The Federal Communications Commission (“FCC”) has adopted rules to address two fraudulent practices that “bad actors use to take control of consumers’ cell phone accounts and wreak havoc on people’s financial and digital lives without ever gaining physical control of the consumer’s phone.”

In its recent Report and Order and Further Notice of Proposed Rulemaking released November 16, 2023, the Commission first addressed the practice where bad actors are able to swap a consumer’s subscriber identity module (“SIM”) card to a wireless device associated with a different SIM (i.e., SIM card swap fraud). The agency also acted on wireless number porting fraud, where bad actors impersonate a customer and convince the provider to port the real customer’s telephone number to a new wireless provider and a device that the bad actor controls (i.e., port-out fraud). 

Continue Reading FCC Acts to Protect Consumer Data by Strengthening Customer Proprietary Network Information and Number Porting Rules

Compliance with data protection laws is an issue of increasing complexity for most organizations these days. New laws and regulations are cropping up with increasing frequency, making companies’ compliance challenges more complicated all the time. As a result, many companies are seeking ways to simplify their compliance strategy while demonstrating compliance to individuals, clients, customers and regulators.

Since the EU-US and Swiss-US Data Privacy Frameworks (DPF) and the UK Extension to the EU-U.S. DPF were approved earlier this year, some international organizations are considering DPF certification to show compliance with the requirements of European and UK law. Such organizations may also want to consider certification to the Asia Pacific Economic Cooperation (APEC), Cross-Border Privacy Rules (CBPR) and the Privacy Recognition for Processors (PRP). The CBPR and PRP are voluntary frameworks under which companies can apply for certification.

Compared to the DPF, which is bilateral between the EU and U.S. (see our FAQs here), the CBPR (and its forthcoming successor, the Global CBPR) has a wider geographical reach that can facilitate more multilateral transborder data flows. However, certification to CBPR and PRP can be used not only as a cross-border data transfer mechanism, but also as a comprehensive domestic privacy compliance and accountability program.

In this blog post, we will outline the benefits of certification, and factors to consider in determining whether CBPR and PRP certifications are appropriate for your organization.

What Are the CBPR and PRP?

The CBPR and PRP are data protection frameworks which were adopted by participating APEC economies.

A CBPR or PRP certified company in a relevant participating economy can transfer personal data, to either: (a) a recipient within the same group of companies; or (b) to an external third party, even if that recipient is neither CBPR nor PRP certified and regardless of whether that recipient is based in a participating economy or not.

The CBPR certification is for data controllers, (i.e., companies that control the processing of personal data). Conversely, the PRP certification is for data processors, (i.e., companies that process personal data on behalf of controllers). The PRP is designed to help processors demonstrate their ability to assist controllers in complying with relevant data privacy obligations. The PRP also helps controllers identify qualified and accountable data processors. If a company is a controller under certain circumstances and a processor under others, that company may choose to become both CBPR and PRP certified.

Who Are the Participating Economies of the CBPR and the PRP?

Currently, there are nine members of the CBPR system, namely:

  • The US
  • Australia
  • Canada
  • Japan
  • Korea
  • Mexico
  • The Philippines
  • Singapore
  • Taiwan/Chinese Taipei

Of these nine, the CBPR has already been fully implemented and operationalized in:

  • The US
  • Japan
  • Korea
  • Singapore

The remaining five members are in varying stages of implementation/operationalization. Other countries that have indicated that they will be joining the CBPR in due course include Chile, Indonesia, Malaysia, the UK and Vietnam.

Currently, there are two members of the PRP system, namely:

  • The US
  • Singapore

What is the Process for Getting Certified?

An applicant company must apply to a recognized accountability agent, which is an external independent certification body appointed within the relevant APEC participating economy in which the company is primarily based/located. The applicant company can select an accountability agent from a list of accountability agents appointed by the relevant participating economy.

