Asia-Pacific Economic Cooperation privacy

A cross-border privacy framework developed by the Asia-Pacific Economic Cooperation (APEC) forum is the blueprint for greater regional cooperation on privacy rules and enforcement.

APEC's activity in privacy issues recognises that personal and business information travels across borders. A goal is to promote consumer trust and business confidence in these cross-border data flows.

Australia is a member of the APEC Data Privacy Sub (DPS) Group, which developed the framework and meets twice a year to work on privacy issues.

APEC cross-border privacy rules

Australia will participate in the APEC Cross Border Privacy Rules (CBPR) system.

In 2007, APEC approved a Data Privacy Pathfinder Initiative to put the privacy framework into practice. One of the significant outcomes of this initiative was the development by the DPS of the APEC Cross Border Privacy Rules (CBPR) System. The aim of the CBPR System is to build consumer, business and regulator trust in cross border flows of personal information.

The CBPR System requires participating businesses to develop and implement data privacy policies consistent with the APEC Privacy Framework. These policies and practices are assessed against the minimum program requirements of the APEC CBPR system by an Accountability Agent (which is an independent APEC recognised entity, usually in the private sector). By applying a commonly agreed upon baseline set of rules, the CBPR system bridges differences that may exist between different domestic privacy approaches.

The rules need to comply with both the APEC Privacy Framework and the domestic laws of the economies where businesses operate. Accountability is the key privacy principle underlying the CBPR system. A business will be accountable for the promises it makes to its customers about the way in which it will deal with their personal information.

In July 2017, the Australian Government issued a public discussion paper and invited comment on the implications of Australia's possible participation in the CBPR system. As a result of this consultation, the government will take forward Australia's application to participate in the CBPR system.

More information is available on the APEC Cross Border Privacy Rules public consultation — Australia’s participation website.

Cross-Border Privacy Enforcement Arrangement

In July 2010, APEC endorsed the APEC Cross-Border Privacy Enforcement Arrangement (CPEA).

The CPEA was a significant outcome of the 2007 Data Privacy Pathfinder initiative. The CPEA creates a multilateral framework for regional cooperation in enforcing privacy laws. Participation in the CPEA is open to any privacy enforcement authority in an APEC member economy.

The CPEA aims to:

  • facilitate information-sharing among privacy enforcement authorities in APEC economies
  • provide mechanisms to promote effective cross-border cooperation between authorities in the enforcement of privacy law
  • encourage information-sharing and cooperation on privacy investigation and enforcement with privacy enforcement authorities outside APEC.

Australia strongly supports the CPEA and was instrumental in its establishment. Through the Office of the Australian Information Commissioner, Australia participates in the CPEA.

The United States Federal Trade Commission is currently the CPEA Administrator. The current CPEA participants are:

  • Office of the Australian Information Commissioner
  • Office of the Victorian Information Commissioner
  • New Zealand Office of the Privacy Commissioner
  • United States Federal Trade Commission
  • Office of the Privacy Commissioner for Personal Data, Hong Kong, China
  • Office of the Privacy Commissioner of Canada
  • Ministry of Interior – Korea
  • Korea Communications Commission
  • Federal Institute of Access to Information and Data Protection of Mexico
  • Personal Data Protection Commission, Singapore
  • Personal Information Protection Commission of Japan
  • National Privacy Commission – Philippines

For more information on the CPEA, visit the Asia-Pacific Economic Cooperation website.

APEC and European Union privacy systems

In September 2012, APEC Senior Officials and officials of the European Union (EU) Article 29 Working Party and the European Commission approved discussions between APEC and the EU through the DPS and under the auspices of the Electronic Commerce Steering Group (ECSG).

As a starting point, APEC and EU representatives discussed similarities and differences between the APEC CBPR System and the EU system of Binding Corporate Rules (BCR) to assist understanding of the respective systems, including for businesses that may be considering participation in both systems. 

This work led, in January 2014, to the joint APEC-EU Common Referential for the Structure of the EU System of Binding Corporate Rules and APEC Cross Border Privacy Rules System. The goal of this referential is to serve as an informal pragmatic checklist for companies applying for BCR authorisation and certification under APEC’s CBPR system. In addition to outlining compliance and certification requirements of both APEC CBPR and EU BCR systems, the referential also identifies common elements and additional requirements for each. This will be useful for companies applying for certification under both systems.

EU representatives have continued to express a strong interest in working with the DPS and ECSG on cross-border privacy issues. The DPS and the EU are working to develop a work-plan to focus future efforts.