On November 13, 2011, Asia-Pacific Economic Cooperation ("APEC") leaders endorsed the APEC Cross-Border Privacy Rules ("CBPR") system at an APEC meeting in Honolulu, Hawaii. The leaders agreed, among other things, to "[i]mplement the APEC Cross Border Privacy Rules System to reduce barriers to information flows, enhance consumer privacy and promote interoperability across regional data privacy regimes." Businesses need to understand the opportunities and challenges offered by the CBPR system.

This article explains what the CBPR system is and, perhaps more importantly, what it is not. As a preliminary issue, it should be noted that the leaders' endorsement does not mean that the economies they represented are committed to participate in the CBPR system. The endorsement only means that the leaders were satisfied with APEC's work in developing the system. Participation will be a totally separate decision to be made by the economies as they see fit.


The CBPR system is the newest addition to APEC's data privacy projects, which started with the APEC Privacy Framework in November 2004. The Privacy Framework, among other things, called for cross-border cooperation in privacy law enforcement and recognition of businesses' cross-border privacy rules across the APEC region. The former call led to the APEC Cross-Border Privacy Enforcement Arrangement (CPEA) and the latter to the CBPR system.

CPEA is an arrangement where participating economies are expected to help each other with extraterritorial investigations and enforcement of domestic data privacy laws. It was endorsed by APEC Ministers in November 2009 and commenced on July 16, 2010. The operation is based on mutual agreements rather than legal obligations; whether to accept a request for assistance is within a participant's sole discretion. Even with such a non-binding approach, to date CPEA has only five participants: Australia, Canada, Hong Kong, New Zealand and the United States. It should be noted that an economy must be a part of CPEA in order to participate in the CBPR system.

The CBPR System

While CPEA is an agreement among participating economies, the CBPR system is designed to bring in more involvement by the business community. Generally speaking, the CBPR system is where businesses voluntarily request to be certified as compliant with APEC's minimum privacy requirements. The name of the system, Cross-Border Privacy Rules, does not mean a set of privacy laws enacted by APEC, but rather refers to businesses' own internal cross-border privacy rules. The system only applies to data that moves across borders.

The CBPR system involves four categories of players: APEC, through a CBPR Joint Oversight Panel (JOP); Accountability Agents (AAs); participating businesses; and participating economies. The JOP authorizes AAs, which are from either the public or the private sector, to evaluate, certify and monitor participating businesses. By participating in the CBPR system, a business is essentially entering a contract that requires the business to act according to the CBPR it offered for certification, even if the CBPR is more stringent than domestic data privacy laws. In return, once certified, the business will be listed in an online directory accessible to the public. This directory serves a dual purpose. First, consumers are more likely to trust a business with their personal data if it is listed in the directory. Second, the directory provides concerned consumers with contact information of the AA that certified the business and of relevant participating economies. The AA will then investigate the matter complained of and attempt to correct any violation. If the violating business refuses to comply, participating economies will step in by holding violation of the business's own CBPR as a violation of domestic data privacy laws. CPEA will facilitate cross-border enforcement when necessary.

As to the substantive standards, the DPS has compiled a set of baseline requirements against which an AA will assess a business's CBPR. Notice is generally required before collection of personal data, and businesses can only use collected data for the stated purpose. In many circumstances, a choice must also be provided to the individual. Businesses are responsible for personal data's integrity and need to offer individuals the ability to access and correct their personal information. Further, while an individual's consent is not necessary for data transfer, the transferor is accountable for ensuring that the recipient will protect the information consistently with APEC's requirements. The requirements are subject to numerous exceptions, and businesses are generally free to satisfy a requirement in multiple ways.

A proposal on interoperability recognition has also suggested that certain privacy regulatory regimes should be deemed interoperable with the CBPR system, and businesses already under regulation of those regimes should therefore be automatically certified. The proposal identified, among others, the EU Binding Corporate Rules and the U.S. Gramm-Leach-Bliley Act as potential candidates. However, this proposal is still under study and has not been adopted as a part of the CBPR system.


Does the CBPR system make life easier for businesses by "promoting interoperability across regional data privacy regimes" as the leaders promised? The answer depends on your perspective. The system itself does not provide interoperability because it does not harmonize or take the place of economies' domestic laws. Participating businesses still need to comply with relevant domestic laws and regulations of the economies in which they operate. On top of that, they now also need to comply with the requirements of the CBPR system for personal information that moves across borders, and the CBPR system's requirements can often be more stringent than domestic laws, given that many Asian economies do not have comprehensive privacy regulations in place yet. On the other hand, exactly because of this lack of privacy laws in many APEC economies, the CBPR system might shape their future legislation and thus help to harmonize the laws in the long run. Specifically, the United States and China are co-sponsoring a CBPR case study, which at least shows the two powers' interest in the model. APEC has agreed to a five-year project, commencing in 2012, to support the implementation of the CBPR system.