The procedure for applying for certification will begin with the applicant company contacting an accountability agent from the agents approved by the participating economy. Typically, some basic information will be requested and then the applicant company will be contacted by a representative from that accountability agent. Next, the applicant company will undergo a comprehensive assessment by the accountability agent, based on specified program requirements/assessment criteria discussed below.

Accountability agents are responsible for receiving an applicant company’s intake documentation, verifying its compliance with the requirements of the CBPR or PRP (as the case may be) and, where appropriate, assisting the applicant in modifying its policies and practices to meet the requirements of the CBPR or PRP (as the case may be). The accountability agent will certify those applicants that are deemed to have met the minimum criteria for participation, and will be responsible for monitoring their compliance with the CBPR or PRP (as the case may be), based on such criteria.

What Are the Criteria by Which Applicant Companies Will be Assessed?

The CBPR and the PRP each contain their own set of program requirements, which are based on the following nine Privacy Principles set forth in the 2005 APEC Privacy Framework.

  • Preventing harm
  • Notice
  • Collection limitation
  • Uses of personal information
  • Choice
  • Integrity of personal information
  • Security safeguards
  • Access and correction
  • Accountability

The program requirements and assessment criteria for the CBPR can be found here, and for the PRP here. The CBPR and PRP program requirements assist the accountability agents in reviewing the practices adopted by an applicant company for compliance. They also ensure that the process is conducted consistently throughout all participating economies of the CBPR or PRP systems.

What are the Legal Implications of Becoming Certified?

Once a company becomes CBPR or PRP certified, it must comply with the CBPR or PRP requirements, which are imposed on it as enforceable obligations. The certification becomes legally enforceable by the privacy enforcement authority in the participating economy in which the company is based. For instance, if the company is based in the US, that authority is the US Federal Trade Commission.

A certified company must implement complaint and redress mechanisms to address and respond to any individual complaints concerning potential violations. Such mechanisms must accord with the APEC CBPR and PRP dispute resolution procedure rules. The key features of that dispute resolution procedure (Procedure) are as follows. The accountability agent will be the dispute resolution provider that administers the Procedure for any complaints alleging that a certified company has failed to comply with the PRP program requirements. For a complaint to be eligible for resolution under the Procedure, it must:

  • Be made against a certified company
  • Allege that the certified company failed to comply with program requirements in relation to the complainant’s personal data
  • Include information to support the complainant’s allegations
  • Follow a good faith effort by the complainant to resolve the complaint directly with the certified company
  • Not have been previously resolved by the same dispute resolution procedure, or court action, arbitration or other form of dispute settlement
  • Not currently be the subject of litigation or other adjudicatory process (unless both the complainant and certified company agree otherwise)

Upon initial contact by a potential complainant, the accountability agent will:

  • Seek information about the complaint to determine its eligibility for resolution under the Procedure
  • Verify the identity of the complainant

The accountability agent will determine whether the complaint is eligible and will notify the complainant of its decision. The accountability agent will then issue a written decision to the parties after receipt of all information provided by the parties. The decision will state whether, and why, corrective action is or is not necessary and if it is, specify a commercially reasonable time frame for such action to be implemented. If the accountability agent determines that changes to the certified company’s privacy policies or practices are necessary to correct any non-compliance with the PRP program requirements, the certified company must submit a statement to the accountability agent indicating whether, and how, it will comply with the decision. The accountability agent will notify the parties once the required changes have been made and close the case. If no further action is required, it will notify the parties accordingly and close the case. The accountability agent is also entitled to suspend or withdraw certifications for non-compliant companies. It can also, in its sole discretion, report any non-compliance to the US Federal Trade Commission or other appropriate government agency.

Do Certifications Need to be Renewed?

