Cross Border Privacy Rules: Uptake Increases as Heads of State Affirm Commitment


On November 20, the Heads of State for the 21 APEC member economies met in Lima, Peru at the annual APEC Leaders’ meeting.  In their Joint Declaration, APEC Leaders once again recognized “the importance of implementing the APEC Cross-Border Privacy Rules (CBPR) System, a voluntary mechanism whose participants seek to increase the number of economies, companies, and accountability agents that participate in the CBPR System.”  During his press conference in Lima, President Obama specifically called out the group’s endorsement as a way to advance the digital economy and “to protect the privacy of personal information as it crosses borders.”

High-level recognition of and commitment to the CBPR system comes as more APEC economies formulate plans to join.  Last week, Chinese Taipei announced its intention to join the system.  And in a recent readiness survey released in October by the Government of Vietnam, South Korea and the Philippines both indicated they intend to join the system.

For their part, Japan, who joined the system last year, has been finalizing regulations to implement their new data protection law.  The Government of Japan has indicated that it will specifically name the CBPRs as an approved transfer mechanism for data out of Japan.  These regulations are expected to be released by the end of this year.   More information on CBPRs and related trade initiatives can be found on the White House’s APEC outcomes fact sheet.

The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers. TRUSTe was named the first accountability agent for the system in June 2013. Learn more about obtaining a TRUSTe CBPR certification here.

APEC Cross Border Privacy Rules Advancing in Asia

Global Data TransfersOver the last three weeks, privacy-focused events in China, South Korea and Singapore have highlighted the growing momentum of APEC’s Cross Border Privacy Rules (CBPR) system in the region.

  • On June 29, China’s Ministry of Commerce, Foreign Ministry, General Administration of Customs and the China International Electronic Commerce Centre (CIECC) hosted the 6th APEC E-Commerce Business Alliance (ECBA) Forum in Jinjiang, Fujian province, China. The U.S. representatives to the ECBA are TRUSTe’s Director of Policy, Josh Harris, Markus Heyder, Vice-President of the Centre for Information Policy Leadership and Manuel Maisog, partner at Hunton & Williams, Beijing.   In his keynote address, APEC Secretariat Executive Director Alan Bollard emphasized the regional economic benefits to the free flow of data and encouraged government officials in attendance to join the CBPR system. At the closing of the forum, the ECBA released the Jinjiang Proposal, as drafted by ECBA members, which encouraged all APEC economies to participate in the CBPR system.
  • On July 13, the Korea Internet and Security Agency (KISA) hosted the 5th International Conference on Information Security in Seoul, South Korea where TRUSTe Policy Director Josh Harris and Professor Choi Kyoung Jin of Gachon University discussed the potential implementation of the CBPR system in South Korea.
  • On July 18, the Centre for Information Policy Leadership along with the Asia Pacific Economic Cooperation hosted a joint workshop, “Enabling Legal Compliance and Cross-Border Data Transfers with the APEC Cross-Border Privacy Rules (CBPR)” in Singapore. CBPR-certified companies, including Apple, Cisco, HP and Merck along with TRUSTe joined Singapore’s Assistant Privacy Commissioner Zee Kin Yeong in discussing the advancement of the regional system.
  • Finally, on July 19, the International Association of Privacy Professionals hosted the IAPP Asia Privacy Forum 2016 in Singapore. Panel discussions included “Preparing for and Executing CBPRs”, moderated by Ken Chia, Principal, Baker & McKenzie. Panelists included Grace Guinto, Digital Trust Manager at PwC, Australia, Professor Hiroshi Miyashita, Chuo University and New Zealand Assistant Privacy Commissioner Blair Stewart.

The increased focus on CBPRs in Asia comes as Japan recently put forward JIPDEC as the country’s first ‘Accountability Agent’ under the CBPR system. Japan’s Ministry of Economy Trade and Industry has confirmed that CBPR-certification will serve as a basis for transfer of personal data out of Japan under the implementing guidelines for Japan’s recently-reformed privacy law. TRUSTe has been an APEC-endorsed Accountability Agent since 2013. More information on CBPRs can be found at


Privacy Insight Series Webinar Recap: Solutions for Cross Border Data Transfers


If you missed today’s webinar covering solutions for Cross Border Data Transfers, the short clip below will give you an idea of just some of the material covered. Speakers were Hilary Wandall, AVP Compliance & Chief Privacy Officer at Merck & Co., Inc.; Josh Harris, Director of Policy at TRUSTe, and Melinda Claybaugh, Counsel for International Consumer Protection, Federal Trade Commission. To download the full webinar, click here.

Click here for a clip of the webinar.

White House Steps Up APEC-EU Interoperability Push


For the first time, the White House has called out the APEC-EU privacy interoperability project as one of its key initiatives APEC member economies will prioritize in order to enhance regional economic integration for the Asia Pacific region, wrote TRUSTe’s Director of Policy Josh Harris in an article for The Privacy Advisor.

The goal of the interoperability project is to provide a dual-certification approach to streamline global privacy practices without duplicating efforts – something that will appeal to many companies. It would establish mechanisms to facilitate a company’s simultaneous participation in the Cross Border Privacy Rules and Binding Corporate Rules systems.

Read the full article by clicking here.

Join Josh on Dec. 9, along with Hilary Wandall, Chief Privacy Officer at Merck and Melinda Claybaugh, Counsel for International Consumer Protection at the Federal Trade Commission, for a webinar on this topic titled, “Solutions for Cross-Border Data Transfers: APEC CBPRs, BCRs and Global Interoperability.”

Japan Amends Data Privacy Law & Proposed Implementing Regs Endorse CBPRs as Route to Compliance

By Josh Harris, Director of Policy

PersonalInformationEarlier today (Sept. 3), Japan’s Diet passed an amendment to the “Act on the Protection of Personal Information,” which has been in effect since April 2005. Under the amendment, which goes into effect in January 2016, Japan will establish a Personal Information Protection Commission. The Commission will be established as an independent authority in attempt to bolster Japan’s expected request for a determination of adequacy by the European Commission.

In addition, Article 24 of the amended law imposes restrictions on the transfer of personal information of Japanese citizens to third parties in foreign countries. Exemptions to these restrictions include express consent of the individual, transfer to foreign countries that the Personal Information Protection Commission determines have measures of protecting personal information equivalent to that of Japan, or where the third party has established a system which meets the Rules of the Commission to “continuously implement equivalent necessary measures.”

The draft rules for implementing Article 24 specifically call out a company’s APEC Cross Border Privacy Rules (CBPR) certification as satisfying this requirement. Japan joined the CBPR system in May 2014. TRUSTe has been an APEC-approved certifier under the CBPR system since 2013.