Skip to Main Content
Main Menu

APEC Cross Border Privacy Rules

The Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) System is a voluntary, accountability-based, enforceable privacy program. It’s designed to ensure the continued free flow of personal information across APEC member economy borders, while establishing meaningful protection for the privacy and security of personal information.

Are you subject to the APEC CBPR?

Although the APEC CBPR system is a voluntary privacy program, organizations who choose to participate are required to incorporate policies and procedures that adhere to CBPR program standards for all personal information collected or received and intended for cross-border transfer to other participating APEC economies.

Organizations can showcase their commitment to the APEC CBPR system by certifying their privacy protocols against the Cross Border Privacy Rules (CBPR) System, which oversees the privacy practices of “data controllers”.

Obligations & rights under the APEC CBPR System


Choice and consent in relation to the collection, use, and disclosure of personal information must be ensured with certain situations where consent may be clearly implied or where it would not be necessary to provide a mechanism to exercise choice.

Policies and notices

Organizations must ensure that the individuals understand its personal information policies (subject to any qualifications), including parties to whom the personal information may be transferred and the purpose for which it may be used.

Individual rights & requests

Organizations must ensure that individuals have access to and can correct their personal information. Specific conditions for reasonable access and correction must be outlined. Requests will also be subject to security requirements that prevent direct access to information and will necessitate adequate proof of identity before it is granted. The procedures for request fulfillment may vary depending on the nature of the information requested or other interests.

Data security

Personal information must be protected by implementing reasonable security safeguards against loss, unauthorized access or disclosure, or other misuses.

Achieve compliance with APEC CBPR Certification

Establishes and facilitates secure and privacy-respecting cross-border data transfers among participating economies. Build trust with clients and partners.


Your Guide for Smooth Cross-Border Data Transfers and Global CBPRs

Global data transfers can be tricky due to different regulations and individual protections in each country. Sharing data with vendors has become such a normal part of business operations that some may not even realize they’re conducting a cross-border data transfer!


  • What is the Cross-Border Privacy Rules (CBPR) system?

    The CBPR system, established in 2011 by the Asia-Pacific Economic Cooperation (APEC) member economies, is a government-supported certification program for data privacy and security. It encompasses 50 program requirements that put into practice the nine Privacy Principles outlined in the APEC Privacy Framework.

  • How can my organization get certified in the APEC CBPR system?

    Organizations must seek accreditation from an officially recognized APEC accountability agent, which serves as a third-party certifying body located within an APEC economy that has formally joined the APEC CBPR system. A company seeking certification must primarily operate within the participating CBPR economy where it is located. This designation allows a company to cover all or some of its global corporate affiliates within the certification scope.

    The accountability agent, such as TrustArc, assesses whether a company’s privacy policies and practices align with the CBPR Program Requirements and assists the company in achieving compliance if necessary.

    It is worth noting that the APEC CBPR system is currently transitioning its operations to the Global CBPR system and is open to membership across all regions. Once established, the Global CBPR system will enable organizations to apply for accreditation from a recognized accountability agent in a participating jurisdiction where they are primarily located, even if that jurisdiction is not an APEC economy.

  • What is the benefit of my organization in joining the CBPR system?

    The CBPR System establishes fundamental privacy and data protection standards that enable data to be shared throughout different regions with strong and trustworthy privacy protections, and demonstrate commitment to strong privacy values.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top