
Understanding the Politics and Economics Behind the APEC Cross-Border Privacy Protection Rules System

Dr. HONG Yanqing   2018-02-01 17:16
China's governance system for cross-border data flow is gradually taking shape. During this process, we often receive suggestions from foreign governments and organizations, especially those from the U.S. One of their core suggestions, or more precisely demands, is to urge China to adopt the APEC-CBPR system and not to open another path of its own.
 
Not long ago, the delegation of the United States circulated a communication to the Members of the WTO Council for Trade in Services concerning “measures adopted and under development by China relating to its cybersecurity law”, in which the U.S. recommended the APEC-CBPR system once again, claiming it to be a “less burdensome option” that is able to “achieve privacy objectives”.
 
In a nutshell, the basic logic by which the CBPR system promotes the cross-border flow of personal data consists of two steps. First, if companies in different countries commit themselves to following the nine principles of personal information protection proposed by the APEC Privacy Framework, then personal data should be able to flow freely among these companies. Second, precisely because these companies all adopt the same set of principles to protect the personal information they hold, their home countries, also participants in the APEC-CBPR system, should no longer obstruct the cross-border movement of personal information on the ground of protecting that information.
 
In September 2017, during the 39th International Conference of Data Protection and Privacy Commissioners (ICDPPC) in Hong Kong, I discussed CBPR with many stakeholders. This op-ed is written to document my personal views on the CBPR system, and perhaps it could also serve as a response to the voice from the US government and business associations.
Is CBPR a successful attempt?
CBPR was established in 2011. At present, its official website claims that the United States, Japan, Mexico, Canada and South Korea have joined the system. Yet as a matter of fact, although Mexico decided to join the CBPR in 2013 and Canada in 2015, neither country has yet designated an accountability agent. South Korea joined the CBPR in 2017, and KISA (Korea Internet & Security Agency) is now applying to become an accountability agent. Therefore these three countries have not yet actually put the CBPR system into operation. It should also be noted that at ICDPPC 2017, officials from Singapore's personal data protection authority made it clear that Singapore intends to join the CBPR.
 
To be exact, 6 years after CBPR’s establishment, only the US and Japan have put it into operation. It’s worth noting that Japan only designated an accountability agent, the Japan Institute for Promotion of Digital Economy and Community, in February 2016. In other words, it has been less than 2 years since the system was truly put into place in Japan. As for Mexico and Canada, which decided to join the CBPR in 2013 and 2015 respectively, they still haven’t designated their accountability agents. One may wonder: what took them so long?
 
Let us then look at the number of CBPR-certified companies: only 24 so far. Among them, there are 23 US companies and only one Japanese company, Intasect Communications, Inc. In other words, only one Japanese company has achieved CBPR certification since Japan began operating CBPR in early 2016. For the United States, in five years (from 2012 to the present) only 23 companies have achieved CBPR certification. Such a small number by no means results from the difficulty of achieving CBPR certification, a point that will be explained later.
 
Compared to other existing cross-border mechanisms for personal data, CBPR is by any standard an underperformer. The EU-US Safe Harbor Agreement, which has since been nullified by the CJEU, boasted more than 4,400 participating companies. Even the EU-US Privacy Shield Agreement, which has existed for only 1 year, already has over 2,500 companies signed up, as officials from both the United States and the EU confirmed at the ICDPPC 2017 meeting.
 
Such a big difference in the number of participating companies cannot simply be ascribed to differences in trade volume. Otherwise, why would the Obama administration propose the “pivot to Asia”? And why put forward the TPP, which covers most APEC countries? On top of that, how do we account for the massive contrast, or gap, between the huge volume of trade within the Asia-Pacific region and the little interest companies take in CBPR?
Does the APEC Privacy Framework match up with the trends?
According to a recent study by Professor Graham Greenleaf, who has closely followed the development of personal information protection laws in various countries, the basic principles of personal information protection have evolved through two generations and are now likely entering a third:
 
The first generation of personal information protection principles consists of the OECD Privacy Framework of 1980 and the Council of Europe's Convention No. 108 of 1981. Essentially, the two documents jointly defined the basic content of personal information protection law in the modern sense.
 
The second generation is represented by the EU Data Protection Directive of 1995. It expanded the first-generation principles to include elements such as "data minimization", "right to delete", "sensitive information" and "independent personal information protection authority".
 
