Posted: November 7th, 2023
Global Data Governance and Digital Policy: A Case Study on Cross-Border Privacy Rules (CBPR)
The global society is experiencing unprecedented transformations in connectivity and data flows. Digitalized networks underpin the current industrial revolution, incentivizing companies to focus on asset digitization and the establishment of digital ecosystems. Most considerations regarding the security and privacy of these networks focus on the U.S.-E.U. General Data Protection Regulation (GDPR). The numerous studies and corporate reports often overshadow the fact that there are other privacy rules for different trade regions. The Cross-Border Privacy Rules (CBPR) serve the more economically complex Asia-Pacific region. The Asia-Pacific Economic Cooperation (APEC) introduced the digital policy in 2011 to govern cross-border data transfers between participant member states. However, unlike the GDPR, participation in the CBPR is voluntary, with the regulatory framework extending only to APEC members. This report covers the CBPR as a case study of how digital policies are shaping regional media and trade in the Asia-Pacific with respect to the greater universal digital policy environment.
Asian countries are facing structural and governance challenges with the increased proliferation of data in business. The Asia-Pacific region is one of the largest and fastest-growing trade regions in the world. With over 2.1 billion people online, the continent is experiencing unparalleled demand for data and data networks (Meltzer & Lovelock, 2018). Monetary research outlines that cross-border data access, sharing and usage are critical for economic growth in the modern digital economy. The CBPR system ensures the protection of personal information while promoting increased cross-border data flow. Personal data should be able to move freely among corporations with minimal risk faced by the consumer (Meltzer & Lovelock, 2018). Through the CBPR system, individual countries do not obstruct the free flow of personal information, which accelerates regional economic growth. Because of its infancy, it is not yet clear whether CBPR is as effective as, or better than, other global digital policies. However, the policy will enhance the flow of information and digital trade between the Asia-Pacific region and the United States.
A brief look into the history of APEC is necessary to highlight CBPR’s context. APEC was formed in 1989 by twelve Asian states as a multilateral economic trade agreement (Ayres, 2014). The agency grew to 21 member states and includes almost all Asia-Pacific states, such as Russia, China and the United States. APEC operates as a member economy because it emphasizes trade and economic integration. APEC provides the basis for the minimal restrictions in CBPR because it does not impose any binding commitments on member nations. Each country has an equal say and economic decisions are passed through a consensus. India has a two-decade pending membership request, which highlights the growing commercial tensions in Asia (Ayres, 2014). The exclusion of India from APEC also outlines why trade between Asian countries remains well below its potential.
APEC endorsed the adoption of a regional privacy framework in 2005, establishing the foundation for the CBPR. APEC encouraged member states to implement national privacy laws guided by principles from its privacy framework (Greenleaf, 2014). However, while the 2005 model acknowledged the significance of cross-border data exchanges, the implementation process encouraged multilateral agreements. The model did not include a platform for stakeholders to create a regional mechanism for data sharing (Greenleaf, 2014). CBPR is the result of APEC’s initial attempt to establish a regional privacy framework. Established in 2011 and revised in 2015, the digital policy seeks to provide a solution for 21 economies in different stages of data compliance (Greenleaf, 2014). CBPR mirrors both the underlying objectives of APEC and the revised privacy framework. It is non-binding and responsibility-oriented.
Seven years after CBPR’s establishment, only four nations are known to have put it into operation. Japan, Canada, the United States and South Korea are spearheading the adoption of CBPR (Wiley Law, n.d.). The four states are the only ones to establish accountability agencies based on CBPR guidelines. Australia, Hong Kong, the Philippines, Thailand and Vietnam all show genuine interest in forming regulatory bodies. The slow rate of implementation indicates how slowly the CBPR system has started. The digital policy is yet to attain critical mass among APEC nations. The statistic raises the question of whether society should remain optimistic about CBPR becoming the global solution for privacy protection.
Overview of the CBPR System
CBPR does not strive to achieve the mutual recognition of privacy systems but rather double certification of the different systems. The privacy system achieves this function using a number of steps. First, APEC requires that each member state follow the outlined CBPR steps and form at least one government agency for cyber enforcement (Wiley Law, n.d.). For instance, the Federal Trade Commission (FTC) is the United States’ enforcement agency whereas TrustArc is its accountability agency. For a company to acquire CBPR compliance certification, it must prove to the accountability agent that it meets the data privacy policies. In May 2016, the FTC announced a settlement with Very Incognito Technologies (Vipvape) for misleading consumers about its CBPR participation and certification (Nekhoroshkov et al., 2022). The case highlights CBPR’s reliance on domestic authority for enforcement.
Secondly, CBPR identifies relevant domestic authorities that can enhance the enforcement of data privacy regulations (Wiley Law, n.d.). Even though CBPR subjects member states to one privacy regime, it does not replace national laws. Companies that are CBPR compliant must also meet domestic privacy laws, even if they have stricter standards. China, Russia, Indonesia and Canada already have data localization laws (Wiley Law, n.d.). For instance, Russia requires that cross-border data containing the personal information of Russians be stored in servers located in Russia. Even though CBPR provides a singular privacy platform, compliance benefits vary from business to business and from country to country. Businesses in finance will still have to comply with stricter localization requirements.
CBPR acknowledges that not all countries have domestic data privacy laws. In such instances, the policy requires the local companies to identify third-party certifying organizations (Wiley Law, n.d.; Nekhoroshkov et al., 2022). APEC must recognize the selected data privacy agency. The three approaches help the CBPR system address absent or variable adoption of privacy frameworks within the Asia-Pacific region. Because it does not replace national laws, CBPR requires that member states acknowledge that other privacy systems are adequate based on the countries joining APEC (Wiley Law, n.d.). Instead, CBPR provides minimum privacy standards that enable the harmonization of privacy systems. Companies can use CBPR certification as a marketing tool indicating their reliability and compliance.
Does the CBPR Privacy Framework Meet the Trends?
Existing companies considering CBPR certification need to acknowledge the limited implications of the regulatory qualification. Certification implies that a company can deal with personal information as long as it is in accordance with the APEC framework. The policy does not have any tangible effect on the company, such as structural modification (Greenleaf, 2014b). If the company relocates to another APEC country, the initial certification becomes irrelevant. The organization will be required to acquire separate certifications in each country participating in the data transfer. CBPR qualification does not imply businesses are free to transfer data to any APEC economy (Greenleaf, 2014b). Each country must permit the data exchanges based on national laws. If the domestic law has higher privacy and security standards, there is no benefit in companies acquiring CBPR certification. Overall, CBPR has no direct effect on a company’s ability to import and export data from republics outside APEC. All these certification gaps outline CBPR’s slow pace in matching other global digital policies.
Despite the United States pivoting towards Asia for increased trade, not many companies from APEC are looking for CBPR certification. As of 2017, there were only 24 CBPR certified companies in the world (Solove & Schwartz, 2017). 23 are located in the United States, while one is in Japan (Intasect Communications Inc.). The small number of companies is not associated with difficulties in meeting CBPR standards. Instead, Solove and Schwartz (2017) argue that CBPR is still in its first generation while other digital policies are in the second or third generation. The authors use findings published during the 2016 Asian Privacy Scholar Network. According to the institution, a comparative study of 20 non-European countries with comprehensive data privacy laws found that a considerable number of the republics are in the late stages of the second generation of privacy guidelines (Solove & Schwartz, 2017). CBPR could be increasing the level of discordance between APEC states.
