Support Centre

International: Status of privacy laws in APEC countries from the perspective of cross-border trade

In December 2020, the Asia-Pacific Economic Cooperation ('APEC') released a report on e-commerce capabilities across APEC Member States1 ('the Report'). The Report is the result of a study conducted by APEC which assessed a number of capacity-building activities that can be implemented by Member States to facilitate cross-border e-commerce and ultimately enhance global trade, including, most notably, the harmonisation of national laws. To this end, the Report provides a comparative analysis of national policies, laws, and regulations that have an impact on cross-border e-commerce across various focus areas, namely: cross-border data flows, consumer protection, data privacy, and cybersecurity.

Nikada / Signature collection / istockphoto.com

More specifically, the Report builds upon a comprehensive database of national laws and regulations contained in Annex A2 and provides a snapshot of the status of privacy and cybersecurity laws across APEC countries. Considering this, this article discusses the key findings within each focus area.

Cross-border data flows

Conditions for the cross-border transfer of personal data

According to the Report, the flow of data across borders is an integral element of international trade and within the e-commerce value chain, whether due to shipping logistics, payment processing, or data analytics, either by businesses operating centralised data centres, or by third-party service providers. However, in light of public policy concerns such as data protection and securityin the digital environment, the Report observed that almost all APEC countries have put in place requirements to restrict cross-border data flows, with the exception of Papua New Guinea.

Among the countries that have promulgated restrictions on the export of personal data to third countries, the conditions thereof can be categorised into the following four approaches:




Category APEC Member States

1. Transfers based on the consent of the data subject

There is an explicit requirement to obtain consent.

Chile, Mexico, South Korea

2. Transfers based on the consent of the data subject and/or the presence of similar levels of protection in the third country

In addition to obtaining consent of the data subject, the recipient of data must be subject to certain contractual requirements or be located in a country where there are comparable safeguards.

Brunei Darussalam, Japan, Malaysia, New Zealand, Peru, Russia, Thailand

3. Transfers based on the accountability of the data controller

The data controller bears the responsibility of ensuring the protection of personal data.

Australia, Canada, Philippines, Singapore
4. Other approaches
  • China: under the Cybersecurity Law of 2016, the transfer of data is subject to security assessments;
  • Chinese Taipei (Taiwan): there are restrictions in place where the transfer concerns public interests or where there is no comprehensive regulation in the recipient country which sets out data protection and data subject rights;
  • Hong Kong: the transfer of personal data is generally prohibited except in accordance with guidance which specifies certain countries that are whitelisted;
  • Indonesia: sector-specific regulations require data controllers to coordinate with, and report to, the relevant authorities;
  • United States: there are no restrictions at federal or state level but instead via sectoral legislation (e.g. Health Insurance Portability and Accountability Act of 1996); and
  • Vietnam: telecommunication service providers are required to store personal data onshore.

Table 1 Conditions for the cross-border transfer of personal data

Membership in international instruments

In view of the varying approaches to cross-border data flows, the Report highlighted the importance for APEC countries to reach an agreement on the rules governing the secure and free flow of data.

Indeed, the Report acknowledged several initiatives undertaken by APEC, including, most notably, the APEC Privacy Framework 2015 and the Cross-Border Privacy Rules ('CBPR') system, the latter of which provides a certification mechanism for organisations to transfer personal data between participating Member States. In this regard, the Report noted that only nine jurisdictions are currently participating in the CBPR system, namely: Australia, Canada, Chinese Taipei (Taiwan), Japan, Mexico, the Philippines, Singapore, South Korea, and the United States.

Separately, the study also looked into other international instruments that may be considered an effective basis for international data transfers, such as Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ETS No.108 ('Convention 108') and, in relation to the data transferred from the European Economic Area, adequacy decisions granted by the European Commission. Out of the 21 Member States, Mexico is the only country that has ratified Convention 108; whereas Canada, Japan, and New Zealand are the only countries that have been recognised by the European Commission has providing adequate protection.




  APEC CBPR system Convention 108 European Commission adequacy decision
Australia    
Brunei Darussalam      
Canada  
Chile      
China      
Chinese Taipei (Taiwan)    
Hong Kong      
Indonesia      
Japan  
Malaysia      
Mexico  
New Zealand    
Papua New Guinea      
Peru      
Philippines    
Russia      
Singapore    
South Korea    
Thailand      
United States    
Vietnam      

Table 2 APEC membership in international instruments

Data localisation requirements

Another element which has the effect of restricting cross-border data flows are the requirements on the location of computing and data storage facilities or 'data localisation' rules. Furthermore, the Report also noted that such limitations may constrain businesses in their choice of cloud computing services, and therefore, in the context of global trade, increase the cost of doing business.

Nevertheless, the study revealed that a number of APEC economies, including Canada, China, Indonesia, Russia, and Vietnam, have already established rules on data localisation to varying degrees. Canada and Indonesia, for example, have imposed specific requirements with regards to data that is collected by public sector entities; while the cybersecurity laws in China and Vietnam require operators of critical information infrastructure to store personal data within their respective territories. In a broader sense, federal laws in Russia also contain a general requirement on all data operators to process and store the personal data of Russian citizens using databases located in Russia.

In practice, however, especially within the financial services sector where there are strict requirements on localisation in relation to both personal and non-personal data, the Report indicated that there are mechanisms to relieve businesses from burdensome obligations. For instance, in Hong Kong, firms are permitted to retain records at external service providers, subject to an undertaking by the service provider that it will cooperate with the relevant authority where necessary. Furthermore, agreements, such as the Free Trade Agreement between the European Union and Vietnam or the Joint Statement on Financial Services Data Connectivity between Singapore and the United States, may also permit the cross-border supply of financial services, thereby facilitating international flows of financial data.

