APEC CBPR (Cross-Border Privacy Rules)
The APEC CBPR system is a voluntary certification system for cross-border data transfers in the Asia-Pacific region based on the APEC Privacy Principles.
Summary
The APEC Cross-Border Privacy Rules (CBPR) System is a voluntary, market-driven mechanism designed to facilitate cross-border data transfers between APEC member economies. It is based on the APEC Privacy Principles of 2004 and was operationalized in 2011. Companies that obtain CBPR certification commit to meeting privacy standards verified by recognized Accountability Agents.
- Voluntary Certification: Companies apply to accredited Accountability Agents.
- Nine Principles: Based on APEC Privacy Principles (Notice, Choice, Access, etc.).
- Cross-Border Recognition: Certified companies can more easily transfer data between participating economies.
- PRP System: Complementing CBPR, the Privacy Recognition for Processors (PRP) system exists for data processors, also forming part of the APEC privacy framework.
- Global CBPR Forum: Since 2022 expanded as an independent international forum beyond APEC.
History
The foundation was laid in 2004 with the APEC Privacy Framework, which established nine privacy principles for all 21 APEC member economies. In 2005, the APEC Data Privacy Subgroup began developing the CBPR system as a practical instrument for business. After a multi-year development process, the CBPR system was formally endorsed by APEC trade ministers in 2011. The United States joined as the first economy in 2012, followed by Mexico (2013), Japan (2014), Canada (2015), Singapore (2017), the Republic of Korea (2017), Australia (2018), the Philippines (2019), and Chinese Taipei (Taiwan) (2019). In 2022, the Global CBPR Forum was established to extend the system to non-APEC countries and strengthen its global character. Since its founding, additional members have expressed interest or joined, including the United Kingdom, Bermuda, the Cayman Islands, and Jersey.
Scope
The APEC CBPR system targets companies that transfer personal data across borders within the APEC region. It applies to:
- Private companies of any size in participating APEC economies.
- Data exporters and importers seeking to demonstrate legally sound cross-border data transfers.
- Multinational corporations implementing consistent privacy standards across the APEC region.
Currently participating economies in the APEC CBPR system (as of 2024): USA, Mexico, Japan, Canada, Singapore, Republic of Korea, Australia, Philippines, and Chinese Taipei (Taiwan). Since 2022, non-APEC countries can also join through the Global CBPR Forum; the Forum's members additionally include the United Kingdom, Bermuda, the Cayman Islands, and Jersey.
Key Requirements
- Notice: Transparent information to individuals about data collection and use.
- Collection Limitation: Collect only data necessary for the stated purpose.
- Uses of Personal Information: Use data only for stated or compatible purposes.
- Choice: Individuals have the opportunity to object to the use of their data.
- Integrity of Personal Information: Ensuring data accuracy and currency.
- Security Safeguards: Appropriate technical and organizational protective measures.
- Access and Correction: Individuals can view and have their data corrected.
- Accountability: Organizations are responsible for compliance with the principles and must demonstrate this. Recognized Accountability Agents include TrustArc (USA), JIPDEC (Japan), and IMDA (Singapore).
- Preventing Harm: Protective measures to avoid harm to individuals.
Related Frameworks
Corrections & Errata
4 corrections:
- Philippines missing as participating economy
- Singapore joining date potentially wrong (2016 instead of 2017)
- Mexico joining date wrong: 2013, not 2012
- Taiwan/Chinese Taipei joining date potentially wrong (2020 instead of 2019)
1 update:
- Global CBPR Forum members after 2022 missing
5 clarifications.
1 note.