CBPR is pushing countries into improving and reinforcing their domestic privacy laws as opposed to focusing on the harmonized privacy system. The CBPR system has experienced modest to null growth since the coronavirus pandemic (Cooper et al., 2021). While more territories, including Bermuda and Singapore, have recognized CBPR as a certification mechanism for international data exchanges, no country has initiated enforcement actions since 2020 (Cooper et al., 2021). It can be said that APEC countries with stronger levels of protection are not getting closer to CBPR guidelines. The trend does not explain why companies from such countries are not receiving CBPR certification. The perception is that many companies do not see the worth of CBPR accreditation. The success of foreign digital policies lies in their ability to transfer benefits across borders. It becomes difficult to envision the future success of the CBPR given the distinct data privacy laws in China and India.
CBPR might be succeeding in harmonizing digital protection systems by pushing APEC states and other non-European countries towards European privacy directives. Major countries with comprehensive data privacy legislation offer a level of protection near the 1995 EU directive (Cooper et al., 2021). The European guidelines were a second-generation revision of OECD provisions established in 1981. Over two decades old, CBPR does not provide a level of protection better than the 1995 directives. The gap explains the increased inclination towards the GDPR. As more countries tailor their domestic laws based on EU guidelines, their national privacy systems become more compatible with those in European nations (Cooper et al., 2021). This fact is seen in the establishment of the Common Referential for the Structure of the EU System of Binding Corporate Rules. The referential acts as a checklist for corporations applying for CBPR certification under APEC (Cooper et al., 2021). Increased harmonization translates into more opportunities for data transfer and digital trade. CBPR could end up being a stepping stone for the Asia-Pacific region when it shifts to implementing the GDPR framework.
CBPR is failing to guarantee compliance by negating foreign sovereignty in the enforcement of privacy regulations. One of the main arguments presented by advocates of the CBPR system is that it is compatible with the domestic laws governing data privacy (Cory & Dascoli, 2021). The subtext of the advocacy was a criticism of Europe’s GDPR, which requires member states to align their national laws to match the higher standards set by the digital policy. While CBPR is presented as compatible, the actions of member states suggest it is not. The Korean Communication Commission included an amendment of Article 17 of the PIPA for the country to adopt CBPR (Cory & Dascoli, 2021). Japan had to amend its articles on cross-border movement to fully integrate the CBPR system in 2016. Japan and South Korea are two examples of CBPR impeding sovereignty in data protection. APEC participating states have to amend domestic laws to meet the requirements of CBPR. Modifying local laws could have negative implications for the level of protection a country provides its citizens.
CBPR pushes states with strict data privacy laws to lower their protection standards, discouraging participation. In order to adopt CBPR, Japan and Korea had to change their data privacy laws. However, the amendments do not provide the countries with the autonomy required to maintain high levels of information protection (Cory & Dascoli, 2021). For instance, Japan can mandate local companies to offer a level of protection consistent with existing laws. Companies can be required to meet certain data safety scores, perhaps 9 on a scale of one to ten. The same demands are inapplicable when the data is transferred overseas. Japan cannot command the recipient to offer the same degree of protection. Such a scenario increases cyber risks for Japanese citizens when their personal information goes outside the country. CBPR is ineffective because it does not incentivize member states to all adopt high levels of data protection (Cory & Dascoli, 2021). Instead, it encourages them to lower their standards to a uniform level.
CBPR merits discussions on the international stage because it is an underperformer. Unlike GDPR, the digital policy is yet to result in increased information exchanges between countries. Since the establishment of the E.U.-U.S. Privacy Shield, over 4000 companies have completed compliance with GDPR (Sullivan, 2019). CBPR has fewer than 30 certified companies. Part of the policy’s failure stems from the rise in data localization and protectionism. Apart from the United States, major economies are inclining towards localization. For instance, despite being an APEC member, China has never shown interest in adopting CBPR (Sullivan, 2019). Vietnam introduced a new cybersecurity bill that includes provisions for data localization requirements. India is heavily considering adopting a domestic system that is based on the GDPR. The heightened isolation of major economies contributes to the slow uptake of CBPR by APEC member states.
