The APEC Cross-Border Privacy Rules (CBPR) System was created by APEC economies to facilitate trust in cross-border disclosure of personal information between participating countries. Australia's application to participate in the CBPR System was approved by APEC on 23 November 2018.
The introduction of the CBPR System will impact almost all Australian businesses. While the system is likely to make it easier to share information overseas, the system will introduce new privacy requirements which will apply to a potentially wider range of entities than just those currently subject to Australia's privacy laws.
The CBPR System
The CBPR System requires participating countries to implement data privacy policies which are consistent with the APEC Privacy Framework.
The Framework emphasises the importance of protecting an individual's privacy rights, while also acknowledging the need for flow of information around the world in the course of daily operations in today's global landscape.
These key aims are effected via the Framework's privacy principles, which are broadly similar to the existing Australian Privacy Principles (APPs). These principles include obligations to:
- notify individuals of the collection of their information, including the standard process for collection, storage and use of that information (comparable to APPs 1 and 5);
prevent harm, which includes taking account of risks, preventing misuse, and, where applicable, implementing remedial measures (comparable to APP 11);
- provide individuals with a choice as to whether their information is collected, to the extent possible (comparable to APP 3); and
- ensure accuracy of the information collected and stored, and provide individuals with a right to access and, if necessary, correct that information (comparable to APPs 12 and 13).
The policies implemented by the participating countries are independently assessed by a third party verifier, known as an Accountability Agent, to ensure both that the minimum privacy requirements are met, and that there is ongoing compliance. There must also be mechanisms in place to enforce the policy. This is generally done though joining the Cross Border Privacy Enforcement Arrangement (CPEA); the Office of the Australian Information Commissioner (OAIC) has been a member since 2010
In his submissions for inclusion, the Australia Privacy Commissioner acknowledged that:
"organisations carry on their business globally and … personal information is regularly disclosed, handled and stored overseas. Personal data protection is a global regulatory challenge."
The OAIC and the Australia Privacy Commissioner have said that the aim is to use the CBPR System to build on the existing Australian privacy protections in the Privacy Act 1988 (Cth) and other Australian privacy laws, and ensure a balance between protecting individual's right to privacy, and the free flow of information across borders. This is especially relevant in today's society, where information is often stored on cloud servers all around the world, and businesses do not restrict operations or third party service providers to those that are local.
Broader international impact
Although many of the requirements of the Framework are similar to those already set out in Australian privacy laws, the real benefit of the CPBR System comes from its international reach. In particular, Australian businesses will be able to have peace of mind that information disclosed to recipients in other participating countries will need to be handled in a manner that is consistent with the Framework.
This is likely to be especially beneficial for Australian entities who must comply with the APPs (either because they are subject to the Privacy Act or have assumed a contractual obligation to do so). Under APP 8.1 they must take reasonable steps to ensure that overseas recipients of information do not breach the APPs when dealing with that information, and they are accountable for any breaches.
The requirement is waived, however, if they reasonably believe that the overseas recipient is subject to a law or binding scheme that protects information in a substantially similar way to the APPs.
The application of the Framework in other participating countries will make it easier for entities to form this reasonable belief. Indeed, it is to be hoped that the OAIC will endorse the recognition of other participating countries' compliance with their CBPR System as sufficient to provide this reasonable belief. Only then is it likely that the CPBR System will achieve its objective of reducing the burden on entities obliged to take reasonable steps to ensure handling of information overseas is done in accordance with the APPs.
Whilst the CPBR may ease the compliance burden for many organisations, the CPBR System does have the potential to regulate a broader range of Australian businesses than Australia's current privacy regime.
The Privacy Act and APPs only apply to "APP Entities", which generally excludes businesses with an annual turnover of less than $3 million.
However, the requirements of the CBPR System may not be so limited. In particular, there is not (at present) any indication of the scope of businesses to which the policy will extend, with current consultation papers and submissions simply referencing the application to Australian "businesses" and "companies". It remains to be seen if the policy will be narrowed to APP entities, or if it will regulate a broader class of entities. If it is the latter, entities may find themselves having to comply with obligations they were not previously under when seeking to transfer personal information to participating countries.
Getting ready for the CBPR
Following the approval of Australia's participation in the CBPR System, the Attorney-General's Department and the OAIC, in consultation with Australian businesses, intend to work together to implement the CBPR System requirements. It remains to be seen exactly what the policies introduced by this working group will entail, and how much further it may extend than Australia's current privacy laws.
Hopefully, entities that already need to comply with the Privacy Act will face reduced barriers to disclosing personal information to recipients in other participating countries.
However, entities not currently subject to the Privacy Act should keep a close eye on developments as they may become subject to new obligations regarding cross-border transfers of personal information.