Privacy & Information Security Law Blog

On July 23, 2019, APEC issued a press release announcing the recent appointment of the Infocomm Media Development Authority (“IMDA”) as Singapore’s Accountability Agent for the APEC Cross-Border Privacy Rules (“CBRP”) and APEC Privacy Recognition for Processors (“PRP”). This makes Singapore the third APEC economy that has fully operationalized its participation in the CBPR system, following the United States, which has two CBPR Accountability Agents, and Japan, which has one CBPR Accountability Agent.

The APEC CBPR system is a regional, multilateral, cross-border data transfer mechanism and enforceable privacy code of conduct developed for businesses by the 21 APEC member economies. The CBPRs implement the nine high-level APEC Privacy Principles set forth in the APEC Privacy Framework. In order to participate in the CBPR, individual APEC economies must officially express their intent to join and satisfy certain requirements. To date, eight APEC economies have formally joined the CBPR: the U.S., Mexico, Canada, Japan, South Korea, Singapore, Australia and Chinese Taipei. Some of them are still in the process of fully operationalizing the requirements. All APEC economies have endorsed the CBPR system and it is expected that additional APEC economies will join the CBPR system in the near future.

The APEC PRP system is an adjunct to the CBPR that allows information processors to demonstrate their ability to effectively implement an information controller’s privacy obligations. The PRP also enables information controllers to identify qualified and accountable processors, as well as to assist small or medium-sized processors that are not widely known to gain visibility and credibility. The process for joining the PRP is similar to that of joining the CBPR. So far, the U.S. and Singapore have joined the PRP system.