Privacy & Cybersecurity Law Blog

The APEC Cross-Border Privacy Rules (“CBPR”) system for information controllers received a significant boost during the recent APEC privacy meetings in the Philippines when APEC finalized a corollary certification scheme for information processors, the APEC Privacy Recognition for Processors (“PRP”). As we previously reported, the PRP allows information processors to demonstrate their ability to effectively implement an information controller’s privacy obligations related to the processing of personal information. In addition, the PRP enables information controllers to identify qualified and accountable processors, as well as assist small or medium-sized processors that are not widely known to gain visibility and credibility. Combined, the CBPR for controllers and PRP for processors now covers the entire information ecosystem, promising to motivate additional APEC economies to join both the CBPR and PRP systems, as well as incentivizing larger numbers of controllers and processors to seek certification.

The APEC Data Privacy Subgroup (“DPS”) and its parent committee, the Electronic Commerce Steering Group (“ECSG”), finalized the PRP during their latest round of meetings from August 25 to August 31, 2015, in Cebu, Philippines. The Centre for Information Policy Leadership ("CIPL") at Hunton & Williams participated as an official “guest” of APEC. Completing the PRP system was one of the principal goals at these meetings. Although the substantive program requirements had already been finalized by APEC in early February this year, the PRP governance structure, as well as the details of how APEC economies could join and implement the PRP system, remained to be developed intersessionally in the months leading up to the August meetings in Cebu. Now that both the substantive requirements and the operational aspects of the PRP have been completed and officially endorsed by APEC, individual APEC economies and third party certifiers, or “Accountability Agents,” may join the PRP system. Following that step, information processors seeking PRP certification also can apply to Accountability Agents, similar to the current process under the CBPR system.

Other APEC items

Other key items on the DPS and ECSG agendas included (1) ongoing implementation of the CBPR across the APEC region, including adding more APEC economies and Accountability Agents to the system; (2) continuing the collaboration between APEC and the Article 29 Working Party to develop processes to streamline “dual certification” under the CBPR and EU Binding Corporate Rules; and (3) updating certain portions of the APEC Privacy Framework.

CIPL CBPR/PRP workshop

CIPL also held a well-attended, half-day workshop in the margins of the APEC meetings on “The Ins and Outs of the APEC Cross-Border Privacy Rules (CBPR) and their Role in Enabling Legal Compliance and International Data Transfers – A Workshop for Controllers, Processors and Regulators in the Asia-Pacific Region.” During the workshop, panelists from industry, governments and APEC privacy enforcement authorities, as well as audience members, discussed the benefits of the CBPR and PRP systems to Asia-Pacific-based information controllers and processors and the roles these codes of conduct and cross-border transfer mechanisms can play in an organization’s domestic and international compliance strategies.

Next APEC Privacy meetings

The next round of meetings will be held in Peru at the end of February 2016.