Today, data can be transferred around the world instantaneously, making the global marketplace seem almost borderless. As any multinational company knows, however, compliance with each country’s data transfer and privacy laws can be onerous. As the U.S. contemplates data protection legislation, the FTC last week announced a joint initiative with agency officials from the European Union’s Article 29 Working Party and Asia-Pacific Economic Cooperation (APEC), designed to help companies comply with cross-border data transfer and privacy laws in both regions. The coalition created the “Referential,” a new tool that maps the APEC Cross-Border Privacy Rules (“CBPRs”) to the EU’s Binding Corporate Rules (“BCRs”). It is designed to be a practical reference guide for companies that seek “double certification” under both the EU and APEC systems. This new tool is an important step towards mutual recognition, interoperability and the seamless cross-border transfer of personal information between the U.S., the EU and the Asia-Pacific region.
Under EU law, to transfer personal data from EU member states to countries outside the EU, a company must create BCRs and have them approved by national EU Data Protection Authorities (“DPAs”). BCRs are internal rules that define a company’s global policy regarding international transfers of personal data within the same corporate group to entities located in countries that do not provide an adequate level of protection. Similarly, APEC – through the Data Privacy Subgroup, consisting of 21 member countries called “Member Economies” – requires companies to create CBPRs that are certified by APEC CBPR Accountability Agents. Both frameworks require organizations to file applications for certification.
While there is much overlap between the two systems, there are also key differences, clearly explained in the Referential. The Referential is a checklist that breaks down each framework by element, highlighting commonalities and identifying additional or different requirements of each system. It is important to note that the tool is currently designed to compare and contrast, not to create a mutual-recognition system. “There is no judgment between the two systems, no legal assessment of a certain level of protection, no adequacy-finding mechanism,” Isabelle Falque-Pierrotin, chairwoman of the French Data Protection Authority (CNIL) and president of the Article 29 Working Party, said of the tool. “It is just about being pragmatic for companies by developing a common checklist of our specific requirements.”
An important principle of the APEC Privacy Framework, however, is to “give effect to cross-border privacy rules, encouraging Member Economies to work with appropriate stakeholders to develop frameworks or mechanisms for the ‘mutual-recognition’ or acceptance of such cross-border privacy rules between and among the economies.” Thus, mutual recognition is a foreseeable and desirable goal of the two systems.
Under the EU BCR and APEC CBPR systems, policymakers have indicated that companies must be accountable for ensuring that their personal data protection policies comply with each system. Organizations using the Referential should follow these best practices:
- To avoid conflict with any applicable laws, make the scope of your personal data protection and privacy rules very clear.
- In your applications for certification, clearly distinguish in which cases your organization will apply EU data protection laws and/or APEC CBPR program requirements.
- Tailor your data protection and privacy rules to reflect the structure, policies and procedures of the corporate group to which they apply.
- Remember: DPAs in the EU and CBPR Accountability Agents in APEC will not accept a pure copy and paste of the Referential template.
In addition to the Referential, the FTC last week signed a Memorandum of Understanding with the UK’s privacy enforcement agency, the Information Commissioner’s Office (ICO). Under the MOU, both countries agreed to share information, provide investigative assistance, and coordinate enforcement against cross-border privacy violations.
These developments signify the growing interoperability among the U.S., EU, and Asia-Pacific region, and represent an important step towards a global governance framework for the secure and efficient transfer of personal information.