One of the most important developments for the Asia-Pacific region (APAC) in 2015 was theTrans-Pacific Partnership (TPP), which is the largest regional free trade agreement to date, reached between twelve countries from both sides of the Pacific (Australia, Brunei Darussalam, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, United States and Vietnam) that together represent 40% of global GDP.
TPP on personal data in the digital economy
Having taken more than five years to realise, the TPP is focused on increasing open trade and regional integration in APAC. Apart from offering new market access and investment opportunities, a striking feature of the TPP is a dedicated Chapter 14 on provisions for electronic commerce, which manifests the collective interest of the twelve member countries to ensure freedom of cross-border data and information flows which are the pulse of the digital economy, together with a commitment to protect personal data.
Protection of personal information
The bedrock provision on the protection of personal data is Article 14.8, where each member country will be required to “adopt or maintain a legal framework that provides for the protection of personal information of the users of electronic commerce”, and member countries should“endeavour” to develop mechanisms and suitable arrangements “to promote compatibility between different regimes”. The TPP has defined “personal information” in Article 14.1 broadly to mean “any information, including data, about an identified or identifiable natural person”, which is similar to the position in the European Union.
With the exception of Brunei and Vietnam which are in the process of implementing their respective legal frameworks for the protection of personal data, the other member countries already have established laws that address personal data protection and cross-border data transfers in one way or another.
Cross-border transfers of personal information
Where cross-border data transfers are concerned, Article 14.11,while recognising that each member country would have its own regulatory requirements concerning the transfer of information (by electronic means), obliges each member country to “allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business…”. Notably, “conduct of the business” has been left undefined, so this requirement could conceivably cover all manner of business, whether for a commercial or non-commercial purpose.
Freedom of data and information flows
Information that fuels the digital economy, including personal data, will inevitably involve the use of computing technology residing physically in a territory. To prevent localisation of “computer servers and storage devices for processing or storing information for commercial use”, Article 14.13 ensures that no member country shall require companies “to use or locate computing facilities in that [member country’s] territory as a condition for conducting business in that territory”.
In light of the growing cyber threat landscape that could disrupt the digital economy, Article 14.16 recognises the importance of capability building at the domestic level for computer security incident response, and also collaboration in terms of identifying and mitigating malicious intrusions or dissemination of malicious code that affect the electronic networks of member countries.
How the data protection provisions of the TPP will affect businesses
The opportunity that the TPP presents, is the potential for member countries to harmonise their personal data protection laws APAC-wide to reduce the cost of compliance and the cost of operations across a patchwork of national data protection laws, for collecting or processing personal data in member countries, and/or cross-border transfers of personal data between member countries.
We could see a more uniform approach and concerted effort towards the protection of personal data, which will help build trust and confidence between businesses and consumers in TPP markets.
Businesses will also have the freedom and flexibility of storing and processing personal data across different TPP markets. In particular, businesses will be able to rely on economies of scale to serve multiple TPP markets using computing and data (centre) storage facilities from fewer locations, without the need to build or invest in such infrastructure in every TPP market that the business seeks to serve.
A Safe Harbour for APAC?
With the United States and the European Union still reeling from the Court of Justice of the European Union (CJEU) decision to invalidate the Safe Harbor framework for cross-border data transfers across the Atlantic, the TPP gives data protection authorities in member countries the opportunity to chart their own set of principles and standards for the transfer and processing of personal data for APAC. Whereas the current sentiment in the EU, in reaction to the CJEU decision with respect to data transfers to the US, is seemingly one of restriction and data localisation, the TPP by contrast, is generally against such arrangements (with the exception of financial services).
In light of the overall drive for openness and collaboration under the TPP, including obligations on member countries under Article 14.15 to “exchange information and share experiences on regulations, policies, enforcement and compliance regarding electronic commerce, including personal information protection and security in electronic communications”, and to “encourage development by the private sector of methods of self-regulation that foster electronic commerce, including codes of conduct, model contracts, guidelines and enforcement mechanisms”, an APAC Safe Harbour could very well be on the horizon.
With the successful conclusion of negotiations, member countries must now begin the process of ratifying and implementing the TPP, which is expected to come into force within two years when domestic legislative procedures have been completed. It will certainly be interesting to see how the TPP pans out for APAC.