (DPS) of the APEC Electronic Commerce Steering Group (ECSG) to address gaps in policies and regulatory frameworks on e-commerce, and the revision was endorsed by the ministers in November 2016.

Currently, 18 companies in the United States are CBPR-certified. These include American Chamber of Commerce in Japan members Apple Inc., Cisco Systems Inc., Hewlett-Packard, and IBM, which in August 2013 became the very first company to be certified. On December 20, 2016, IntaSect Communications, Inc., became the first Japanese company to be certified.

“The goal of the system,” a commercial official from the International Trade Administration (ITA), US Department of Commerce told The Journal, “is to strengthen consumer privacy protections and trust, and to facilitate trade across the Asia–Pacific region by minimizing unnecessary barriers to the cross-border flow of information due to differing levels of privacy protection regulations within the participating APEC economies.”

The APEC CBPR system takes some of the burden off governments by relying on Accountability Agents not only to certify applicant companies, but to handle disputes that may arise between certified companies and data subjects. Hunton & Williams’ Maisog explained: “The Accountability Agent is taking on much of the responsibility for policing, investigation, and enforcement. This allows governmental enforcement agencies to step back from mundane enforcement tasks, thereby helping to conserve government resources. The system is, therefore, in commercial parlance, ‘scalable.’”

He also pointed out that “the APEC CBPR system raises the level of privacy protection by requiring applicant companies to submit to an active and rigorous evaluation by an independent expert organization, in the form of the Accountability Agent, instead of merely requiring them to comply with a list of legal requirements.”

This review of the privacy practices for certified companies by an Accountability Agent, who is responsible for the compliance of a company as well as a business’s own internal standards, sets the CBPR system apart from other mechanisms.

Adaptiveness is also important. The CBPR system, like all regulatory regimes, must remain flexible and responsive to changes in laws, the marketplace, and business practices. To ensure this, APEC recently established the Accountability and Administration Study Group (AASG) within the Joint Oversight Panel for the CBPR system to review the framework and update it when appropriate. The AASG communicates regularly on the day-to-day running of the CBPR system as well as long-term enhancements. In addition, the CBPR system remains a key topic at the biannual meetings of APEC’s ECSG DPS.

The APEC CBPR was developed and endorsed by all 21 APEC member economies. The US and Japan were among the first to join, so they have been taking an active role in expanding the system. A commercial official from the ITA explained: “The United States has played an active role in developing and growing the APEC CBPR system since the system’s inception in 2008, and in developing the APEC Privacy Framework, which outlines the nine high-level principles on which the system is based. The United States was the first country to join and fully implement the system, and has played an active role in encouraging other economies to participate.”

From the Japanese side, Shinji Kakuno, director of the International Affairs Office, Commerce and Information Policy Bureau, Ministry of Economy, Trade and Industry (METI) told The Journal: “As the second economy to introduce a CBPR certification system following the US, Japan will lead discussions in APEC for promoting the CBPR system with the United States. Also, we will share our experiences with and provide capacity-building cooperation programs to other APEC economies which have interests in participating in the CBPR system.” Kakuno is also vice-chair of the APEC ECSG.

Erick Kish, commercial attaché and digital trade officer at the US Embassy in Tokyo, highlighted the importance of this collaboration: “The US Department of Commerce cooperated closely with METI within APEC to develop the APEC CBPR system. Now that Japan is implementing the APEC CBPR system, Commerce and the US Embassy in Tokyo are collaborating closely with JIPDEC, METI, and the PPC [Personal Information Protection Commission of Japan] as they promote the system and enroll companies.”

A 2016 letter released by influential business groups from the United States, Japan, and Latin America stressed the importance of the system for business. “By creating a certification system that bridges the privacy regimes of each participating economy in a cost-effective and scalable way,” the letter said, “the CBPRs allow participating companies to focus their time and resources on innovating, serving customers, and pursuing their business objectives.”

METI’s Kakuno explained, “If such a system is introduced in many countries, companies do not need to adjust their privacy policies to the requirements of countries in which they are doing their business.” Indeed, this streamlining of the security process can potentially free up significant resources for businesses.

A commercial official from the ITA spoke of how, in recent years, concerns over privacy, cybersecurity, and the strength of domestic industry have led to policies that threaten to divide the Internet and stifle innovation, saying, “We are working to grow the system before new barriers to data flows take hold in APEC economies, building confidence in the data flows that businesses and consumers rely on.”

