ability to exchange information across country borders is a fundamental tool
for business in the global digital economy. This can be particularly
challenging as privacy laws differ from country to country. The APEC Cross
Border Privacy Rules (CBPR) system helps bridge those differences by providing
a single framework for the exchange of personal information among participating
economies in the APEC region.
There are currently four participating APEC CBPR system economies:
USA, Mexico, Japan and Canada, with more expected to join soon. Additionally, the APEC
Electronic Commerce Steering Group (ECSG) and the EU Article 29 Working Party have produced a common referential for the requirements of the APEC CBPR system and the EU Binding Corporate Rules.
Only organizations currently certified by an
APEC-recognized Accountability Agent may display a seal, trustmark, or otherwise
claim to participate in the CBPR System. False representations of CBPR system participation
may subject the organization to applicable law enforcement action.
How can the APEC CBPR system help your business?
The APEC CBPR system bridges differing national privacy laws within the APEC
region, reducing barriers to the flow of information for regional trade. Also,
by promoting your adherence to a standard of best practices, you can
demonstrate your commitment to consumer privacy.
Interested in becoming APEC CBPR certified?
CBPR certifications are conducted by APEC CBPR system recognised Accountability
Agents, which certify that organisations comply with the CBPR Program Requirements.
In the process, Accountability Agents will use either the CBPR Intake Questionnaire
or, if they are using their own approved procedures, another intake document.
To be APEC CBPR
certified, your company (or other entity) must be subject to the laws of one or
more APEC CBPR system participating economies. There must also be at least one
Accountability Agent offering its services in your participating economy or
economies. There are currently four participating APEC economies: USA, Mexico, Japan and Canada.
How can personal information processors demonstrate their accountability?
The APEC Cross Border Privacy Rules (CBPR) system, finalised in 2011, only applies to personal information controllers ("controllers"), as the APEC Privacy Framework (the Framework), pursuant to which the CBPR system was created, also applies only to controllers.
The Privacy Recognition for Processors (PRP) is designed to help personal information processors ("processors") demonstrate their ability to assist controllers in complying with relevant privacy obligations. The PRP also helps controllers identify qualified and accountable processors. The PRP intake questionnaire sets forth the baseline requirements of the PRP against which an APEC-recognised Accountability Agent will assess a processor seeking recognition. To receive such recognition, the processor must meet this baseline set of requirements.
The PRP system was endorsed by APEC in February 2015, and will be operationalised in the coming months with further guidance for potential participating Member Economies and domestic Accountability Agents. For more information about this system, please see the Purpose and Background document.
system certification is for personal information transfers between
participating APEC economies. Please note that some economies may have higher
internal privacy standards and impose additional requirements on businesses
that are subject to their jurisdiction.