APEC Cross-Border Privacy Rules

Cross-Border Privacy Rules (CBPRs) are rules developed by businesses that set out their practices in relation to any personal information they may collect from their customers. In broad terms, CBPRs are developed by businesses to operate both as internal business rules on privacy procedures and as their promise to consumers about how they will deal with their personal information. Most businesses that collect personal information and transfer that information across borders would already have practices and procedures in place for their staff to understand their obligations in relation to personal information, particularly if the business works in an economy that already has domestic privacy laws. A system that permits the wider use of CBPRs acknowledges that businesses already recognise that it is essential to protect the personal information of their customers. Developing a scheme that provides guidance on how CBPRs can meet the APEC-wide standards of the APEC Privacy Principles means that business CBPRs can be recognised across APEC economies. CBPRs need to comply with both the APEC Privacy Framework and the domestic laws of the economies where businesses operate, so it is expected that this will naturally push standards to the highest in the region.

Accountability is the key Privacy Principle underlying the CBPR system. A business will be accountable for the promises it makes to its customers about the way in which it will deal with their personal information. Accountability requires that there must be effective guidance for both business and consumers and effective enforcement of obligations throughout APEC economies. This means that any CBPR system must be developed through broad consultation with all interests – business, consumers, regulators and governments. Regulators will be a key part of the system.

Role of privacy trustmarks

It will also be important to recognise the role of privacy trustmarks. Privacy trustmarks can have a role in ensuring that CBPRs developed by businesses comply with the APEC Privacy Framework. They can also have a role in providing a simple, low-cost and speedy mechanism for dispute resolution between businesses and consumers. Regulators would oversee the work of privacy trustmark bodies, and it would always be possible for consumers to choose to lodge a complaint directly with a regulator. However, if privacy trustmarks are widely used to resolve simple complaints, this ensures that the limited resources of regulators can be more effectively used elsewhere.

APEC is not working in isolation on cross-border privacy. We are actively collaborating with the OECD Working Party on Information Security and Privacy, which is also working on these issues, particularly the enforcement of privacy laws across borders. 2007 has seen more formal arrangements put into place with the OECD, with the granting of observer status to them at meetings of the Data Privacy Sub-Group.

Recent Data Privacy Sub-Group meetings focused on the development and implementation of Cross Border Privacy Rules. The Data Privacy meeting dates for APEC 2007 were 22-26 January 2007 in Canberra and 25‑29 June 2007 in Cairns. Further information on each of the Data Privacy seminars is available at:

The most significant outcome of the Data Privacy Sub-Group’s work in 2007 was the development of an APEC Data Privacy Pathfinder, which is a plan agreed to by all economies for the implementation of an initiative within or between all economies.

Last Updated: 22 May 2008