Asia-Pacific Region at the Privacy Crossroads (2008)

7. Business Compliance


It is important to make an objective comparison between the business compliance requirements under the EU and US/APEC approaches.

A key motivating factor for the US/APEC approach is to simplify and streamline business compliance, in comparison with the perceived problems with the EU approach. For example, the Centre for Information Policy Leadership has stated:

A growing number of multinational businesses, including members of the Center, have expressed increasing interest in emerging information privacy and security legal regimes in East Asia. This heightened attention reflects a concern that East Asian nations may follow the lead of European countries in developing restrictive privacy laws or a wide range of privacy laws that unnecessarily burden multinational information flows. At the same time, there is hope that, following upon the success of APEC in developing moderate privacy principles, East Asia might be the first region to develop harmonised, moderate privacy laws that facilitate multinational commerce, trade and travel.[43]

For domestic business compliance there is little difference. The APEC Privacy Framework requires compliance with domestic legislation, and, as we have seen, the domestic legislation in the Asia-Pacific region is very similar to that in the EU.

However, business compliance for cross-border information flows is more complex.

In the EU, business compliance for cross-border information flows requires consideration of Article 25 of the EU Directive, which places conditions on the transfer of personal information outside the EU. In the US/APEC approach, Principle 9 (Accountability) must be considered.

7.1. Business Compliance (EU)

Article 25 of the EU Data Protection Directive prohibits the transfer of data to any country outside the EU, unless the country has been recognised as having an ‘adequate’ level of data protection in place. However, Article 26 lists several exceptions to this requirement:

1. ...Member States shall provide that a transfer... to a third country which does not ensure an adequate level of protection... may take place on condition that:
(a) the data subject has given his consent unambiguously to the proposed transfer; or
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken in response to the data subject's request; or
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
(e) the transfer is necessary in order to protect the vital interests of the data subject; or
(f) the transfer is made from a [public] register...
2. ... a Member State may authorise a transfer... to a third country which does not ensure an adequate level of protection... where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

Binding Corporate Rules (BCRs) are one mechanism for meeting the Article 26(2) exception, allowing an organisation (or corporate group) with operations in multiple countries (some of which are outside the EU and lack ‘adequate’ status) to transfer data across borders, but within the organisation. The European Union’s Article 29 Data Protection Working Party publishes occasional guidance on the use of Binding Corporate Rules.

To date BCRs have had limited take-up. The approval process is complex and expensive, and approval may also be very restricted (for example, to human resources data only). In an effort to simplify and clarify the BCR approval process, the Working Party recently released a series of Working Documents setting out the requirements of a successful BCR application.[44]

However, these do not address the key difficulty in gaining approval for a BCR – BCRs must be approved by the data protection authority of every EU Member State out of which the organisation wishes to transfer data.

It is difficult to see any significant benefit offered by BCRs regarding business compliance. Their use is limited to situations where data is transferred within a corporate group, and the expense and complexity of the application process will deter many organisations.

Alternative means of business compliance are available that have fewer limitations and may ultimately be simpler and quicker to implement. These include the use of ‘appropriate contractual clauses’. The European Commission issued a set of model contract terms to satisfy this requirement in 2001. An improved set of model contract terms (known as Set 2) came into force in April 2005. Further revisions and improvements are expected to be released in late 2008.

One concern with the model contract terms is that some Data Protection Authorities in the EU still require contracts to be filed with their office. Other EU countries require that the agreement is pre-approved by the local regulator before the transfer occurs (although if the model terms have been used this is a formality).[45]

Fortunately this ‘registration’ approach has not been followed in any Asia-Pacific jurisdiction, and even in Europe the number of jurisdictions requiring registration is falling.

The use of model contract terms seems highly preferable to the use of BCRs, and since the improvements to the model contract terms came into force in April 2005, it is difficult to identify any significant outstanding business concerns with the compliance requirements in the EU. Obviously the simplest form of compliance remains available – sending data to countries that have been assessed as adequate – and hopefully this list will grow over time.

7.2. Business Compliance (APEC)

Business compliance under the APEC Privacy Framework is complex. Domestic compliance is not affected at all – so the focus is on cross-border compliance.

Unlike the EU there is no mechanism in APEC for the provision of model contract terms as a mechanism to assist business compliance. During the early development of the APEC Privacy Framework there was some discussion of developing model contract terms, but this is no longer on the agenda.

The APEC focus is on the development and recognition of an organisation’s Cross Border Privacy Rules (CBPRs). An organisation will prepare a draft privacy policy (their Cross Border Privacy Rules) that describe how they comply with privacy standards and how they manage complaints (Pathfinder Project 1 will provide a set of questions to assist in the development of this document).

