Implications for business when Australia implements APEC’s Cross Border Privacy Rules System next year

18 December 2018

After consultation with business and stakeholders, the Australian Government recently applied to the Asia-Pacific Economic Cooperation economic forum (APEC) to participate in its Cross Border Privacy Rules system (CBPR System). APEC endorsed the application on 23 November 2018.

What is the CBPR system?

Under the CBPR System, businesses are required to implement appropriate privacy protection and control measures (i.e. data privacy policies) consistent with the ‘APEC Privacy Framework’. The APEC Privacy Framework contains a set of principles about the protection and use of personal information.

An entity can be certified as compliant with the CBPR System when it satisfies those principles. The entity’s compliance with the CBPR System is monitored and enforced if complaints are made.

What is the CBPR System supposed to do?

The system is supposed to foster trust and give consumers and businesses confidence that when they give their personal information to a CBPR System-certified entity, this information will be properly protected (i.e. against hacking by third parties) and not misused (i.e. by the entity itself).

Consumer confidence and trust are seen as critical to:

(a) encourage innovation

(b) derive benefit from electronic commerce

(c) participate in the information-driven global economy.

CBPR System-certified entities can promote their data security credentials and commitment to consumer privacy as a means of gaining that consumer confidence and trust.

The CBPR System also supports the broader APEC Privacy Framework objective, which is to make it easier and cheaper for entities that transfer personal information across borders (including multi-nationals with subsidiaries in different countries) to comply with the privacy laws of multiple jurisdictions. It promotes and encourages safe and accountable cross-border flow.

Will the CBPR system apply to you?

The CBPR System applies to ‘Personal Information Controllers’. According to APEC, these are persons or organisations in the public and private sectors who control or instruct the collection, holding, processing, use, transfer or disclosure of personal information.

Personal information is defined in the APEC Privacy Framework as:

(a) information that can be used to identify an individual; or

(b) information that would not meet this criterion alone, but when put together with other information would identify an individual (e.g. when certain types of metadata is aggregated to reveal personal information that can give an insight into an individual’s behaviour, social relationships, private preferences and identity).

Australia’s implementation of the CBPR System could result in minor amendments to these definitions.

What next?

The Australian Government will now work with the Australian Information Commissioner and businesses to implement the CBPR System here in Australia.

When the CBPR System is implemented, ‘Accountability Agents’ (independent APEC-recognised and authorised entities) will offer to certify Australian Personal Information Controllers if they adhere to APEC Privacy Framework principles and the CBPR System. The Accountability Agents will also monitor and enforce compliance by certified entities.

Australian businesses that deal with personal information can take preparatory steps (such as seek legal advice about how to make their processes compliant with the likely CBPR System) to ensure they are ready for CBPR System certification. CBPR System certification will provide a powerful way for entities to:

(a) assure consumers that their business takes the consumer’s privacy rights seriously

(b) enhance consumer trust and confidence in their business.

How will the CBPR system come into effect?

The specific requirements for CBPR system certification in Australia are still a work in progress. However, we can reasonably infer what requirements will be, based on the APEC Privacy Framework.

We expect that Australia’s implementation of the CBPR System will encourage businesses to develop ‘privacy management programmes’ which:

(a) are tailored to the structure and scale of the business, as well as the volume and sensitivity of the personal information it controls

(b) assess risk of harm to individuals and provide appropriate safeguards

(c) establish internal oversight

(d) require personnel that are properly trained on privacy matters to respond to enquiries and incidents

(e) are consistent with the APEC Information Privacy Principles (see Part III of the APEC Privacy Framework).

The CBPR System is designed to be implemented flexibly and accommodate different enforcement models (including by privacy enforcement authorities, multi-agency enforcement bodies, a network of designated industry bodies, and Courts and tribunals).

The System will encourage the implementation, research and development of appropriate technical safeguards and measures.

In order to be effective, the CBPR System and general privacy protections will also need to be publicised and policed with penalties.

Moving forward

Businesses should closely watch this space as the Australian Government gives details of how it will implement the CBPR System in 2019. In preparation, businesses may also consider reviewing and strengthening their current privacy systems and procedures in accordance with certification requirements.

Contact Mahoneys for advice on what you can do to prepare your organisation’s privacy systems and procedures for CBPR System implementation in 2019.