Compliance with data protection laws is an issue of increasing complexity for most organizations. New laws and regulations are appearing with increasing frequency, making companies' compliance challenges more complicated every year. As a result, many companies are seeking ways to simplify their compliance strategy while demonstrating compliance to individuals, clients, customers and regulators.
Since the EU-US and Swiss-US Data Privacy Frameworks (DPF) and the UK Extension to the EU-US DPF were approved earlier this year, some international organizations are considering DPF certification to show compliance with the requirements of European and UK law. Such organizations may also want to consider certification under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems. The CBPR and PRP are voluntary frameworks under which companies can apply for certification.
Compared to the DPF, which is bilateral between the EU and US (see our FAQs here), the CBPR (and its forthcoming successor, the Global CBPR) has a wider geographical reach that can facilitate more multilateral transborder data flows. Moreover, CBPR and PRP certification can be used not only as a cross-border data transfer mechanism, but also as a comprehensive domestic privacy compliance and accountability program.
In this blog post, we will outline the benefits of certification, and factors to consider in determining whether CBPR and PRP certifications are appropriate for your organization.
What Are the CBPR and PRP?
The CBPR and PRP are data protection frameworks which were adopted by participating APEC economies.
A CBPR or PRP certified company in a relevant participating economy can transfer personal data either: (a) to a recipient within the same group of companies; or (b) to an external third party, even if that recipient is neither CBPR nor PRP certified and regardless of whether that recipient is based in a participating economy.
The CBPR certification is for data controllers (i.e., companies that control the processing of personal data). Conversely, the PRP certification is for data processors (i.e., companies that process personal data on behalf of controllers). The PRP is designed to help processors demonstrate their ability to assist controllers in complying with relevant data privacy obligations. The PRP also helps controllers identify qualified and accountable data processors. If a company is a controller in some circumstances and a processor in others, it may choose to become both CBPR and PRP certified.
Who Are the Participating Economies of the CBPR and the PRP?
Currently, there are nine members of the CBPR system, namely:
- The US
- The Philippines
- Taiwan/Chinese Taipei
Of these nine, the CBPR has already been fully implemented and operationalized in:
- The US
The remaining five members are in varying stages of implementation and operationalization. Other countries that have indicated they will join the CBPR in due course include Chile, Indonesia, Malaysia, the UK and Vietnam.
Currently, there are two members of the PRP system, namely:
- The US
What is the Process for Getting Certified?
An applicant company must apply to a recognized accountability agent, which is an external, independent certification body appointed within the APEC participating economy in which the company is primarily based. The applicant company can select an accountability agent from the list of agents appointed by that participating economy.
The procedure begins with the applicant company contacting one of the accountability agents approved by the participating economy. Typically, some basic information will be requested, after which a representative of that accountability agent will contact the applicant company. The applicant company will then undergo a comprehensive assessment by the accountability agent, based on the program requirements and assessment criteria discussed below.
Accountability agents are responsible for receiving an applicant company's intake documentation, verifying its compliance with the requirements of the CBPR or PRP (as the case may be) and, where appropriate, assisting the applicant in modifying its policies and practices to meet those requirements. The accountability agent will certify those applicants that are deemed to have met the minimum criteria for participation, and will be responsible for monitoring their continued compliance with the CBPR or PRP (as the case may be) against those criteria.
What Are the Criteria by Which Applicant Companies Will be Assessed?
The CBPR and the PRP each contain their own set of program requirements, which are based on the following nine Privacy Principles set forth in the 2005 APEC Privacy Framework.
- Preventing harm
- Collection limitation
- Uses of personal information
- Integrity of personal information
- Security safeguards
- Access and correction
The program requirements and assessment criteria for the CBPR can be found here, and for the PRP here. The CBPR and PRP program requirements assist the accountability agents in reviewing the practices adopted by an applicant company for compliance. They also ensure that the assessment is conducted consistently across all participating economies of the CBPR and PRP systems.
What are the Legal Implications of Becoming Certified?
Once a company becomes CBPR or PRP certified, it must comply with the CBPR or PRP program requirements, which become enforceable obligations on it. The certification is legally enforceable by the privacy enforcement authority in the participating economy in which the company is based. For instance, if the company is based in the US, that authority is the US Federal Trade Commission.
A certified company must implement complaint and redress mechanisms to address and respond to individual complaints concerning potential violations. Such mechanisms must accord with the applicable APEC CBPR or PRP dispute resolution procedure rules. The key features of that dispute resolution procedure (the Procedure) are as follows. The accountability agent acts as the dispute resolution provider that administers the Procedure for any complaint alleging that a certified company has failed to comply with the CBPR or PRP program requirements (as the case may be). For a complaint to be eligible for resolution under the Procedure, it must:
- Be made against a certified company
- Allege that the certified company failed to comply with program requirements in relation to the complainant’s personal data
- Include information to support the complainant’s allegations
- Follow a good faith effort by the complainant to resolve the complaint directly with the certified company
- Not have been previously resolved by the same dispute resolution procedure, or court action, arbitration or other form of dispute settlement
- Not currently be the subject of litigation or other adjudicatory process (unless both the complainant and certified company agree otherwise)
Upon initial contact by a potential complainant, the accountability agent will:
- Seek information about the complaint to determine its eligibility for resolution under the Procedure
- Verify the identity of the complainant
The accountability agent will determine whether the complaint is eligible and will notify the complainant of its decision. After receiving all information provided by the parties, the accountability agent will issue a written decision to them. The decision will state whether, and why, corrective action is or is not necessary and, if it is, specify a commercially reasonable time frame within which that action must be implemented. If the accountability agent determines that changes to the certified company's privacy policies or practices are necessary to correct any non-compliance with the program requirements, the certified company must submit a statement to the accountability agent indicating whether, and how, it will comply with the decision. The accountability agent will notify the parties once the required changes have been made and close the case. If no further action is required, it will notify the parties accordingly and close the case. The accountability agent is also entitled to suspend or withdraw the certification of a non-compliant company, and may, in its sole discretion, report any non-compliance to the US Federal Trade Commission or other appropriate government agency.
