The APEC CBPR System: An Overview

People depend on technology and the internet to study, work, purchase goods, and pay for services. These acts often process the personal data of consumers. The collection, use, and transfer of data also becomes increasingly crucial with digital technologies continuing to evolve and innovate.

The Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System helps meet citizens’ privacy expectations while supporting the free flow of information. Established by the APEC in 2011, the system is a voluntary, enforceable, and accountability-based certification scheme based on the APEC Privacy Framework that facilitates the responsible transfer of personal data across borders.

The Philippines formally joined the CBPR system in 2020, led by the National Privacy Commission, with the goal of paving the way for Filipino businesses to enter larger markets within the Asia-Pacific by minimizing dataflow barriers and adopting data privacy standards consistent with other jurisdictions.

Organizations that choose to participate in the CBPR System should implement privacy policies and practices that are consistent with the CBPR program requirements for all personal information that they have collected or received that are subject to cross-border transfer to other participating APEC economies. These privacy policies and practices would then be evaluated by an APEC-recognized Accountability Agent for compliance with the CBPR program requirements. Once an organization has been certified for participation in the CBPR System, these privacy policies and practices will become binding as to that participant and will be enforceable by an appropriate privacy enforcement authority to ensure compliance with the CBPR program requirements.

CBPR’s market power for companies and organizations

Being CBPR-certified can be a competitive advantage for companies and organizations. The CBPR builds trust among customers by demonstrating an organizational commitment to privacy. Having a CBPR certification is an indication that appropriate technical and organizational measures to safeguard personal data are well in place.

Likewise, a CBPR certification can be useful for companies in assessing third parties to whom they transfer personal data. A CBPR certification holder is able to show that it can meet the privacy and data protection standards within the participating economies.

Benefits to governments

Growing public concern about data breaches and misuse of personal data presents a challenge to any country. Thus, government leaders are prompted to push for strategies and policies for data privacy and protection. By joining the CBPR system, a government can protect their citizens’ privacy, especially when their personal data are transferred across other jurisdictions. The CBPR System provides for baseline privacy and data protection standards and facilitates the cooperation of privacy enforcement authorities through the Cross-border Privacy Enforcement Arrangement (CPEA).

Attaining consumer trust requires commitment and investment. The CBPR system assists governments, businesses, and organizations in giving the public better privacy experiences while making the most out of the global trade of data

Global CBPR Forum

In April this year, member economies of the APEC CBPR System, including the Philippines, declared to institute a new, independent forum based on the APEC CBPR and Privacy Recognition for Processors (PRP) Systems. The Global CBPR Forum intends to establish an international certification system supporting interoperable privacy regulations and providing effective and enforceable data privacy protections for governments, regulators, and companies globally.

With the growing digital economy and the need for the movement of data across borders to support global trade, the Global CBPR Forum would be helpful in achieving trustworthy data flows across different jurisdictions.