Privacy & Information Security Law Blog

On January 26, 2021, BBB National Programs announced that it has been endorsed as an Accountability Agent for the APEC Cross-Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) systems. This makes BBB National Programs the seventh CBPR and PRP Accountability Agent worldwide and the first ever U.S. non-profit to be approved by APEC.

BBB National Programs is a non-profit that creates a fairer playing field for businesses and a better experience for consumers through the development and delivery of effective third-party accountability and dispute resolution programs. Through its approval by APEC, BBB National Programs adds the CBPR and PRP systems to its arsenal of other certification programs, including its newly established Vendor Privacy Program and its EU Privacy Shield dispute resolution program.

BBB National Programs will now be able to independently assess and certify the compliance of U.S. companies under the APEC CBPR and PRP programs. BBB National Programs’ newly launched Global Privacy Division will manage this function.

The APEC CBPR system is a regional, multilateral and cross-border data transfer mechanism and enforceable privacy code of conduct developed for businesses by the 21 APEC-member economies. The CBPR implements the nine high-level APEC Privacy Principles set forth in the APEC Privacy Framework. In order to participate in the CBPR, individual APEC economies must officially express their intent to join and satisfy certain requirements. To date, nine APEC economies have formally joined the CBPR: the U.S., Mexico, Canada, Japan, South Korea, Singapore, Australia, Chinese Taipei and the Philippines, some of which are still in the process of fully operationalizing the requirements. All APEC economies have endorsed the CBPR system.

The APEC PRP system is an adjunct to the CBPR that allows information processors to demonstrate their ability to effectively implement an information controller’s privacy obligations. The PRP also enables information controllers to identify qualified and accountable processors, as well as assist small or medium-sized processors that are not widely known in gaining visibility and credibility. The process for joining the PRP is similar to that of joining the CBPR. So far, the U.S. and Singapore have joined the PRP system.