Taking stock of privacy in APEC

January 7, 2016

christineBy Christine Runnegar, Director of Public Policy, The Internet Society

APEC has been leading the way with an innovative approach to privacy protection for cross border transfers of personal data: an approach that has also attracted the attention of the EU.

While other countries and regions are still focusing on the differences between their privacy laws, APEC economies, having agreed on a set of general privacy principles (the APEC Privacy Framework), found a way to bridge their diverse legal environments to enable privacy-respecting cross border personal data flows. Additionally, they shifted the principal resource burden from enforcement (public authorities) to compliance (data controllers, processors, and those who certify them). The result is the APEC Cross Border Privacy Rules (CBPR) system and the APEC Privacy Recognition for Processors (PRP). (Please see www.cbprs.org.)

Participation in both systems is voluntary. Economies choose whether they wish to participate, accountability agents (i.e. those who certify that organisations are compliant with the APEC CBPR program requirements) choose to be recognised, and organisations choose to be certified as APEC CBPR system and/or PRP compliant. The foundational feature of both systems is accountability for personal data collection and handling. Organisations wishing to be certified must demonstrate that their privacy policies and practices meet the required standard, accountability agents must verify and monitor compliance, and economies must provide the necessary “backstop” enforcement.

There are currently:

  • 4 participating economies: USA, Mexico, Japan and Canada
  • 1 accountability agent: TRUSTe (with another entity’s application currently pending)
  • 12 certified organisations

It’s still early days, but the EU has also taken an interest in this work. In 2014, the APEC Data Privacy Subgroup and the EU Article 29 Working Party published a common referential on the APEC CBPR system and the European Binding Corporate Rules (BCRs). Politically, this is an important step forward towards privacy framework interoperability between APEC and the EU. Next steps include the development of a common application form for dual certification.

But, the work does not stop there …

2015 marks the 10 year anniversary of the APEC Privacy Framework – a good time to take stock of the privacy landscape and see whether any updates are needed. The APEC Data Privacy Subgroup is currently reviewing the APEC Privacy Framework, using the revisions to the OECD Privacy Guidelines as a starting point, and finalising some proposed amendments. Spoiler alert! The core privacy principles are likely to remain unchanged. As for the other changes, you’ll have to wait until they are published next year.

Back to Table of Contents