This week, it was officially announced that South Korea has become the fifth country to join the Asia-Pacific Economic Cooperation’s (APEC) Cross Border Privacy Rules (CBPR) system. This system was developed by APEC in 2011 to “build consumer, business and regulator trust in cross border flows of personal information” and thus facilitate e-commerce among APEC countries. The Ministry of Interior and the Korea Communications Commission stated on Monday that approval for joining the CBPR had been secured. In order for countries to opt in to the system, their legal systems and privacy protection must meet APEC’s standards.
APEC is an economic forum comprised of countries throughout Asia-Pacific. APEC’s importance should be noted: its 21 member economies comprise 54 per cent of the world’s GDP and 40 per cent of world trade. It exists to assist in trade through faster customs procedures and initiatives to synchronise regulatory systems across its member countries. The CBPR is a voluntary accountability-based system that facilitates the safe transfer of personal information across the APEC region.
South Korea joins the U.S., Mexico, Japan and Canada in the CBPR system; and so far, 20 companies, including Apple and IBM, have been CBPR-certified. Following the admission of South Korea, over 500 million internet users are now represented under the CBPR system, with additional countries, including Singapore and the Philippines, planning to join in the near future.
There are some similarities between the CBPR and the EU’s Binding Corporate Rules (BCRs), but the main difference is that the BCRs apply to inter-company overseas data transfers while the CBPR defines geographical spaces between which data transfers may occur. We reported on the Article 29 Working Party’s review of the CBPR system in 2015, which resulted in long-term aims to map the two systems together and create a common application which may allow companies, if successful, to become dual-certified under the regulatory requirements of both the BCRs and CBPR. While numerous companies have now become dual-certified, the process for approval for both the BCRs and CBPR remains as two entirely separate applications.