Australia: Updated APEC Cross-Border Privacy Rules (CBPR) System outlining data transfer measures

On 4 November 2019, the Cross-Border Privacy Rules (CBPR) system is updated to include provisions endorsed by the Asia-Pacific Economic Cooperation (APEC) leaders in the APEC Privacy Framework 2015. The CBPR system represents a data privacy certification to which companies can adhere in order to demonstrate compliance with data protection measures and transfer data to the countries that endorsed the certification scheme. Under the CBPR system data controllers are required to obtain the consent of individuals where applicable to transfer personal data to another organization domestically or internationally. Furthermore, data controllers have to exercise due diligence and implement the necessary measures to ensure the protection of the data by the organization receiving it. The updated CBPR extends the certification scheme to data processing organizations. Data processors will be able to apply and receive accreditation from recognized accountability agents.