For organizations headquartered in the US and operating globally, there is a myriad of security and privacy requirements (standards, frameworks, and regulations) they must comply with. Each varies in the level of audit rigor, compliance oversight, and ongoing requirements. For businesses trying to demonstrate the highest level of privacy, APEC CBPR is the only choice. APEC CBPR is designed to enhance consumer privacy. In the US, businesses wanting to demonstrate that high bar of security under APEC CBPR need to go through a rigorous third-party audit by a recognized Accountability Agent.
The APEC Cross-Border Privacy Rules (CBPR) System, endorsed by the Asia-Pacific Economic Cooperation in 2004, is a voluntary, enforceable, international, accountability-based system that facilitates privacy-respecting data flows among APEC economies. CBPR provides a standard set of principles designed to enhance electronic performance, facilitate trade and economic growth, and strengthen consumer privacy protections.
To date, CBPR is one of the few frameworks and certification processes in the world, and it’s the only framework with independent accountability oversight elements. Unlike its counterparts, CBPR has real, enforceable requirements and, thus, is a powerful means of demonstrating dedication to protecting customers’ data.
How does the APEC CBPR work?
The APEC Cross Border Privacy Rules System is for personal information controllers (referred to as “controllers”) and is enforced through a country's enforcement authority (such as the Federal Trade Commission in the US) as part of the program’s Cross Border Privacy Enforcement Arrangement (CPEA). Any organization handling personal data could seek certification; however, the organization can only receive certification from a recognized accountability agent within a country that is subject to an enforcement authority.
CBPR has four main components:
- Recognition criteria for organizations seeking to become an APEC CBPR System certified Accountability Agent.
- An intake questionnaire for organizations seeking to be certified as APEC CBPR System compliant by a third-party CBPR system certified Accountability Agent.
- Assessment criteria for use by APEC CBPR System certified Accountability Agents when reviewing an organization’s answers to the intake questionnaire.
- A regulatory, cooperative arrangement (referred to as the CPEA) to ensure each of the APEC CBPR system program requirements can be enforced by participating APEC members and economies.
There are several bodies involved in ensuring independent accountability both within the framework and of certified organizations, making this one of the most unique privacy programs available.
Should an organization in the US decide to pursue APEC CBPR certification, they would first reach out to one of the four recognized Accountability Agents in the US (one of which is NCC Group) and complete a self-assessment intake questionnaire. The Accountability Agent reviews the intake, completes an examination and analysis, and works with the applicant on improving their privacy program.
Once the process of certification is completed and they earn the Accountability Agent’s certification, they join the CBPR Directory of recognized companies. Recognition includes the ability to add the certification seal to their website and materials.
Should a customer or concerned individual have a complaint about how the organization handles data protection, they could locate them in the directory and report them to the Accountability Agent on file. From there, the Accountability Agent, independent from the organization, could launch an investigation into the practices and mitigate the situation through dispute resolution.
What are the CBPR Requirements?
APEC CBPR has 50 controls that expand across 9 Privacy Principles, including the following: Accountability, Preventing Harm, Notice, Choice, Collection Limitation, Use of Personal Information, Integrity of Personal Information, Security Safeguards, and Access and Correction.
The APEC Cross Border Privacy Rules System is for personal information controllers (referred to as “controllers”) and is enforced through a country's enforcement authority (such as the Federal Trade Commission in the US) as part of the program’s Cross Border Privacy Enforcement Arrangement (CPEA). Any organization handling personal data could seek certification; however, the organization can only receive certification from a recognized accountability agent within a country that is subject to an enforcement authority.
Accountability
This section is directed towards ensuring the organization is accountable for complying with the measures mentioned above. Additionally, it outlines how they stay in direct contact with their Accountability Agent to meet due diligence.
Preventing Harm
This section ensures that information collected or maintained does not harm an individual and is utilized for the sole purpose for which it was collected in the first place.
Notice
This section ensures that individuals understand the applicant’s personal information policies (subject to any qualifications), including to whom the personal information may be transferred and covers the purpose for which the personal information may be used.
