Privacy & Cybersecurity Law Blog

On April 30, 2014, the Asia-Pacific Economic Cooperation (“APEC”) released the Findings Report of the Joint Oversight Panel of the APEC Cross-Border Privacy Rules (“CPBR”) system, confirming that Japan has met the conditions for participation in the CBPRs. Accordingly, Japan has now joined the U.S. and Mexico as a participant in the APEC CBPRs. Canada recently expressed its intent to join the system soon, and other APEC economies are in the process determining how and when they may join.

Japan submitted its “Notice of Intent to Participate in the CBPR System” to the Joint Oversight Panel in June of 2013. As required by the applicable CBPR governance rules, Japan included in its Notice of Intent a list of 15 Japanese “Privacy Enforcement Authorities” that are members of the APEC Cross-border Privacy Enforcement Arrangement (“CPEA”), and indicated that it intends to make use of at least one APEC-recognized “Accountability Agent.” Accountability Agents are third party organizations that review and certify businesses for participation in the CBPRs. Finally, Japan also provided a description of its domestic laws and enforcement mechanisms that would apply to a Japanese Accountability Agent’s CBPR-related activities, as well as the required “APEC CBPR System Program Requirements Enforcement Map,” which describes how the CBPRs are enforceable under Japanese law.

The APEC CBPR system is a regional, multilateral cross-border data transfer mechanism and enforceable privacy code of conduct developed for businesses by the 21 APEC member economies. The CBPRs implement the nine high-level APEC Privacy Principles set forth in the APEC Privacy Framework. Although all APEC economies have endorsed the system, in order to participate individual APEC economies must officially express their intent to join and satisfy certain requirements.