For an APEC member to join the CBPR program, it must demonstrate to the APEC Joint Oversight Panel that the country’s data security/privacy laws and enforcement process adhere to mutually agreed-on baseline privacy principles. The prospective member state must also show how it will fulfill the CBPR program requirements for companies seeking certification, including a commitment to appoint an APEC-approved accountability agent to confirm compliance by applicant companies. The APEC PRP program seeks to accomplish similar goals for data processors (i.e., companies that possess data on behalf of data controllers). As with the CBPR, participating member countries must appoint an accountability agent to ensure that data processor companies seeking certification comply with program requirements and have adequate compliance measures in place.
The Singapore government noted that its Personal Data Protection Commission is working on a certification scheme incorporating both CBPR and PRP standards, with launch scheduled by the end of 2018.
Company participation in the certification process is voluntary. However, as the numbers of both CBPR program member countries and approved companies rise, companies likely will experience greater benefits from obtaining certification. In addition, APEC and EU regulators have worked closely to align the CBPR program with the EU’s Binding Corporate Rules (BCR) framework, which allows for cross-border personal data transfers with entities located in EU member states. As evidenced by the recent Merck example, obtaining CBPR certification for the APEC region may facilitate the BCR authorization process for the EU. As a final note, Australia is preparing to join the CBPR program; with Australia’s participation, CBPR member countries will constitute nearly two-thirds of overall APEC GDP (based on 2016 World Bank data), which arguably makes it even more attractive for companies to go through the CBPR process.