CBPR regains its mojo as South Korean tech companies consider its benefits

If take-up rates are anything to go by, the Cross-Border Privacy Rules, or CBPR, have been a flop. Over the past 10 years, a mere 48 companies have signed up to the Asia-Pacific regional data-transfer system. And indeed, benefits of it are so far not tangible.

That may be about the change. Last month, the South Korean privacy regulator began to promote the CBPR certification to the country's businesses, and South Korean tech companies, including NC Soft, Yanolja and Naver, are now looking at the CBPR as a way of enhancing their business prospects in Asia.

“We have 100 percent interest [in getting the CBPR certification], and will make sure to get it first,” Park Euiwon, head of the data privacy division at the South Korean game company NC Soft, told MLex at a recent privacy conference in Seoul. NC Soft offers game services in more than 50 countries worldwide.

But what has changed? Why is it that the CBPR, which has largely been unused for the past decade, has become the must-have certification for companies offering services in the Asia-Pacific region?

The answer may be that the CBPR certification is seen by South Korean businesses operating in major places in the Asia-Pacific such as Japan and Singapore as an important way to gain consumer trust and show that their company values data privacy.

And with the system set to expand globally with a recent rebranding from APEC CBPR to Global CBPR, South Korea — and Asia more broadly — can expect to see the CBPR system emerge as a necessary benchmark to prove a business organization’s level of data protection and security.

Rebranding to Global CBPR

The CBPR is one of a few international data-transfer mechanisms. It was created in 2011 under the APEC Privacy Framework, but the system has not been so successful in getting bloc-wide support among APEC countries.

Over the course of a decade, only nine countries, the US, Mexico, Japan, Canada, South Korea, Australia, Singapore, Taiwan and the Philippines, out of 21 APEC members joined the system. And only 48 companies, with 39 of them located in the US, six in Singapore and three in Japan, applied and received the CBPR certification, according to the official CBPR website.

The low participation among members meant that the system needed an overhaul.

The US wanted to expand the system globally while other members of APEC, such as China and Russia, were against the idea of having personal data move freely across borders, because the countries mandate that businesses store their citizens’ data in their countries. In April, the US brought together some of the current members of the CBPR system, including Canada, Japan, South Korea, the Philippines, Singapore and Taiwan, to Hawaii to announce the launch of Global CBPR. The event was also attended by non-APEC members, including the UK, Brazil and Chile, according to officials familiar with the development.

“There has been a discussion [among the participating jurisdictions] about formally withdrawing from APEC. The purpose is to have the system overcome the regional limit and expand more globally,” said Jung Tae-in from the personal data cooperation team at the Korea Internet & Security Agency, or KISA, during a recent online talk to introduce the CBPR to local businesses, where some 50 South Korean businesses signed up to listen to the talk.

Benefits

In South Korea, the CBPR is a voluntary system and it’s entirely up to businesses to join or not.

In contrast, Japan and Singapore recognize the CBPR certification in their privacy law. Japan, which adopted the system in 2014, requires businesses to be certified with the CBPR when transferring personal data to a third party located in a foreign country. Singapore adopted the system in 2018 and revised its data-protection law last year to recognize the CBPR legally as one of the modes for transfers of data overseas. South Korea joined the system in 2017.

But with the CBPR system remaining voluntary in South Korea, the prospect that South Korean businesses would join the system remained uncertain, some privacy experts said. But major tech companies, especially those that operate services in Japan and Singapore, the CBPR can be used as an important tool to gain trust and credibility from customers.

“There is nothing like the CBPR that could provide trust to customers when we do business in Japan and Singapore,” said Park.

Naver’s messaging service Line and Naver Cloud are also considering applying to get CBPR certification to reduce some of the concerns that Japanese customers have over data transfers to overseas locations, MLex understands. Line, owned and run by the South Korean portal giant Naver, is the most popular messaging app in Japan.

“[The] CBPR is something that can be used widely in Asia, and it’s something that intersects with other global data-transfer systems too,” Kim Chang-oh, chief privacy officer at Yanolja, told MLex at the recent privacy conference. Yanolja has regional offices in Singapore and Vietnam.

Will the process of getting the certification be troublesome? CBPR compliance means that a company meets all 50 requirements under the six principles that assess how the companies are collecting, managing and processing customers’ data.

Yanolja’s Kim said that the CBPR has loose requirements compared to other privacy certifications such as the global certification ISO 27001 or South Korea’s ISMS-P. It isn't a lengthy and complex process to get one because companies can easily meet the list of requirements under the CBPR if they are already certified with one of the two privacy mechanisms, he said.

Outlook

KISA, which is a South Korean accountability agent for the CBPR, said it will keep the assessment process simple so that it doesn’t put heavy demands on companies. The agency plans to complete assessments within three months after the submission of an application.

“We will also simplify the process, and it will only take two-thirds of what it usually takes for the ISMS-P assessment,” said Jung from KISA.

Businesses will have another reason to consider applying for the CBPR — it won’t cost a dime to apply for the certification up to the end of this year. KISA charges around 10 million won ($7,700) to 15 million won ($11,623) to businesses applying for the local privacy system ISMS-P but decided not to charge fees to encourage more businesses to apply for the CBPR.

But the benefits may not have a long-lasting effect in bringing more local businesses to the CBPR as long as the system remains voluntary.

It appears that it will be a long time before the CBPR is formally included under the South Korean privacy law, especially when currently pending revisions of the privacy law have been sitting at the National Assembly without much progress since September last year.

Still, it looks like more businesses will follow suit if the CBPR can prove to be a real differentiator for businesses wanting to prove the level of privacy they can offer Asian customers.