South Korea poised to join Apec cross-border privacy system

South Korean Flag

14 December 2016. By Danbee Lee and Mike Swift. 

South Korea is expected to file an application to join the Asia Pacific Economic Cooperation Cross Border Privacy Rules system, or APEC CBPR, as early as the end of this year, MLex has learned.

The date has yet to be fixed, but it should happen very soon, MLex was told.

The APEC CBPR is an international data-transfer system that was put in place in 2011. Its objective is to facilitate international data transfers among Apec countries through a voluntary, accountability-based system. US officials have said they hope it will become the global privacy standard and will also boost the availability of digital goods and services throughout the region.

At the moment, however, the data transfer system counts just four members: the US, Canada, Mexico and Japan. Only the US and Japan have designated accountability mechanisms in place to certify that companies are complying with the system’s rules. Taiwan has noted its intention to become the fifth country to come aboard.

For South Korea, the CBPR will be positive, helping to reduce the gaps between individual Apec countries’ levels of personal data protection. It will provide a minimum threshold and a general framework to which Apec countries can refer to when dealing with data privacy issues. It will also benefit South Korean companies that have operations abroad, as it will give them a clear idea of the protection they will receive.

Proponents of the Apec system, particularly US officials, who have promoted it heavily in recent months, see it as a more workable global privacy alternative to Europe’s more proscriptive system.

Although Europe enforces privacy as a fundamental human right, the Apec system is intended also to promote commerce and international transfers of data to provide digital goods and services, while protecing data privacy. While the Apec system offers regional rules, the EU approach evaluates each individual country to which data is to be transferred and has to determine that the receiving country’s system is adequate.

South Korea and the Philippines have previously signaled their intent to join the Pacific Rim system, but their timetable for joining is not known.

In part because South Korea has such strong privacy and data protection rules, US officials have seen the country’s potential addition to the CBPR as a huge boost to the system, because it would bolster the case for businesses to become certified. Only a handful of US companies have been certified to transfer data internationally under the CBPR system, although the group includes large multinationals such as Apple, IBM and Cisco Systems.

US officials are also concerned about moves by individual nations to restrict international flows of data, such as through laws that require personal data to be stored on servers physically located within a country, and see the CBPRs as a way to blunt those data-localization laws. The now apparently doomed Trans-Pacific Partnership, for example, provided that “each party should encourage the development of mechanisms to promote compatibility between these different regimes” for personal information protection.

An official from the Korea Communications Commission told MLex that it had taken some time before the agency was able to finalize the decision to join the CBPR system. Due to the complexity of the issue, the KCC had to meet with agencies, parliament and associations to explain the CBPR concept and how it would benefit South Korea.

The KCC is the telecommunications agency in charge of filing the CBPR application.

Under the CBPR rules, a country that wishes to join must have an enforcement authority for privacy, which would be required to participate in a cross-border privacy enforcement arrangement. Fourteen APEC economies satisfy that requirement. In the US, the CBPR system is enforced by the Federal Trade Commission.

A further requirement for joining the system is confirmation of an intention to use a trust-mark provider, or Apec-recognized accountability agent, to certify that the privacy policies and practices of participating companies are compliant with the CBPR system.

A report by Apec in October found that of the 21 member nations surveyed, only Malaysia and Chile had no intention of joining the international data transfer system.

Receive MLex Editor's Picks in Your Inbox

Complete this form to receive emails from MLex with selected highlights from our global coverage of regulatory risk and opportunity, as well as upcoming events, special reports and exclusive interviews.