Special Webinar Event! The Path to U.S.- Japan Data Transfer Compliance

TrustArc is excited to host a special webinar event with speakers from the U.S. Department of Commerce and Cisco next Wednesday, February 13th at 9AM PT / 12PM ET / 5PM GMT. Register today!

Are you a U.S. company doing business in Japan? Japan is home to many subsidiaries of U.S.- headquartered companies that need to transfer data out of Japan to other parts of the world, including the United States. Japan’s data protection law, the Act on the Protection of Personal Information (APPI) requires receiving organizations to demonstrate that sufficient data protections are being used for data transfers out of Japan. Since APPI went into effect in May 2017, companies have been liable for any violation and are subject to enforcement.

APPI recognizes that the APEC Cross-Border Privacy Rules (CBPR) system is one mechanism to demonstrate that required data protections are in place. An APEC CBPR Certification can support your compliance efforts with APPI and show your customers and partners you are committed to secure U.S.- Japan data transfer.

During this webinar, learn how an APEC CBPR Certification can support U.S – Japan data transfer compliance. The webinar will cover:

  • International data transfer requirements under APPI, who they apply to and how the APEC CBPR system fits in with these requirements
  • Introduction to APEC CBPR certification, including its benefits in the context of APPI requirements
  • Real-world examples from industry experts on how APEC CBPR certification can fit in with your global compliance strategy


  • Shannon Coe, Director, Global Data Policy, U.S. Department of Commerce
  • Harvey Jang, Senior Director, Global Data Protection & Privacy Counsel, Cisco
  • Josh Harris, Director, International Regulatory Affairs, TrustArc

Can’t make the webinar? Register anyway – we’ll send you a follow-up email with the slides and recording after the webinar!

Workday and Envestnet | Yodlee Demonstrating Best Privacy Practices for Processors through APEC PRP Certification

Global companies are increasingly more concerned with ensuring the privacy and security of the information they hold. Not only is complying with international privacy regulations and frameworks important to avoid fines, but it is also critical for building trust with customers, mitigating risks, and protecting the company’s reputation. One way that companies can demonstrate compliance is by adhering to a recognized international privacy framework, such as the Asia-Pacific Economic Cooperation (APEC) framework as demonstrated by the  APEC Privacy Recognition for Processors (PRP) certification.

Like the APEC Cross Border Privacy Rules (CBPR) system (which applies to data controllers), the APEC PRP system is a voluntary, enforceable program designed to ensure the continued free flow of personal information while maintaining meaningful protection for the privacy and security of personal information for data processors. The U.S. became the first formal participant in the PRP system with  the Federal Trade Commission (FTC) serving as the first enforcement authority in 2018 with more expected to follow.

A significant portion of the world’s economy is based in the region represented by the Asia-Pacific Economic Cooperation (APEC). Companies acting as data processors in the Asia Pacific region can comply with the  PRP program requirements in order to process personal data efficiently, securely, and safely while respecting data privacy. In addition, the PRP system enables businesses that operate as data processors to demonstrate their commitment to global privacy standards.

Two examples of companies who have achieved this certification are Workday and Envestnet | Yodlee.

Workday and Envestnet | Yodlee have worked with TrustArc to demonstrate compliance with the APEC PRP certification standards.

Barbara Cosgrove, Chief Privacy Officer at Workday said: “Maintaining the privacy and security of customers’ data in compliance with privacy laws is of critical importance to our business. By partnering with TrustArc to achieve the APEC CBPR and APEC PRP certifications, we’ve been able to further demonstrate our commitment to privacy and qualifications to process data in compliance with the APEC privacy framework.”

“Envestnet | Yodlee wanted a way to demonstrate the rigor of our privacy programs to our clients, prospects and the market. Security-focused certifications, like the APEC PRP, provide objective reliable evidence that Envestnet | Yodlee adheres to applicable privacy standards,” said Brian Costello, Chief Information Security Officer at Envestnet | Yodlee. “TrustArc is a trusted advisor for our entire global privacy program – we leverage their expertise for general certification as well as the APEC certifications.”

TrustArc Solution

To prepare companies for an APEC PRP (and/or CBPR) Certification, TrustArc works in partnership with clients following a three-phase process leveraging a combination of in-house privacy experts and proven assessment methodology powered by the TrustArc Privacy Platform that accelerates and assists in documenting compliance.

  • Phase I – A review of the company’s privacy practices against the APEC requirements and creation of a detailed privacy findings report.  
  • Phase II – A collaborative review of the findings, implementation of remediation recommendations, and documentation of action item resolution.
  • Phase III – Certification activation of the TRUSTe APEC PRP (and/or PRP) Privacy Seal and Dispute Resolution Services.  

