Last week, Canada became the fourth member of the Asia-Pacific Economic Cooperation (“APEC”) Member Economies to join APEC’s Cross-Border Privacy Rules (“CBPR”) system, following Japan in 2014, Mexico in 2013, and the USA in 2012. The system establishes a privacy framework, adopted by APEC in 2011, which aims to balance the requirement to facilitate the free-flow of information, while providing appropriate protection of personal information
What is the APEC Privacy Framework?
To Canadians, the principles contained in the APEC framework will appear to be a subset of those contained in the Personal Information Protection and Electronic Documents Act (“PIPEDA”), requiring, among other things, the limitation of the collection of information to that which is necessary, requiring privacy notices to individuals, and requiring that personal information be properly secured.
The principles do not replace the existing privacy requirements of each member jurisdiction. While the framework is meant to facilitate the flow of information as part of trade, if the information could not have flown between or among signatories to the CBPR prior to its adoption, the flow of information is not blessed as a result of the system. Rather, the existence of the system provides guidance to businesses in member economies on common privacy issues, encourages compatible approaches to privacy protection, and facilitates greater collaboration of enforcement agencies within each economy as permitted by applicable laws, to address violations of their domestic privacy laws, and, in turn, the framework.
Significance to Business
Canadian businesses may choose to become CBPR certified if they develop and implement data privacy policies that comply with the framework, and have those policies verified by a third party “Accountability Agent”. It is intended that such certification will provide comfort to parties doing business with each other, providing assurance of compliance with the framework. TRUSTe is currently the only Accountability Agent recognized to perform CBPR certification.
Aside from the opportunity to be certified, it remains unclear what the impact of the adoption of the CBPR system will be, given that Canadians already are subject to laws to protect personal information and regulate its use, and Canadian law enforcement already did participate in international efforts to enforce privacy breaches.
The progress of the CBPR and free flow of data as a driver of growth are expected to be key areas of discussion during the upcoming 2015 APEC Ministers Responsible for Trade Meeting on 23-24 May in Boracay, The Philippines. Additionally, since each of Canada, Mexico and USA have all joined the CBPR, any impact of the system will likely first be seen as part of the trade among NAFTA countries before its effects are seen among the APEC member countries more broadly.