Singapore joins APEC cross-border privacy rules for data controllers and processors
According to a press release from the Personal Data Protection Commission (PDPC) of Singapore, the country has become the sixth APEC (Asia-Pacific Economic Cooperation) economy to participate in the Cross-Border Privacy Rules System (CBPR), alongside the USA, Mexico, Canada, Japan and the Republic of Korea. Singapore has also become the second APEC economy to participate in the Privacy Recognition for Processors (PRP) System, alongside the USA.
Singapore submitted a Notice of Intent on 26 July 2017 to participate in the APEC CBPR and PRP systems. With approval from the APEC Joint Oversight Panel, on 20 February 2018, Singapore joined the PRP system.
CBPR applies to data controllers, which include organisations that control the collection, holding, processing, or use of data. PRP applies to data processors, which include organisations that process data on behalf of other organisations at their instruction. Together, the CBPR and PRP systems establish a harmonised set of data protection standards across the Asia-Pacific.
These multilateral certification mechanisms require organisations to develop and implement data protection policies consistent with the APEC Privacy Framework. These will facilitate data transfers for certified organisations across participating economies, while upholding data protection standards. This is of critical importance for the digital economy, as digital services can easily scale regionally if not globally, and data-related economic activities are often cross-border.
PDPC is in the process of developing a certification scheme for organisations, which would incorporate CBPR and PRP standards. The scheme is expected to be implemented by end-2018. Once the scheme is in place, organisations can apply and be certified, enabling them to exchange personal data with other certified organisations in participating APEC economies much more seamlessly. At the same time, consumers can be assured that the cross-border transfer of their personal data will be subject to high standards of data protection.
CBPR was developed by APEC economies with input and assistance from industry and civil society to build consumer, business and regulator trust in cross-border flows of personal information. The policies and practices of the participating businesses must be assessed as compliant with the program requirements of the APEC CBPR System by an Accountability Agent (an independent public or private sector entity recognised under the APEC CBPR System) and be enforceable by law.
Recognising that the APEC Privacy Framework and CBPR are only applicable to personal information controllers, economies in the APEC Data Privacy Subgroup developed the PRP System. In the development of the PRP System, three considerations were identified: 1) controllers should be able to identify qualified and accountable processors able to implement a controller’s privacy obligations related to the processing of personal information; 2) processors should be able to demonstrate their ability to provide effective implementation of a controller’s privacy requirements; and 3) the PRP System should assist small and medium-sized enterprises not known outside of their economy to become part of a global data processing network.