On June 26, 2012 the U.S. Department of Commerce announced the United States' participation in the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules ("CBPR") System.1 The United States is the first non-Asian-Pacific country to join the organization. Now, businesses in the United States may voluntarily comply with the CBPR System and engage in data sharing with Member Economies in APEC, without additional data privacy protection hurdles.2 The CBPR System is entirely voluntary and does not affect Federal or State laws; thus, organizations in the United States must still comply with relevant Federal and State statutes. The CBPR System, rather, supplements data privacy protections for organizations in the United States that do business in or share information with APEC member economies.3
On July 26, 2012, Acting U.S. Secretary of Commerce Rebecca Blank stated that "This system will enable participating companies in the United States and other APEC member economies to more efficiently exchange data in a secure manner and will enhance consumer data privacy by establishing a consistent level of protection and accountability in the APEC region."4
APEC was founded in 1989, and is an inter-governmental group, which promotes non-binding commitments to increase economic growth in the Asia Pacific region.5 APEC Member Economies represent more than 50% of the world's GDP. APEC members include Australia, Brunei, Canada, Chile, China, Hong Kong, Indonesia, Japan, Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, the Philippines, Russia, Singapore, Taiwan, Thailand, the United States and Vietnam.6
The CBPR System was developed by APEC with assistance from the Federal Trade Commission and the Department of Commerce, as a voluntary, certification-based system.7 The CBPR System provides a minimum level of data privacy practices for companies doing business in participating APEC Member Economies.8 The CBPR System aims to ensure information privacy protection, increase the free flow of information in the Asia Pacific region, and improve customer confidence while growing electronic commerce.9
The CBPR System consists of four elements: (1) Self-Assessment, (2) Compliance Review, (3) Recognition/Acceptance and (4) Dispute Resolution and Enforcement.10 In order to comply with the CBPR System, organizations must first conduct a Self-Assessment of their data privacy policies, in comparison with the APEC Privacy Framework. This is done with an APEC-recognized questionnaire.11 The completed questionnaire and any associated documents are then submitted to an APEC-recognized Accountability Agent to review. The Agent then conducts the Compliance review, to ensure that the organization does not fall below the minimum CBPR program requirements.12 If compliant, APEC will certify the organization, and the organization will be eligible for Recognition/Acceptance.13 Under this third element, the organization's business details will be published in an APEC-hosted website for consumers and stakeholders to reference.14 Finally, Enforcement and Dispute Resolution is administered through the Cross-Border Privacy Enforcement Authority.15 In the United States, enforcement will be handled by the Federal Trade Commission; the FTC was also approved as the CBPR System's first enforcement authority.16
Consumer data privacy and protection continue to be an active area of the law, both domestically and internationally. As the economy becomes more globalized, the trend is towards harmonizing data privacy standards to increase efficiency and consistency in the global economy. To keep ahead of such changes, companies should regularly assess their privacy policies and data handling protocols in light of recent prosed legislation and international cooperative agreements, and ensure that they comply with the minimum standards established.