Privacy & Information Security Law Blog

On July 14, 2016, the Federal Trade Commission issued warning letters to 28 companies relating to apparent false claims of participation in the APEC Cross-Border Privacy Rules (“CBPR”).

The warning letters state that the companies’ websites represent APEC CBPR certification even though the companies do not appear to have undertaken the necessary steps to claim certification, such as a review and approval process by an APEC-recognized Accountability Agent.

The letters further inform the companies that falsely claiming participation in an international privacy program such as the CBPR may subject them to an enforcement action under the FTC’s deception authority pursuant to Section 5 of the FTC Act. The letters also request that the companies remove the apparent misrepresentations or contact the FTC with confirmation that they have, in fact, undergone the appropriate certification process.

This APEC CBPR enforcement initiative follows on the FTC’s May announcement of its first APEC CBPR enforcement matter against a company falsely claiming CBPR certification.

The APEC CBPR system is a regional, multilateral, cross-border data transfer mechanism and enforceable privacy code of conduct developed for businesses by the 21 APEC member economies. The CBPRs implement the nine high-level APEC Privacy Principles set forth in the APEC Privacy Framework. Currently, the U.S., Mexico, Canada and Japan are participants in the APEC CBPR framework. Other APEC economies are in the process of determining how and when they may join.