In February 2013, Mexico became the second approved participant in the Cross-Border Privacy Rules (CBPR) programme - a system for convenient cross-border data transfers introduced in 2011 by the Asia-Pacific Economic Cooperation (APEC). At the same time, APEC and EU Data Protection Authorities (DPAs) plan to create a unified cross-border system covering both regions. This will be a welcome development likely to stimulate global trade.
APEC operates as a forum, of 21 countries from the Asia-Pacific region, promoting a free and open market and encouraging economic integration. One of its recent initiatives is the CBPR system, which involves companies adopting internal privacy rules assessed by accountability agents. This promotes unified data privacy policies for businesses operating throughout APEC economies. APEC leaders pledged to implement the programme in November 2011. The first country to join the system in July 2012 was the United States.
At the same time, representatives of APEC and the EU have begun discussions on creating a unified cross-border system. Achieving this will be helped by the fact that APEC’s CBPR and the EU’s binding corporate rules (BCRs) are very similar. Both systems involve companies developing internal policies for international transfers that are approved by third party authorities. A key difference, however, is that BCRs ensure that EEA businesses can transfer data to affiliates outside the EEA without breaching EU law, whereas the CBPR system is designed to promote transfers of data within the Asia-Pacific region. The French DPA (CNIL), which represents the EU in these discussions, has studied the similarities and differences between the two systems and carried out preliminary work on developing the unified mechanism. An initial road map for the project will be prepared by the APEC and the Article 29 Working Party in the coming months. Once introduced, the new system promises to bring much needed certainty for businesses operating or planning to operate in both regions.