
APEC Cross-Border Privacy Rules Certification

Guides APEC Cross-Border Privacy Rules system certification process including self-assessment against the APEC Privacy Framework principles, accountability agent selection, intake questionnaire completion, certification decision, annual recertification, and Global CBPR Forum transition. Keywords: APEC, CBPR, cross-border privacy, accountability agent, certification, Global CBPR.

ID: cross-jurisdiction.data-protection.apec-cbpr-cert Version: 0.1.0 License: Apache-2.0 Author: mukul975 Language: en Added: 2026-06-01

Overview

The APEC Cross-Border Privacy Rules (CBPR) system is a government-backed data privacy certification that enables the flow of personal information across participating APEC economies while ensuring effective protection of that information. Endorsed by APEC in 2011, the CBPR system implements the nine principles of the APEC Privacy Framework (adopted in 2004, updated in 2015) through a set of certifiable program requirements. Organizations self-assess against these requirements and submit the self-assessment to an APEC-recognized Accountability Agent for review and certification.

As of 2024, the CBPR system has evolved into the Global Cross-Border Privacy Rules (Global CBPR) Forum, expanding beyond APEC member economies. The Global CBPR Forum was established in April 2022 by Canada, Japan, the Republic of Korea, the Philippines, Singapore, Chinese Taipei, and the United States, with additional economies joining subsequently. Organizations certified under the APEC CBPR system are transitioning to Global CBPR certification.

Sentinel Compliance Group holds CBPR certification through TRUSTe (TrustArc), the US-recognized Accountability Agent, covering its customer data processing operations across APEC economies.

APEC Privacy Framework Principles

The CBPR system is built on the nine principles of the APEC Privacy Framework (2015 revision):

Principle 1: Preventing Harm

The organization develops policies and procedures to prevent misuse of personal information and to mitigate the risk of harm to individuals. Harm includes physical, financial, reputational, psychological, and other forms of damage arising from the collection, use, or disclosure of personal information.

CBPR Requirements:

  • Conduct privacy risk assessments proportionate to the sensitivity and volume of personal information processed
  • Implement technical and organizational safeguards to prevent unauthorized access, use, or disclosure
  • Establish incident response procedures for data breaches
  • Maintain privacy complaint resolution mechanisms

Principle 2: Notice

The organization provides clear, conspicuous, and accessible notice of its privacy practices.

CBPR Requirements:

  • Publish a privacy policy that describes: categories of personal information collected, purposes of collection and use, categories of recipients, data subject rights, complaint mechanisms, policy effective date
  • Provide notice prior to or at the point of collection
  • Notify individuals of material changes to privacy practices before the changes take effect
  • Make the privacy policy available in an easily understandable format

Principle 3: Collection Limitation

Personal information collection is limited to that which is relevant to the purposes of collection and obtained by lawful and fair means with the knowledge or consent of the individual.

CBPR Requirements:

  • Limit collection to personal information relevant to identified purposes
  • Obtain personal information by lawful means
  • Obtain consent for collection of sensitive personal information (health, financial, children's data)
  • Document the categories of personal information collected and the purposes for each

Principle 4: Uses of Personal Information

Personal information is used only to fulfill the purposes of collection and other compatible purposes.

CBPR Requirements:

  • Use personal information only for purposes identified in the privacy notice or compatible purposes
  • Obtain consent before using personal information for materially different purposes
  • Document the uses of personal information and ensure consistency with disclosed purposes
  • Implement purpose limitation controls in data systems

Principle 5: Choice

Individuals are provided with choice regarding the collection, use, and disclosure of their personal information.

CBPR Requirements:

  • Provide opt-out mechanisms for marketing communications and non-essential processing
  • Provide opt-in mechanisms for collection and use of sensitive personal information
  • Ensure that opt-out mechanisms are clear, conspicuous, and easy to use
  • Honor choice preferences in a timely manner
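The requirements above under Collection Limitation, Uses and Choice (consent for sensitive data, purpose limitation controls in data systems, honoring opt-outs) are usually satisfied by a single enforcement point in front of the data store: each record carries the purposes disclosed in the notice at collection and the individual's recorded choices, and every use is checked against that metadata and written to an audit trail. The following is an added example of such a control, not code from this skill or from any Accountability Agent; the purpose names, the compatibility mapping, the sensitive categories and the sample records are assumptions chosen for illustration.

```python
"""Purpose-limitation and choice enforcement for a personal-data store.

Added illustration (not part of the original skill). Assumptions: purpose
names, the COMPATIBLE mapping, the SENSITIVE categories and the sample
records in demo() are all invented for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed compatibility analysis: a use is permitted if it is, or is
# compatible with, a purpose disclosed at collection (Principle 4).
COMPATIBLE = {
    "service_delivery": {"service_delivery", "security", "billing"},
    "billing": {"billing", "fraud_prevention"},
    "support": {"support", "service_delivery"},
    "marketing": {"marketing"},
}

# Categories the skill lists as sensitive; they need opt-in consent (Principles 3 and 5).
SENSITIVE = {"health", "financial", "children"}


@dataclass
class Record:
    subject_id: str
    category: str                    # e.g. "contact", "financial"
    disclosed_purposes: set[str]     # purposes stated in the notice at collection
    opt_in: set[str] = field(default_factory=set)   # explicit consents given
    opt_out: set[str] = field(default_factory=set)  # opt-outs exercised


@dataclass
class Decision:
    allowed: bool
    reason: str


AUDIT: list[dict] = []   # every decision is logged, allowed or not


def record_choice(record: Record, purpose: str, opt_in: bool) -> None:
    """Honor a choice immediately: an opt-out cancels any earlier opt-in and vice versa."""
    if opt_in:
        record.opt_in.add(purpose)
        record.opt_out.discard(purpose)
    else:
        record.opt_out.add(purpose)
        record.opt_in.discard(purpose)


def is_compatible(disclosed: set[str], purpose: str) -> bool:
    """True if `purpose` equals or is compatible with any disclosed purpose."""
    return any(purpose in COMPATIBLE.get(p, {p}) for p in disclosed)


def check_use(record: Record, purpose: str, requester: str) -> Decision:
    """Decide whether `requester` may use `record` for `purpose`, and log the decision."""
    if purpose in record.opt_out:
        d = Decision(False, f"subject opted out of {purpose}")
    elif not is_compatible(record.disclosed_purposes, purpose):
        d = Decision(False, f"{purpose} is not a disclosed or compatible purpose "
                            f"(disclosed: {sorted(record.disclosed_purposes)})")
    elif record.category in SENSITIVE and purpose not in record.opt_in:
        d = Decision(False, f"{record.category} data needs opt-in consent for {purpose}")
    else:
        d = Decision(True, "within disclosed purposes; choices honored")
    AUDIT.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "subject": record.subject_id, "category": record.category,
        "purpose": purpose, "requester": requester,
        "allowed": d.allowed, "reason": d.reason,
    })
    return d


def demo() -> dict[str, bool]:
    """Run the control over constructed sample records; returns outcome per case."""
    contact = Record("u-1001", "contact", {"service_delivery"})
    billing = Record("u-1001", "financial", {"billing"})
    newsletter = Record("u-2002", "contact", {"marketing"}, opt_in={"marketing"})
    out = {}
    out["security_on_contact"] = check_use(contact, "security", "soc-pipeline").allowed
    out["marketing_on_contact"] = check_use(contact, "marketing", "crm-sync").allowed
    out["billing_without_opt_in"] = check_use(billing, "billing", "invoicing").allowed
    record_choice(billing, "billing", opt_in=True)
    out["billing_with_opt_in"] = check_use(billing, "billing", "invoicing").allowed
    out["marketing_before_opt_out"] = check_use(newsletter, "marketing", "crm-sync").allowed
    record_choice(newsletter, "marketing", opt_in=False)
    out["marketing_after_opt_out"] = check_use(newsletter, "marketing", "crm-sync").allowed
    return out


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case:28s} {'ALLOW' if allowed else 'DENY'}")
    for entry in AUDIT:
        print(entry)
```

The ordering of the checks matters: an opt-out is tested first so that a denial never turns into an allow through a compatibility argument, and the denied path is logged with the same fields as the allowed path, which gives the Accountability Agent the evidence the intake questionnaire asks for (purpose limitation controls, preference records, audit results) from one source.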

Principle 6: Integrity of Personal Information

Personal information is accurate, complete, and kept up-to-date to the extent necessary for the purposes of use.

CBPR Requirements:

  • Implement data quality processes at the point of collection
  • Provide mechanisms for individuals to request correction of inaccurate information
  • Process correction requests in a timely manner
  • Maintain audit trails for corrections

Principle 7: Security Safeguards

Personal information is protected by reasonable security safeguards against unauthorized access, use, modification, disclosure, or destruction.

CBPR Requirements:

  • Implement technical safeguards proportionate to the sensitivity of the data (encryption, access controls, logging)
  • Implement organizational safeguards (security policies, employee training, background checks)
  • Implement physical safeguards (access-controlled facilities, secure disposal)
  • Conduct periodic security assessments
  • Maintain incident response and breach notification procedures

Principle 8: Access and Correction

Individuals have the ability to access and correct their personal information.

CBPR Requirements:

  • Provide mechanisms for individuals to access their personal information
  • Verify the identity of individuals making access requests
  • Respond to access requests within a reasonable timeframe
  • Provide mechanisms for individuals to request correction
  • Communicate reasons for denying access or correction requests

Principle 9: Accountability

The organization is accountable for complying with measures that give effect to the above principles.

CBPR Requirements:

  • Designate a privacy contact person or office
  • Implement privacy training for employees who handle personal information
  • Develop and implement privacy policies and procedures
  • Conduct periodic privacy assessments
  • Ensure that processors and third parties provide equivalent protection
  • Cooperate with supervisory authorities and accountability agents

Self-Assessment Process

Step 1: Eligibility Determination

Determine eligibility for CBPR certification:

  • The organization must be located in or subject to the jurisdiction of a CBPR-participating economy
  • The organization must process personal information of individuals in APEC economies
  • The organization must be willing to submit to the jurisdiction of an Accountability Agent
  • The organization must be willing to cooperate with cross-border enforcement actions

Participating Economies (APEC CBPR as of 2024): United States, Mexico, Japan, Canada, Republic of Korea, Singapore, Chinese Taipei, Philippines, Australia

Global CBPR Forum Members (expanding): United States, Canada, Japan, Republic of Korea, Philippines, Singapore, Chinese Taipei (founding members), Bermuda, Jersey, United Kingdom (Associate, the Forum's status for non-member participants, not "observer"). Membership is still changing; confirm the current list published by the Global CBPR Forum before relying on it for a transfer.

Step 2: Accountability Agent Selection

Select an APEC-recognized Accountability Agent for the relevant economy:

  Economy            Accountability Agent                                                     Website
  United States      TRUSTe (TrustArc)                                                        truste.com
  United States      BBB National Programs                                                    bbbprograms.org
  Japan              JIPDEC (Japan Institute for Promotion of Digital Economy and Community)  jipdec.or.jp
  Republic of Korea  Korea Internet & Security Agency (KISA)                                  kisa.or.kr
  Singapore          Infocomm Media Development Authority (IMDA)                              imda.gov.sg
  Philippines        National Privacy Commission (NPC)                                        privacy.gov.ph
  Chinese Taipei     Institute for Information Industry (III)                                 iii.org.tw
  Mexico             Instituto Nacional de Transparencia, Acceso a la Información y           inai.org.mx
                     Protección de Datos Personales (INAI)

Caveat: the NPC and INAI are the Privacy Enforcement Authorities of their economies (the bodies that handle enforcement and CPEA cooperation), not certification bodies, and not every participating economy has a recognized Accountability Agent. Check the list of currently recognized Accountability Agents published by the CBPR system before selecting one; an organization in an economy without one cannot be certified until an Accountability Agent is recognized there.

Step 3: Intake Questionnaire Completion

The Accountability Agent provides an intake questionnaire based on the APEC CBPR Program Requirements. The questionnaire maps to the nine Privacy Framework principles and requires the organization to:

Section A: Organization Information

  • Legal entity name, address, and jurisdiction
  • Contact information for privacy officer
  • Description of business activities involving personal information
  • Economies where personal information is collected, processed, and transferred
  • Number of individuals whose personal information is processed
  • Categories of personal information processed
  • Categories of sensitive personal information processed

Section B: Privacy Practices Self-Assessment

For each of the 50 CBPR program requirements, the organization must:

  1. Describe its current practice
  2. Identify the policy, procedure, or technical control that implements the requirement
  3. Provide evidence of implementation
  4. Identify any gaps and planned remediation

Key Self-Assessment Questions (representative subset):

  Requirement ID  Principle              Requirement                                                                                  Evidence Type
  CBPR-1          Preventing Harm        Does the organization conduct privacy risk assessments?                                      Risk assessment methodology, completed assessments
  CBPR-5          Notice                 Does the organization provide clear and conspicuous notice of its privacy practices?          Privacy policy, collection point notices
  CBPR-12         Collection Limitation  Does the organization limit collection to personal information relevant to identified purposes?  Data inventory, purpose-to-data mapping
  CBPR-18         Uses                   Does the organization limit use to purposes identified in the notice?                        Purpose limitation controls, audit results
  CBPR-23         Choice                 Does the organization provide opt-out mechanisms for marketing?                              Opt-out mechanism screenshots, preference records
  CBPR-30         Integrity              Does the organization maintain data accuracy?                                                Data quality processes, correction mechanisms
  CBPR-35         Security               Does the organization implement security safeguards proportionate to data sensitivity?       Security assessment results, encryption evidence
  CBPR-42         Access                 Does the organization provide access to personal information upon request?                   Access request process, response records
  CBPR-48         Accountability         Does the organization have a designated privacy contact?                                     Privacy contact information, organizational chart

Step 4: Accountability Agent Review

The Accountability Agent reviews the self-assessment:

  1. Completeness Check: Verify all questions are answered with sufficient detail
  2. Evidence Review: Evaluate submitted evidence against each requirement
  3. Gap Identification: Identify requirements not fully met and communicate to the applicant
  4. Remediation Window: Allow the applicant time (typically 60-90 days) to remediate identified gaps
  5. Follow-Up Review: Re-evaluate remediated areas

Step 5: Certification Decision

The Accountability Agent makes a certification decision:

  Decision                Criteria                                        Next Steps
  Certified               All 50 program requirements substantially met   Issue certification, add to CBPR directory
  Conditionally Certified Minor gaps with committed remediation plan      Issue certification with conditions, follow-up within 90 days
  Not Certified           Material gaps in multiple principles            Provide detailed feedback, applicant may reapply after remediation

Step 6: Certification Maintenance

Upon certification:

  • Display the APEC CBPR certification mark on the organization's website and privacy notice
  • Submit to annual recertification review
  • Report material changes in privacy practices to the Accountability Agent within 30 days
  • Cooperate with the Accountability Agent in investigating and resolving privacy complaints
  • Participate in cross-border enforcement cooperation when required

Annual Recertification

Recertification Process

  1. Annual Self-Assessment Update: Update the intake questionnaire to reflect any changes in privacy practices, processing activities, or organizational structure
  2. Evidence Refresh: Provide updated evidence for controls that have changed
  3. Compliance Attestation: Senior management attests to continued compliance with CBPR program requirements
  4. Accountability Agent Review: The Accountability Agent reviews the updated self-assessment (typically lighter-touch than initial certification)
  5. Recertification Decision: Renewal of certification or identification of remediation needs

Recertification Triggers (Outside Annual Cycle)

The organization must notify the Accountability Agent and may be subject to interim review when:

  • Material changes to privacy practices or privacy policy
  • Significant data breach affecting APEC-economy individuals
  • Regulatory enforcement action related to privacy
  • Major organizational restructuring (merger, acquisition, divestiture)
  • Expansion to new APEC economies not covered by original certification

Global CBPR Forum Transition

Transition from APEC CBPR to Global CBPR

Organizations certified under the APEC CBPR system are transitioning to the Global CBPR Framework:

  Aspect              APEC CBPR                                                          Global CBPR
  Governance          APEC Electronic Commerce Steering Group (Data Privacy Subgroup)     Global CBPR Forum (independent of APEC, governed by its member jurisdictions)
                      and the Joint Oversight Panel
  Membership          9 APEC economies                                                   Open to non-APEC jurisdictions (members and Associates)
  Standards           APEC Privacy Framework (2015)                                      Global CBPR Framework (based on the APEC Framework, updated)
  Certification Mark  APEC CBPR mark                                                     Global CBPR mark
  PRP Component       Privacy Recognition for Processors (PRP)                           Global PRP system (processor certification continues as a separate mark)

Transition Steps

  1. Review Global CBPR program requirements against current APEC CBPR certification
  2. Identify any new or modified requirements in the Global CBPR framework
  3. Complete the Global CBPR self-assessment through the Accountability Agent
  4. Obtain Global CBPR certification
  5. Update certification marks and references in privacy notices and marketing materials

Complaint Resolution and Enforcement

Complaint Process

  1. Individual files complaint with the certified organization's privacy contact
  2. If unresolved within 30 days, individual may escalate to the Accountability Agent
  3. Accountability Agent investigates and mediates between the individual and the organization
  4. If the organization fails to remediate, the Accountability Agent may:
    • Require corrective action
    • Suspend or revoke certification
    • Refer to the relevant privacy enforcement authority

Cross-Border Enforcement Cooperation

The CBPR system relies on the APEC Cross-Border Privacy Enforcement Arrangement (CPEA), a cooperation arrangement among Privacy Enforcement Authorities (PEAs); Accountability Agents are not parties to it. When a privacy complaint involves cross-border data flows:

  1. The Accountability Agent refers matters it cannot resolve to the Privacy Enforcement Authority in the organization's economy
  2. That authority coordinates with the enforcement authority in the complainant's economy, sharing information and coordinating investigations under the CPEA
  3. Enforcement actions may be taken in the organization's economy, the complainant's economy, or both

Sentinel Compliance Group CBPR Certification

  • Certification Date: March 2023 (initial); March 2024 (annual recertification)
  • Accountability Agent: TRUSTe (TrustArc)
  • Scope: Customer data processing for SaaS platform operations across US, Japan, Singapore, Australia, and Republic of Korea
  • Categories of PII: Customer contact information, usage data, billing information, support interaction records
  • Individuals Covered: Approximately 2.1 million data subjects across certified economies
  • Complaints Received (2024): 12 complaints filed through the CBPR mechanism; 11 resolved within 30 days; 1 escalated to Accountability Agent and resolved within 60 days
  • Global CBPR Transition: Application submitted December 2024; certification expected Q1 2025
