Multinational organisations inevitably need to establish compliant data protection mechanisms for their overseas transfers of personal data.
Where an organisation processes personal data in the EU, the requirements of EU data protection law will apply to any transfers of that data. Organisations looking to implement a tailored solution for complex group transfers of personal data out of Europe may apply to National Data Protection Authorities (DPAs) in the EU for authorisation of group-wide Binding Corporate Rules (BCR). Yet where personal data is processed and transferred from an APEC economy, the data protection laws of the relevant APEC jurisdiction will equally apply, and BCR will not be the only consideration.
In 2011, the APEC economies' Data Privacy Group implemented a Cross Border Privacy Rules (CBPR) system. The CBPR are intended to protect flows of consumer data moving between APEC countries. As with the EU BCR system, the CBPR rely on organisations developing internal group rules on cross-border transfers of personal data. Under the CBPR system, accountability agents verify that the standards an organisation sets meet the APEC CBPR system requirements. An organisation looking to establish a group policy for all personal data processed within the group may therefore wish to reference the requirements of both the EU and APEC systems.
With this in mind, and in order to promote inter-regional cooperation, experts from the EU Article 29 Working Party and the APEC economies have been working together to map the BCR and CBPR systems against each other. In February 2014, the Working Party published an 'Opinion on a referential for requirements for Binding Corporate Rules submitted to national Data Protection Authorities and Cross Border Privacy Rules submitted to APEC CBPR Accountability Agents'. The referential is intended to act as an "informal pragmatic checklist" of the main requirements of the EU DPAs and of the relevant bodies in the APEC economies for applications for authorisation under BCR or CBPR.
The checklist is not intended to deliver mutual recognition of the two systems. Rather, it sets out the rules common to both systems and highlights the additional requirements that apply to one or the other, so that organisations wishing to seek dual approval and certification can more easily build these elements into their group binding rules.
The checklist covers 27 different requirement areas and identifies for each the elements common to both BCR and CBPR. Additional requirements specific to BCR and to CBPR are then listed separately. These requirement areas cover matters such as the system's scope, enforcement within the organisation, the remedies and rights available to data subjects, and enforceable obligations on transfers (including those made to third parties or group processors, and onward transfers). Further requirements addressed include, among others, the rules around the collection, use and quality of processed personal data, arrangements for the security of the data, requirements around programmes for training, review and audit, and the relationship between the rules and local data protection laws.
It is worth noting that whilst there are areas of common approach, there are also significant differences in the objectives, scope, processes and enforcement between the EU and APEC data protection laws, as well as differences in approach between individual APEC countries. For this reason, using the checklist will not easily enable an organisation to reconcile those differences in a single group-wide set of rules. Organisations considering incorporating the checklist elements into their internal rules as the basis for dual certification under BCR and CBPR will need to make clear in their policies when specific rules apply to EU data protection laws and when they apply to APEC CBPR requirements.
One key area of difficulty relates to the relative youth of the CBPR system and the fact that participation by APEC economies in the system is voluntary. At present only three APEC economies, the USA, Japan and Mexico, participate. As CBPR can only be used by organisations operating within an APEC economy that participates in the CBPR system, the value of the system for organisations with businesses across the full 21 APEC economies will remain limited until participation across the APEC region increases.
In addition, the limitation of the CBPR system's scope to transfers flowing within the APEC region means that certification will not deliver legal certainty for transfers outside the APEC region where the data protection law of a participating APEC economy includes wide restrictions on international transfers.
There is also the challenge of aligning the EU model, based on mandatory requirements, legal authorisation and enforcement, with an APEC system based on choice, private sector assessment for certification, and enforcement founded on principles of accountability.
However, despite these current limitations, it is not enough for organisations to consider their data transfers purely through the blinkers of EU data protection law obligations. In this respect, the checklist is a helpful tool for those seeking to adopt more of a 'world view' of their data protection compliance and to develop workable group-wide procedures and controls.