The APEC CBPR Framework has become the model for ensuring interoperability across privacy regimes. Over the past year, more APEC economies, such as South Korea, Australia, and Singapore, have announced participation in the framework enhancing the ability for companies to seamlessly move data across borders.
TrustArc will be co-hosting an event with the U.S. Chamber of Commerce and ITI on March 26, 2018 from 1:00 PM – 5:00 PM ET at 1615 H Street Northwest, Washington, District of Columbia, 20062.
Keynotes will be given by U.S. Secretary of Commerce Wilbur Ross and acting FTC Chair Maureen Ohlhausen.
Join us for a discussion with U.S. government leaders, APEC leaders, and industry representatives to better understand how the framework works and the benefits it provides to both companies and countries that participate and adopt its principles.
There will be a networking reception after the discussion; you can see the full agenda here.
The CBPR and PRP systems continue to build momentum in the Asia Pacific region, with Singapore becoming the sixth APEC economy to join the CBPR system and the second to join the PRP system. This follows on the heels of South Korea’s announcement late last year.
In the digital economy, data-related economic activities often straddle borders, as services – particularly digital services – can easily scale regionally if not globally. As a globally connected digital economy, Singapore supports open data flows across borders and robust data protection standards to ensure that data is exchanged and used in a responsible way. – Office of the Personal Data Protection Commission (PDPC)
Singapore submitted its Notice of Intent to participate in the APEC CBPR and PRP systems in July, and was approved by the APEC Joint Oversight Panel in February.
As described by Singapore’s Ministry of Communications and Information in Tuesday’s press release, “[t]he APEC CBPR and PRP systems are multilateral certification mechanisms that ensure certified organisations have in place data protection policies consistent with the APEC Privacy Framework. CBPR applies to data controllers, which include organisations that control the collection, holding, processing, or use of data. PRP applies to data processors, which include organisations that process data on behalf of other organisations at their instruction.”
It is the second economy to join the PRP system, alongside the USA, and joins the following APEC economies in CBPR participation: USA, Mexico, Canada, Japan and the Republic of Korea. The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers. Participating in the APEC system offers benefits to companies because it allows transfer of personal data across borders, while mitigating risk by raising privacy standards.
TRUSTe was named the first Accountability Agent for the system in June 2013. Learn more about obtaining a TRUSTe CBPR certification here.
TrustArc GDPR Privacy Workshop
Boston, New York, Chicago & Washington DC
The GDPR Privacy Workshops are free events that feature informative guidance, peer discussions and practical solutions to achieve GDPR compliance.
Topics discussed will include Data Mapping, Records of Processing Activities, Article 30 Reports, DPIAs / PIAs, Article 35 Reports, Individual Rights Management, GDPR HR Data Considerations, and GDPR Technology Solution & Tool Demonstrations.
> Reserve your seat to a March GDPR Privacy Workshop today
Appointing and Supporting the DPO role. What Tools do you Need?
March 14 @ 9AM PT / 12PM ET / 5PM GMT
One of the most common concerns among companies preparing for the GDPR is how to address the Data Protection Officer (DPO) requirements. Do I need a DPO? Do they have to be based in Europe? Can they also be the Chief Privacy Officer?
The webinar will provide guidance on how to address Article 37 as well as:
- Review GDPR requirements
- Receive guidance on how to address Article 37
- Hear commentary from DPOs as to how they plan to provide the role and the tools they need to be successful
> Register here
Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) Discussion
The APEC CBPR Framework has become the model for ensuring interopaberaiblity across privacy regimes. Over the past year, more APEC economies, such as South Korea, Australia, and Singapore, have announced participation in the framework enhancing the ability for companies to seamlessy move data across borders. Join us for a discussion with APEC leaders and industry representatives to better understand how the framework works and the benefits it provides to both companies and countries that participate and adopt its principles.
TrustArc will be co-sponsoring the event.
> Learn more here
IAPP Global Privacy Summit 2018
The world’s premier privacy and data protection conference focuses on international topics, policy and strategy. Recognized as a leading forum for discussion, the Summit features expert speakers and top regulators, and delivers unmatched education and networking opportunities.
