Here at the Asia Pacific Economic Cooperation meetings in Lima, Peru, the Data Privacy Subgroup has been hard at work examining the APEC Privacy Framework and its attendant Cross Border Privacy Rules.

Endorsed by APEC in 2011, the CBPR program admittedly is still in its infancy. Just 14 companies have been through the process (one so recently its not on the official site yet); only Japan, Canada, Mexico, and the United States currently participate; and there is relatively little name recognition for the program. One participant here noted that a search of Singaporian media turned up just a single reference for CPBRs.

However, the companies that have been through the process are some of the world’s most prominent: Apple, HP, IBM, Merck, just to name a few. 

What’s the value that they see? Member economies heard an APEC-commissioned report from Information Integrity Solutions, that explored the answer to this question. Part of it is purely efficiency. One company reported that the CBPR process helped considerably in its application for binding corporate rules in the EU, shortening the time for BCR completion to nine months and reducing costs by nearly 10 percent.

Companies also reported a feeling of future-proofing, which has been borne out by the recent change in Japan’s Personal Information Protection Act, which says that personal data must not be transferred outside of Japan unless the Japanese data protection authority has deemed the data protection regime to be up to Japanese standards. It is widely thought that those with CBPRs or BCRs in place will qualify, regardless of country of origin, following a Japanese political statement to that effect, though that has not been officially codified yet.

[quote]A further indication of CBPR utility in Japan is reflected by the recent decision to make Japanese firm JIPDEC an accountability agent for the CBPR process, joining TRUSTe as the only two certified accountability agents.[/quote]

A further indication of CBPR utility in Japan is reflected by the recent decision to make Japanese firm JIPDEC an accountability agent for the CBPR process, joining TRUSTe as the only two certified accountability agents. Japanese companies can now join U.S. companies in getting certified to transfer data across borders.

However, there was acknowledgement already that the CBPR system needed tweaking. Officials discussed and implemented some small changes to the program and left others for further discussion. For instance, the Data Privacy Subgroup made a decision to allow accountability agents to be re-certified every two years, instead of annually, following a one-year initial certification period.

There was also discussion of a suggestion that those economies without an accountability agent–namely, Mexico and Canada–publish a timeline for when an accountability agent might be in place. However, as the nature of public-privacy partnerships like the CBPR process dictates that it is somewhat out of the hands of the member economies, economies will simply be asked to regularly provide updates as to the likelihood of an agent appearing.

Some changes to the CBPR program were largely perfunctory: making it clear that member economies can consult stakeholders as they evaluate accountability agents, codifying what information must be provided by accountability agents and certified companies, making it clear what should appear on the www.CBPRs.org web site.

There are stickier questions, too, however. What happens if an accountability agent goes out of business or is found not to be in compliance with the program? Are all the companies certified through that agent now out of compliance as well? Should that economy be suspended entirely from the program until a new agent is found?

Currently, it looks as though the economy would remain active, providing regular updates on when a new agent might be put in place, but the companies, indeed, would lose their certification. But this is still something that APEC is working through.

And what if a company that is not from an APEC economy would like to get certification for a subsidiary based in an APEC economy? Could you certify the entire company, as is possible with BCRs? Again, the Data Privacy Subgroup chose to explore that for future meetings.

These decisions were finalized earlier today, Feb. 25, but the general agreement seemed to be that small details may remain less important than getting the word out that the program exists. Without understanding and appreciation by consumers and the general public, and participation by companies looking to transfer data across borders and economies looking to expedite that data transfer in a safe manner, the CBPR program is largely an intellectual exercise.

That’s why the Data Privacy Subgroup also agreed to explore a new communications plan to spread the word of CBPRs’ utility and availability. Look for APEC to do much more to raise awareness of the program, with a CBPR conference this year in Vietnam, and potential conferences in Singapore and Australia before 2017.

We’ll have to wait and see whether participation follows, both by individual economies and global organizations.