Tech & Sourcing @ Morgan Lewis


As the European Union (EU) and Asia-Pacific Economic Cooperation (APEC) issue new rules on data protection, companies need to ensure their policies comply with the applicable regulations in this ever-changing landscape. The increasing requirements placed on companies bring to mind a famous quote: “With great power comes great responsibility.” Yes, Spiderman’s Uncle Ben said that, but the quote has particular applicability to the circumstances faced by multinational companies that have now been equipped with technology to transmit and access data across the world in the blink of an eye. Various data protection requirements have accompanied this “great power” of data transfer, particularly with respect to the transfer of personal data.

Through the adoption of the Binding Corporate Rules (BCRs) and the Cross-Border Privacy Rules (CBPRs), the EU and APEC, respectively, have implemented frameworks to facilitate the transfer of personal data within such regions. Both sets of rules aim to ensure that companies’ privacy and personal data protection policies comply with laws and regulations within the applicable region, thus enabling a free flow of information.

While the frameworks utilized by the EU and APEC set forth requirements for companies’ personal data protection and privacy policies, there are still some unanswered questions. In particular, companies formulating such policies have been left to guess whether their policies are sufficient to be both authorized under the EU framework and certified under the APEC framework. To assist with this challenge, experts from the European Commission’s Article 29 Working Party and from APEC Member Economies have worked together to issue a referential document to “serve as an informal pragmatic checklist for organizations applying for authorization of BCR and/or certification of CBPR.”

For each essential principle and element of the BCRs and CBPRs, the referential document sets forth both a “common block” that describes common elements between the BCRs and CBPRs and “additional blocks” that describe different elements between the BCRs and CBPRs, which should help companies seeking applicable authorization and/or certification.