As with the DPF, a CBPR or PRP certified company needs to renew its certification annually and is subject to a re-certification process every year. To get its CBPR or PRP certification renewed, the company must update and complete the intake questionnaire to reflect any changes since the initial certification. If there has been a material change, the accountability agent will perform a review process and issue an audit report with its findings on the company’s level of compliance with the program requirements. This report will also highlight areas of non-compliance, and rectifications that are needed to be made, as well as the timeframe within which they must be made to obtain re-certification. Once all requirements are in compliance, a final report will be issued to the company, and the company will be re-certified.

What are the Implications of being CBPR / PRP Certified on Enforcement?

Nothing in the CBPR or PRP systems changes the allocation of responsibility, including in the controller-processor relationship, under applicable national data privacy laws. Under the accountability principle in the APEC Framework and the CBPR system, controllers continue to be responsible for the activities that data processors perform on their behalf, and they remain so even when contracting with a PRP-recognized processor. Accordingly, processor activities remain subject to enforcement through enforcement against the controllers. This means that CBPR-certified controllers must apply due diligence in selecting their processors and engage in appropriate oversight of their processors, regardless of whether the processors are PRP-recognized. Note that there is no requirement that a CBPR-certified controller engage a PRP-recognized processor to perform information processing in order to comply with the accountability principle in the APEC Framework and the CBPR system.

How Can CBPR or PRP Certification Benefit My Organization?

The CBPR and PRP can function as comprehensive privacy compliance and accountability programs and are widely recognized globally as a way to validate robust data protection practices.

As indicated above, the CBPR and PRP can be used as an international transfer mechanism to enable permissible personal data transfers from a participating economy to any other country. However, the CBPR and PRP go beyond just facilitating cross-border transfers: they are also comprehensive privacy frameworks that can help organizations demonstrate compliance with generally recognized privacy principles and privacy laws in participating jurisdictions.

For processors, PRP certification can help demonstrate robust data protection practices to clients. Objective third-party verification of compliance by an accountability agent is helpful for this purpose.

Additionally, with the myriad privacy requirements organizations are obligated to follow, CBPR or PRP certification will help an organization establish a data protection baseline which can be adjusted where necessary to satisfy unique jurisdictional requirements. Accordingly, CBPR and PRP certifications can be used to establish a good data protection standard, generally. This standard can be subsequently developed and refined as your organization grows and matures.

What is the Global Cross-Border Privacy Rules (Global CBPR) Forum and How is it Related to the APEC CBPR and PRP?

The Global CBPR Forum was established in 2022 and builds on the APEC CBPR system as a framework that supports the effective protection and flow of data internationally. The Global CBPR Forum intends to establish an international certification system based on the APEC CBPR and PRP, but the system will be independently administered and separate from the APEC Systems.

There will be consultations with accountability agents and companies certified under the APEC CBPR and PRP to formally transition operations to the Global CBPR Forum. Any pre-existing accountability agents will be provided with at least 30 days’ notice. For companies that are already certified or interested in becoming APEC CBPR or PRP certified, these certifications will continue to be provided through APEC-approved accountability agents until further notice. All APEC CBPR or PRP certified companies, as well as their approved accountability agents, will automatically be recognized in the new Global CBPR Forum based on the same terms that they are recognized within the APEC CBPR and PRP Systems.

Presently, the Global CBPR counts the US, Canada, Mexico, Japan, South Korea, the Philippines, Singapore, Chinese Taipei and Australia as members, with the UK granted associate status in July 2023. With its broad geographical footprint and expanding take up, the Global CBPR has the potential for facilitating more multilateral cross-border transfer arrangements over a wider region, compared to the bilateral approach adopted by the EU for instance. For more information on the upcoming Global CBPR Forum, see: https://www.commerce.gov/global-cross-border-privacy-rules-declaration.

Conclusion

With the increasingly global nature of business and increasingly complex data protection compliance obligations, certifications like the CBPR and PRP can be helpful tools to ensure that your organization is equipped to satisfy those requirements.

