Privacy 9 February 2015

Moving data across borders: APAC and the CBPR system

By Noelle Francesca De Guzman, Senior Director, Regional Affairs and Engagement

This year, Asia-Pacific is set to surpass North America as the world’s largest e-commerce market. But while it drives the global growth in online transactions, the region has yet to see a similar push by domestic economies to beef up laws to protect consumer data.  Privacy provisions in the region remain patchy, with most economies relying on disparate policies to govern the collection of personal information online.

The four-year-old APEC Cross-Border Privacy Rules (CBPR), hailed as the first pan-global framework for data privacy, might be a step in the right direction. Based on the guidelines set by the APEC Privacy Framework, the CBPR is intended to provide a minimum layer of protection for online consumers: It places limits on the types and amount of personal data that commercial entities can gather, and requires that businesses notify customers before information about them is collected or shared with third parties.

The system is voluntary, and relies largely on businesses aligning their privacy programmes with its code of conduct.  To participate, an economy must satisfy the conditions set by the Joint Oversight Panel, and must also put forward an accountability agent to review businesses for the CBPR stamp of approval.

While they do not cover the entire region, the CBPRs, if implemented properly, can provide a baseline for accountable data handling by companies operating in APEC member economies, 15 of which are in Asia-Pacific. They can also foster complementarity between domestic data protection regimes, as well as regional cooperation on privacy-related law enforcement.

The scheme is not without its limitations. To start, the CBPR system is self-regulatory, and applies only to the data collection practices of businesses—not governments and individuals—and only to data that moves across different jurisdictions. A government backstop is in place, the APEC Cross-Border Privacy Enforcement Arrangement, but only five countries in Asia-Pacific—New Zealand, Australia, Japan, Singapore and South Korea—have public enforcement authorities on the list.

Thus far, three economies, Japan, Mexico and the US, have opted into the CBPRs, but only one—the US—has an accountability agent, TRUSTe, which means that at the moment, only US-located businesses can apply for CBPR certification. As APEC observers have pointed out, the system is fraught with a ‘chicken and egg’ problem, with both companies and governments withholding their participation until the other signs up, or expresses enough interest to join. Businesses lament the lack of uniformity in the language used by regional bodies to define terms like ‘personal data’, which can hinder proper compliance. Meanwhile, civil society groups like Open Net Korea assert that CBPR-certified companies undermine the system through small-print exemptions in their privacy policies, particularly for personal data provided in mobile apps or ‘behind logins.’

The APEC Data Privacy Sub-Group, through venues like the bi-annual APEC Electronic Commerce Steering Group meetings, tries to iron out these wrinkles. This year’s first gathering, held in the Philippines last week, introduced potential improvements to the CBPRs: these included a proposed corollary certification system for commercial entities that process—in addition to those that control—data collected online; and increased interoperability between the CBPR and its European counterpart, the EU Binding Corporate Rules (BCR) system.

Undeniably, more work needs to be done on the ground. Companies must be made aware that such mechanisms, which can boost consumer trust in e-commerce and facilitate better regional trade, are worth taking up. Governments, for their part, need to be more proactive about developing and implementing domestic privacy laws, ensuring that these are consistent with emerging international standards.  

The CBPR is not a perfect system, but it is a starting point—for strategy-building, inter-sectorial cooperation, and responsible data collection, all of which would be welcome advancements in the privacy landscape in Asia-Pacific.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
