Australians are increasingly doing business with counterparts overseas and in tandem trans-border data flows are growing exponentially. In order to navigate multiple laws across multiple jurisdictions, Australian companies have to be more aware of overseas data protection laws, standards and practices.
On 23 November 2018, Australia became a participating member of the Asia-Pacific Economic Cooperation (APEC
) Cross Border Privacy Rules (CBPR
) System (APEC CBPR System
) which provides a single framework for the exchange of information and cross-border privacy protections. The APEC CBPR System bridges differing national laws on privacy and data protection within the APEC region. It is a system that enables businesses to demonstrate compliance with an internationally-recognised set of rules providing a common minimum level of protection of personal information transcending borders. At the same time, APEC aims to align its privacy framework with the European General Data Protection Regulation.
The APEC CBPR are a set of rules which build on the APEC Privacy Framework and Information Privacy Principles (IPPs
). The Australian Privacy Principles as defined under the Privacy Act 1988
) were also developed based on the IPPs.
When is the APEC CBPR System expected to be implemented in Australia?
No official implementation date has been set. It is anticipated that over the coming months the Office of the Australian Information Commissioner and businesses that deal with cross border data transfers will collaborate to develop an industry code for cross-border transfers of personal information. In order to do this, they will need to carry out an in-depth analysis of how the APEC CBPR System requirements measure up against the APPs. That code will set out the Australian specific requirements that businesses will need to meet to become APEC CBPR System certified in accordance with Australian federal laws.
What are Accountability Agents and what is their role?
For Australian businesses that wish to become APEC CBPR System certified, an independent APEC-recognised and authorised Accountability Agent will, in the first instance, ask you to complete a CBPR Intake Questionnaire. It will then assess your business’s data privacy policies against the minimum program requirements of the APEC CBPR System and provide guidance for compliance if you do not meet the APEC CBPR standards. Once certified, they will monitor and verify your ongoing compliance with the CBPR. CBPR certification must be renewed annually. So far, there are no identifiable Accountability Agents in Australia offering this service.
How to get the APEC CBPR certification?
An Accountability Agent will ask you a series of questions to assess whether your company:
What are the benefits of being APEC CBPR certified?
- has personal information policies which clearly state: i) when personal information is collected; ii) details of to whom the personal information may be transferred; and iii) the purpose for which the personal information may be used, and can be understood by individuals;
- limits the collection of information to the specific purposes stated at the time of collection;
- has collection methods which are lawful and fair;
- limits the use of personal information to fulfilling the specific purposes of collection and other compatible or related purposes;
- provides individuals with choice in relation to collection, use, and disclosure of their personal information;
- maintains accurate, up to date and complete records;
- will implement reasonable security safeguards to protect individuals’ information from loss, unauthorised access or disclosure, or other misuses;
- allows individuals to access and correct their information;
- has adequate security requirements requiring proof of identity prior to providing individuals with access to their information for the purposes of correcting it; and
- is accountable for: i) complying with measures that give effect to the above stated principles; and when transferring information, ii) ensuring that the recipient will protect the information consistently with these principles.
By adopting CBPR compliant security and privacy measures in your business, you will find it easier to maneuver your cross-border compliance issues within the APEC CBPR framework. You will also:
What you can do now to qualify for APEC CBPR seal?
- achieve compliance in a more time-cost efficient manner;
- build customer and regulator trust in relation to your cross-border use of personal information;
- demonstrate your good faith commitment to consumer privacy in the online marketplace;
- advertise that your company has attained a global interoperability standard and level of consistency in its policies; and
- showcase your company’s adherence to the APEC CBPR System best practices.
In anticipation of the new code, if you want to start taking steps towards APEC CBPR certification, you need to ensure your company:
- complies with the APPs;
- understands the implications of a data breach where multiple data protection regimes are at play; and
- has a clear privacy statement on its website setting out your practices and policies (That statement needs to include information such as, but not limited to, the name of your company and location, how your company collects, handles, uses and manages personal information, the purposes for which the personal information is collected, whether an individual’s personal information may be disclosed to third parties and for what purposes, who to contact regarding your company’s practices, information on how an individual can access and correct their information and how your company responds to data breaches including cross-border data breaches).
At this point, there is no information in relation to whether small to medium sized enterprises which are not APP entities will be able to obtain APEC CBPR certification in Australia without having to opt in to becoming an APP entity.
The challenges your company may face?
Under the Privacy Act, the basic principle in relation to overseas recipients’ handling of personal information is set out in APP 8.1. The requirement is that an APP entity must, prior to disclosing personal information about an individual, take reasonable steps in the circumstances to ensure that the overseas recipient will not breach the APPs.
One of the exceptions listed in APP 8.2 is that APP 8.1 will not apply if:
a) the APP entity reasonably believes that the recipient of the information is subject to a law, or binding scheme, that has the effect of protecting the information in a way that, overall, is at least similar to the way the APPs protect the information; and
b) there are mechanisms in the overseas country which can be accessed by the individual to enforce that protection of the law or binding scheme.
A second exception is where a disclosing party informs the individual whose information is to be transferred that APP 8.1 will not apply if he or she provides consent and he or she consequently consents.
By submitting to the APEC Cross Border Rules System, it is expected that the same standard will apply to all companies that opt in as well as overseas recipients of those companies’ customers’ personal information. The APEC CBPR requirements state that you should take reasonable steps to ensure information is protected once it has been transferred. The requirements also recognize that in some circumstances, such due diligence may be impractical or impossible, for example where there is no ongoing relationship with your company and the recipient party. In such circumstances, the APEC CBPR requirements suggest obtaining prior consent from the individuals whose information is to be transferred.
If you are opting into compliance with the APEC CBPR System, this may mean your company has to make some adjustments in its contractual arrangements with its overseas counterparts in order to accommodate the APEC CBPR requirements.
In addition, you will need to consider the size of your business, make projections as to the impact on individuals of any breach of the APEC CBPR requirements, ensure your staff are adequately trained to address privacy issues and incidents, and develop internal safeguards to ensure your company has sustainable and streamlined privacy practices.
How much will it cost?
There is no public information at present on what it will cost to obtain the APEC CBPR seal in Australia. What can be expected though is that having the APEC CBPR certification will mean you can automatically save your business from incurring the hefty costs of compliance in the multiple jurisdictions to which your company transfers personal information.