Companies that certify to CBPR and PRP can use such certifications to demonstrate commitment to data protection principles. As a result, such certifications can help to distinguish your organization in an increasingly competitive market. Additionally, certifications like CBPR and PRP can help to demonstrate good faith efforts to comply with applicable data protection requirements. Showing good faith efforts is often a crucial defense against regulatory enforcement actions. Compliance with robust data protection standards can also help companies defend against allegations of failure to implement adequate data protection controls.

To this end, individuals who are unsatisfied with the way a company handles its data protection obligations are given the opportunity to settle the matter under the CBPR and PRP's independent redress mechanism. Disputes resolved pursuant to the independent redress mechanism are less likely to be escalated to the relevant data protection authority or to result in a lawsuit.

Should you require assistance or support, please contact the authors of this blog post or your relationship partner at our firm.

Disclaimer: While every effort has been made to ensure that the information contained in this article is accurate, neither its authors nor our firm accepts responsibility for any errors or omissions. The content of this article is for general information only and is not intended to constitute or be relied upon as legal advice.

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Privacy Challenges for Digital Advertising, Particularly in Europe

The Online Safety Act: Does this present a difficult balancing act for online service providers?

Simplified Sanction Procedure Used by the CNIL To Sanction Geolocation and Video Surveillance of Employees in France

Scott Warren and Kristin Bryan to Speak at the Society for the Policing of Cyberspace (POLCYB) Conference

Two Significant AI Announcements: Spooky for AI Developers?

Last Chance to Register for In-Person CLE: The Important Role Legal Plays in an Era of Growing Data Risks: Key Findings From the 2023 ACC CLO Report

Cyber and AI talks in Tokyo

Join us for a Roundtable: Preparing for the EU Artificial Intelligence Act – Brussels

UPDATED BLOGPOST: Online Safety in Digital Markets Needs a Joined-Up Approach with Competition Law in the UK

FTC Amends GLBA Safeguards Rule to Require Reporting of Certain Data Breaches

Unclear on AI Contracting in the EU – the European Commission Is Pleased to Help

Today at a panel before the International Association of Privacy Professionals (“IAPP”) – Europe Data Protection Congress in Brussels, leading European Union (“EU”) data protection authority commissioners cast doubt on the notion that there could ever be a lawful basis for targeted advertising based on behavioral profiling, referred to often as interest-based advertising (“IBA”).


Introduction

The Online Safety Act (“OSA”) aims to make the internet a safer place, protecting adults and children from illegal and harmful content by making online service providers such as social media companies more accountable for content published on their sites[1]. Despite the positive intentions, the OSA may have unintended consequences. In particular, service providers will face the difficult task of balancing the duty to protect users from illegal and harmful content against the duty to protect freedom of expression.

The OSA became law on 26 October 2023.


In November 2023, the National Commission on Informatics and Liberty (CNIL), the French data protection authority, announced that it had issued 10 new sanctions under its new simplified procedure, following complaints concerning geolocation of vehicles and video surveillance of employees, data minimization, the right to object and lack of response to CNIL requests.

The New Simplified Sanction Procedure

The simplified sanction procedure was introduced in 2022, to simplify and accelerate the sanction procedure for cases “which do not present a particular difficulty”. The purpose of this new procedure is to “increase the effectiveness” of the CNIL’s enforcement action, in particular in response to complaints it receives (there were more than 12,000 complaints in 2022).

The sanctions that may be imposed under this procedure are (i) a fine of up to €20,000, (ii) an injunction with a penalty capped at €100 per day of delay and (iii) a call to order. These sanctions cannot be made public. The decision is taken by the president of the sanction formation (or one of the members of this formation) ruling alone, and no public session is organized, unless the organization requests to be heard.

Under this new procedure, the CNIL has sanctioned private and public organizations over the last two months for a total amount of €97,000 in fines.