CBPR could be failing because of its political underpinnings. Sullivan (2019) argues that the digital policy is more of a political message on the United States’ strategic interests as opposed to a technical mechanism. With GDPR and increased data localization, the United States is losing opportunities for cross-border data exchanges in Europe and Asia. The low-level security standards in CBPR establish a much clearer message to businesses that the United States is committed to developing channels for cross-border data flows (Sullivan, 2019). The rise in data localization highlights that some countries are opposed to America’s political message. The United States is using CBPR as a competitive digital system counter to the cross-border data structure advocated by the European Union (Nekhoroshkov et al., 2022). The collision of two major political ideologies for data sharing incentivizes major economies outside Europe and North America to develop independent data protection systems.
The Internet of Things outlines the need for secure and effective digital policies to facilitate cross-border data flows. Even though the internet provides individuals, businesses and countries many benefits, data protection and privacy risks increase when data crosses borders. CBPR is a digital policy meant to facilitate data exchanges within the APEC region. However, the slow uptake of the policy raises questions on whether the mechanism strikes the right balance between data protection and trade objectives. It remains unclear if CBPR is the solution for cross-border data exchanges in Asia-Pacific. The policy’s lower level of standards incentivizes data localization or the adoption of GDPR guidelines. The policy does not add value to a company’s data privacy mechanism. Therefore, it is more likely that the E.U.’s data protection model will continue to set global data protection standards. If Canada and Mexico establish CBPR enforcement agencies, then North America can send a strong message to other APEC members. The success of CBPR will be determined by its ability to transfer benefits of increased cross-border data exchanges to a high number of APEC economies.
References
Ayres, A. (2014, June 25). Bringing India inside the Asian trade tent. Council on Foreign Relations, https://www.cfr.org/report/bringing-india-inside-asian-trade-tent
Cooper, E., Austin, S. & Rockwell, S. (2021, October 26). The privacy, data protection and cybersecurity law review: APEC. The Law Reviews, https://thelawreviews.co.uk/title/the-privacy-data-protection-and-cybersecurity-law-review/apec-overview
Cory, N. & Dascoli, L. (2021, July 19). How barriers to cross-border data flows are spreading globally, what they cost and how to address them. Information Technology and Innovation Foundation, https://itif.org/publications/2021/07/19/how-barriers-cross-border-data-flows-are-spreading-globally-what-they-cost
Greenleaf, G. (2014). APEC’s cross-border privacy rules system: A house of cards? Privacy Laws and Business International Report, 42, 27-30.
Greenleaf, G. W. (2014b). Asian data privacy laws: Trade and human rights perspectives. Oxford University Press.
Meltzer, J. & Lovelock, P. (2018, March 20). Regulating for a digital economy: Understanding the importance of cross-border data flows in Asia. Brookings Global Working Papers, https://www.brookings.edu/research/regulating-for-a-digital-economy-understanding-the-importance-of-cross-border-data-flows-in-asia/
Nekhoroshkov, V. P., Aroshidze, A. A., Nekhoroshkov, E. V., Yuchzhong, K., Avdokushin, E. F., Kotenko, A. G., & Timukhin, K. M. (2022). Logistics efficiency of APEC economies: diagnosis, interconnections and digital experience for Russia. Transportation Research Procedia, 61, 118-124.
Solove, D. & Schwartz, P. (2017). Information privacy law. Wolters Kluwer.
Sullivan, C. (2019). A comparative analysis of the approach of the EU and APEC to cross-border data transfers and protection of personal data in the IoT era. Computer Law & Security Review, 35(4), 380-397.
Wiley Law. (n.d.). APEC’s cross border privacy rules system: privacy protection for the Asia-Pacific and beyond. Wiley: Privacy, Cyber & Data Governance, https://www.wiley.law/newsletter-Oct_2017_PIF_APECs_Cross_Border_Privacy_Rules_System