Mar 152018

Singapore Joins APEC Cross-Border Privacy Rules System and Privacy Recognition for Processors Program

Cameron F. Kerry, Nicholas Seng, John M. Casanova and Yuet Ming Tham
, , , , , ,

On March 6, 2018, Singapore announced that it has joined the APEC Cross-Border Privacy Rules (CBPR) system as well as the APEC Privacy Recognition for Processors (PRP) program. Singapore is the sixth member of the CBPR system, which includes Canada, Japan, Korea, Mexico and the United States, and is the second member of the PRP program after the US.

Faced with a diversity of privacy laws across APEC member countries, APEC established the CBPR program to facilitate the transmittal of personal data across national borders within and between companies and organizations. Companies and organizations in CBPR member countries that collect and use personal data (i.e. data controllers) will be able to obtain CBPR certification through a compliance review process by an independent evaluator. APEC aims through the program to ensure that participating companies will comply with standardized security and privacy measures, to increase consumer and business confidence in certified entities and to align APEC’s privacy framework to internationally accepted standards.

In order for an APEC member to join the CBPR program, it must demonstrate to the APEC Joint Oversight Panel that the country’s data security/privacy laws and enforcement process adhere to mutually agreed upon baseline privacy principles. The prospective member state must also show how it will fulfill the CBPR program requirements for companies seeking certification, including a commitment that the member country will appoint an APEC-approved Accountability Agent to confirm compliance by applicant companies.  The APEC PRP program seeks to accomplish similar goals for data processors (i.e. companies that possess data on behalf of data controllers). As with the CBPR, participating member countries must appoint an Accountability Agent to ensure that data processor companies seeking certification comply with program requirements and have adequate compliance measures in place.

The Singapore government noted that its Personal Data Protection Commission is currently working on a certification scheme incorporating both CBPR and PRP standards, with launch scheduled by the end of 2018.

Company participation in the certification process is voluntary. However, as the number of both CBPR program member countries and approved companies rise, companies likely will experience greater benefits from obtaining certification. In addition, APEC and EU regulators have worked closely to align the CBPR program with the EU’s Binding Corporate Rules (BCR) framework which allows for cross-border personal data transfers with entities located in EU member states. As evidenced by the recent Merck example, obtaining CBPR certification for the APEC region may facilitate the BCR authorization process for the EU.  As a final note, Australia is preparing to join the CBPR program; with Australia’s participation, CBPR member countries will constitute nearly two-thirds of overall APEC GDP (based on 2016 World Bank data), which arguably makes it even more attractive for companies to go through the CBPR process.

Cameron F. Kerry

ckerry@sidley.com

Nicholas Seng

nseng@sidley.com

John M. Casanova

London

jcasanova@sidley.com

Yuet Ming Tham

Singapore, Hong Kong

ytham@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

How the China Personal Information Protection Law Applies to Foreign Asset Managers

Since China’s Personal Information Protection Law (PIPL) came into effect in November 2021, there has been widespread uncertainty amongst offshore fund managers and investors with entities outside Mainland China as to how and whether the regime applies to them. Given the potential for foreign asset managers to overlook or misinterpret PIPL, this brief update outlines some guidance as to how PIPL can apply, and to whom, in a practical context.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.