Privacy & Information Security Law Blog

On April 15, 2015, the Asia-Pacific Economic Cooperation (“APEC”) Electronic Commerce Steering Group issued a press release announcing Canada’s participation in the APEC Cross-Border Privacy Rules (“CBPR”) System. The U.S. Department of Commerce’s International Trade Administration also released an official press statement.

The Findings Report of the Joint Oversight Panel for the APEC CBPR system, which confirmed that Canada had met the conditions for participation, was released earlier on April 1, 2015. Canada now joins the U.S., Mexico and Japan as a participant in the APEC CBPR system. Other APEC economies are in the process of determining how and when they may join.

Canada submitted its Letter of Intent to participate in the CBPR system to the Joint Oversight Panel in August 2014. As required by the applicable CBPR governance rules, Canada confirmed in its Letter of Intent that the Privacy Commissioner of Canada is a participant in the APEC Cross-Border Privacy Enforcement Arrangement, and indicated that it intends to make use of at least one APEC-recognized “Accountability Agent.” Accountability Agents are third party organizations that review and certify businesses for participation in the CBPRs. Canada also provided a description of its domestic laws and enforcement mechanisms that would apply to a Canadian Accountability Agent’s CBPR-related activities, as well as the required “APEC CBPR System Program Requirements Enforcement Map,” which describes how the CBPRs are enforceable under Canadian law.

The APEC CBPR system is a regional, multilateral, cross-border data transfer mechanism and enforceable privacy code of conduct developed for businesses by the 21 APEC member economies. The CBPRs implement the nine high-level APEC Privacy Principles set forth in the APEC Privacy Framework. Although all APEC economies have endorsed the system, in order to participate, individual APEC economies must officially express their intent to join and satisfy certain requirements.