News

Articles:

Singapore joins APEC cross-border privacy rules for data controllers and processors

Singapore joins APEC cross-border privacy rules for data controllers and processors

According to a press
release
from the Personal Data Protection Commission (PDPC) of Singapore,
the country has become the sixth APEC (Asia-Pacific Economic Cooperation)
economy to participate in the Cross-Border Privacy Rules System (CBPR) alongside USA, Mexico, Canada, Japan and
the Republic of Korea. Singapore has also become the second APEC economy to
participate in the Privacy
Recognition for Processors (PRP) System
alongside USA.

Singapore submitted a Notice of Intent on 26 July 2017 to
participate in the APEC CBPR and PRP systems. With approval from the APEC Joint
Oversight Panel, on 20 February 2018, Singapore joined the PRP system.

CBPR applies to data controllers, which include
organisations that control the collection, holding, processing, or use of data.
PRP applies to data processors, which include organisations that process data
on behalf of other organisations at their instruction. Together, the CPBR and
PRP systems establish a harmonised set of data protection standards across the
Asia-Pacific.

These multilateral certification mechanisms require
organisations to develop and implement data protection policies consistent with
the APEC Privacy Framework. These will facilitate data transfers
for certified organisations across participating economies, while upholding
data protection standards. This is of critical importance for the digital
economy, as digital services can easily scale regionally if not globally, and data-related
economic activities are often cross-border.

PDPC is in the process of developing a certification scheme for
organisations, which would incorporate CBPR and PRP standards. The scheme is
expected to be implemented by end-2018. Once the scheme is in place, organisations
can apply and be certified, enabling them to exchange personal data with other certified
organisations in participating APEC economies much more seamlessly. At the same
time, consumers can be assured that the cross-border transfer of their personal
data will be subject to high standards of data protection.

CBPR was developed by APEC economies with input and
assistance from industry and civil society to build consumer, business and
regulator trust in cross border flows of personal information. The policies and
practices of the participating businesses must be assessed as compliant with
the program requirements of the APEC CBPR System by an Accountability Agent (an
independent APEC CBPR system recognised public or private sector entity) and be
enforceable by law.

Recognising that the APEC Privacy Framework and CBPR are
only applicable to personal information controllers, economies in the APEC Data
Privacy Subgroup, developed the PRP system. In the development of the PRP
System, three considerations were identified: 1) controllers should be able to
identify qualified and accountable processors able to implement a controller’s
privacy obligations related to the processing of personal information; 2)
processors should be able to demonstrate their ability to provide effective
implementation of a controller’s privacy requirements; and 3) the PRP System
should assist small and medium-sized enterprises not known outside of their
economy to become part of a global data processing network.