On August 22, 2017, in Ho Chi Minh City, Vietnam, the APEC Electronic-Commerce Steering Group’s Data Privacy Subgroup (DPS) held its meeting with the European Commission (the Commission) to discuss issues related to personal data protection regimes and the facilitation of global data flows.

The DPS and the Commission exchanged information on the APEC Cross-Border Privacy Rules (CBPR) System and the EU’s General Data Protection Regulation (GDPR), which goes into effect in May 2018, with the aim of exploring interoperability between the two systems. The Commission explained that the reform facilitates data flows by simplifying the use of existing transfer mechanisms and introducing new tools for transfer. The Commission also informed the DPS about ongoing work with Asian-Pacific  countries on possible adequacy findings with a view to fostering regulatory convergence and facilitating trade, and expressed its interest in strengthening enforcement cooperation between data protection authorities in the APEC region and the EU.

Industry representatives from around the APEC region presented on the benefits of interoperability between data protection regimes to assist in complying with differing regulations while preserving cross-border data flows that underpin global commerce. 

The working group explored options for collaboration and a future work plan, including discussing mechanisms established under the GDPR such as certifications and codes of conduct.

The discussions are a continuation of work that began in 2012, when the DPS created a working group including representatives from the EU Article 29 Working Party of Data Protection Authorities with the aim of exploring interoperability between the CBPR and EU systems.

The working group developed a referential mapping the requirements of the CBPR System and the EU Binding Corporate Rules (BCR), an EU mechanism for facilitating global intra-corporate transfers.

The referential, which was endorsed in 2014, identified common elements of the two systems as well as divergent requirements to help inform companies seeking to develop policies and practices in compliance with both systems.

This meeting is the first reengagement of the working group with the EU since 2015, when the group last met on these issues.

The working group held productive discussions on ways to build on the previous work related to CBPR-BCR interoperability, with a view to the upcoming implementation of the GDPR in the EU.

The working group agreed to continue discussions intersessionally to endeavor to develop a joint work plan and continue discussions in Papua New Guinea in 2018.