You’ve heard about the APEC CBPR Certification, but what is it? How does it help your business? What are the benefits of APEC CBPR Certification? And is it worth it?
Let’s start with the basics.
What is APEC?
Established in 1989, APEC stands for Asia-Pacific Economic Cooperation. It’s a forum for 21 Pacific Rim member economies that promotes trade, investment, and economic growth throughout the region.
Members include all countries with a coastline along the Pacific Ocean, including China, Japan, and the United States.
The 21 APEC members represent over 40% of the world’s population and over 60% of global GDP. Which is significant if you’re operating a global business.
- Australia
- Brunei Darussalam
- Canada; Chile
- People’s Republic of China
- Hong Kong
- China
- Indonesia
- Japan
- Republic of Korea
- Malaysia
- Mexico
- New Zealand
- Papua New Guinea
- Peru
- the Philippines
- the Russian Federation
- Singapore
- Chinese Taipei
- Thailand
- the United States of America
- Vietnam
APEC members work together to improve the business operating environment and reduce red tape between these economies.
Some of the ways members achieve this include faster customs procedures at borders, more favorable business climates behind the border, and aligning regulations and standards across the region.
All economies have an equal say and decision-making is reached by consensus. There are no binding commitments or treaty obligations and commitments are undertaken on a voluntary basis.
APEC also supports the multilateral trade negotiations underway in the World Trade Organization and complements the goals of the G20.
What is APEC CBPR System?
CBPR stands for Cross-Border Privacy Rules. And as you may be guessing, the APEC CBPR system seeks to facilitate compliant and safe cross-border data transfers between participating economies.
The system is administered by the Joint Oversight Panel and assisted by the CBPR Secretariat to consult with prospective APEC CBPR economies and determine whether an economy satisfies the participation requirements.
They also consult with and review applications for prospective Accountability Agents and handle Accountability Agent complaints.
The goal of the CBPR system is protect personal information while ensuring the delivery of innovative products without the barriers of different economy’s regulations through voluntary accountability.
This system helps establish standards for transferring data cross-border so that personal information is protected, and that the requirements are enforceable if violated in those jurisdictions.
It also sets the criteria for bodies to become recognized as CBPR system Accountability Agents, and a process for information controllers to be certified as compliant APEC CBPR system.
The CBPR system works to protect personal data by requiring:
- Enforceable standards – economies must demonstrate that CBPR program requirements will be legally enforceable against certified companies.
- Accountability – a company must demonstrate to an Accountability Agent that they meet the CBPR program requirements
- Risk based protections – companies must implement security safeguards for personal data
- Consumer friendly compliant handling – collaboration with Accountability Agents to resolve disputes between consumers and certified companies
- Consumer empowerment – companies must provide consumers with the opportunity to access or correct their personal data
- Consistent protections – all participants must agree to abide by the 50 CBPR program requirements
- Cross-border enforcement cooperation – regulatory authority cooperation on the enforcement of program requirements
An APEC economy must demonstrate that it can enforce compliance with the CBPR System’s requirements before joining.
There are currently nine participating APEC CBPR System economies: United States, Mexico, Japan, Canada, the Republic of Korea, Australia, Chinese Taipei, and the Philippines.
The APEC Privacy Framework
Created in 2005 and updated in 2015, the APEC Privacy Framework was designed to provide an accountable approach to managing data privacy protection and the flow of personal information across borders.
The APEC CBPR system requires participating businesses to implement data privacy policies consistent with the APEC Privacy Framework.
The preamble of the updated APEC Privacy Framework states,
”APEC economies realize that a key part of efforts to improve consumer confidence and ensure the growth of electronic commerce and innovation must be cooperation to promote both effective information privacy protection and the free flow of information in the Asia Pacific region, while respecting domestic laws and regulations, applicable international frameworks for information privacy protection, and strengthening information security in the Asia Pacific region.”
This framework is based on the OECD’s Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, which are recognized as the global minimum standard for privacy and data protection.
The APEC Privacy Framework establishes a multilateral mechanism that enables Privacy Enforcement Authorities to cooperate in cross-border privacy law enforcement.
This mechanism is the Cross-border Privacy Enforcement Arrangement (CPEA).
Any Privacy Enforcement Authority in any APEC member economy can participate.
Any public body that is responsible for enforcing Privacy Law, and has the power to conduct investigations or pursue enforcement proceedings is a Privacy Enforcement Authority.
Businesses can demonstrate their adherence to the APEC Privacy Framework by certifying their privacy practices to the following standards:
- Cross Border Privacy Rules (CBPR) System – which governs “data controller” privacy practices
- Privacy Recognition for Processors (PRP) System – which governs “data processor” privacy practices
You’ll notice the certifications differ based on whether the entity is a data controller or data processor.
APEC CBPR Certification
CBPR certification is currently available to companies headquartered in Japan, Korea, Singapore, and the United States. An independent Accountability Agent is needed to certify your organization’s compliance with the CBPR Program Requirements.
