On 17 August 2022, the Australian Government announced that Australia joined the Global Cross-Border Privacy Rules (Global CBPR) Forum.[1] The Forum, launched in April 2022, establishes a certification system to help companies in participating jurisdictions demonstrate compliance with internationally-recognised privacy standards, with the aim of fostering interoperability and international data flows.[2]
The Global CBPR Forum will replace the existing APEC Cross-Border Privacy Rules (APEC CBPR) and Privacy Recognition for Processors (PRP) certification systems, enabling non-APEC countries to participate.
Key takeaways
The potential benefits of such a global certification system and increased interoperability are especially relevant for tech companies and other data-driven businesses that rely heavily on being able to seamlessly transfer customer data internationally, including by:
- signalling to customers and business partners that the organisation can be trusted to handle their data;
- providing a framework to develop privacy compliance programs and integrated solutions meeting international standards; and
- helping Australian organisations form a reasonable belief that an overseas based recipient may be subject to a law or binding scheme that protects information in a substantially similar way to the Australian Privacy Principles (APPs) in Australia’s Privacy Act.
How does certification work and what are the baseline requirements?
The Global CBPR will be modelled after the baseline requirements under the APEC CBPR and PRP systems. There is no formal timeline for when the APEC CBPR and PRP systems will transition to the Global CBPR. In the meantime, the APEC CBPR and PRP systems will remain in place.
The APEC CBPR system is aimed at ‘data controllers’, to certify that they have adequate measures in place to protect personal information in line with baseline requirements. These requirements are broadly comparable with the APPs and include:
- ensuring individuals understand, and (where appropriate) providing them with a mechanism to exercise choice in relation to, how their personal information may be used or disclosed (similar to APPs 3 and 5 and Australian regulatory guidance around consent);
- limiting use of personal information to the specific purposes stated at the time of collection and other compatible or related purposes (similar to APP 6);
- keeping data accurate, complete and up to date (similar to APP 10);
- ensuring individuals can access and correct their data (similar to APP 12); and
- implementing reasonable security safeguards to protect data (comparable with APP 11).[3]
The PRP system is aimed at ‘data processors’, to certify their capacity to process a controller’s data in compliance with the controller’s obligations under the APEC CBPR.[4] Requirements for PRP certification include the implementation of appropriate measures and safeguards to ensure data is protected, processing is limited to the purposes specified by controllers, and controllers are kept informed about the handling of their data. This will be relevant for many cloud providers that only process data on behalf of their customers.
To date, numerous companies including key tech players have obtained certification under the APEC CBPR and PRP systems.[5]
Like the existing mechanism under the APEC CBPR and PRP systems, entities will be able to obtain annual certification by submitting a self-assessment questionnaire to a certified ‘accountability agent’.
The accountability agent will audit the entity’s privacy policies and practices to determine if they are compliant with the requirements.
One key feature of the certification systems is that consumers in participating jurisdictions may direct privacy complaints against certified entities to an accountability agent in the first instance. Disputes which are not resolved by an accountability agent are referred to the privacy enforcement authority in the relevant jurisdiction. This is intended to promote the more efficient resolution of disputes.
What are the next steps and challenges to implementation?
The actual operation of the Global CBPR will, as with the previous systems, vary in each participating jurisdiction. For example, each jurisdiction has discretion in determining the types of entities that can be certified as accountability agents: the US has certified five third-party private companies, while in Singapore the only certified agent is a government agency.
Questions also remain about how widely the Global CBPR will be taken up by non-APEC jurisdictions.[6]
Australia’s application to participate in the APEC CBPR system was endorsed by APEC in November 2018; however, Australia has not to date enacted any legislation or other instrument to give effect to the APEC CBPR.
The announcement of Australia’s participation comes as the Australian Government is working on broader reforms of Australian privacy laws, including several changes to the rules on overseas disclosure.[7] These include proposals to implement the APEC CBPR in Australian law through the adoption of an APP code,[8] and to recognise the certification as a basis for transferring personal information outside Australia.[9] The Government also acknowledged recommendations to introduce into the Privacy Act the concepts of data controllers and data processors, which are at the core of the APEC CBPR and PRP systems and of the privacy/data protection laws of many other jurisdictions such as the European Union, but noted that this may present challenges, including because of the small business exemption.
The Australian Government’s final report on the proposed reforms will hopefully provide greater clarity on the extent to which the Global CBPR may be implemented in Australia.
[1] Announcement available here: https://www.trademinister.gov.au/minister/don-farrell/media-release/australia-joins-global-cross-border-privacy-rules-forum.
[2] Global Cross-Border Privacy Rules Declaration, which is available here: https://www.globalcbpr.org/.
[3] The APEC CBPR system program requirements are available here: http://cbprs.org/wp-content/uploads/2019/11/5.-Cross-Border-Privacy-Rules-Program-Requirements-updated-17-09-2019.pdf.
[4] The PRP system program requirements are available here: http://cbprs.org/wp-content/uploads/2021/05/PRIVACY-RECOGNTION-FOR-PROCESSORS-SYSTEM-PROGRAM-REQUIREMENTS-1.pdf.
[5] A list of all APEC CBPR certified organisations is available here: http://cbprs.org/compliance-directory/cbpr-system/. A list of all PRP certified organisations is available here: http://cbprs.org/compliance-directory/prp/.
[6] The current members of the Global CBPR Forum are Australia, the United States of America, Mexico, Japan, Canada, Singapore, the Republic of Korea, Chinese Taipei, and the Philippines. These are the same current members of the APEC CBPR system.
[7] Our detailed briefing on the proposed reforms, including the discussion paper released by the Australian Government detailing those proposed reforms (Discussion Paper) is available at https://www.herbertsmithfreehills.com/latest-thinking/online-privacy-bill-and-privacy-act-discussion-paper-stricter-enforcement-online.
[8] Discussion Paper pg. 168 (available here: https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/user_uploads/privacy-act-review-discussion-paper.pdf).
[9] Discussion Paper pg. 161.