Last week, Canada became the fourth member of the Asia-Pacific Economic Cooperation
("APEC") Member Economies to join APEC's
Cross-Border Privacy Rules ("CBPR") system, following
Japan in 2014, Mexico in 2013, and the USA in 2012. The system
establishes a privacy framework, adopted by APEC in 2011,
which aims to balance the requirement to facilitate the free-flow
of information, while providing appropriate protection of personal
What is the APEC Privacy Framework?
To Canadians, the principles contained in the APEC framework
will appear to be a subset of those contained in the Personal
Information Protection and Electronic Documents Act
("PIPEDA"), requiring, among other things, the
limitation of the collection of information to that which is
necessary, requiring privacy notices to individuals, and requiring
that personal information be properly secured.
The principles do not replace the existing privacy requirements
of each member jurisdiction. While the framework is meant to
facilitate the flow of information as part of trade, if the
information could not have flown between or among signatories to
the CBPR prior to its adoption, the flow of information is not
blessed as a result of the system. Rather, the existence of the
system provides guidance to businesses in member economies on
common privacy issues, encourages compatible approaches to privacy
protection, and facilitates greater collaboration of enforcement
agencies within each economy as permitted by applicable laws, to
address violations of their domestic privacy laws, and, in turn,
Significance to Business
Canadian businesses may choose to become CBPR certified if they
develop and implement data privacy policies that comply with the
framework, and have those policies verified by a third party
"Accountability Agent". It is intended that such
certification will provide comfort to parties doing business with
each other, providing assurance of compliance with the framework.
TRUSTe is currently the only Accountability Agent recognized to
perform CBPR certification.
Aside from the opportunity to be certified, it remains unclear
what the impact of the adoption of the CBPR system will be, given
that Canadians already are subject to laws to protect personal
information and regulate its use, and Canadian law enforcement
already did participate in international efforts to enforce privacy
The progress of the CBPR and free flow of data as a driver of
growth are expected to be key areas of discussion during the
upcoming 2015 APEC Ministers Responsible for Trade Meeting on 23-24
May in Boracay, The Philippines. Additionally, since each of
Canada, Mexico and USA have all joined the CBPR, any impact of the
system will likely first be seen as part of the trade among NAFTA
countries before its effects are seen among the APEC member
countries more broadly.
Potential damages of up to $1 million per day may be imposed. I refer to the blog by Aaron Baer "Are You Compliant With Canada's Anti-Spam Law? If Not, Expect Lawsuits Starting on July 1 of This Year."
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).