These draft Cross Border Privacy Rules will be assessed by an approved accountability agent against a set of common criteria (the criteria are being developed in Pathfinder Project 3). The accountability agents will vary per jurisdiction – they could be Privacy Commissioners or perhaps trust-mark scheme operators. If an organisation’s CBPRs are assessed as compliant they will be added to a public directory of compliant organisations.[46]

Cross Border Privacy Rules are proposed as a solution to a perceived compliance issue in the region:

...difficulties for companies in having to seek approval from different agencies in a number of economies for the same proposal for information flows.[47]

The claimed benefit of CBPRs is that they will be ‘recognised across APEC’:

A system that permits the wider use of CBPRs acknowledges that businesses already recognise that it is essential to protect the personal information of their customers. Developing a scheme that provides guidance on how CBPRs can meet the APEC-wide standards of the APEC Privacy Principles means that business CBPRs can be recognised across APEC economies.[48]

In practice, an organisation will possibly be listed on an APEC website as compliant, but it is unclear what effect this has on individual jurisdictions. One US commentator has argued that each jurisdiction will then be bound to ‘recognise’ the organisation as compliant if it has been approved by any other jurisdiction:

The rules must be approved by an accountability agent, and a national authority must submit the name of the approved entity to the APEC Secretariat to be posted to a Web site. Once a company’s cross-border rules are approved by one economy, they must be recognised by all other participating economies.[49]

This seems to be a bizarre conclusion to reach, and it is not supported by any evidence in the Asia-Pacific region. No jurisdiction in the Asia-Pacific has an up-front registration requirement for an organisation’s privacy policies. Each jurisdiction would currently only assess a privacy policy in relation to a complaint. In order for this to work, every jurisdiction would have to introduce new legislation providing regulators with an ‘approval’ or ‘recognition’ power (and the appropriate new resources to implement this) – this appears completely unnecessary and is not in keeping with the legislative approach taken in any Asia-Pacific jurisdiction.

Within APEC, there is also some recognition that Cross Border Privacy Rules may only be relevant for a small number of businesses:

This arrangement will not be practicable for the vast majority of companies operating in APEC, but it is an option for leading global corporations to show their bona fides as ‘good corporate citizens’.[50]

Perhaps the APEC CBPR approach is more closely aligned with trust-mark developments in the region. There is some interest in trust-marks in the Asia-Pacific and they are currently in use in Japan and Singapore (and proposed in Vietnam). Trust-mark schemes do include registration and pre-approval requirements.

However, great care should be taken before placing any reliance on trust-mark schemes as a form of cross-border privacy protection:

  • In practice trust-mark schemes are effectively restricted to domestic companies. For example, trust-mark scheme information in Japan and Vietnam is largely available only in local languages. In Japan the list of trust-mark members is not available in English and the trust-mark logo itself is written in Japanese characters.
  • Trust-mark schemes also tend to provide broader coverage than privacy – for example the Singapore trust-mark is a generic e-commerce trust mark, with only minor references to privacy.
  • Trust-mark schemes have virtually no coverage beyond consumer-facing websites – they are simply not used for the majority of cross-border data transfers in the region.
  • Trust-mark schemes have very little support from consumer and non-government organisations, primarily because voluntary trust-mark schemes have had no impact in any jurisdiction on the type of behaviour that causes consumer problems.

It is very difficult to see how trust-mark schemes can even begin to offer cross-border privacy protection in comparison with legislation, and it is surprising to see how much effort has gone into accommodating trust-mark schemes within the APEC Privacy Framework.

In the EU the Binding Corporate Rules are a pragmatic workaround for data being sent out of the EU, but within a corporate group. They have been rightly criticised as expensive and cumbersome. In APEC the CBPRs are more ambitious, but there is no guarantee they will be simpler or cheaper than the EU process.

Organisations still need to comply with local domestic requirements, including relevant conditions on transborder data flows. No jurisdiction currently includes pre-approval of privacy policies as a condition, and it is extremely doubtful that any Asia-Pacific jurisdiction would introduce such a requirement.

For businesses in the region, a more attractive proposition will be transferring data to ‘adequate’ countries or using contracts and other accountability mechanisms to meet the conditions in local legislation. Over time the number of jurisdictions assessed as adequate by the EU and/or other Asia-Pacific jurisdictions should increase. Standard contract terms are already in wide use and there may be further guidance on this from regulators in the future.[51]

Despite these concerns, work on the APEC Privacy Framework continues and some commentators expect Cross Border Privacy Rules to be in use (and presumably ‘recognised across APEC’) in the near future:

The Pathfinder Projects should be completed in early 2009. It can be expected that a number of companies will begin to use APEC cross-border privacy rules in the latter part of 2009.[52]

Perhaps this will be true in the Americas or elsewhere in APEC (this Article has not analysed developments in Russia and the Americas). In the Asia-Pacific region it is extremely unlikely that CBPRs will ever become a significant part of the privacy landscape, and there is little chance of their recognition in the region in 2009.

[43] The Center for Information Policy Leadership, East Asia Privacy Leadership Project, Hunton & Williams LLP, August 2005, <>.

[44] The Working Documents are available from the Article 29 Working Party: <>.

[45] Refer to Boschee K, International Data Protection Law Restrictions On International Transfers Of Personal Data, Faegre & Benson LLP, 2005, <>.

[46] Asia-Pacific Economic Cooperation, The Cross-Border Privacy Rules – Implementation and Operating System, 2006/SOM3/ECSG/DPM/009, September 2006, <>.

[47] Peter Ford, APEC Privacy Framework June 2005 Domestic Implementation, 1-2 June 2005, <>.

[48] <>

[49] Abrams M, How does ‘privacy’ translate abroad?, The National Law Journal, 31 March 2008, <>.

[50] Malcolm Crompton, APEC Symposium on Information Privacy Protection in E-Government and E-Commerce, 20-22 February 2006, <>.

[51] ALRC Report 108, recommendation 31-7; refer to footnote 20.

[52] Abrams M, How does ‘privacy’ translate abroad?; refer to footnote 49.