Late last year, Australia’s Attorney General confirmed that Australia planned to participate in APEC’s Cross Border Privacy Rules (CBPR) system. The CBPR system was intended to help companies that want to transfer personal data across the borders of participating countries. Currently there are five participating countries: Canada, Japan, South Korea, Mexico, and the US. This scheme has been viewed by some as a hopeful complement to the Binding Corporate Rules concept under the EU Data Privacy Directive. In recognition of the overlap between the two, the Article 29 Working Party and the APEC Electronic Steering Group put together a checklist of the commonalities between Binding Corporate Rules and CBPR certification.
As next steps, Australia needs to finalize its participation in the program. It has indicated that it will be working with the Office of the Australian Information Commissioner (OAIC) and businesses to implement the CBPR system. Then, Accountability Agents will conduct certifications of Australian companies that are interested in participating. It remains to be seen how the CBPR system, which has been expanding, will be impacted after the May 2018 implementation of GDPR.
Putting it Into Practice: This approval shows that governments are continuing to think about how they can help companies address the need to transfer data across borders while addressing varying privacy requirements.