Focus on Use of Devices That May Lead to Constant Employee Monitoring

Among the 10 decisions, the CNIL has singled out the recurring topic of excessive and disproportionate employee monitoring and, more particularly:

  • Geolocation of employee vehicles – The CNIL reminds organizations that the continuous recording of geolocation data, without the possibility for employees to stop or suspend the system during break times, is, unless specifically justified, an excessive infringement of employees' freedom of movement and right to privacy.
  • Video surveillance of employees – The CNIL reaffirms its position against continuous video surveillance of workstations, which is often disproportionate, even when used for purposes such as prevention of workplace accidents or evidence of business transactions.

By issuing sanctions under the simplified procedure, the CNIL is sending the message that it will not limit its enforcement action to large organizations and complex matters. All organizations are potentially at risk of an enforcement action, in particular in cases where a complaint is filed with the CNIL. Moreover, an organization for which a simplified procedure has been initiated faces the risk that the CNIL uses its ability to switch, at any time, to the ordinary procedure, which allows it to issue the maximum level of fines under GDPR and a publication of the decision.


Partners Scott Warren (Tokyo/Shanghai) and Kristin Bryan (New York/Cleveland) will be presenting at the upcoming POLCYB (www.polcyb.org) hybrid conference (Vancouver and online) entitled “Thought Leadership on Managing Public Safety and Corporate Security in the AI-Driven Era”. The event is on November 21, 2023 from 8:00 am to 3:30 pm (PST)/4:00 pm to 11:30 pm (GMT). This free conference will discuss how:

  • AI and technology are affecting law enforcement and government services both positively and negatively (speakers include global experts on the latest in cyber-threats across Canada, APAC/EMEA and the Ukraine)
  • The law is developing as to AI regulation and mechanisms for sharing data in investigations, along with the impact on companies dealing with cyber-attacks (presenters include the Council of Europe, Canadian Public Prosecutors and SPB’s Kristin and Scott)
  • Public-Private partnerships and community capacity-building can be essential steps (featuring UK and Canadian police, AML, gaming investigators, information sharing and supporters)

For more information, please see Society for the Policing of Cyberspace (POLCYB). For registration, please contact Ms. Bessie Pang at bessie-pang@polcyb.org and indicate you were notified by SPB.


On Devil’s Night Day, two significant AI developments were announced. First, the White House’s Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (“AI EO”). Second, the Group of 7 (“G-7”) announced its International Guiding Principles on Artificial Intelligence (“G-7 Principles”) and companion Code of Conduct for AI Developers (“G-7 Code”). All three are broad strokes – the devil will be in the details.

Following is a short summary of each but please check back soon for more analysis and key takeaways for businesses and their AI governance programs.


According to the 2023 ACC CLO Survey, legal teams are facing unique and growing data-related challenges in this ever-changing regulatory and threat landscape. Data requirements for privacy and compliance continue to become more complex and confusing, and the risk of resulting litigation continues to rise.

Join team SPB, in partnership with Exterro, in a lively luncheon that will explore key areas of risks and provide tools and tips to mitigate these risks and establish defensible compliance to help insulate your organization in the event of a privacy breach, regulatory action or litigation. This in-person CLE program will be held next Wednesday, November 8, from 12:00 to 2:00 pm MST (AZ) in SPB’s Phoenix, Arizona office.

Topics include:

  1. Insight into best practices for managing your company’s compliance, risks and data defensibility
  2. Data from the 2023 ACC CLO Survey, exploring how CLOs/GCs are shifting their focus to effectively managing these data-related challenges
  3. Important updates on how laws governing data are evolving

Speakers:

  1. Dan Christensen, Data Protection Officer, PrivaCyber, LLC
  2. Rebecca Perry, Director of Strategic Partnerships, Exterro
  3. Elizabeth Spencer Berthiaume, Data Privacy, Cybersecurity & Digital Assets Associate, Squire Patton Boggs

This program is approved or pending approval for 1.0 general credit hour of CLE in Arizona, California, New Jersey, New York, and Utah.

Registration is available here.