Stop by TrustArc Booth #12 to say hi or attend one of the sessions we’re speaking on:
- TrustArc James Koons will be speaking on a panel alongside representatives from IBM, HCL Technologies & IAPP on “Operationalizing Privacy Tech: A Practitioner’s Perspective” on 3/27 at 2pm
- TrustArc Janalyn Schreiber will be speaking at the Little Big Stage session “Follow the Data: Best Practices & Tips on Meeting GDPR Article 30 Requirements” on 3/27 at 3:55pm
- TrustArc Hilary Wandall will be speaking on a panel alongside representatives from UK ICO, IAF and Bristows on “Demonstrating Responsible Use Through Legitimate Interests” on 3/28 at 9:30am
> Learn more here
In September 2016, Japan passed the “Amended Act on the Protection of Personal Information (APPI)” with implementing regulations released in January, 2017. The final revised law is set to go into effect on Tuesday, May 30, 2017. Key changes under the new law include:
- Establishment of the Personal Information Protection Commission (PPC): The new PPC serves as the central supervisory authority for the APPI. Previous authority was divided across multiple regulatory authorities by sector.
- Establishment of a Legal Framework for Anonymously Processed Information: The revised APPI provides specific guidance on the use of anonymized data (including approved methods for anonymizing data).
- Response to Globalization of Data Flows: New restrictions on international transfers, PPC enforcement and investigative cooperation with foreign enforcement authorities and the extraterritorial application of the APPI have also been included.
The Role of APEC CBPRs in the APPI
Article 24 of the APPI imposes restrictions on the transfer of personal information of Japanese citizens to third parties in foreign countries. Exemptions to these restrictions include when a third party has established a system which meets the Rules of the Commission to “continuously implement equivalent necessary measures.” The regulations for implementing Article 24 specifically call out a company’s APEC Cross Border Privacy Rules (CBPR) certification as satisfying this requirement. Most importantly, the APPI allows either the data controller or the data processor to meet this requirement through CBPR certification. As such, your company’s CBPR certification will permit you to both transfer and receive personal information pursuant to the APPI.
In March, 2016, the Japanese Institute for the Promotion of Digital Economy and Communication (JIPDEC) was approved to serve as an accountability agent under the CBPR system, joining TRUSTe, named the first accountability agent for APEC Cross Border Privacy compliance in June 2013.
The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers. CBPR implementation has continued to gain momentum recently with South Korea submitting its application to join the system in January, and Singapore and the Philippines announcing their intention to do the same later this year. TRUSTe was named the first accountability agent for the system in June 2013. The next meeting of APEC’s Data Privacy Subgroup will take place in August, in Ho Chi Minh City, Vietnam.
To learn more about obtaining a TRUSTe CBPR certification click here.
1) Jurisdiction-Specific Transfer Benefits: In Japan, companies that have a CBPR certification do not have to obtain consent to transfer data to another country, which is otherwise required under Japanese law.
2) Facilitation of APEC-European Interoperability: An APEC CBPR certification may make it easier for an organization to obtain approval of their Binding Corporate Rules in the European Union. Since 2013, APEC member Economies and EU officials have been collaborating to promote interoperability between the two regional transfer mechanisms.
3) Alignment with Global Frameworks: An APEC CBPR certification is based on many of the same principles that inform the OECD Guidelines, the Fair Information Practice Principles, the EU-U.S. Privacy Shield, and the General Data Protection Regulation. As such, a CBPR certification will help align your organization’s policies to a range of international privacy frameworks.
4) In-Network Transactional Streamlining: If you have an APEC CBPR certification, the privacy practices of your organization will be in line with other CBPR-certified organizations, thereby facilitating transactions between participants
5) Global Trade Facilitation: An APEC CBPR certification makes conducting business in participating economies easier, and helps to facilitate the increasing trade relationship between APEC economies:
The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers. TRUSTe was named the first accountability agent for the system in June 2013. To learn more about obtaining a TRUSTe CBPR certification click here.