APEC Cross Border Privacy Rules

The Asia-Pacific Economic Cooperation (APEC) is a forum that includes 21 Pacific Rim countries, including Japan, Russia, the United States, Australia, South Korea, Indonesia, Canada, and Mexico. The leaders of the member countries meet annually to address issues raised by the economic interdependence of the countries.


APEC has a Cross Border Privacy Rules (CBPR) system which confirms that countries have complied with the data privacy laws of the member countries.


Companies can become certified by taking the following measures:

- Confirm with an Accountability Agent that they are enforcing the requirements of the CBPR system on an ongoing basis.

- Arrange for the Accountability Agent to resolve disputes between it and its customers.

- Implement safeguards for personal data that are proportional to the risk involved.

- Allow customers to correct their personal data.


There are 50 individual requirements of the CBPR system. The program requirements posted here, show the areas in which APEC wants to confirm that a company has taken steps to protect privacy, and how the Accountability Agent can confirm the adequacy of these steps, or assist the company in implementing new measures. For example, a company will need to show that it has protected personal information from unauthorized use or destruction by the use of the following measures:

- User authentication

- Encryption

- Firewalls

- Audit logging

- Vulnerability scans


A company must demonstrate that it has written policies and procedures to confirm that personal information used by third parties on its behalf is adequately protected.



A list of CBPR certified companies and their accountability agents can be found here: http://cbprs.org/compliance-directory/cbpr-system/ .