The third generation of personal information protection legislation is again dominated by the EU, with its General Data Protection Regulation (GDPR). Compared to the second generation, GDPR adds new elements including "Data Protection Officer within the enterprise", "Data Protection Impact Assessment", "breach notification" and so on.
 
In addition to the EU-led evolution, the OECD released a new version of its privacy framework in 2013 with no major changes, mainly adding the requirement of “breach notification”.
 
If we examine the 9 major principles of the APEC Privacy Framework against this three-generation evolution, we can see that the APEC principles are still at the first generation.
 
Of course, one could think that it is only the EU that is driving the evolution of personal information protection, and that other countries all consider the first-generation level of protection good enough. However, empirical studies have proved otherwise. At the 2017 Asian Privacy Scholars Network annual meeting, Professor Greenleaf gave an interesting presentation. He selected the top 20 non-EU countries and regions by GDP that have comprehensive personal information protection laws and found that a considerable number of them are aligning with the second generation of personal information protection law. He rated them on a scale of 1 to 10, with 10 meaning fully matched with the second generation, and the result is as follows:
 
Peru (10), South Africa (9), South Korea (9), Argentina (8), Colombia (8), Malaysia (8), Canada (7), Taiwan (7), Australia (6), Hong Kong, New Zealand (6), Philippines (6), Israel (5), Japan (5), Mexico (5), Singapore (5), India (4), Vietnam (3), Indonesia (2), Chile (1).
 
According to Professor Greenleaf’s study, Chile, Indonesia and New Zealand are drafting new personal information protection laws, and if these draft laws are passed, the average score of concordance between the 20 non-EU countries and regions and the second-generation principles will rise to close to 6.5. Taking into consideration that the Supreme Court of India recently ruled that "privacy is a basic human right" and demanded that the Indian government draft a new law on the protection of personal information, the average score could be even higher.
 
That is to say, major countries and regions outside the EU with comprehensive privacy protection legislation in place are moving closer to the EU's 1995 Directive, providing a level of personal information protection much higher than that of the OECD and APEC Privacy Frameworks.
 
This point was also confirmed in my conversations with officials and scholars from Canada, Mexico, South Korea, Singapore, Hong Kong and other countries and regions, who all consider their countries’ personal data protection laws to clearly outperform the level of protection provided by the nine principles of the APEC Privacy Framework. This also indirectly explains that it is not that difficult for companies to obtain CBPR certification. They have simply decided it is not worth their while.
Does CBPR put constraints on a country's sovereignty?
In various workshops and side events of the 2017 ICDPPC meeting, U.S. officials strongly advocated the CBPR system. According to them, one of the major benefits of this system is that participating countries do not need to pass new laws or amend existing ones; CBPR is fully compatible with countries’ domestic laws governing personal information protection. The subtext of the U.S. officials’ advocacy is that the CBPR system is unlike the European approach, which requires other countries to align their laws with the high standard of the EU in order to obtain an “adequacy decision” or a bilateral data flow agreement.
 
However, a speech given by a Japanese official, in my opinion, told quite a different story. Japan amended its personal information protection law in 2015, and the amendment came into effect in 2017. The clause on the cross-border movement of personal information was changed to the following:
It can be seen that there are three scenarios in which the Japanese government allows the cross-border movement of personal information: first, the recipient country is on a whitelist of countries and regions identified by the competent Japanese authority; second, the recipient of the data in the foreign country abides by the "protection standards specified by Japan's Personal Data Protection Law"; and third, the data principal has consented to the cross-border flow of the data.
 
In the second scenario, the Japanese Personal Information Protection Commission explicitly included the APEC Privacy Framework and the CBPR system in its interpretation of the "standards prescribed by the PPC rules". In other words, in order to fully implement the CBPR system in 2016, Japan specifically amended its articles on the cross-border movement of personal information. Overseas companies holding CBPR certification are considered to have adopted a "proper and reasonable method" of personal information protection, so that personal information can flow freely from Japan to these overseas companies.
 
Similarly, South Korean officials shared with me that the current Korean law (Article 17 of the PIPA) requires individual consent for personal information to flow overseas. In order to operate the CBPR system, the KCC (Korea Communications Commission) submitted a proposal to amend this article to the National Congress of South Korea in March 2017, but so far the proposal hasn’t received any feedback.
 
