This article By Alex Wall, CIPP/E, CIPP/US was originally published in the IAPP Privacy Tracker.
In this Privacy Tracker series, we look at laws from across the globe and match them up against the EU General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this installment, Alex Wall, CIPP/E, CIPP/US, compares the principles of the APEC Privacy Framework with the principles expressed by the GDPR.
What are the APEC Privacy Framework and the Cross-Border Privacy Rules?
The APEC Privacy Framework is a set of principles and implementation guidelines that were created in order to establish effective privacy protections that avoid barriers to information flows, and ensure continued trade and economic growth in the Asia Pacific Economic Cooperation region of 27 countries. The APEC Privacy Framework set in motion the process of creating the APEC Cross-Border Privacy Rules system.
The CBPR system has now been formally joined by the United States, Canada, Japan and Mexico, with more nations soon to follow. The CBPR program is analogous to the EU-U.S. Privacy Shield in that they both provide a means for self-assessment, compliance review, recognition/acceptance and dispute resolution/enforcement. Both systems require the designation by each country of a data protection authority (the U.S. enforcement authority is the Federal Trade Commission).
The APEC CBPR system requires participating businesses like Apple, Box, HP, IBM, Lynda.com, Merck, Rimini Street, Workday, and Intasect to develop and implement data privacy policies consistent with the APEC Privacy Framework. These policies and practices must be assessed as compliant with the minimum program requirements of the APEC CBPR system by an accountability agent (the only U.S.-based accountability agent is TRUSTe) and be enforceable by law.