Many consider the unrestricted flow of data as driving today’s digital economy. For private enterprises, cross border data flows “improve productivity and reduce costs by enhancing scalability, improving supply chain efficiency, facilitating data analytics, and enabling digital collaboration”.[1] They are particularly crucial in laying the foundations for economies seeking long-term competitiveness.[2] Their impact, however, has a far greater reach. By spurring technological innovations and making more efficient data processing possible, they enhance almost every aspect of life, thereby benefiting just about everyone.

Throughout the years, the world has seen cross border data flows enjoy a steady growth. From 2005 to 2015, global data streams increased 45 times.[3] Within that same time frame, the global GDP also saw an increase of over $2.8 trillion.[4] An amount that is expected to reach around $11 trillion by 2025.[5] In 2020, global data traffic hit 230 exabytes per month, with some predicting it to triple by 2026.[6] This surge has coincided with the evolution of data flows in terms of complexity, volume, and nature, nurtured by a variety of interrelated factors, like the increased economic importance of data processing and a conducive internet architecture.[7]

All these developments have also come to highlight the downside to transnational transactions. Apart from implementation-related challenges, they also expose organizations and individuals to a variety of risks:[8]

• • non-compliance with national laws
  • unauthorized disclosure of personal data
  • failure to uphold an individual’s data privacy rights, such as the right to access, correction, or erasure (of their personal data)
  • inability to cooperate with regulators in connection with complaints
  • regulators’ lack of capacity to investigate or enforce laws
  • inability to guarantee the protection of personal data in countries with a low protection level
  • conflicts between national and foreign laws
  • possible access to data by foreign government
  • overseas judicial decisions requiring the disclosure of data
  • problems with recovery or secure disposal of data
  • other harms, including loss of trust that results from the unlawful transfer and misuse of data

To address or at least minimize these negative consequences, governments have adopted an array of regulatory mechanisms that may be classified into three categories: (1) open safeguards; (2) pre-authorized safeguards; and (3) limited transfers.[9] The first is the most liberal in that it allows for some discretion in terms of how data transfers shall be secured, as long as prescribed guidelines are followed. The guidelines usually emanate from domestic statutes with extra-territorial application. In others, they consist of intergovernmental-level processes and multi-stakeholder participation across jurisdictions. The certification schemes envisioned under Article 42 of the European Union’s (EU’s) General Data Protection Regulation (GDPR), which encourages data controllers and data processors to voluntarily submit their data processing activities for assessment vis-a-vis the GDPR, are a prime example. Under the second model, government approval is typically required prior to data transfer, based on transparent criteria. China’s data export security assessment scheme is a case in point. The third is often characterized by strict and opaque requirements and a marked preference for data localization. Notable cases include regimes in Russia, Indonesia, and Vietnam.

The Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems (collectively, “APEC Systems”) also represent the first type of regulation. They are certification systems which, although developed and maintained by governments of APEC economies, require private sector buy-in in order to work. More recently, a Global CBPR Forum (“Forum”) was also launched, but it is essentially an APEC Systems replica.

This report analyzes the APEC Systems and offers an assessment both in terms of its effectiveness (i.e., ability to deliver its promised benefits) and resilience (i.e., ability to overcome issues and survive). It checks on the implementation status of the participating jurisdictions after supplying a quick glance at other existing data transfer regimes as a necessary backdrop. A snapshot of the Forum is also provided, particularly since its ties to the APEC Systems inevitably shapes the latter’s long-term future. But with its implementation yet to commence, a more thorough assessment seems premature.

The aim is to provide essential information about today’s efforts to manage cross border data flows. The APEC Systems—and the Forum, to a lesser extent—occupy center stage. In addition to raising awareness, the Report hopes to facilitate more stakeholder engagements in future policy-making processes revolving around the protection of personal data as it travels from one corner of the world to the next.