Clearly APEC CBPR was designed and is being implemented with the needs of business in mind, but with the privacy of consumers at its core.

Presently, only four of the 21 APEC economies have joined the CBPR. But the US Department of Commerce is optimistic about the future. “We are enthusiastic about the prospects for the system’s expansion in 2017 and in the years ahead,” an official told The Journal. “[South] Korea recently submitted its official application to participate, and in late 2016 Chinese Taipei [Taiwan] announced its intention to undertake domestic reforms that would enable their participation. With the addition of these two economies, six of the largest economies in APEC would be participating. The system is clearly gathering steam, which we expect will continue to build moving forward.”

According to Maisog, Vietnam is exploring the option to join soon and the Philippines has informally said they will join within the next two years. There’s also an expectation that Singapore, and perhaps Hong Kong, will join soon. “When enough countries have joined,” Maisog said, “the system could achieve a ‘network effect’ under which countries that have not yet joined will feel disadvantaged in comparison to those that have already joined.”

These views are supported by an APEC ECSG report released on January 16, Survey on the Readiness for Joining Cross Border Privacy Rules System, which found that more than 57 percent of APEC members planned to join or are considering joining the system. These include Australia, China, Hong Kong, the Philippines, Russia, Singapore, and Vietnam.

While the CBPR system was developed for the APEC region, it is flexible enough to expand to other regions, offering the potential for a global framework for data flows. Whereas the EU model is strictly bilateral, APEC has established a regional framework with global applicability. An expansion of the APEC system and increased interoperability with other data transfer systems would allow businesses to save on compliance costs by operating with a single global privacy and data protection policy.

Europe has taken a different approach to guarding personal information that is transferred across borders. The European Union (EU) Binding Corporate Rules (BCR), as METI’s Kakuno explains, “are internal rules adopted by a multinational group of companies that define its global policy with regard to the international transfers of personal data to the entities within the same corporate group and are located in countries which do not provide an adequate level of protection.”

Essentially, under EU law, personal data may not be transferred to a country outside the European Economic Area unless the receiving country has proven an adequate level of protection and therefore has been white listed by the European Commission.

EU BCR certification is something like a company-specific white list. Notwithstanding the normal EU prohibition against cross-border data transfers, once a company or corporate group of companies has achieved EU BCR certification, they are allowed to transfer personal data from the EU to one of their offices outside the EU because their internal personal data-handling practices have been examined and approved.

Currently, about 80 companies have obtained EU BCR certification.

EU BCR is seen by some as too restrictive for business or insufficient for governing the sharing of data with parties outside of the certified group of companies, and thus a door could open for interoperability with APEC CBPR.

There are differences between the two frameworks. EU BCR is a way to enable cross-border data transfer within group companies and does not cover cross-border transfer to third party companies. On the other hand, APEC CBPR builds consumer, business, and regulator trust in cross-border flows of personal information.

An official from the US Department of Commerce added that “while EU BCR limits transfers to intracorporate activities, the CBPR system covers the transfer of information throughout supply chains and transactions processing, offering protections for consumer information at every level.”

Maisog at Hunton & Williams spoke of the efficiency of the Asia–Pacific approach. “If there is a difference worth highlighting, it is that the APEC CBPR System has an approval process that is more efficient than that of the EU BCR,” he explained. “A company can get certification, and can get started executing actual cross-border transfers of information, in significantly more expedient fashion under the APEC CBPR system than under the EU BCR.”

The flexibility of the CBPR system also allows for interoperability with other recognized transfer mechanisms, such as the US–EU Privacy Shield and the EU BCR. In fact, the new EU General Data Protection Regulation includes certain facets of the APEC regime, further linking the two models.

Kakuno told The Journal: “METI desires to share its understanding among other multilateral fora, such as OECD [the Organisation for Economic Co-operation and Development] and G20/G7, on the effectiveness and usefulness of APEC CBPR-like-schemes as a tool of balancing the protection and utilization of personal information in its cross-border transfer.”

According to Maisog, there is an effort underway between the EU’s Article 29 Working Party and APEC to explore interoperability between the BCR and CBPR systems, recognizing that, ultimately, global businesses need global solutions for their data transfers. JIPDEC said that, with such efforts, they expect that CBPR and BCR may evolve into a more global framework.

Christopher Bryan Jones is Editor-in-chief of The Journal. Originally from Birmingham, Alabama, he has lived in Japan since 1997.