The eligibility requirements that must be met by an Accountability Agent in order to be recognised by APEC economies.
* Note: See "Accountability Agent APEC Recognition Application - Annex A" for details.
Administrator
The body designated by the ECSG to perform the functions of the CPEA Administrator.
* Note: Cross-Border Privacy Enforcement Arrangement (CPEA), clause 5.1, provides that the ECSG may designate the APEC Secretariat or a Participant, or the Secretariat and a Participant jointly, as the Administrator. CPEA, clauses 5.3 and 5.4, sets out the Administrator's core and additional functions.
* Note: Definition derived from CPEA, clause 4.1.
* Note: The inaugural Administrator comprised the APEC Secretariat jointly with participants from Australia, New Zealand and the USA.
Annual Attestation
The declaration required to be made by an organisation participating in the CBPR System to an Accountability Agent each year confirming the organisation's continuing adherence to the Program Requirements.
* Note: See "Accountability Agent APEC Recognition Application - Annex A" for details.
APEC-Recognised Accountability Agent
An Accountability Agent that has been recognised by APEC economies to have met the Accountability Agent Recognition Criteria.
* Note: A list of current APEC-recognised Accountability Agents is maintained on the CBPR system website at www.CBPRs.org.
APEC Privacy Framework
A framework for protecting personal information privacy adopted by APEC in 2005 and updated in 2016.
* Note: The Framework is a principles-based document intended to promote a high-standard approach to information privacy protection across APEC member economies while avoiding the creation of unnecessary barriers to information flows. The Framework includes 9 information privacy principles and guidance for domestic and international implementation of the principles, including the adoption and use of the APEC CBPR System.
CBPR
Abbreviation for Cross-Border Privacy Rules.
CBPR-Compliant
A description that an organisation fully complies with the CBPR Program Requirements, utilizes high-standard privacy practices, and is certified by an Accountability Agent as such to transfer and process information in line with CBPR system requirements.
CBPR Participating Economy
An economy recognised by APEC as having met the requirements for participation in the CBPR system.
* Note: An economy commences the process to participate by submitting a letter indicating its intention to participate in the CBPR system with all required information outlining domestic privacy laws in compliance with CBPR System guidelines. This information must include confirmation that at least one Privacy Enforcement Authority in that economy is a Participant in the Cross-border Privacy Enforcement Arrangement (CPEA) and that the economy intends to make use of at least one APEC-recognised Accountability Agent. The economy must also provide a narrative description of the relevant domestic laws and regulations and administrative measures which may apply to any CBPR certification-related activities of an Accountability Agent operating within the economy's jurisdiction and the enforcement authority associated with these laws and regulations and administrative measures. The economy must also submit a completed CBPR System Program Requirements Enforcement Map outlining its enforcement procedure, law or regulation for each CBPR System requirement. The JOP, after conducting a thorough review and consultation, will notify the ECSG Chair when these requirements have been met at which point the economy will be considered a CBPR System participant. Participating Economies will be listed on the CBPR system website, at www.CBPRs.org.
Certification
A process through which an organisation is certified by an
Accountability Agent as CBPR-Compliant.
Compliance Directory
A directory of organisations certified as CBPR-Compliant published
by APEC economies and listed on the CBPR system website, at www.CBPRs.org.
Contact Point Directory
A list maintained by the Administrator of the main point of
contact of any body, whether or not Privacy Enforcement Authority or
Participant, having a role to play in the protection of privacy.
* Note: The directory is not made publicly available but is
available to privacy enforcement authorities on the CPEA website. The directory
is maintained pursuant to CPEA, clauses 5.3, 5.4, 11 and Annex B.
Cooperation Arrangement
APEC Cooperation Arrangement for Cross-border Privacy Enforcement.
* Note: Definition taken from CPEA, clause 4.1.
* Note: See fuller definition under "Cross-border Privacy Enforcement Arrangement".
CPEA
Abbreviation for Cross-border Privacy Enforcement Arrangement.
Cross-border Privacy Enforcement Arrangement
A practical multilateral mechanism which enables Privacy
Enforcement Authorities to cooperate in cross-border privacy enforcement by
creating a framework under which authorities may share
information and request and render assistance in certain ways.
* Note: The CPEA's formal title is "APEC Cooperation
Arrangement for Cross-border Privacy Enforcement". The CPEA was endorsed
by APEC Ministers in November 2009 and commenced on 16 July 2010.
* Note: Definition derived from CPEA, clause 2.1.
Cross-Border Privacy Rules
The privacy policies and practices adopted by a CBPR-Compliant
organisation for all Personal Information collected or received by it that is
subject to cross border transfers.
Cross-Border Privacy Rules System
A voluntary, multilateral privacy and data protection program
governing cross border transfers of information by organisations
operating in APEC member economies.
* Note: Organisations that choose to participate in the CBPR system should implement privacy policies and practices consistently with the CBPR Program Requirements for all personal information that they have collected or received that is subject to cross border transfers from participating APEC economies. These privacy policies and practices should be evaluated by an APEC-recognised Accountability Agent for compliance with the CBPR Program Requirements. Once an organisation has been certified for participation in the CBPR System, these privacy policies and practices will become binding as to that participant and will be enforceable by an appropriate authority to ensure compliance with the CBPR Program Requirements.
DPS
Abbreviation for Data Privacy Subgroup.
Data Privacy Subgroup
The subgroup of the ECSG primarily responsible for the APEC Privacy Framework, the APEC Cross Border Privacy Rules System, and APEC Privacy Recognition for Processors System.
