The CBPR system continues to build momentum in the Asia Pacific region, with S. Korea becoming the latest APEC economy to submit its Intent to Participate. This comes on the heels of Taiwan’s announcement that it will follow suit later this year.
Korea offers significant market opportunity for American exporters. Korea’s participation in the APEC CBPR System will promote digital trade, benefit companies in the United States and around the region, and drive uptake of higher privacy standards for consumers in the Asia-Pacific, said Acting Assistant Secretary for Industry and Analysis Ted Dean in response to this week’s announcement.
On Monday, an APEC-sponsored readiness survey showed that more than 57% of APEC members planned to join or were considering joining the system, including the Philippines, Australia, Hong Kong, China, Russia, Singapore and Viet Nam.
In addition to the submission by S. Korea and the announcement from Taiwan, current members include the United States, Mexico, Canada and Japan. The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers. Participating in the APEC system offers benefits to companies because it allows transfer of personal data across borders, while mitigating risk by raising privacy standards. TRUSTe was named the first Accountability Agent for the system in June 2013. Learn more about obtaining a TRUSTe CBPR certification here.
On November 20, the Heads of State for the 21 APEC member economies met in Lima, Peru at the annual APEC Leaders’ meeting. In their Joint Declaration, APEC Leaders once again recognized “the importance of implementing the APEC Cross-Border Privacy Rules (CBPR) System, a voluntary mechanism whose participants seek to increase the number of economies, companies, and accountability agents that participate in the CBPR System.” During his press conference in Lima, President Obama specifically called out the group’s endorsement as a way to advance the digital economy and “to protect the privacy of personal information as it crosses borders.”
High-level recognition of and commitment to the CBPR system comes as more APEC economies formulate plans to join. Last week, Chinese Taipei announced its intention to join the system. And in a recent readiness survey released in October by the Government of Vietnam, South Korea and the Philippines both indicated they intend to join the system.
For its part, Japan, which joined the system last year, has been finalizing regulations to implement its new data protection law. The Government of Japan has indicated that it will specifically name the CBPRs as an approved transfer mechanism for data out of Japan. These regulations are expected to be released by the end of this year. More information on CBPRs and related trade initiatives can be found on the White House’s APEC outcomes fact sheet.
Over the last three weeks, privacy-focused events in China, South Korea and Singapore have highlighted the growing momentum of APEC’s Cross Border Privacy Rules (CBPR) system in the region.
- On June 29, China’s Ministry of Commerce, Foreign Ministry, General Administration of Customs and the China International Electronic Commerce Centre (CIECC) hosted the 6th APEC E-Commerce Business Alliance (ECBA) Forum in Jinjiang, Fujian province, China. The U.S. representatives to the ECBA are TRUSTe’s Director of Policy, Josh Harris; Markus Heyder, Vice-President of the Centre for Information Policy Leadership; and Manuel Maisog, partner at Hunton & Williams, Beijing. In his keynote address, APEC Secretariat Executive Director Alan Bollard emphasized the regional economic benefits of the free flow of data and encouraged government officials in attendance to join the CBPR system. At the closing of the forum, the ECBA released the Jinjiang Proposal, as drafted by ECBA members, which encouraged all APEC economies to participate in the CBPR system.
- On July 13, the Korea Internet and Security Agency (KISA) hosted the 5th International Conference on Information Security in Seoul, South Korea, where TRUSTe Policy Director Josh Harris and Professor Choi Kyoung Jin of Gachon University discussed the potential implementation of the CBPR system in South Korea.
- On July 18, the Centre for Information Policy Leadership, along with the Asia Pacific Economic Cooperation, hosted a joint workshop, “Enabling Legal Compliance and Cross-Border Data Transfers with the APEC Cross-Border Privacy Rules (CBPR)”, in Singapore. CBPR-certified companies, including Apple, Cisco, HP and Merck, along with TRUSTe, joined Singapore’s Assistant Privacy Commissioner Zee Kin Yeong in discussing the advancement of the regional system.
