Asia-Pacific Economic Cooperation and Privacy
The Asia-Pacific Economic Cooperation (APEC ) Privacy Framework was developed by the APEC forum as the blueprint for greater regional cooperation on privacy rules and enforcement.
APEC's activity in privacy issues aims to promote consumer trust and business confidence in cross-border data flows.
Australia is a member of the APEC Data Privacy Sub (DPS) Group, which developed the framework and meets twice a year to work on privacy issues.
APEC Cross Border Privacy Rules system
In 2007, APEC approved a Data Privacy Pathfinder Initiative to put the privacy framework into practice. One of the significant outcomes of this initiative was developing the APEC Cross Border Privacy Rules (CBPR) system. The aim of the CBPR system is to build consumer, business and regulator trust in cross border flows of personal information.
On 23 November 2018, Australia became a participant in the APEC CBPR system.
The CBPR system requires participating businesses to develop and implement data privacy policies consistent with the APEC Privacy Framework. These policies and practices are assessed by an Accountability Agent, which is an independent APEC recognised entity, usually in the private sector. By applying a commonly agreed upon set of rules, the CBPR system bridges differences that may exist between different domestic privacy approaches across the region.
The rules need to comply with both the APEC Privacy Framework and the domestic laws of the economies where businesses operate. Additional oversight is provided by national privacy regulators through the APEC Cross Border Privacy Enforcement Arrangement.
Accountability is the key privacy principle underlying the CBPR system. A business will be accountable for the promises it makes to its customers, about the way in which it deals with their personal information.
Further information is available on the APEC Cross Border Privacy Rules - Australia's participation webpage.
APEC and European Union privacy systems
In 2012, APEC Senior Officials and officials of the European Union (EU) commenced discussions through the APEC Data Privacy Subgroup.
As a starting point, APEC and EU representatives discussed similarities and differences between the APEC CBPR system and the EU system of Binding Corporate Rules (BCR), to assist understanding of the respective systems.
This work led to the joint APEC-EU Common Referential for the Structure of the EU System of Binding Corporate Rules and APEC Cross Border Privacy Rules [PDF] system in 2014. The referential serves as an informal checklist for companies applying for BCR authorisation and certification under APEC's CBPR system. The referential outlines compliance and certification requirements, as well as common elements and additional requirements for each system.
In May 2018, the EU Directive 95/46 upon which the BCR aspects of the referential were based, was superseded by the General Data Protection Regulation. EU representatives have, however, continued to express a strong interest in working with APEC on cross-border privacy issues. The APEC Data Privacy Subgroup and the EU are working to develop a work plan to focus future efforts.