Do Certifications Need to be Renewed?
As with the DPF, a CBPR or PRP certified company must renew its certification annually and is subject to a re-certification process every year. To renew its CBPR or PRP certification, the company must update and complete the intake questionnaire to reflect any changes since the initial certification. If there has been a material change, the accountability agent will perform a review and issue an audit report with its findings on the company's level of compliance with the program requirements. This report will also highlight areas of non-compliance, the rectifications that need to be made, and the timeframe within which they must be made to obtain re-certification. Once all requirements are met, a final report will be issued to the company, and the company will be re-certified.
What are the Implications of being CBPR / PRP Certified on Enforcement?
Nothing in the CBPR or PRP systems changes the allocation of responsibility, including in the controller-processor relationship, under applicable national data privacy laws. Under the accountability principle in the APEC Framework and the CBPR system, controllers remain responsible for the activities that data processors perform on their behalf, and they remain so even when contracting with a PRP-recognized processor. Accordingly, processor activities remain subject to enforcement through enforcement against the controllers. This means that CBPR-certified controllers must exercise due diligence in selecting their processors and maintain appropriate oversight of them, regardless of whether the processors are PRP-recognized. Note that there is no requirement for a CBPR-certified controller to engage a PRP-recognized processor in order to satisfy the accountability principle in the APEC Framework and the CBPR system.
How Can CBPR or PRP Certification Benefit My Organization?
The CBPR and PRP can function as comprehensive privacy compliance and accountability programs and are widely recognized as a way to validate robust data protection practices.
As indicated above, the CBPR and PRP can be used as an international transfer mechanism to enable permissible personal data transfers from a participating economy to any other country. However, the CBPR and PRP go beyond facilitating cross-border transfers: they are also comprehensive privacy frameworks that can help organizations demonstrate compliance with generally recognized privacy principles and with privacy laws in participating jurisdictions.
For processors, PRP certification can help demonstrate robust data protection practices to clients. Objective third-party verification of compliance by an accountability agent is particularly helpful for this purpose.
Additionally, given the myriad privacy requirements organizations are obligated to follow, CBPR or PRP certification can help an organization establish a data protection baseline that can be adjusted where necessary to satisfy unique jurisdictional requirements. In this way, CBPR and PRP certification can be used to establish a generally sound data protection standard, which can then be developed and refined as your organization grows and matures.
What is the Global Cross-Border Privacy Rules (Global CBPR) Forum and How is it Related to the APEC CBPR and PRP?
The Global CBPR Forum was established in 2022 and builds on the APEC CBPR system as a framework that supports the effective protection and flow of data internationally. The Global CBPR Forum intends to establish an international certification system based on the APEC CBPR and PRP, but that system will be independently administered and separate from the APEC systems.
There will be consultations with accountability agents and companies certified under the APEC CBPR and PRP to formally transition operations to the Global CBPR Forum. Existing accountability agents will be given at least 30 days' notice of the transition. For companies that are already certified, or interested in becoming APEC CBPR or PRP certified, these certifications will continue to be provided through APEC-approved accountability agents until further notice. All APEC CBPR or PRP certified companies, as well as their approved accountability agents, will automatically be recognized in the new Global CBPR Forum on the same terms on which they are recognized within the APEC CBPR and PRP systems.
Presently, the Global CBPR counts the US, Canada, Mexico, Japan, South Korea, the Philippines, Singapore, Chinese Taipei and Australia as members, with the UK granted associate status in July 2023. With its broad geographical footprint and expanding take-up, the Global CBPR has the potential to facilitate more multilateral cross-border transfer arrangements over a wider region, compared to the bilateral approach adopted by the EU, for instance. For more information on the upcoming Global CBPR Forum, see: https://www.commerce.gov/global-cross-border-privacy-rules-declaration.
With the increasingly global nature of business and increasingly complex data protection compliance obligations, certifications like the CBPR and PRP can be helpful tools for ensuring that your organization is equipped to satisfy those requirements.
Companies that certify to the CBPR and PRP can use those certifications to demonstrate their commitment to data protection principles, which can help to distinguish your organization in an increasingly competitive market. Additionally, certifications like the CBPR and PRP can help to demonstrate good faith efforts to comply with applicable data protection requirements; showing such good faith efforts is often a crucial defense against regulatory enforcement actions. Compliance with robust data protection standards can also help companies defend against allegations that they failed to implement adequate data protection controls.
To this end, individuals who are dissatisfied with the way a company handles its data protection obligations are given the opportunity to settle the matter under the CBPR and PRP's independent redress mechanism. Disputes resolved through the independent redress mechanism are less likely to be escalated to the relevant data protection authority or to result in a lawsuit.
Should you require assistance or support, please contact the authors of this blog post or your relationship partner at our firm.
Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor our firm accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.