The Cross Border Privacy Rule, commonly abbreviated as the CBPR, is a certification system that evaluates enterprises’ personal information protection systems for smooth personal information transfer between the Asia-Pacific Economic Cooperation (APEC) member economies.
In 2011, the APEC established the CBPR in order to protect personal information and guarantee free cross-border data transfers. The difference from the GDPR of the EU is that the CBPR establishes a personal information transfer system, instead of changing the personal information protection laws or systems of other states.
Currently, nine economies participate in the system: the Republic of Korea, the U.S., Mexico, Japan, Canada, Australia, Singapore, Taiwan, and the Philippines. Korea’s participation in the CBPR was approved in 2017. In May 2022, the Personal Information Protection Commission (PIPC) and the Korea Internet & Security Agency (KISA) jointly introduced the CBPR system for Korean enterprises. As a result, Korean enterprises are now able to obtain CBPR certification without going through an overseas institution.
Utility of the CBPR System
The CBPR system (a) does not change the legal system of each country, but (b) can be adapted to each country's legal environment. In addition, the CBPR is (c) based on the voluntary participation of states or enterprises, and (d) its purpose is to encourage the utilization of personal information.
CBPR-certified enterprises can improve their corporate image in terms of personal information protection by promoting their outstanding personal information protection systems. When they select overseas affiliates or subcontractors or expand their business abroad, they can save the time and costs required to comply with the personal information regulations of the target countries. Through this certification system, Korean companies will be able to secure international trust and strengthen their global competitiveness. In particular, Japan and Singapore allow overseas data transfers by CBPR-certified enterprises without a separate contract. Therefore, Korean enterprises doing business in those two countries can transfer the personal information of local customers to Korea more conveniently.
Through CBPR certification, data subjects can judge whether an enterprise maintains a proper level of personal information protection. In addition, they can more easily exercise their rights as data subjects and request remedies for damages.
Being certified under the CBPR system does not mean that the obligation to obtain consent to data collection, required by local laws, is reduced or waived. The relevant details are stipulated in Article 28-8 (Cross-Border Transfer of Personal Information) of the Personal Information Protection Act.
Article 28-8 (Cross-Border Transfer of Personal Information)

(2) The personal information controller may transfer personal information abroad if any of the following subparagraphs applies:

1. Where consent to the overseas transfer of information is obtained from the data subject;
2. Where special provisions about the overseas transfer of information exist in other laws, treaties, or other international agreements signed by the Republic of Korea;
5. Where personal information is transferred to a state or an international organization whose personal information protection system is deemed by the Personal Information Protection Commission to be on par with the level of personal information protection stipulated in the Act.
CBPR Application Targets
Enterprises subject to the Personal Information Protection Act of the Republic of Korea
Enterprises transferring personal information to other countries, including those in the Asia-Pacific region, or receiving personal information from abroad for processing
Enterprises that need an enterprise-wide personal information protection system that can apply to their subsidiaries, affiliates, etc. located in the Asia-Pacific region
Enterprises that want to gain recognition by establishing a personal information protection system complying with the global standards of the APEC privacy protection principles
Requirements for CBPR Certification
The APEC developed the APEC Privacy Framework (APF) and established principles and a system for personal information transfer to support reliable trade between its member economies. The APF contains nine principles, including Notice and Collection Limitation.
| APEC Privacy Framework | Description | Requirements for CBPR Certification (50 Clauses) |
|---|---|---|
| Notice | Notice should be provided “either before or at the time” of collection of personal information or may be provided “as soon after as” is practicable. | Personal information protection policy notice items, notice methods, etc. |
| Collection Limitation | Personal information should be relevant to the purposes of collection, and any such information should be obtained by lawful and fair means and, where appropriate, with notice to, or consent of, the individual concerned. | Personal information collection methods, collection minimization, lawful collection, etc. |
| Uses of Personal Information | Personal information collected should be used only to fulfill the purposes of collection and other compatible or related purposes. | Use of personal information only for the intended purposes, provision of information to third parties, etc. |
| Choice | Where appropriate, data subjects should be provided with the right of choice in relation to the collection, use, and disclosure of their personal information. | How to provide data subjects with the right of choice in relation to the collection, use, and disclosure of their personal information |
| Integrity of Personal Information | Personal information should be accurate, complete, and kept up to date. | Correction to maintain the accuracy and completeness of records and keep them up to date, notification to outsourcees, etc. |
| Security Safeguards | Safeguards taken should be proportional to the likelihood and severity of the harm threatened and the sensitivity of the information. (No specific safeguard standards are prescribed.) | Safeguards proportional to the sensitivity of the personal information and the likelihood and severity of the harm threatened, safeguard assessment, etc. |
| Access and Correction | Personal information can be accessed or corrected upon the request of data subjects. The request may be denied where the burden or expense of doing so would be unreasonable, or where the information should not be disclosed in order to protect confidential commercial information. | Procedures, etc. for data subjects’ requests for access, correction, and deletion |
| Accountability | When personal information is to be transferred, the personal information controller should obtain the consent of the individual or exercise due diligence and take reasonable steps to examine the information protection level of the organization (or individual) receiving such information. | Designation of responsible personnel, procedures for handling complaints and damage remedies, management and supervision of outsourcees and third parties, etc. |
| Preventing Harm | Remedial measures should be proportionate to the likelihood and severity of the harm threatened. | (The content on “Preventing Harm” is contained in other principles, including Accountability.) |