Ever Heard of Cross-Border Privacy Rules? You Will

Posted by Sam Pfeifle

Hopefully, if you’re working at a business in a country that touches the Pacific Ocean, you’ve heard of the Asia Pacific Economic Cooperation. No? Well, they’re a group of 22 nations, including everyone from the United States and Canada to Japan and Singapore to China and Australia, focused on making commerce amongst the nations easier for everyone involved.

Part of that work involves e-commerce and free movement of data, which inevitably runs into issues of data security and data privacy.

One thing you’ll really want to pay attention to is the work being done by the Data Privacy Subgroup in creating the APEC Privacy Framework and its attendant Cross Border Privacy Rules. These “CBPRs” may end up being the best way for your company to move data around the region without running into serious privacy roadblocks.

Endorsed by APEC in 2011, the CBPR program admittedly is still in its infancy. Just 14 companies have been through the process (one so recently it’s not on the official site yet); only Japan, Canada, Mexico, and the United States currently participate; and there is relatively little name recognition for the program. One participant here noted that a search of Singaporean media turned up just a single reference for CBPRs.

However, the companies that have been through the process are some of the world’s most prominent: Apple, HP, IBM, and Merck, just to name a few. 

What’s the value that they see? Well, take a read of the APEC-commissioned report from Information Integrity Solutions, which explored the answer to this question.

Companies reported a feeling of future-proofing, which has been borne out by the recent change in Japan’s Personal Information Protection Act, which says that personal data must not be transferred outside of Japan unless the Japanese data protection authority has deemed the data protection regime to be up to Japanese standards. It is widely thought that those with CBPRs—or what are known as binding corporate rules (they’re an EU thing)—in place will qualify, regardless of country of origin, following a Japanese political statement to that effect, though that has not been officially codified.

A further indication of CBPR utility in Japan is the recent decision to make Japanese firm JIPDEC an accountability agent for the CBPR process, joining TRUSTe as one of only two certified accountability agents. Japanese companies can now join U.S. companies in getting certified to transfer data across borders in the APEC region.

Why do you, as an infosecurity professional, care? Well, your company is going to want to transfer data freely throughout the APEC region, and part of the CBPR process is what’s known as “accountability.” To show that your company is accountable, your company will need to show a fundamental process for protecting data, understanding where the data lives, and understanding where the data travels.

Your privacy team will need your help with that.

If you’re interested in learning more, the week of RSA Conference in Singapore is ripe with opportunity. There is a free, day-long CBPRs event happening on July 18, which you can find here. Or you, or a colleague in privacy, can join us for the IAPP Asia Privacy Forum on July 19, 2016.

The International Association of Privacy Professionals is the world’s largest association of privacy professionals with more than 25,000 members across 83 countries. The IAPP is a not-for-profit association that helps to define and support the privacy profession globally. More information about the IAPP is available at www.iapp.org.

Sam Pfeifle

Content Director, International Association of Privacy Professionals

