APEC Cross Border Privacy Rules


NCAPEC Policy Director for Digital Policies Mia Reyes was recently in Washington, D.C. for the APEC Cross Border Privacy Rules System (CBPR) event hosted by the U.S. Department of Commerce. Below is a high-level recap of the event and an FAQ about CBPR.

HIGHLIGHTS FROM D.C. EVENT

The event opened with keynotes from Commerce Secretary Wilbur Ross and Acting Chairman of the U.S. Federal Trade Commission (FTC) Maureen Ohlhausen, who discussed the benefits of CBPR for the Asia-Pacific region and noted that it is a major initiative of Commerce.

Panels throughout the day included an APEC Regulator Panel featuring regulators from the U.S. and Japan and a panel featuring companies that participate in CBPR or are interested in participating (IBM, Cisco, CA Technologies). The day closed with a panel discussing CBPR next steps and interoperability options for other frameworks such as Europe’s General Data Protection Regulation (GDPR) and Binding Corporate Rules (BCR).

The event was held March 26 in Washington, D.C. at the U.S. Chamber of Commerce’s Hall of Flags.

Highlights included businesses discussing the value they have found in joining CBPR, which includes:

  • Legal and privacy documents are already ‘pre-packaged’ for the FTC if they ever need to be submitted
  • Showing consumers that a company has hired an independent third-party agent to assess privacy standards is stronger than just saying ‘trust that our company has done all we can to protect your information’
  • The data ecosphere is getting more complicated, and a single certification for the Asia-Pacific region is more efficient for companies
  • Gives customers comfort and confidence in companies’ level of privacy protection, as companies have to publicly state they are willing to comply with CBPR guidelines
  • Doesn’t change what many companies are already doing in terms of privacy and data protection. It primarily increases a company’s privacy protection program maturity.
  • Prepares companies to expeditiously participate in Privacy Shield or GDPR
  • One of the more (if not the most) flexible privacy frameworks in existence
  • The fact that it is a voluntary system shows consumers that a company is going ‘above and beyond’ to protect their data

Other notable points of discussion include:

  • The FTC has already pursued companies making false claims about their participation in CBPR
  • On average companies say it takes about two months to go through the CBPR certification process
  • CBPR could potentially be a model for trade agreements
  • CBPR would be even stronger if it can be made interoperable (as far as possible) with other privacy regimes, such as GDPR and BCR
  • CBPR seems to be at the beginning of achieving a critical mass
  • Several organizations (including NCAPEC) have explored barriers to companies joining CBPR, which APEC is trying to address. These include:
    • Cost of audit and compliance
    • Knowledge about CBPR
    • Clearer explanations of CBPR benefits

GENERAL INFO ABOUT CBPR

What is CBPR?

The APEC Cross-Border Privacy Rules (CBPR) System was endorsed by APEC Leaders in 2011. It is a voluntary, accountability-based system that facilitates privacy-respecting data flows among APEC economies.

Which companies participate in CBPR?

Around 20 U.S. companies: Adaptive Insights, Inc.; Apple Inc.; Asurion; Box, Inc.; Cisco Systems; Hewlett Packard Enterprise Company; Hightail, Inc.; HP Inc.; IBM; lynda.com, Inc.; Mashable; Merck and Co., Inc.; Rackspace; Rimini Street, Inc.; Saba Software, Inc.; The Ultimate Software Group; Workday, Inc.; Yodlee, Inc.; Ziff Davis, LLC.

One Japanese company: Intasect Communications, Inc.

Which economies participate in CBPR?

There are currently six participating economies: U.S., Mexico, Japan, Canada, Singapore, and the Republic of South Korea.

What do businesses have to do to comply?

The CBPR System requires participating businesses to implement data privacy policies consistent with the APEC Privacy Framework. These policies must be assessed as compliant with CBPR program requirements by an Accountability Agent and be enforceable by law. Organizations that are certified by an Accountability Agent may display a seal or Trustmark indicating that they participate in the CBPR System.

What are the benefits businesses receive from becoming certified?

The CBPR System bridges national privacy laws within APEC, reducing barriers to the flow of information for global trade. By adhering to an enforceable standard of best practices, businesses also demonstrate their commitment to consumer privacy.

2019-02-25T22:16:05+00:00