Glossary for the APEC CBPR system
An entity, regulated by APEC economies, that certifies an organisation’s eligibility for participation in the Cross Border Privacy Rules (CBPR) system.
* Note: An Accountability Agent may be a public or private sector entity. The certification process involves a review and verification of the applicant’s privacy policies and practices by reviewing the applicant’s responses to the CBPR Intake Questionnaire and by undertaking additional appropriate steps to assess the applicant’s eligibility and ability to offer high-level privacy protections for consumers. In connection with its CBPR System, an Accountability Agent may either itself provide dispute resolution services or may delegate that function to an appropriate third-party dispute resolution provider.
The eligibility requirements that must be met by an Accountability Agent in order to be recognised by APEC economies.
* Note: See “Accountability Agent APEC Recognition Application – Annex A” for details
The body designated by the ECSG to perform the functions of the CPEA Administrator.
* Note: Cross-Border Privacy Enforcement Arrangement (CPEA), clause 5.1, provides that the ECSG may designate the APEC Secretariat or a Participant, or the Secretariat and a Participant jointly, as the Administrator. CPEA, clauses 5.3 and 5.4, sets out the Administrator’s core and additional functions.
* Note: Definition derived from CPEA, clause 4.1.
* Note: The inaugural Administrator comprised the APEC Secretariat jointly with participants from Australia, New Zealand and the USA.
The declaration required to be made by an organisation participating in the CBPR System to an Accountability Agent each year confirming the organisation’s continuing adherence to the Program Requirements.
* Note: See “Accountability Agent APEC Recognition Application – Annex A” for details.
An Accountability Agent that has been recognised by APEC economies to have met the Accountability Agent Recognition Criteria.
* Note: A list of current APEC-recognised Accountability Agents is maintained on the CBPR system website at www.CPBRs.org.
A framework for protecting personal information privacy adopted by APEC in 2005 and updated in 2016
* Note: The Framework is a principles-based document intended to promote a high-standard approach to information privacy protection across APEC member economies while avoiding the creation of unnecessary barriers to information flows. The Framework includes 9 information privacy principles and guidance for domestic and international implementation of the principles, including the adoption and use of the APEC CBPR System.
Abbreviation for Cross-Border Privacy Rules.
A description that an organisation fully complies with the CBPR Program Requirements, utilizes high-standard privacy practices, and is certified by an Accountability Agent as such to transfer and process information in line with CBPR system requirements.
An economy recognised by APEC as having met the requirements for participation in the CBPR system.
* Note: An economy commences the process to participate by submitting a letter indicating its intention to participate in the CBPR system with all required information outlining domestic privacy laws in compliance with CBPR System guidelines. This information must include confirmation that at least one Privacy Enforcement Authority in that economy is a Participant in the Cross-border Privacy Enforcement Arrangement (CPEA) and that the economy intends to make use of at least one APEC-recognised Accountability Agent. The economy must also provide a narrative description of the relevant domestic laws and regulations and administrative measures which may apply any CBPR certification-related activities of an Accountability Agent operating within the economy’s jurisdiction and the enforcement authority associated with these laws and regulations and administrative measures. The economy must also submit a completed CBPR System Program Requirements Enforcement Map outlining its enforcement procedure, law or regulation for each CBPR System requirement. The JOP, after conducting a thorough review and consultation, will notify the ECSG Chair when these requirements have been met at which point the economy will be considered a CBPR System participant. Participating Economies will be listed on the CBPR system website, at www.CBPRs.org.
A process through which an organisation is certified by an Accountability Agent as CBPR-Compliant.
A directory of organisations certified as CBPR-Compliant published by APEC economies and listed on the CBPR system website, at www.CBPRs.org.
A list maintained by the Administrator of the main point of contact of any body, whether or not Privacy Enforcement Authority or Participant, having a role to play in the protection of privacy.
* Note: The directory is not made publicly available but is available to privacy enforcement authorities on the CPEA website. The directory is maintained pursuant to CPEA, clauses 5.3, 5.4, 11 and Annex B.
APEC Cooperation Arrangement for Cross-border Privacy Enforcement
* Note: definition taken from CPEA, clause 4.1.
* Note: see fuller definition under “Cross-border Privacy Enforcement Arrangement”.
Abbreviation for Cross-border Privacy Enforcement Arrangement
A practical multilateral mechanism which enables Privacy Enforcement Authorities to cooperate in cross-border privacy enforcement by creating a framework under which authorities may share information and request and render assistance in certain ways.
* Note: The CPEA’s formal title is “APEC Cooperation Arrangement for Cross-border Privacy Enforcement”. The CPEA was endorsed by APEC Ministers in November 2009 and commenced on 16 July 2010.
The privacy policies and practices adopted by a CBPR-Compliant organisation for all Personal Information collected or received by it that is subject to cross border transfers.
A voluntary, multilateral privacy and data protection program governing cross border transfers of information by organisations operating in APEC member economies.
* Note: Organisations that choose to participate in the CBPR system should implement privacy policies and practices consistently with the CBPR Program Requirements for all personal information that they have collected or received that is subject to cross border transfers from participating APEC economies. These privacy policies and practices should be evaluated by an APEC-recognised Accountability Agent for compliance with the CBPR Program Requirements. Once an organisation has been certified for participation in the CBPR System, these privacy policies and practices will become binding as to that participant and will be enforceable by an appropriate authority to ensure compliance with the CBPR Program Requirements.
