U.S. First to Join Asia-Pacific Data Processor Privacy System

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

The U.S. is the first country to join a new Asia-Pacific Economic Cooperation program to certify privacy and security compliance and issue trust marks for companies that process personal data, the Department of Commerce announced Dec. 29.

Data-processing companies that gain the program’s certification can market their services more easily to multinationals doing business in APEC member countries, including the U.S. APEC has 21 Pacific rim country members, which account for approximately 54 percent of total global GDP and 44 percent of the total world trade, according to the Office of the U.S. Trade Representative.

APEC officially approved the U.S. participation in the Privacy Recognition for Processors (PRP) System Dec. 15. The PRP program is a corollary of the APEC Cross-Border Privacy Rules (CBPRs) system, which requires a participating country to adopt national data transfer procedures, including appointing an independent public or private sector accountability agent and an enforcement agency.

A company that gains PRP certification will be able to “facilitate partnerships with multinational companies in the digital economy” by showcasing their privacy commitment, Michael Rose, policy adviser in the International Trade Administration’s Office of Digital Services Industries, said in the blog post announcing U.S. participation in the program.

The PRP program, finalized by APEC in September 2016, includes baseline security, privacy, and accountability standards that companies must comply with in order to obtain certification. The country’s accountability agent certifies that specific companies’ policies comply with APEC standards.

Gaining PRP certification will help data processors sell their services and lets data controllers—companies that control the collection, use, and processing of personal data—know which processors to trust, Josh Harris, director of international affairs at TrustArc Inc. in Washington, told Bloomberg Law. TrustArc is the U.S. accountability agent for APEC CBPRs.

Companies may function as third-party processors for others, including services offered through apps, platforms, and the cloud. A subsidiary of a foreign entity might also serve as a data processor for its parent company.

A country’s participation in the PRP program can give a competitive boost to its entire domestic processing industry, Harris said.

Singapore and the Philippines have already expressed interest in joining the PRP program, according to Commerce’s announcement.

To contact the reporter on this story: George Lynch in Washington at glynch@bloomberglaw.com

To contact the editor responsible for this story: Donald Aplin at daplin@bloomberglaw.com

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security