ECSG
Abbreviation for Electronic Commerce Steering Group.
Electronic Commerce Steering Group
A forum under the Committee on Trade and Investment that promotes
the development and use of electronic commerce and the digital economy in the APEC region.
* Note: The ECSG seeks to create legal, regulatory and policy
environments that are predictable, transparent and consistent. It performs a
coordinating role for APEC's e-commerce activities based on principles in the
1998 APEC Blueprint for Action on Electronic Commerce, and its mandate has been updated and guided by direction from APEC actions and priorities.
Information Privacy Principles
The principles set out in Part III of the APEC
Privacy Framework.
* Note: The principles include: (1) Preventing Harm; (2) Notice;
(3) Collection Limitation; (4) Uses of Personal Information; (5) Choice; (6)
Integrity of Personal Information; (7) Security Safeguards; (8) Access and
Correction; and (9) Accountability.
Intake Questionnaire
A detailed self-assessment questionnaire based on the Information
Privacy Principles for use by an organisation seeking to participate in the
CBPR system, which will be reviewed and confirmed by an approved Accountability Agent.
Joint Oversight Panel
A three-member panel that assists the ECSG with the implementation
of the CBPR System. For more information, see the "CBPR System Documents" page on this website.
* Note: This panel consists of nominated representatives from
three APEC economies appointed by the ECSG. The current JOP consists of the Republic of Korea, Japan and the United States.
JOP
Abbreviation for Joint Oversight Panel.
Participant
A Privacy Enforcement Authority in an APEC member economy that
participates in the CPEA.
* Note: Definition taken from CPEA, clause 4.1.
Personal Information
Any information about an identified or identifiable individual.
Personal Information Controller
A person or organisation who controls the collection, holding,
processing, use, disclosure or transfer of personal information. It includes a person or organisation
who instructs another person or organization to collect, hold, process, use,
transfer or disclose personal information on his or her behalf, but excludes a
person or organisation who performs such functions as instructed by another
person or organisation. It also excludes an individual who collects, holds,
processes or uses personal information in connection with the individual's
personal, family or household affairs.
* Note: Definition taken from APEC Privacy Framework, clause 10.
Personal Information Processor
An organisation that, at the instruction of a Personal Information
Controller, collects, holds, processes, uses, transfers or discloses Personal
Information on the controller's behalf.
Privacy Enforcement Authority
Any public body that is responsible for enforcing Privacy Law and
that has powers to conduct investigations and/or pursue enforcement
proceedings.
* Note: Definition taken from CPEA, clause 4.1.
Privacy Law
Laws and regulations of an APEC member economy, the enforcement of
which have the effect of protecting Personal Information consistent with the
APEC Privacy Framework.
* Note: Definition taken from CPEA, clause 4.1.
Privacy Policies
Those operational rules and procedures adopted by an organisation
to guide decisions made by it and its employees related to the ongoing
protection of Personal Information collected, stored, used, transferred or disclosed by
them.
Privacy Practices
Actions regarding the protection of Personal Information that are
taken by an organisation and its employees pursuant to that organisation's
privacy policies.
Privacy Statement
A public declaration of an organisation's Privacy Policies and
Privacy Practices.
* Note: A privacy statement is required under the CBPR program requirements.
It should be clear and accessible.
Program Requirements
A set of baseline program requirements based on the nine
Information Privacy Principles against which an APEC-recognised Accountability
Agent will assess an organization's completed Intake Questionnaire.
Program Requirements Map
A template which provides the baseline program requirements of the
CBPR System in order to guide an APEC economy to explain how each CBPR System requirement may be enforced in that economy.
* Note: Annex B to the Template Notice of Intent to Participate in
the APEC Cross Border Privacy Rules system.
Publicly Available Information
Personal Information about an individual that the individual
knowingly makes or permits to be made available to the public, or is legally
obtained and accessed from government records that are available to the public,
journalistic reports, or information required by law to be made available to
the public.
* Note: Definition taken from APEC Privacy Framework, clause 11.
Re-attestation
A process through which an Accountability Agent is recognized by APEC Economies to have met the Accountability Agent Recognition
Criteria. After an initial one-year review period, Accountability Agents undergo this process every two years.
* Note: See "Accountability Agent APEC Recognition Application - Annex A" for details.
Receiving Authority
A CPEA Participant that has received a "Request for
Assistance" from another Participant.
* Note: Definition taken from CPEA, clause 4.1.
Re-certification
An annual process through which an organisation is re-certified by
an Accountability Agent as being CBPR-Compliant.
Request for Assistance
Includes, but is not limited to, a referral of a matter related to the enforcement of Privacy Law, a request for cooperation on the enforcement of Privacy Law, a request for cooperation on the investigation of an alleged breach of Privacy Law, and a transfer of a privacy complaint.
* Note: Definition taken from CPEA, clause 4.1.
Requesting Authority
A CPEA Participant that has made a Request for Assistance of another Participant.
* Note: Definition taken from CPEA, clause 4.1.
Security Safeguards
The physical, technical and administrative measures implemented and maintained by an organisation in order to protect against risks, such as loss or unauthorised access to personal information, or unauthorised destruction, use, modification or disclosure of personal information or other misuses.
Security Policies
Those rules and procedures adopted by an organisation related to the implementation and maintenance of measures to protect against risks, such as loss or unauthorised access to personal information, or unauthorised destruction, use, modification or disclosure of personal information or other misuses.