Australia: Adoption of APEC Cross-Border Privacy Rules (CBPR) System including data transfer requirements

On 13 November 2011, the states of the Asia-Pacific Economic Cooperation (APEC) endorsed the establishment of the Cross-Border Privacy Rules (CBPR) system. The CBPR system implements the APEC Privacy Framework of 2005, by providing a voluntary data protection certification for companies that control personal data. Such data controllers can apply with third parties (accountability agents) for a certificate, which demonstrates compliance with the APEC privacy framework and enables data transfers to other APEC countries that participate in the CBPR system. Specifically, the CBPR system requires data controllers to obtain the consent of individuals (where applicable) for transfers of personal data to another organisation, both domestically and internationally. Furthermore, data controllers must exercise due diligence and implement reasonable steps to ensure the entity receiving the data follows the required privacy procedures.