INCA Blog
Most developed countries have enacted privacy legislation with the intent to protect their citizens from bad corporate practices that may, either deliberately or inadvertently, release their personally identifiable information (PII) to unauthorised persons. While this is obviously a well-intentioned activity, it does have a commercial impact. Companies wanting to transact across sovereign borders must ensure they adhere to privacy legislation in the countries in which they do business, and individuals providing their PII to foreign companies need to be confident that their private data is being adequately protected in the foreign jurisdiction.

Europe has addressed these issues via the General Data Protection Regulation (GDPR) initiative, which harmonises privacy legislation across European Union countries. The main driver for the GDPR is protection of individuals’ privacy. The legislation requires organisations to establish data controllers for repositories of PII and to seek consent for the use of PII within their business processes. GDPR also provides for recourse in the event of contravention of the regulation. Indeed, the penalties can be quite severe, with enforcement agencies in each country ready to investigate, and if necessary prosecute, those that violate the legislation.

In the Asia Pacific region the approach has been quite different. It is unrealistic to expect a harmonisation of privacy regulation across countries in the region, so the Asia-Pacific Economic Cooperation (APEC) established the Cross-border Privacy Rules (CBPR) system. Countries joining the CBPR must evaluate their privacy legislation against the 9 principles of the APEC Privacy Framework and then provide a mechanism for companies to be ‘certified’ by an Accountability Agent as being compliant with the CBPR.

While both initiatives seek to protect private data, they are very different in their approach. GDPR relies on a legislative mandate that enjoins member countries in a prescriptive solution. It is based on homogenised legislation that ensures similar treatment of infractions regardless of where they occur in the European Common Market. By contrast, participation in the CBPR system is entirely voluntary; it is based on self-assessment with third-party verification. It relies on negotiated settlement of alleged contraventions and imposes no restriction on member countries regarding their local privacy laws. In order to participate, a country must have enacted privacy legislation; this is a pre-requisite because member countries must map their local law to the CBPR Privacy Framework as a step in their application to join the initiative. Some Asian countries are not in a position to consider CBPR because they lack the legislative framework to participate.

So, GDPR is predicated on tight coupling between member states, which enables a strong legislative response to the task of data protection. CBPR accommodates a loose coupling of member countries, imposing a framework that enhances cross-border trade and provides some recourse for individuals in the case of privacy regulation contravention by a foreign participant.

                             GDPR                                                  CBPR
Program Characteristics      Tight-coupling of European member states              Loose-coupling of APEC member countries
Legislative Framework        Prescriptive, based on a single privacy legislation   Guidance, accommodating multiple privacy laws
Recourse for contravention   Punitive, with significant penalties                  Negotiated, with local agreements for redress

Table 1 - Comparison of GDPR & CBPR

While GDPR and CBPR, by necessity, take different approaches, both serve to raise awareness of privacy issues and to raise trust in the Internet as a vehicle for digital commerce.