Privacy & Information Security Law Blog

On October 21, 2016, the Vietnam e-Commerce and Information Technology Agency and APEC co-hosted an APEC Cross-Border Privacy Rules (“CBPR”) system capacity-building workshop in Da Nang, Vietnam, on the heels of last week’s bilateral affirmation of commitment between the U.S. and Japan to implement and expand the CBPR system. The workshop further signals the continuing growth of the CBPR system.

The workshop, Readiness for the Cross-Border Privacy Rules System in APEC, was organized under the auspices of APEC’s “CBPR Multi-Year Project” which is dedicated to providing funding to APEC countries that wish to join the CBPR system. The workshop brought together Asia-Pacific-based government officials, privacy and data governance experts, third-party certifiers and online dispute resolution providers, as well as Vietnamese private sector stakeholders, to discuss the state of CBPR implementation in Vietnam and other APEC economies.

Featured prominently in the workshop was a draft report conducted by the Vietnam e-Commerce and Information Technology Agency entitled, “Survey on the Readiness for Joining CBPRs.” The report surveyed APEC member countries about their intent to join Canada, the U.S., Mexico and Japan in the CBPR system. The responses were highly promising; Korea, Singapore and the Philippines reported that they “plan to join,” and Australia, Hong Kong, Russia, Taiwan and Vietnam are “considering” joining. The comments on the ground were even more promising. For example, the representative from the Philippines predicted that his country will join the CBPR system within one to two years. Of course, several workshop participants cautioned that there are various unresolved issues that need to be addressed before their countries could join. The issues include, for example, which government agency would lead the application process or be responsible for enforcement of the CBPR, and how to structure the certification process to ensure its scalability to companies of all sizes. To address these issues and others, the workshop brought in a number of international experts, some of whom have been significantly involved in either the creation or implementation of the CBPR system, or have other relevant experience in the governance of cross-border data flows, organizational accountability and data protection management.

Developed by the 21 APEC member economies, the APEC CBPR system is a regional, multilateral, cross-border data transfer mechanism and enforceable privacy code of conduct developed for businesses. The CBPRs implement the nine high-level APEC Privacy Principles set forth in the APEC Privacy Framework. Currently, the U.S., Mexico, Canada and Japan are participants in the APEC CBPR framework.