Insight: Should there be a similar APEC Cross-Border Privacy Rules ("CBPR") System in Hong Kong?
I. What is the APEC Cross-Border Privacy Rules (CBPR) System?
In November 2004, 21 APEC economies endorsed the APEC Privacy Framework (the “Framework”). Under the Framework, a system of voluntary cross-border privacy rules for APEC economies was established. In order to protect personal information that moves across APEC economies, the Data Privacy Pathfinder (the “Pathfinder”) was built.
The Pathfinder developed a voluntary certification system, namely the APEC Cross-Border Privacy Rules (CBPR) system, under which organisations may take part in an assessment process conducted by an APEC-recognised Accountability Agent for compliance with the CBPR requirements.
Once an organisation is certified under the CBPR system, privacy policies and practices consistent with the CBPR requirements bind the organisation and are enforceable by the appropriate regulator.
II. How does the CBPR System work?
The CBPR system has 4 stages:
1. Self-assessment;
2. Compliance review;
3. Recognition/Acceptance; and
4. Dispute Resolution and Enforcement.
At the ‘self-assessment’ stage, the business or organisation self-assesses its data privacy policies and practices against the 2015 APEC Privacy Framework CBPR recognised questionnaire.
A recognised Accountability Agent (the “Agent”) (i.e. an agent that meets the recognition criteria to the satisfaction of APEC members) will then ‘review’ the questionnaire against the ‘CBPR baseline standard’. The purpose of the ‘CBPR baseline standard’ is to ensure that the assessment process is uniform across APEC member states.
If the organisation passes the ‘review’ stage, it is recognised as compliant with the CBPR, and the Agent certifies it and publishes the certification in a compliance directory, where consumers and participants can look it up. The listing includes ‘contact point information’, i.e. information relating to the Agent that certified the organisation. The directory is hosted by the APEC Secretariat.
Once the organisation is ‘listed’ in the compliance directory, the Agent and the host APEC member’s privacy authority may enforce the CBPR requirements against the organisation or business via contractual or regulatory means.
III. Should Hong Kong adopt a similar version of the CBPR System?
In Hong Kong, the transfer of personal data is regulated under section 33 of the Personal Data (Privacy) Ordinance (Cap. 486) (“PDPO”). However, section 33 has not yet been brought into operation. This is because, back in 2012, the Privacy Commissioner for Personal Data, Hong Kong (PCPD) was concerned that section 33 might increase compliance costs for SMEs and that businesses in Hong Kong were simply not ready yet.
The requirements under the current section 33 of the PDPO are burdensome in that the transfer of personal data outside Hong Kong is prohibited unless it meets one of the prescribed circumstances under section 33(2):
1. transfer to places specified in the so-called ‘White List’ (i.e. where the PCPD has reasonable grounds for believing that the place outside Hong Kong has a privacy law substantially similar to, or serving a purpose similar to, the PDPO);
2. transfer to places that have an adequate data protection regime in the jurisdiction;
3. the data subject has consented in writing to the transfer;
4. the transfer is for the avoidance or mitigation of adverse action against the data subject;
5. the use of the personal data is exempted under Data Protection Principle (3) by virtue of the exemptions listed in Part 8 of the PDPO; or
6. the data user has taken all reasonable precautions and exercised all due diligence to ensure that the data will not be used or processed in contravention of the PDPO.
Although the so-called ‘White List’ approach provides certainty to the regulatory system on cross-border transfer of data, the issue is that the PCPD will have to allocate a lot of resources to maintain the list. Even if the PCPD can maintain it, it is important to note that the data regulatory landscape is evolving fast, and the rigid ‘White List’ approach may quickly become obsolete.
Should the PCPD consider amending the section 33 requirement, it should get rid of the ‘White List’ approach and introduce something similar to the CBPR system.
The CBPR system is self-regulatory: it outsources the assessment and review functions to market participants, thus lowering the costs for the PCPD. It also provides means of enforcement beyond the PCPD’s regulatory tools.
The CBPR system gives market participants flexibility and, by assessing the quality of the certifying Agents, raises the quality of both the Agents and the certified businesses, which in turn improves enforcement and assessment quality.
However, the downside of implementing a system similar to the CBPR system in Hong Kong is that the privacy law and regulatory regime of other systems may be very different from that of Hong Kong, and this may be problematic in terms of criteria of assessment and recognition of standards. It would be even more complicated if the two states have different legal systems, e.g. Hong Kong and the PRC, and this may also be problematic in terms of enforcement.
A successful certification system such as the CBPR system will take years to build, and by the time the CBPR system is implemented, it may already be obsolete. Comparing the two approaches, the CBPR system is perhaps the lesser evil. However, there are many technicalities to be ironed out, and difficulties lie ahead.
For more information regarding the APEC CBPR system and advisory work on section 33 of the PDPO, please contact ADG at firstname.lastname@example.org or Tel +852 3725 4806.