ASR is leading discussions with the services industry about the operation of the APEC Cross Border Privacy Rules System and the opportunities for Australian services firms. A backgrounder is provided here (excerpt from a paper prepared by Tony Serone, Senior Counsel and AP Privacy Officer, IBM). To discuss or provide input please contact us.
The APEC Cross Border Privacy Rules System (CBPRS) introduces a degree of harmonisation in a region of otherwise uneven and diverse privacy protections. The CBPRS provides a mechanism/framework for participating economies.
ASR supports a unified approach which provides a level of certainty for industry. ASR is seeking industry support to encourage Australia to join the CBPRS. As at September 2015, the US, Mexico, Japan and Canada have been approved for participating in the CBPRS. When an economy has been approved companies in that economy can apply to participate.
The US Dept of commerce has recently committed to doubling the number of member economies in the system by the end of 2017, as well as increasing the number of participating US companies to 100 by the end of 2016.
Australia is well placed to lead and to be one of those additional economies.
There are benefits to Australia, and Australian firms, in joining and participating in the APEC CBPRS – as more countries join and the number of participants increase, and as the CBPRS integrates with other global systems, managing transfers of PI will become more efficient- this will reduce compliance costs for firms, and improve consumer confidence.
The need for harmonisation – a backgrounder
Australian companies who transfer personal information across borders to conduct their business are regularly faced with compliance challenges. They need to comply not only with local Australian requirements but also with the foreign requirements when personal information is being imported from those countries. In the case of multinational companies, they also need to comply with any requirements applicable to transfers between the countries in which they have subsidiaries. Such transfers have been necessary for business operations for many years, but are accelerating as operations globalize with collection and processing occurring in multiple locations, and as data volumes and uses increase exponentially.
The compliance challenges arise from the varied and incompatible approaches nations are adopting to regulate these transfers. 18 of the 21 Asia Pacific Economic Communities (APEC) Economies now have sectoral or general Privacy Laws, 17 of which impose conditions on cross border data flows.
The APEC Cross Border Privacy Rules System (CBPRS) introduces a degree of harmonisation in a region of otherwise uneven and diverse privacy protections. In summary, the System:
- requires organisations to implement a robust internal compliant privacy model certified by an independent agent to meet APEC privacy standards;
- provides a simple and effective enforceable mechanism to help meet regulatory requirements for protecting personal information in cross border transfers; and
- assists Australian multinational businesses to manage compliance with the diverse legal systems in APEC, including Australia.
Certification demonstrates a commitment to consumer privacy and provides credible evidence of trustworthiness which may also help to attract future business from individuals and organisations in other APEC economies and, indeed, anywhere in the world. in a region of otherwise uneven and diverse privacy protections. The CBPRS provides a mechanism/framework for participating economies.