What do the examples of Japan and South Korea illustrate? Let's think it through step by step. Generally speaking, a country's data protection regime can be divided into two parts: the protection of data at home and the governance of cross-border data flow. For domestic protection, a CBPR-participating country has full autonomy to require a high level of personal information protection. However, in designing its cross-border data governance system, a CBPR-participating country cannot demand that the foreign country's level of protection be consistent with its domestic level. For example, South Korea and Japan can demand a very high level of personal information protection within their own borders, perhaps level 9 or 10 on a scale of 1 to 10. However, they cannot demand that data flow overseas only on the condition that the recipient provides the same level of protection; instead, personal information has to be released as long as the recipient reaches the level 6 protection required by the APEC CBPR system.
 
This is why Japan and South Korea must amend their domestic laws governing cross-border data flow to meet the requirements of CBPR. The advocacy of US officials therefore intentionally blurs a very important point: CBPR indeed does not require participating countries to modify or lower their domestic level of personal data protection to the level guaranteed by the APEC Privacy Framework, but it does take away a participating country’s right, when governing the cross-border flow of personal information, to demand that the overseas data recipient provide more protection than the relatively low level required by the CBPR system.
 
Obviously, this is a significant constraint on a country’s sovereignty.
What is the relationship between CBPR and TPP?
In my opinion, CBPR, like the TPP, clearly demonstrates the strategic interests of the U.S. government. By forcing participating States to agree on a system of cross-border movement of personal information that offers a low level of protection, personal data from around the world is conveniently brought to the United States.
 
Let us look at the relevant provisions of the TPP e-commerce chapter. Firstly, TPP Chapter 14, Section 11, "Cross-Border Transfer of Information by Electronic Means", requires signatories to allow the free movement of personal information across borders unless a restriction is justified by a legitimate public policy goal. In this regard, many people will certainly consider that the protection of personal information is clearly a "legitimate public policy goal".
 
This is indeed the case. Let us then look at TPP Chapter 14, Article 8, "Personal Information Protection". On the surface, the article states that the protection of personal information is very important for the conduct of electronic commerce and that all signatories are obliged to protect personal information. However, the actual effect of this article is that, although the ways, methods and levels of protection among signatories are inconsistent, the protection of personal information is deemed achieved as long as a certain low baseline is met.
 
Why is it a low baseline? The devil is in the details. Footnote No. 6 of Chapter 14 of the TPP states: “a Party may comply with the obligation in this paragraph by employing or maintaining measures such as comprehensive privacy, personal information or personal data protection laws, sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy”. Through this footnote, signatories gain the autonomy to protect personal information in whatever way they prefer. Take the United States as an example: with the autonomy this footnote permits, the US does not need to enact comprehensive privacy protection legislation as South Korea and Japan have done, yet can still claim that its domestic systems already protect personal information sufficiently. And since U.S. law has already provided protection for personal information, other signatories should no longer restrict the flow of personal information to the United States for personal information protection reasons.
 
It is also exactly for this reason that the EU repeatedly emphasizes in the TTIP negotiations with the United States that the protection of personal information is a fundamental human right and must therefore not be bargained away in trade negotiations. With this stance the EU is resolutely preventing the United States from inserting a similar article into the TTIP, one that would demand that the EU relinquish the high level of protection it requires for the export of personal information.
 
In other words, the United States strives to achieve its strategic interests by popularizing the CBPR system, with its low level of protection for personal information, and by compelling signatories of the TPP to recognize the level of personal information protection under US law. All of this has the effect of facilitating the free flow of personal information across borders, or more precisely, to the United States.
Summary
At the moment, the EU is strategically using the legal tools provided in the GDPR and the 1995 Data Protection Directive to bring other countries closer to EU personal data protection standards, whereas the U.S. government is vigorously advocating the CBPR system and encouraging its close allies to join it. The essence of the latter is to ensure that other countries will not be able to use "a high level of protection at home" as a reason to limit the export of personal information, and ultimately to facilitate the flow of personal information to the United States. In this sense, the CBPR is clearly being used by the US as a rival regime to the cross-border data flow regime promoted by the EU.
 
In the collision of the two major trends mentioned above, why can’t China make its own independent choice based on its own interests?