On March 6, 2018, Singapore announced that it has joined the APEC Cross-Border Privacy Rules (CBPR) system as well as the APEC Privacy Recognition for Processors (PRP) program. Singapore is the sixth member of the CBPR system, which includes Canada, Japan, Korea, Mexico and the United States, and is the second member of the PRP program after the US.
Faced with a diversity of privacy laws across APEC member countries, APEC established the CBPR program to facilitate the transmittal of personal data across national borders within and between companies and organizations. Companies and organizations in CBPR member countries that collect and use personal data (i.e. data controllers) will be able to obtain CBPR certification through a compliance review process by an independent evaluator. APEC aims through the program to ensure that participating companies will comply with standardized security and privacy measures, to increase consumer and business confidence in certified entities and to align APEC’s privacy framework to internationally accepted standards.
In order for an APEC member to join the CBPR program, it must demonstrate to the APEC Joint Oversight Panel that the country’s data security/privacy laws and enforcement process adhere to mutually agreed upon baseline privacy principles. The prospective member state must also show how it will fulfill the CBPR program requirements for companies seeking certification, including a commitment that the member country will appoint an APEC-approved Accountability Agent to confirm compliance by applicant companies. The APEC PRP program seeks to accomplish similar goals for data processors (i.e. companies that possess data on behalf of data controllers). As with the CBPR, participating member countries must appoint an Accountability Agent to ensure that data processor companies seeking certification comply with program requirements and have adequate compliance measures in place.
The Singapore government noted that its Personal Data Protection Commission is currently working on a certification scheme incorporating both CBPR and PRP standards, with launch scheduled by the end of 2018.
Company participation in the certification process is voluntary. However, as the number of both CBPR program member countries and approved companies rise, companies likely will experience greater benefits from obtaining certification. In addition, APEC and EU regulators have worked closely to align the CBPR program with the EU’s Binding Corporate Rules (BCR) framework which allows for cross-border personal data transfers with entities located in EU member states. As evidenced by the recent Merck example, obtaining CBPR certification for the APEC region may facilitate the BCR authorization process for the EU. As a final note, Australia is preparing to join the CBPR program; with Australia’s participation, CBPR member countries will constitute nearly two-thirds of overall APEC GDP (based on 2016 World Bank data), which arguably makes it even more attractive for companies to go through the CBPR process.