Cross-Border Privacy Rules System Moves Forward

The United States recently received approval as the first formal participant in the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules System (“CBPR”). The APEC’s CBPR is a self-regulatory code of conduct designed to create more consistent privacy protections for consumers when their data moves between countries with different privacy regimes in the APEC region (the APEC countries include the United States, as well as Australia, Brunei, Canada, Chile, China, Hong Kong, Indonesia, Japan, Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, the Philippines, Russia, Singapore, Taiwan, Thailand, and Vietnam). The CBPR is a voluntary code of conduct, and businesses that participate will have compliance enforced by an “Accountability Agent.” The Department of Commerce has now published a notice that it will soon begin seeking applications from independent entities that wish to be certified as Accountability Agents. Accountability Agents will review companies’ applications to participate in the CBPR system, and serve as the first level in the dispute resolution procedures. For disputes that cannot be resolved, the Federal Trade Commission will serve as the reviewing body, serving, in essence, as the final stop in the CBPR’s enforcement process. Under the CBPR, participating businesses must develop their own internal business rules on cross-border privacy procedures. These rules will then be reviewed, approved and certified by an Accountability Agent. The review process will investigate whether the company’s privacy practices are in line with the nine “Privacy Principles” set out in APEC’s Privacy Framework. If the Accountability Agent certifies the company as compliant, the company should then be able to transfer personal data among all participating countries without running afoul of local laws. So far, the United States is the only participating country.

TIP: We will continue to monitor the development and implementation of the Cross-Border Privacy Rules System. This program could serve as a streamlined way for international organizations to more easily transfer personal data around the globe.