Applications are sent to APEC-recognized Accountability Agents who will begin the compliance review process to verify compliance with the CBPR system.
If an applicant meets the minimum criteria required, the Accountability Agent will be responsible for monitoring its compliance with the CBPR system criteria.
This criteria assesses an applicants:
- Notice of personal information and privacy policies
- Collection limitations to specific purposes stated at time of collection
- Use, transfer, and disclosure of personal information
- Choice for individuals in relation to the collection, use, and disclosure of their personal information
- Integrity of personal information maintained by the controller
- Security safeguards to protect individuals’ personal information from loss, unauthorized access or disclosure, or other misuses
- Access and correction for individuals to update their information when reasonable
- Accountability to complying with measures that make the other criteria operational
While this is just intended to be a summary, you can review the complete APEC Cross-Border Privacy Rules System Program Requirements.
5 Benefits of APEC CBPR Certification
Alignment with Global Frameworks and Global Trade Facilitation
An APEC CBPR certification is based on the same principles that inform the OECD Guidelines, the Fair Information Practice Principles, the EU-U.S. Privacy Shield, and the General Data Protection Regulation.
As such, a CBPR certification will help align your organization’s policies to various international privacy frameworks.
This will lower the compliance burden and save your employees time to implement a patchwork of privacy regulations.
If you haven’t started a privacy program yet, completing the necessary actions within the CBPR certification process will create a data privacy roadmap for your business.
Using a baseline of standard privacy protections for personal information, businesses can become a trusted entity for protecting consumer data.
An APEC CBPR certification makes conducting business in participating economies easier and helps to facilitate the increasing trade relationship between APEC economies.
The United States, Mexico, Canada Agreement, which substituted the North America Free Trade Agreement to mutually benefit employees and businesses and grow the North American Economy, also formally recognizes the APEC CBPR System to further facilitate global trade.
Using vendors, outsourcing operations, or partnering with APEC economies can reduce your business costs through access to labor, materials, and new supply chains. All of which is beneficial to the growing global economy.
Jurisdiction-Specific Data Transfer Benefits
This cohesive set of privacy rules allows the responsible transfer of data between participating economies. Rather than spending time and money sorting every individual jurisdiction, participants have an approved network for cross-border transfers.
The CBPR certification gives companies and employees confidence that the transaction will adhere to data protection standards while eliminating unnecessary burdens.
In Japan, companies that have a CBPR certification do not have to obtain consent to transfer data to another country, which is otherwise required under Japanese law.
An APEC CBPR certification may also make it easier for an organization to obtain approval for its Binding Corporate Rules in the European Union.
Since 2013, APEC member Economies and EU officials have been collaborating to promote interoperability between the two regional transfer mechanisms.
In-Network Transactional Streamlining
If you have an APEC CBPR certification, the privacy practices of your organization will be in line with other CBPR-certified organizations, thereby facilitating transactions between participants.
The certification opens businesses up to a wide range of partners and new locations to support your business growth goals.
Some of the companies included in the CBPR certification are:
- Apple Inc
- Asurion LLC
- Electronic Arts
- Expedia Inc
- General Electric Company
- Hewlett Packard Enterprise Company
- International Business Machines Corporation
- Johnson Controls Inc
- Mastercard
- PGA Tour Inc
- Rackspace Technology Global Inc
- Workday Inc
Create Competitive Differentiation and Increase Consumer Trust
Consumers globally are standing up to companies that don’t establish transparent data practices, or adhere to privacy regulations such as GDPR. Alignment with global privacy frameworks and a certification seal demonstrate that a business values consumer privacy.
People still want a relationship with businesses, they just want more control over how their data is collected, used, and shared. Enabling this control generates consumer trust in your business.
It helps your marketing and communications teams as well. If consumers can better communicate their preferences to businesses, you can respond with more relevant messages to better meet their needs.
Rather than spending time and effort on mass promotions, messages can be more personalized and generate a better ROI.
And because not every business has been forced to catch on (through regulations in their region), consumer first data practices can set you apart from your competition. At least, it’s worked for Apple, anyway.
Compliance and Resolution Efforts
Part of maintaining consumer trust is giving data subjects a method for resolving disputes with your organization.
Obtaining a CBPR certification means your Accountability Agent will handle the frontline consumer complaints and dispute resolution. This helps to ensure key issues are addressed before they become larger problems.
Facilitate the compliant transfer of data among participating APEC economies
TRUSTe, a subsidiary of TrustArc, was unanimously approved to be the first Accountability Agent to certify data transfer practices under the CBPR framework for data controllers and the APEC PRP framework for data processors.
First, TrustArc will assess your privacy program’s operations to understand and work with you to remediate any compliance risks. You’ll receive expert guidance through the process with our powerful technology.
Based on the information gathered from the assessment, you’ll be guided through the remediation process with support to ensure the required changes are complete.
As proof of the TRUSTe Certification, an official Letter of Attestation can be shared with your business partners, providing your organization with competitive differentiation.
