APEC helps the primary US non-profit accountability agent
On January 26, 2021, BBB National Programs announced that it had been recognized as an Accountability Agent for the APEC Cross-Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) systems. This makes BBB National Programs the seventh CBPR and PRP accountability agent in the world and the first not-for-profit US provider to be approved by APEC.
BBB National Programs is a not-for-profit organization that creates a fairer playing field for businesses and a better experience for consumers by developing and delivering effective third party accountability and dispute resolution programs. With APEC approval, BBB National Programs is expanding the CBPR and PRP systems into its arsenal of other certification programs, including the newly established Vendor Privacy Program and the EU Privacy Shield Dispute Settlement Program.
BBB National Programs will now be able to independently assess and certify US corporation compliance under the APEC CBPR and PRP programs. The newly established Global Privacy Division of BBB National Programs will take over this role.
The APEC CBPR system is a regional, multilateral and cross-border data transfer mechanism and an enforceable data protection code developed for businesses by the 21 APEC member countries. The CBPR implements the nine high-level APEC data protection principles set out in the APEC data protection framework. In order to participate in the CBPR, individual APEC economies must officially express their intention to join and meet certain requirements. To date, nine APEC economies have officially joined the CBPR: the United States, Mexico, Canada, Japan, South Korea, Singapore, Australia, Chinese Taipei, and the Philippines, some of which are still in the process of fully operationalizing the requirements. All APEC economies have approved the CBPR system.
The APEC PRP system is a complement to the CBPR that information processors can use to demonstrate that they are able to effectively implement the data protection obligations of an information controller. The PRP also enables information controllers to identify qualified and accountable processors and to support small or medium-sized processors that are not generally known to gain visibility and credibility. The procedure for joining the PRP is similar to that for joining the CBPR. So far, the USA and Singapore have joined the PRP system.