Choice
Controls falling under “Choice” help ensure that individuals are provided with choice related to data collection, use, and disclosure of said personal information. This principle recognizes through the words “where appropriate” that there are certain situations where consent may be implied. More details on the specifics of these situations can be found in part II of the CBPR Self-Assessment Guidelines for Organizations.
Collection Limitations
Collection limitation controls are evaluated to ensure that the collection of user information is limited to the specific purpose stated by the organization at the time of collection. Information collection must be relevant, clearly expressed, and proportional to the organization’s service fulfillment. Moreover, all instances of information collection are required to be both lawful and fair.
Uses of Personal Information
Personal information can only be used to fulfill the specific purposes disclosed by the organization. This section of the evaluation covers the use, transfer, and disclosure of personal information. Namely, it determines whether a purpose is compatible with or related to the stated purpose of use, and judges whether it’s fair and legal.
Integrity of Personal Information
The questions in this section are directed toward ensuring that the personal information controller implements systems that maintain the accuracy and completeness of records to keep them up to date. This is also recognized only up to the extent necessary for use.
Security Safeguards
This section asks how the organization ensures they have implemented reasonable safeguards to protect individuals’ personal data and will continue to do so to protect it from loss, unauthorized access, or disclosure.
Access and Correction
The questions in this section help ensure that individuals can access and correct their information. There are specific conditions listed that would be considered reasonable in providing access, which will also be conditioned by security requirements (precluding the provision of direct access to information and requiring sufficient proof of identity).
The details of the procedures change depending on the nature of the data and other interests, which is why in certain circumstances, it may even be impossible, impractical, or utterly unnecessary to change, suppress, or delete records.
While the ability to change and access personal information is generally regarded as a central aspect of privacy protection, it is not an absolute right. Organizations should always make reasonable faith efforts to provide access, but it may be necessary to deny claims for access or correction. This section also outlines the procedures for this circumstance.
Is APEC CBPR Specific to Asian Economies or Corporations Working with Them?
No. While APEC is an intergovernmental forum for 21 member economies which promotes free trade throughout the Pacific Rim, CBPR is fully international. It is currently active between the USA, Mexico, Japan, Canada, Singapore, the Republic of Korea, Australia, Chinese Taipei, and the Philippines, with more expected to join soon.
Additionally, the APEC Electronic Commerce Steering Group (ECSG) and the EU Article 29 Working Party have produced a common referential for the requirements of the APEC CBPR system and the EU Binding Corporate Rules.
Is the APEC CBPR framework right for my organization?
The APEC privacy framework is thorough, international, and maintains a component of continued oversight once certification is maintained. As a process, it meets not only a large number of GDPR controls but also several US-specific compliance regulations.
One of the key CBPR principles is “Preventing Harm” which requires a business to have systems designed to prevent harm to individuals from wrongful collection and misuse of information. Therefore, privacy protections need to be in place to meet local laws, regulations, and enforcement mechanisms. When you certify under APEC CBPR, you will not only have to demonstrate how you achieve this but, more broadly, demonstrate your overall commitment to consumer privacy.
Applicant Intake Documents for NCC Group's APEC CBPR & PRP Certification
APEC CBPR for Data Controllers
For data controllers, the APEC CBPR Certification represents a voluntary, enforceable, international, accountability-based system that facilitates privacy-respecting data flows among APEC economies. CBPR provides a standard set of principles designed to enhance electronic performance, facilitate trade and economic growth, and strengthen consumer privacy protections.
APEC PRP for Data Processors
For data processors, the APEC PRP Certification represents the requirements a data processor must meet in order to demonstrate the ability to assist data controllers in meeting their APEC CBPR privacy requirements.
For even more information, please visit www.cbprs.org.
Want to learn more about the APEC CBPR?
Read more about why you may want to verify your third-party vendors with CBPR, or reach out to an NCC Group expert to see if APEC CBPR is a good fit for your business.
NCC Group is one of four Accountability Agents in the United States (and one of eight globally) recognized to perform CBPR certifications on US organizations. We work in coordination with the Federal Trade Commission (FTC) to ensure that the certification performed is thorough.