Australia: Updated APEC Cross-Border Privacy Rules (CBPR) System outlining data subjects rights

On 4 November 2019, the Cross-Border Privacy Rules (CBPR) system is updated to include provisions endorsed by the Asia-Pacific Economic Cooperation (APEC ) leaders in APEC Privacy Framework 2015. The CBPR system implements the APEC Privacy Framework of 2005, by providing a voluntary data protection certification for companies that control personal data. Such data controllers can apply with third parties (accountability agents) for a certificate, which demonstrates compliance with the APEC privacy framework and enables data transfers to the APEC countries that participate in the CBPR system. The CBPR system introduces both obligations for data controllers and rights for data subjects. Regarding data protection obligations, the CBPR system requires companies to implement measures to prevent the misuse of personal data and take into consideration the risks to personal data when establishing remedial measures. Data controllers must implement appropriate safeguards against the unauthorised access, loss, destruction or modification of personal data. Regarding data subject rights, data controllers must collect data by lawful and fair means and where appropriate obtain consent from the data subject. Moreover, data subjects should be able to access the personal data collected by data controllers and request rectification and deletion, although these measures can be subject to limitations in instances where it is impossible or impracticable to change, suppress or delete personal data records. Regarding data breaches, the CBPR system does not require notification to competent authorities or data subjects by data controllers. Rather, the CBPR system obliges participating countries to introduce rules which require a contractual obligation for data breach notification between data controllers and agents, contractors and data processors.