Abbreviation for Data Privacy Subgroup.
The subgroup of the ECSG primarily responsible for the APEC Privacy Framework, the APEC Cross Border Privacy Rules System, and APEC Privacy Recognition for Processors System.
Abbreviation for Electronic Commerce Steering Group.
A forum under the Committee on Trade and Investment that promotes the development and use of electronic commerce and the digital economy in the APEC region.
* Note: The ECSG seeks to create legal, regulatory and policy environments that are predictable, transparent and consistent. It performs a coordinating role for APEC’s e-commerce activities based on principles in the 1998 APEC Blueprint for Action on Electronic Commerce and its mandate has been updated and guided by direction from APEC actions and priorities.
The principles set out in Part III of the APEC Privacy Framework.
* Note: The principles include: (1) Preventing Harm; (2) Notice; (3) Collection Limitation; (4) Uses of Personal Information; (5) Choice; (6) Integrity of Personal Information; (7) Security Safeguards; (8) Access and Correction; and (9) Accountability.
A detailed self-assessment questionnaire based on the Information Privacy Principles for use by an organisation seeking to participate in the CBPR system, which will be reviewed and confirmed by an approved Accountability Agent.
A three-member panel that assists the ECSG with the implementation of the CBPR System. For more information, see the “CBPR System Documents” page on this website.
* Note: This panel consists of nominated representatives from three APEC economies appointed by the ECSG. The current JOP consists of the Republic of Korea, Japan and the United States.
Abbreviation for Joint Oversight Panel.
A Privacy Enforcement Authority in an APEC member economy that participates in the CPEA.
* Note: Definition taken from CPEA, clause 4.1.
Any information about an identified or identifiable individual.
A person or organisation who controls the collection, holding, processing, use, disclosure or transfer of personal information. It includes a person or organisation who instructs another person or organization to collect, hold, process, use, transfer or disclose personal information on his or her behalf, but excludes a person or organisation who performs such functions as instructed by another person or organisation. It also excludes an individual who collects, holds, processes or uses personal information in connection with the individual’s personal, family or household affairs.
* Note: Definition taken from APEC Privacy Framework, clause 10.
An organisation that, at the instruction of a Personal Information Controller, collects, holds, processes, uses, transfers or discloses Personal Information on the controller’s behalf.
Any public body that is responsible for enforcing Privacy Law and that has powers to conduct investigations and/or pursue enforcement proceedings.
* Note: Definition taken from CPEA, clause 4.1.
Laws and regulations of an APEC member economy, the enforcement of which have the effect of protecting Personal Information consistent with the APEC Privacy Framework.
* Note: Definition taken from CPEA, clause 4.1.
Those operational rules and procedures adopted by an organisation to guide decisions made by it and its employees related to the ongoing protection of Personal Information collected, stored, used, transferred or disclosed by them.
Actions regarding the protection of Personal Information that are taken by an organisation and its employees pursuant to that organisation’s privacy policies.
A public declaration of an organisation’s Privacy Policies and Privacy Practices.
* Note: A privacy statement is required under the CBPR program requirements. It should be clear and accessible.
A set of baseline program requirements based on the nine Information Privacy Principles against which an APEC-recognised Accountability Agent will assess an organization’s completed Intake Questionnaire.
A template which provides the baseline program requirements of the CBPR System in order to guide an APEC economy to explain how each CBPR System requirement may be enforced in that economy.
* Note: Annex B to the Template Notice of Intent to Participate in the APEC Cross Border Privacy Rules system.
Personal Information about an individual that the individual knowingly makes or permits to be made available to the public, or is legally obtained and accessed from government records that are available to the public, journalistic reports, or information required by law to be made available to the public.
* Note: definition taken from APEC Privacy Framework, clause 11.
A process through which an Accountability Agent is recognized by APEC Economies to have met the Accountability Agent Recognition Criteria. After an initial one-year review period, Accountability Agents undergo this process every two years.
* Note: See “Accountability Agent APEC Recognition Application – Annex A” for details
A CPEA Participant that has received a “Request for Assistance” from another Participant.
* Note: Definition taken from CPEA, clause 4.1.
An annual process through which an organisation is re-certified by an Accountability Agent as being CBPR-Compliant.
Includes, but is not limited to, a referral of a matter related to the enforcement of Privacy Law, a request for cooperation on the enforcement of Privacy Law, a request for cooperation on the investigation of an alleged breach of Privacy Law, and a transfer of a privacy complaint.
* Note: Definition taken from CPEA, clause 4.1.
A CPEA Participant that has made a Request for Assistance of another Participant.
* Note: Definition taken from CPEA, clause 4.1.
The physical, technical and administrative measures implemented and maintained by an organisation in order to protect against risks, such as loss or unauthorised access to personal information, or unauthorised destruction, use, modification or disclosure of personal information or other misuses.
Those rules and procedures adopted by an organisation related to the implementation and maintenance of measures to protect against risks, such as loss or unauthorised access to personal information, or unauthorised destruction, use, modification or disclosure of personal information or other misuses.