- Finally, on July 19, the International Association of Privacy Professionals hosted the IAPP Asia Privacy Forum 2016 in Singapore. Panel discussions included “Preparing for and Executing CBPRs”, moderated by Ken Chia, Principal, Baker & McKenzie. Panelists included Grace Guinto, Digital Trust Manager at PwC, Australia; Professor Hiroshi Miyashita, Chuo University; and New Zealand Assistant Privacy Commissioner Blair Stewart.
The increased focus on CBPRs in Asia comes as Japan recently put forward JIPDEC as the country’s first ‘Accountability Agent’ under the CBPR system. Japan’s Ministry of Economy, Trade and Industry has confirmed that CBPR certification will serve as a basis for transfer of personal data out of Japan under the implementing guidelines for Japan’s recently reformed privacy law. TRUSTe has been an APEC-endorsed Accountability Agent since 2013. More information on CBPRs can be found at https://www.truste.com/business-products/apec-accountability/.
Latin America is in the summer spotlight with the hosting of the International Olympic Games in Brazil and the 100th anniversary of the Copa América futbol tournament, making this a timely moment to take stock of where data privacy regimes stand in Latin America.
Powered by new education initiatives and increased investment in telecom network infrastructure, Internet usage in Latin America is burgeoning. Public-private partnerships, evolving finance laws, and an explosion in mobile broadband adoption have led to an environment in which, since 2008, Internet usage has more than doubled. Observers estimate that sixty percent of Latin Americans will have Internet access in 2016.
However, before an organization seeks to establish its presence in Latin America, it would do well to recognize that the vast region is not a monolith. On the contrary, the region is comprised of a multiplicity of languages, cultures and privacy laws. Given the absence of any omnibus regional law or EU-like set of directives, companies must assess their business models and data monetization strategies in the context of each country’s framework.
The July TRUSTe Client Advisory Note was prepared by Darren Abernethy J.D., CIPP/US, CIPM, Privacy Solutions Manager at TRUSTe, and provides an overview of some of the key privacy themes and differences across the region for enterprises considering their involvement in these developing markets.
Key themes and requirements covered in the Advisory include:
- Data Protection Authority (DPA) registration requirements
- Adequacy and cross-border data transfers
- Recent DPA enforcement actions
- Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules
- Data security & data breach notification requirements
- Appointment of a Data Protection Officer (DPO)
- The “Right To Be Forgotten” (RTBF)
The Advisory also includes a list of key takeaways for companies seeking to comply with Latin American privacy requirements.
If you would like a copy of this latest Client Advisory Note then look out for your copy via e-mail today or contact TRUSTe at 1-888-878-7830.
This week, TRUSTe announced that it is the first approved Accountability Agent for the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) System. The primary goal of APEC is to support sustainable economic growth and prosperity in the Asia-Pacific region. The APEC CBPR System is a self-regulatory initiative that addresses cross border data flows between the United States and other APEC Member Economies, through voluntary and enforceable codes of conduct adopted by participating businesses.
The APEC CBPR system is the first framework approved for the transfer of personal data between all 21 APEC Member Countries. The United States is the first formal participant in the CBPR system, and the Federal Trade Commission is the system’s first enforcement authority.
U.S. Acting Secretary of Commerce Cameron Kerry congratulated TRUSTe on becoming the first accountability agent to be endorsed to participate in the APEC Cross Border Privacy Rules system.
“This is a critical first step in implementing a groundbreaking new system which will facilitate data flows and support trade throughout the APEC region,” said Kerry. “It also represents a concrete example of how we are implementing the Administration’s Privacy Blueprint to further interoperability of privacy frameworks all over the world. We look forward to seeing more accountability agents join the APEC CBPR system, and to realizing fully all the benefits that this initiative will bring in the near future.”
The Electronic Commerce Steering Group (ECSG) is responsible for data protection issues, including the CBPR framework.