From Regional to Global: Profiling the Expansion of CBPR
Sep 6, 2022 by Rebecca Knight, CIPP/E, CIPP/US, Counsel, Policy Privacy Initiatives, BBB National Programs
On April 21, 2022, the United States, Canada, Japan, the Republic of Korea, the Philippines, Singapore, and Chinese Taipei published a Declaration establishing the Global Cross-Border Privacy Rules Forum (Global Forum).
The objectives of the Global Forum are to:
- Establish an international certification system based on the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems;
- Support the free flow of data, data protection, and privacy through the CBPR and PRP Systems;
- Provide a forum for the exchange of information and cooperation;
- Provide periodic review of data protection and privacy standards to ensure alignment with the CBPR and PRP requirements and best practices; and
- Promote interoperability with other privacy frameworks.
Since the April 2022 announcement, Australia has joined the Global Forum.
In this series, we are going to explore how the newly formed Global Forum came to be and how it will complement other privacy frameworks to promote the free flow of data internationally. We begin with the origins of CBPR and the creation of the CBPR System.
First, what is APEC?
To understand the CBPR System and the Privacy Framework it is based on, a brief history of APEC is necessary. APEC was founded in 1989 as an “informal ministerial-level dialogue group.” The founding members included: Australia, Brunei Darussalam, Canada, Indonesia, Japan, Korea, Malaysia, New Zealand, the Philippines, Singapore, Thailand, and the United States.
Since 1989, APEC has grown to 21 total members and encompasses nearly all Asia-Pacific economies. Each country in APEC is referred to as a “member economy” due to the forum’s primary focus on “trade and economic issues, with members engaging with one another as economic entities.” However, there are no binding commitments or treaty obligations on the member economies. Instead, all economies have an equal say in decisions and commitments are adopted on a voluntary basis.
The APEC Privacy Framework
With the primary focus on trade and economic issues, the APEC member economies quickly recognized that a widely accepted and practical international standard was needed for e-commerce to thrive, especially in the APEC region.
The APEC economies represent 45% of the world’s internet users with nearly two billion people. After hosting workshops in Mexico (2002) and Thailand (2003), the leaders of APEC expressed the need to develop data privacy principles. The development of these principles led to the creation of the APEC Privacy Framework (Framework) in 2004. The Framework was created to “promote a consistent approach to information privacy protection across APEC member economies, while also avoiding the creation of unnecessary barriers to information flows.”
The Framework outlines nine Principles. The Principles are intended to be interpreted as a whole, rather than individually, and provide guidance and direction on common privacy issues and the impact of privacy issues on individuals, businesses, and governments.
- Preventing Harm: Recognizes an individual’s expectation of privacy and seeks to prevent misuse of personal information and the resulting harm.
- Notice: Requires the controller to “provide clear and easily accessible statements” regarding what personal information is collected and why.
- Collection Limitations: Requires the information be limited to what is relevant to the purposes of collection. Additionally, the collection methods must be lawful.
- Uses of Personal Information: Requires that collection of personal information should only be used to fulfill the purposes of collection and compatible purposes, except: (a) with consent from the individual; (b) when necessary to provide a requested service or product; or (c) if the law permits.
- Choice: Where appropriate, individuals must be given clear, prominent, easily understandable, accessible, and affordable mechanisms to exercise choice over the collection, use, and disclosure of personal information.
- Integrity of Personal Information: Personal information should be accurate, complete, and kept up to date as necessary to fulfill the purposes of the use.
- Security Safeguards: Requires the controller to use appropriate safeguards against risks.
- Access and Correction: Requires the controller to supply the individual, upon request and within a reasonable time and for a reasonable fee, if any, confirmation of what personal information it has collected. Additionally, the individual may be entitled to have their inaccurate information rectified, completed, amended, or deleted.
- Accountability: Requires the controller “be accountable for complying with measures that give effect” to the Principles.
The Principles rely heavily on core values established by the Organisation for Economic Co-Operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines). The OECD Guidelines were first published in 1980 and served as the inspiration for the General Data Protection Regulation (GDPR). As such, many of the Principles outlined above are similar to those found in the GDPR.
The CBPR System
Since 2011, the Framework has been implemented by the CBPR System. The CBPR System is a government-backed certification program that permits organizations to join and demonstrate compliance with the Framework and facilitates cross-border data transfers.
Current member economies participating in the CBPR System include Australia, Canada, the Philippines, the Republic of Korea, Japan, Mexico, Singapore, Chinese Taipei, and the United States. However, all APEC economies have endorsed CBPR and an intention to join. Once an economy joins the CBPR System, it may certify organizations seeking participation in the System. The United States joined the CBPR System on June 26, 2012.
To be certified, organizations must implement privacy policies and practices consistent with the CBPR System requirements and operationalize those policies and practices. The privacy policies and practices must be evaluated by an Accountability Agent (AA). AAs are APEC-recognized entities located in the same economy (i.e., country) where the organization seeking certification is located. Organizations in an economy without an AA cannot be certified.
Once an organization is certified by an AA, the privacy practices and policies become binding and are enforceable. Additionally, in the United States, the AA will inform the Department of Commerce of the organization’s certification for inclusion in the CBPR System Directory.
On January 26, 2021, BBB National Programs became the first nonprofit AA in the United States, making us the seventh AA in the CBPR and PRP Systems. In addition to our CBPR (applies to personal information controllers) and PRP (applies to personal information processors) Programs, which support U.S.-based businesses, we also created the Vendor Privacy Program (VPP) to support personal information processors headquartered outside of the United States.
UP NEXT . . . We’ll be discussing the transition from the CBPR System to the Global Forum.