APEC Steps Up Promotion of Cross-Border Privacy Rules
Singapore, 12 September 2019
APEC economies, data privacy regulators, and other stakeholders are exploring ways to bolster the Cross-Border Privacy Rules (CBPR) system. Endorsed by APEC leaders in 2011, the CBPR system establishes enforceable, binding commitments to safeguard consumers’ personal information and foster growth of the digital economy.
Data protection is an increasingly important public policy issue, partly due the massive growth of the digital economy. Online retail activity continues to surge, growing more than 9 per cent in 2017. Every year, consumers across APEC’s 21 economies purchase approximately USD 1 trillion in goods and services online – about half of global e-commerce.
The CBPR system enables companies to certify compliance with the commonly agreed rules – 50 specific program requirements - based on the APEC Privacy Framework. CBPR expansion already includes 8 APEC economies and three members have fully implemented the system with approved Accountability Agents. Economies appoint Accountability Agents to work closely with companies seeking certification and facilitate dispute resolutions with consumers.
At a recent workshop, CBPR stakeholders agree that greater participation, both from newly joined economies and accountability agents, enhances the program’s value.
CBPR adherents attest that membership promotes public trust and strengthens a company’s data management system. Certification requires a robust review by an independent third party of a company’s internal processes and detailed mapping of a company’s data, its use, and its users.
Stakeholders say that the CBPR helps firms prepare for a digital future and the public’s increasing concerns about data privacy. “Certification does not necessarily ensure compliance with the law. But it does ensure some due diligence as companies spend considerable resources on pursuing compliance,” said Jill Paterson, Senior Policy Advisor at Canada’s Department of Innovation, Science and Economic Development.
In the event of a data breach, this demonstration of efforts to protect data can help a company’s standing with regulators. Though data breach is not specifically covered, the point was made during the workshop as an example of how certification can be helpful to demonstrate reasonableness in a company’s compliance efforts.
“There is a very real practical benefit for companies (joining CBPR) as they undertake due diligence. In going through that process, they will catch problems and will be less likely to violate the law,” said Peder Magee, Senior Attorney in the Division of Privacy and Identity Protection at the United States Federal Trade Commission.
To broaden private sector uptake, some economies suggest streamlining both CBPR participation and certification for domestic data privacy systems. Additionally, at least one economy already reduces CBPR application fees for MSMEs to encourage participation.
As the CBPR should reflect changing economic conditions, participants also encourage periodic updating of CBPR program requirements and adoption of technology to simplify the certification process. Lastly, members continue to strive for greater regulatory inter-operability beyond APEC.
For more information on the CBPR, please visit www.cbprs.org.
# # #
For further details, please contact: