The Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems establish a harmonised set of data protection standards consistent with the APEC Privacy Framework to enable cross-border flows of personal data. CBPR systems apply to data controllers, whereas PRP systems apply to data processors. These certifications are comparable to the Binding Corporate Rules (BCR) established in the EU under the GDPR but with a much broader scope.

How do organisations gain certification?

Certification is voluntary, enforceable, and international, offering an accountability-based system that facilitates privacy-respecting data flows among APEC economies. Once a country has joined the APEC CBPR, an organisation located in the country can apply for CBPR or PRP certifications. This is followed by an independent assessment of the organisation’s privacy policies and procedures, which is carried out by an accountability agent.

To obtain CBPR certification, your organisation must be certified in the participating APEC economy in which it is primarily located. You can include all or some of your global corporate affiliates in the certification. Once certified, your organisation will be subject to enforcement by an accountability agent or your country’s privacy enforcement authority (such as the Federal Trade Commission in the US).

CBPR is one of the only privacy frameworks that includes a certification element as an essential component of its privacy programme. CBPR certification provides recognition that the organisation has been reviewed by an independent accountability agent and that it is abiding by their privacy rules. Furthermore, CBPR certification may be seen by many as a government-approved seal on privacy practices.

In short, being CBPR-certified lowers existing and future compliance burdens and reduces potential friction for trade. For example, in Japan, companies with CBPR certification do not have to obtain consent to transfer data to another country, something which is otherwise required by Japanese law.

What are the benefits of CBPR?

  • Recognised mechanism for data transfers
    CBPR serves as a formally recognised cross-border transfer mechanism for personal data and can be used for intra-company transfers, transfers between unaffiliated companies, and transfers to non-CBPR certified companies anywhere in the world.
  • Demonstrates compliance
    In addition to serving as a cross-border transfer mechanism, CBPR is also a comprehensive domestic privacy compliance and accountability programme.
  • Assessment tool
    Companies can use CBPR as a risk management tool when selecting qualified third-party vendors, processors, and business partners. This will facilitate transactions with other CBPR certified organisations.
  • Mitigating factor in enforcement
    In the case of a data privacy incident, where the supervisory authority steps in, CBPR certification demonstrates a good-faith effort to ensure compliance.
  • Brand image enhancement
    CBPR certification can enable companies to demonstrate corporate digital responsibility to consumers, potential business partners and privacy enforcement authorities.

Global CBPR Forum

In April 2022, the US Department of Commerce announced the launch of the newly created Global CBPR Forum, along with Singapore, Canada, Korea, Japan, Chinese Taipei, and the Philippines. This forum will facilitate multinational cooperation in establishing and promoting the free flow of data over international borders, while promoting effective and robust data protection mechanisms. One of the key objectives of the forum is the pursuit of interoperability with different approaches to data protection and privacy by developing an international certification system based on the existing APEC CBPR and PRP systems.

This is a significant development for organisations with international operations, as it has the potential to facilitate cross-border data transfers across more economies, including non-APEC jurisdictions, while applying the same high standards of data protection and privacy as the APEC systems. Businesses that are CBPR certified must closely follow the compliance obligations required to transition from APEC CBPR to the certification standards set by the Global CBPR Forum. Although the new international certification system will be administered separately from the existing APEC CBPR and PRP systems, it will eventually involve a formal transition of operation under the APEC CBPR and PRP systems in their jurisdictions to the Global CBPR and PRP.

As the Global CBPR system further develops, it will be interesting to follow how it capitalises on its potential for interoperable systems, encouraging more economies to participate in the forum.

If you want to discuss this topic, or anything else data protection and privacy-related, please contact us at dpo@hewardmills.com.