What is the APEC CBPR?

November 25, 2024

In the modern world, the cross-border transfer of personal data has become integral to businesses all over the world. At the same time, the need to protect personal data has also risen. In reaction to this trend, various standards and systems have been introduced to ensure the safe transfer of personal data across borders. One such system is the APEC CBPR, which is the focus of this article.

  1. What is the APEC CBPR?

CBPR stands for Cross Border Privacy Rules. It is a system developed by the Asia-Pacific Economic Cooperation (APEC) economies[1] with the purpose of ensuring safe cross-border transfer of personal data. The system was developed originally as a regional transfer mechanism for APEC countries. However, in 2022, a number of APEC economies established the Global CBPR Forum for the purpose of transforming CBPR into a global transfer mechanism and inviting participation from countries outside APEC.[2]

The system requires businesses participating in its regime to implement data privacy regulations and policies pursuant to the APEC Privacy Framework[3] to ensure safe cross-border transfers of personal data, thereby encouraging cooperation and economic growth among APEC countries. The CBPR system is for data controllers. For data processors, there is the Privacy Recognition for Processors (PRP) system, which is a companion certification to the CBPR. The PRP has fewer requirements than the CBPR and mostly focuses on data security. This would make it easier for controllers to select appropriate processors. Currently, only the US and Singapore are participating in the PRP system.[4]

The APEC CBPR has 50 program requirements based on the APEC Privacy Framework, which has 9 privacy principles: Accountability, Prevent Harm, Notice, Choice, Collection Limitation, Use of Personal Information, Integrity of Personal Information, Security Safeguards, and Access and Correction. The Framework was endorsed by 21 APEC economies.[5]

  2. What are the benefits of the APEC CBPR?

Since the APEC CBPR is based on the same principles as the OECD Guidelines and the GDPR, it can help businesses align themselves with international privacy frameworks. This could in turn reduce the compliance burden across different jurisdictions and increase client trust. Being CBPR certified can have many benefits, such as:

  • Ease of transfer of personal data across APEC CBPR countries. In some APEC countries, CBPR can serve as an official cross-border transfer mechanism for personal data. This helps lessen the burden regarding personal data transfer compliance for businesses. In Japan, companies with CBPR certifications can transfer data to another country without consent. Singapore also recognizes the APEC CBPR and PRP certifications for overseas transfers of personal data under the PDPA.[6] Having a CBPR certification also makes it easier for organizations to obtain the EU’s approval for their Binding Corporate Rules;[7]
  • CBPR compliance can also help facilitate the compliance of the business with domestic privacy laws and international standards;
  • The CBPR system can serve as a privacy framework for SMEs that may not possess the capability to build their own privacy programs;
  • Increased client and partner trust. In the modern world, consumers are becoming more aware of how their personal data is being processed. Having an assurance that their personal data will be protected could increase clients' trust and thus increase the business's competitiveness. Furthermore, being CBPR-certified could also make it easier for companies that are looking for privacy-qualified vendors or business partners;
  • With APEC CBPR, your company’s practice will be in line with other CBPR-certified organizations, thereby facilitating smooth data transfers and opening up a wide range of partners. Some companies with CBPR certification include: Apple Inc, Asurion LLC, Electronic Arts, Mastercard, General Electric Company, Johnson Controls Inc, etc.[8]

  3. How to become APEC CBPR certified?

For a business to apply for CBPR certification, it must be primarily located in a country that has formally joined the APEC CBPR system. Currently, 9 APEC countries have joined the CBPR system: the United States, Mexico, Canada, Japan, South Korea, Singapore, Chinese Taipei, Australia and the Philippines.[ix] CBPR certification is currently available to companies headquartered in Japan, Korea, Singapore and the United States.[x]

First of all, the business must apply to a recognized APEC Accountability Agent, a third-party certification body. The Accountability Agent will then evaluate whether the company's privacy policies and practices comply with the CBPR (or PRP) program requirements. If the company does not currently meet the requirements, the Accountability Agent will help it come into compliance. Once a company is certified, complying with the CBPR (or PRP) becomes an enforceable obligation. Compliance with the certification will be monitored by the Accountability Agent, and the business will be subject to annual recertification.

Criteria for assessment may include: [xi]

  • Privacy statement that provides sufficient information on the processing;
  • Data minimization and purpose limitation;
  • How data is used, transferred and disclosed;
  • Choice of the data subject regarding how their personal data is processed;
  • Security safeguards;
  • Accountability; etc.

Certified organizations must have effective privacy complaint and redress mechanisms to address client complaints of CBPR violations. Companies that don’t comply with their certification are subject to sanctions by their certifying Accountability Agent, including suspension or revocation of certification. They are also subject to enforcement actions by the Privacy Enforcement Authority in the jurisdiction in which they are certified.[xii]

PrivacyCompliance is a leading privacy consulting firm that offers comprehensive solutions to ensure compliance with personal data regulations. Our services include assessing impacts, managing risks associated with personal data processing, and integrating advanced data processing technologies. We not only help our clients ensure compliance and streamline their privacy management frameworks, but also enhance data processing efficiency and facilitate smooth business operations.

[1] APEC was established in 1989 to promote trade, investment and economic development in the Asia Pacific region. It has 21 members which include: Australia, China, Canada, Indonesia, Japan, Korea, Singapore, Thailand, US, Vietnam, etc.

[2] Hunton Andrews Kurth, ‘Cross Border Privacy Rules, Privacy Recognition for Processors, and Global CBPR and PRP Frequently Asked Questions’ (Centre for Information Policy Leadership, July 2023) <https://www.informationpolicycentre.com/uploads/5/7/1/0/57104281/cipl_cbpr_prp_faq_updated_july23.pdf> accessed 5 June 2024.

[3] The APEC Privacy Framework was created in 2005 and updated in 2015 to create an accountability regime for the management of data protection, privacy and the flow of personal data across borders. The Framework was based on the OECD’s Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (OECD’s Guidelines), first released in 1980.

[4] Kurth, n(2).

[5] Infocomm Media Development Authority, ‘About APEC Cross Border Privacy Rules (CBPR)’ <https://www.imda.gov.sg/how-we-can-help/cross-border-privacy-rules-certification#:~:text=The%20CBPR%20certification%20is%20based,Safeguards%20and%20Access%20and%20Correction.> accessed 5 June 2024.

[6] ibid.

[7] Casey Kuktelionis, ‘5 Benefits of APEC CBPR Certification You Should Know About’ (TrustArc) <https://trustarc.com/resource/5-benefits-of-apec-cbpr-certification/#:~:text=The%20CBPR%20system%20works%20to%20protect%20personal%20data%20by%20requiring%3A&text=Risk%20based%20protections%20%E2%80%93%20companies%20must,between%20consumers%20and%20certified%20companies> accessed 6 June 2024.

[8] ibid.

[ix] Kurth, n(2).

[x] CBPR, ‘Business’ <https://cbprs.org/business/> accessed 6 June 2024.

[xi] APEC, ‘APEC Cross-Border Privacy Rules System Program Requirements’ (2019) <https://cbprs.org/wp-content/uploads/2019/11/5.-Cross-Border-Privacy-Rules-Program-Requirements-updated-17-09-2019.pdf> accessed 6 June 2024.

[xii] Kurth, n(2).

