At the beginning of March, representatives of the EU Article 29 Working Party and the Asia-Pacific Economic Cooperation (which includes, among others, the United States and the People’s Republic of China) announced the introduction of a new Referential on requirements for binding corporate rules (the Referential).
Both the EU and Asia-Pacific Economic Cooperation (APEC) regimes place restrictions on the transfer of data across borders. Under the EU regime, implementing a set of binding corporate rules (BCR) that have been approved in advance by national authorities will allow a company or group of companies to transfer data outside of the EEA without breaching the EU Data Protection Directive. Under the APEC regime, Cross-Border Privacy Rules (CBPR) serve the same purpose, allowing data to be transferred between participating economies. Both regimes require the rules to be approved in advance by regulators before they can be relied on.
The Referential does not achieve mutual recognition of both the EU and APEC systems, but it is intended to be a “pragmatic checklist for organizations applying for authorization of BCR and/or certification of CBPR”. The Referential acts as a comparison document, setting out a “common block” of elements that are shared by both systems, and “additional blocks” which list their differences. For example, while both systems require appropriate training to be given to employees, the EU regime requires only that this training is given to employees with permanent or regular access to personal data. In contrast, the APEC regime appears to extend to all employees.
Work on the Referential began early in 2013, with Lourdes Yaptinchay stating that cooperation between APEC and the EU “is an important next step towards better protecting personal data and could provide a foundation for more fruitful exchange between companies with a stake in the two regions.”
The comparative nature of the Referential highlights the challenges that face organisations that want to satisfy both the EU and APEC regimes in a single set of rules. By drafting a set of rules that complies with the most stringent regime on any one point, organisations can use the document to navigate the approval process with more ease.