Cross Border Privacy Rules
Feb 21, 2017
Cross Border Privacy Rules (CBPR)
What is it?
CBPR is a voluntary accountability-based system endorsed by APEC Leaders in 2011.
The purpose is to facilitate privacy-respecting data flows among APEC economies.
It has four main components:
(1) self-assessment
An organization self-assesses its own data privacy policies and practices against the requirements of the APEC Privacy Framework using an APEC-recognized CBPR questionnaire. The questionnaire is provided by an APEC-recognized Accountability Agent.
The completed questionnaire and supporting documents are then sent to an APEC-recognized Accountability Agent for confidential review. The company may ask some related questions. If the company is deemed compliant, it can be listed on an APEC-hosted website to demonstrate its certification to stakeholders.
(2) compliance review
An APEC-recognized Accountability Agent reviews an organization's privacy policies and practices as described in the self-assessment questionnaire. Program requirements are designed to provide the minimum standard for consistency across participating Economies. As a condition of APEC recognition, Accountability Agents are required to release anonymised case notes and complaint statistics. Complaint handling is an important element of the CBPR System.
(3) recognition/acceptance
APEC Economies will establish a publicly accessible directory of organizations with company contact details.
(4) dispute resolution and enforcement
APEC plays a critical role in the Asia Pacific region by promoting a policy framework designed to ensure the continued free flow of personal information across borders while establishing meaningful protection for the privacy and security of personal information.
Accountability Agents should be able to enforce the CBPR program requirements through law or contract.
Current situation and how does it relate to Japan?
As of February 2016, the process is in its infancy, with only 14 companies having been through it. Japan, Canada, Mexico, and the United States participate in the program, and it has relatively little name recognition.
There are two certified Accountability Agents: JIPDEC in Japan and TRUSTe in the USA.
On December 20, 2016, IntaSect Communications, Inc., examined by JIPDEC, became the first CBPR-certified business in Japan.
The system's main supporters focus on its main merit: efficiency. One company reported that the CBPR process helped considerably in its application for binding corporate rules (BCR) in the EU, shortening the time for BCR completion to nine months and reducing costs by nearly 10 percent.
Companies also reported a feeling of future-proofing, which has been borne out by the recent change in Japan’s Personal Information Protection Act, which says that personal data must not be transferred outside of Japan unless the Japanese data protection authority has deemed the data protection regime to be up to Japanese standards. It is thought that those with CBPRs or BCRs in place will qualify, regardless of country of origin, following a Japanese political statement to that effect, though that has not been officially codified yet.