Consumer protection and data privacy

In addition to the flow of personal data, the Report identified consumer protection as an important consideration for actors involved in global trade, as policies and laws in this area prescribe obligations and minimum standards to protect consumers from harmful commercial practices. In this regard, the Report emphasised that all APEC Member States have already enacted consumer protection laws and regulations, albeit to varying extents and concerning different types of commercial activities.

Similarly, the study considered the use of customer data in the digital economy for marketing purposes and, in more general terms, to enhance business operations. For example, data analytics and related technology now enable organisations to personalise and target products and services in accordance with the preferences and behaviour of customers, in view of increasing sales. However, the Report recognised that the growing reliance on data analytics also necessitates robust measures to protect such data and to prevent misuse and breaches of the same, as elaborated below.

Direct marketing

According to the Report, many APEC Member States have enacted regulations pertaining to direct marketing and spam to govern the sending of commercial or promotional messages.

Such regulations typically require at least one of three types of consent. Firstly, regulations may require express or 'opt-in' consent where consent is signified by the active actions of the recipient. Member States such as the Philippines and the United States have adopted this approach. Secondly, consent may be implied or, in other words, inferred from the actions of the recipient or from existing business relationships between the recipient and the sender. Economies that have permitted this kind of consent within their laws include China, Hong Kong, and New Zealand. Finally, regulations may also refer to assumed or 'opt-out' consent in which consent is presumed, unless the recipient opts out of further communication, though this approach is less common.

In terms of the scope, the study revealed that regulations on direct marketing tend to be either technology-specific (i.e. regulating a certain type of messaging technology) or technology-neutral. On one hand, technology-neutral laws provide a wide definition to 'communication' and can be found in China, Hong Kong, and Australia; whereas technology-specific laws concerning, for example, SMS and MMS broadcast messages can be seen in the Philippines.

Data protection and privacy

As reported by the study, principles of data protection and privacy carry significant implications in the context of global trade and e-commerce, as it often involves large volumes of information shared between platforms and service providers. The Report observed that, in response to the growing need to protect personal data in the course of such activities, all APEC Member States have introduced data protection laws, with the exception of Papua New Guinea.

While not all of these laws apply equally to both public and private actors, the study indicated that similar elements and concepts can be found. Nevertheless, key differences include:

  • the definition of 'personal information' and whether this encompasses non-identifiable information;
  • the definition of and level of protection for 'sensitive data';
  • the establishment of a centralised data protection authority vs. the sharing of responsibility among several agencies;
  • the privacy principles on which data processing must be based;
  • the requirement to notify data breaches to the supervisory authority and/or data subjects; and
  • the requirement to appoint a data protection officer.

Cybersecurity

Another focus area that has an impact on cross-border e-commerce, as identified by the study, is cybersecurity or, more specifically, cybersecurity-related regulations. Notably, these regulations often overlap with privacy regulations in its aim to ensure a minimum level of protection to safeguard the confidentiality and integrity of information as well as information systems.

Indeed, the Report highlighted that many of the regulations found in APEC countries are also motivated by the increasing risk of cyber threats and cybercrimes, including internet fraud, malware, ransomware, and Distributed Denial-of-Service. Such laws can therefore be distinguished as follows: cybercrime laws and cybersecurity laws. According to the study, the former category tends to deal with more traditional offences and computer-related crimes, while the latter concerns a larger set of issues in relation to connected networks.

In this regard, the Report revealed that all APEC economies have at least some laws dedicated to cybercrime, often accompanying legislation which provides for criminal sanctions. Cybersecurity legislation, on the other hand, is less prevalent. Nevertheless, among the eight APEC Member States that have introduced cybersecurity legislation, such legislations contain, at minimum, requirements for monitoring, preventing, and handling cyber risks (typically on a risk-based approach).





  Cybercrime laws Cybersecurity laws Cybersecurity strategy
Australia  
Brunei Darussalam  
Canada  
Chile  
China
Chinese Taipei (Taiwan)
Hong Kong    
Indonesia
Japan  
Malaysia  
Mexico  
New Zealand  
Papua New Guinea  
Peru  
Philippines  
Russia  
Singapore
South Korea
Thailand
United States
Vietnam  

Table 3 Cybercrime and cybersecurity legislation3

Final remarks

The analysis undertaken by APEC indicates that there are diverging approaches to addressing international trade and cross-border e-commerce, not least in terms of national laws that aim to protect its citizens, but nevertheless significantly impacts how information and data are processed, shared, and protected across the global value chain.

In response to these findings, APEC has proposed a number of capacity-building activities in order to achieve a better balance between the protection of individual rights and the interests of businesses in cross-border trade. These include, among other things:

  • adopting of international standards, practices, and guidelines at national level;
  • improving mutual recognition and interoperability among national laws;
  • strengthening international cooperation; and
  • establishing new approaches to regulations.

Karan Chao Privacy Analyst
[email protected]


1. Available to download at: https://www.apec.org/-/media/APEC/Publications/2020/12/Assessment-of-Capacity-Building-Needs-to-Support-WTO-Negotiation/TOC/Main-Report.pdf.
2. Available to download at: https://www.apec.org/-/media/APEC/Publications/2020/12/Assessment-of-Capacity-Building-Needs-to-Support-WTO-Negotiation/TOC/Annex-A.pdf.
3. See the Report on page 117.