TOKYO -- The U.S. has proposed separating a key international framework for data protection from the Asia-Pacific Economic Cooperation forum in its growing rift with China on technology.
APEC's Cross-Border Privacy Rules system is a certification that companies can join to prove they meet internationally recognized data protections, allowing them to transfer such personal information as names and payment histories across borders without the onerous requirements that normally apply.
At a working-level meeting in June, the U.S. proposed separating the CBPR from APEC and allowing countries outside of the forum, like Brazil, to participate, multiple sources said. By moving the framework out from under APEC, of which China is part, the U.S. is seen trying to keep valuable data from making its way to Beijing.
The cross-border flow of data has played an increasing role in economic activities across the world, from helping companies tailor online ads based on users' online shopping histories to automating driving.
Nine countries and regions, including the U.S., Japan, Australia and Singapore, currently participate in the CBPR. But the framework is still in its early stages. Few Japanese companies have obtained the certification, for example.
Separating the data privacy framework from APEC early on would enable Washington to shape it without Chinese involvement. The U.S. seeks freer data flows, while China has sought to maintain a tight grip on data at home. This rift has meant that "talks at APEC came to a head many times," a Japanese government source said.
APEC members have not officially responded to the American proposal.
The U.S. is urging countries to shut out such Chinese companies as Huawei Technologies from telecommunications networks, as well as pressing China's ByteDance to unload U.S. operations of its popular TikTok short-video app. Washington aims to further pressure Beijing using the CBPR.
China has its own restrictions, blocking Google and many other U.S. internet services on the mainland. Cybersecurity legislation that took effect in 2017 requires internet service providers to cooperate with law enforcement.
A new data security law in the pipeline would punish acts deemed harmful to China's national security. It would not only constrain foreign companies operating in the country, but also restrict the transfer of Chinese data overseas.
Not all Western countries are fully on the same page with the U.S. on data transfers. The European Court of Justice in July struck down the Privacy Shield agreement between the U.S. and the European Union, citing concerns about American surveillance programs. The EU also adopted its General Data Protection Regulation in 2018.
