Apec’s new data privacy rules
The Asia-Pacific Economic Cooperation (Apec) has embarked on a journey to establish a region-wide data privacy framework. It’s called the Cross-Border Privacy Rules (CBPR), and the Philippines is about to enter this process. It’s a set of privacy rules that will facilitate the sharing of data across borders within Apec, a region of 21 economies that make up more than half of the world’s gross domestic product, trade and foreign direct investments.
While voluntary today, the system may become the de facto “rules of the game” for cross-border data sharing in Apec, in the same way that Europe’s General Data Protection Regulation (GDPR) has become the standard for companies doing business with European companies.
What exactly is CBPR? Apec defines CBPR as a voluntary certification scheme that allows companies to transfer personal data (inter- and intra-company) in a safe manner across Apec economies. Participation in CBPR allows businesses to demonstrate their organizational accountability and create more consumer trust in data privacy. It is a flexible system, since companies can adjust their privacy policies to suit their business requirements. But because there is some standardization taking place across borders, it can reduce compliance costs with respect to data transfers and sharing. For consumers, it enhances data protection and streamlines the customer complaint process. For the government, it can improve trade facilitation (important since we are a service-driven economy) and can lower enforcement cost since certification can be done by the private sector.
How do we join CBPR? There are basically two stages to joining, and the Philippines has started that process. It’s worth noting that the country passed a Data Privacy Act in 2012, which created the National Privacy Commission (NPC). It sets the rules and regulations for data-handling and privacy within the country and establishes the NPC as the lead agency for policy formulation and enforcement.
To join CBPR, the Philippines had to confirm its participation in the Cross-Border Privacy Enforcement Agreement (CPEA) and designate a Privacy Enforcement Authority (PEA). It did those in 2017 and assigned the NPC to be the authority. The next step is to submit its letter of intent at the next Apec Senior Officials Meeting in Chile. This letter is a collaborative effort between NPC, the Department of Trade and Industry and the Department of Foreign Affairs.
The second stage requires the creation of an “Accountability Agent.” This is the body that will certify that private corporations meet the standards for data privacy and sharing across borders. This can be a government agency or a private corporation. For the Philippines, this will likely be a private corporation since the government is already the regulator. If an Accountability Agent does not exist in the Philippines, then companies would have to be certified by another agent overseas, facing similar inconvenience and expense that manufacturers currently face when they send their products abroad for testing.
Who else has joined CBPR? Eight out of 21 Apec members have joined CBPR: Australia, Canada, Chinese Taipei, Japan, South Korea, Mexico, Singapore and the United States. The Philippines will be the ninth. Getting in relatively early gives us time to learn the process and refine our strategy.
Why joining is important. The global economy has become digital. Virtually every transaction can be boiled down to data, which can be shared within or across borders. Given the importance and size of the business process outsourcing industry, the Philippines is basically a “data-receiving” country. We receive, process and transmit data. It also applies to banking, health, e-commerce and a host of other industries. Data-intensive industries will want to work with companies (large or small) that follow basic privacy and security standards. The same will go for consumers.
So why haven’t you heard anything about CBPR? Apec works on a wide range of policy topics, and this one is still in its early stages. But if you look at how quickly Europe’s GDPR gained traction, you will appreciate how fast a practice becomes a standard. Which is why Abac (Apec Business Advisory Council) Philippines and the Makati Business Club will be hosting a forum on CBPR and its implications for businesses in the Philippines.
Guillermo M. Luz is an alternate member of the Apec Business Advisory Council Philippines and chief resilience officer of the Philippine Disaster Resilience Foundation.
Business Matters is a project of the Makati Business Club ([email protected]).