For more information about TrustArc privacy tools and solutions, click here.

Japan’s Amended Privacy Law to Go into Effect May 30, 2017 – CBPRs Recognized as an Approved Transfer Mechanism

In September 2016, Japan passed the “Amended Act on the Protection of Personal Information (APPI)” with implementing regulations released in January, 2017.  The final revised law is set to  go into effect on Tuesday, May 30, 2017.  Key changes under the new law include:

  • Establishment of the Personal Information Protection Commission (PPC): The new PPC serves as the central supervisory authority for the APPI.  Previous authority was divided across multiple regulatory authorities by sector.
  • Establishment of a Legal Framework for Anonymously Processed Information: The revised APPI provides specific guidance on the use of anonymized data (including approved methods for anonymizing data).
  • Response to Globalization of Data Flows:  New restrictions on international transfers, PPC enforcement and investigative cooperation with foreign enforcement authorities and the extraterritorial application of the APPI have also been included.

The Role of APEC CBPRs in the APPI

Article 24 of the APPI imposes restrictions on the transfer of personal information of Japanese citizens to third parties in foreign countries. Exemptions to these restrictions include when a third party has established a system which meets the Rules of the Commission to “continuously implement equivalent necessary measures.” The regulations for implementing Article 24 specifically call out a company’s APEC Cross Border Privacy Rules (CBPR) certification as satisfying this requirement.  Most importantly, the APPI allows either the data controller or the data processor to meet this requirement through CBPR certification.   As such, your company’s CBPR certification will permit you to both transfer and receive personal information pursuant to the APPI.

In March, 2016, the Japanese Institute for the Promotion of Digital Economy and Communication (JIPDEC) was approved to serve as an accountability agent under the CBPR system, joining TRUSTe,  named the first accountability agent for APEC Cross Border Privacy compliance in June 2013.

The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers. CBPR implementation has continued to gain momentum recently with South Korea submitting its application to join the system in January, and Singapore and the Philippines announcing their intention to do the same later this year.  TRUSTe was named the first accountability agent for the system in June 2013.  The next meeting of APEC’s Data Privacy Subgroup will take place in August, in Ho Chi Minh City, Vietnam.

To learn more about obtaining a TRUSTe CBPR certification click here.

5 Benefits of APEC CBPR Certification You Should Know About

1) Jurisdiction-Specific Transfer Benefits: In Japan, companies that have a CBPR certification do not have to obtain consent to transfer data to another country, which is otherwise required under Japanese law.

2) Facilitation of APEC-European Interoperability: An APEC CBPR certification may make it easier for an organization to obtain approval of their Binding Corporate Rules in the European Union. Since 2013, APEC member Economies and EU officials have been collaborating to promote interoperability between the two regional transfer mechanisms.

3) Alignment with Global Frameworks: An APEC CBPR certification is based on many of the same principles that inform the OECD Guidelines, the Fair Information Practice Principles, the EU-U.S. Privacy Shield, and the General Data Protection Regulation. As such, a CBPR certification will help align your organization’s policies to a range of international privacy frameworks.

4) In-Network Transactional Streamlining: If you have an APEC CBPR certification, the privacy practices of your organization will be in line with other CBPR-certified organizations, thereby facilitating transactions between participants

5) Global Trade Facilitation: An APEC CBPR certification makes conducting business in participating economies easier, and helps to facilitate the increasing trade relationship between APEC economies:

The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers. TRUSTe was named the first accountability agent for the system in June 2013. To learn more about obtaining a TRUSTe CBPR certification click here.

Korea Next to Join Cross Border Privacy Rule (CBPR) System



The CBPR system continues to build momentum in the Asia Pacific region, with S. Korea becoming the latest APEC economy to submit their Intent to Participate. This follows on the heels of Taiwan’s announcement to follow suit later this year.

Korea offers significant market opportunity for American exporters. Korea’s participation in the APEC CBPR System will promote digital trade, benefit companies in the United States and around the region, and drive uptake of higher privacy standards for consumers in the Asia-Pacific, said Acting Assistant Secretary for Industry and Analysis, Ted Dean in response to this week’s announcement.

On Monday, an APEC-sponsored readiness survey, showed that more than 57% of APEC members planned to join or are considering joining the system, including The Philippines, Australia, Hong Kong, China, Russia, Singapore and Viet Nam.

In addition to the submission by S. Korea and the announcement from Taiwan, current members include the United States, Mexico, Canada and Japan. The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers. Participating in the APEC system offers benefits to companies because it allows transfer of personal data across borders, while mitigating risk by raising privacy standards. TRUSTe was named the first Accountability Agent for the system in June 2013. Learn more about obtaining a TRUSTe CBPR certification here.