Balancing Data Flow and Privacy

Taiwan is preparing to join APEC’s Cross-Border Privacy Rules system.

Last year Taiwan (or “Chinese Taipei” as it is known within APEC, the Asia Pacific Economic Cooperation forum) announced plans to prepare to join the group’s Cross-Border Privacy Rules (CBPR) system designed to facilitate the flow of data across the Asia-Pacific region. To participate in CBPR, a country’s data-privacy protection laws must be shown to adhere to a set of common principles, with an effective enforcement mechanism in place.

Once an APEC member economy has been accepted within CBPR, companies in that country may apply for certification of their data-security systems. Certification then allows them to freely transfer their data to other CBPR-participating countries without having to prove adherence to those jurisdictions’ own privacy laws. (Subsidiaries of multinational companies are generally covered by the certification of the parent entity).

Of the 21 APEC entities, five – the United States, Canada, Mexico, Japan, and South Korea – have already joined the CBPR, and Singapore has submitted an application. Besides Taiwan, the Philippines and Vietnam have expressed their intention to take part. “For a trade-oriented economy like Taiwan, it’s vital both to ensure a free flow of data and to support the growing international trend of privacy protection,” explains Susan Hu, director of the Multilateral Trade Affairs Division at the Bureau of Foreign Trade, which has been assigned to coordinate Taiwan’s efforts toward CBPR readiness.

“This year was dedicated to capacity building,” says Hu. The government organized two workshops to acquaint domestic stakeholders, including both government agencies and members of the private sector, with the workings of the CBPR system. Last month Taiwan also played host to a seminar that provided opportunities for the exchange of ideas among APEC-wide privacy-law specialists and participants from 19 APEC countries.

The priority for the coming year will be to enhance awareness of the CBPR requirements among small and medium enterprises (SMEs). In other markets, most of the companies that have become CBPR-certified are large corporations, but in Taiwan SMEs constitute the backbone of the economy. “CBPR can enable SMEs to reduce their compliance costs when operating in other countries,” says Hu. “They can’t afford to pay huge legal fees, but with CBPR it will be easier for them to integrate into global value chains.”

When Taiwandata formally applies for CBPR membership, it will need to designate the government agency or agencies that will act as the enforcement authority. In the United States, it is the Federal Trade Commission. Under Taiwan’s Personal Information Protection Act (PIPA), however, enforcement is divided among different government bodies according to industry sector – the National Communications Commission for telecom companies, Ministry of Health and Welfare for hospitals, Financial Supervisory Commission for financial institutions, and so on. Before Taiwan is in a position to submit its application, “we will need to coordinate internally to clarify the role of each agency to ensure that the system functions well,” Hu says.

In its application, Taiwan will also need to specify an “accountability agent” to verify companies’ compliance with CBPR. It has not yet decided whether to appoint one of the two existing recognized accountability agents – an American firm and a Japanese – or create one of its own.

There is no fixed timetable for Taiwan to complete its preparatory work. “The most important thing is for it to be done well,” says Hu.