Skip to main content

APEC Cross-border Privacy Enforcement Arrangement (CPEA)

Last page update:

"A significant step forward in Asia-Pacific privacy protection"
Colin Minihan, Chair, APEC Electronic Commerce Steering Group - Data Privacy Subgroup

The APEC Cross-border Privacy Enforcement Arrangement (CPEA) aims to:

  • facilitate information sharing among Privacy Enforcement Authorities (PE Authorities) in APEC economies (which may include Privacy Commissioners' Offices, Data Protection Authorities or Consumer Protection Authorities that enforce Privacy Laws)
  • provide mechanisms to promote effective cross-border cooperation between authorities in the enforcement of Privacy Law, including through referrals of matters and through parallel or joint investigations or enforcement actions
  • encourage information sharing and cooperation on privacy investigation and enforcement with PE Authorities outside APEC (including by ensuring that the CPEA can work seamlessly with similar arrangements in other regions and at the global level)

Importance of information privacy to APEC

The flow of information is fundamental to doing business in the global economy. The ability to network, exchange ideas and share knowledge can determine a company's likelihood of success. Conversely, the inability to conduct such interactions can seriously impede business.

In endorsing the APEC Privacy Framework in 2004 (see link below), APEC Ministers recognised that cooperation to balance and promote effective information privacy protection and the free flow of information in the Asia-Pacific region is key to improving consumer confidence and ensuring the growth of electronic commerce.

Significance of the CPEA

In 2007 a Data Privacy Pathfinder initiative was established to progress the implementation of the APEC Privacy Framework. The Pathfinder involves multiple projects aimed at promoting consumer trust and business confidence in cross-border data flows. It also includes general commitments regarding the development of a Cross-Border Privacy Rules system.

The CPEA is an outcome of the Pathfinder initiative. It focuses on one of the four key goals of the APEC Privacy Framework, namely to facilitate both domestic and international efforts to promote and enforce information privacy protections. A volunteer group of APEC member economies led the CPEA's development, with input from civil society and business groups.

The CPEA aims to contribute to consumer confidence in electronic commerce involving cross-border data flows by establishing a framework for regional cooperation in the enforcement of Privacy Laws. In future it can also contribute to cross-border enforcement of an APEC Cross-Border Privacy Rules system for businesses.

The CPEA is therefore an important aspect of APEC's efforts to increase cross-border trade and growth in electronic commerce.

What the CPEA does

The CPEA creates a framework for the voluntary sharing of information and provision of assistance for information privacy enforcement related activities. Any PE Authority in an APEC economy may participate. Participating PE Authorities will contact each other for assistance or to make referrals regarding information privacy investigations and enforcement matters that involve each other's economies.

For example, during an investigation, a PE Authority in Economy X may seek the assistance of a PE Authority in Economy Y, if certain evidence of the alleged privacy violation (or the entity being investigated) is located in Economy Y. In that case, the PE Authority in Economy X may send a Request for Assistance to the point of contact in the PE Authority in Economy Y. The PE Authority in Economy Y may then consider the matter and provide assistance on a discretionary basis.

International cooperation

In 2007 the Organisation for Economic Cooperation and Development (OECD) adopted a recommendation to promote cooperation between OECD member countries on information privacy law enforcement. APEC and the OECD have begun to coordinate their initiatives to ensure they are compatible, and to secure cooperation amongst PE Authorities in different regions.

In the Asia-Pacific region, the Asia-Pacific Privacy Authorities (APPA) Forum helps to form partnerships and exchange ideas about information privacy regulation, new technologies and the management of information privacy enquiries and complaints. All PE Authorities participating in the CPEA are eligible to become members of the APPA Forum.

Where to find more information

Some frequently asked questions about the CPEA are answered below.
You can also find:

FAQS

Q. When did the Cross-border Privacy Enforcement Arrangement (CPEA) commence?

A. The CPEA was endorsed by APEC Ministers in November 2009 and commenced on 16 July 2010.

Q. What is a Privacy Enforcement Authority (PE Authority)?

A. A PE Authority is any public body that is responsible for enforcing information Privacy Law, and that has powers to conduct investigations or pursue enforcement proceedings. It can be a national or sub-national authority. 'Privacy Law' is defined in the CPEA as the laws and regulations of an APEC economy, the enforcement of which have the effect of protecting personal information consistent with the APEC Privacy Framework.

Q. Which PE Authorities participate in the CPEA?

A: Please check the website to find out which PE Authorities currently participate in the CPEA:
http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Digital-Economy-Steering-Group/Cross-border-Privacy-Enforcement-Arrangement.aspx

Q. What types of assistance may a participating PE Authority seek from another?

A. The CPEA provides for PE Authorities to seek a range of assistance from each other. For example, assistance could involve cooperating on enforcement action, or sharing information about an organisation or matter being investigated; collecting evidence in relation to privacy investigations; or transferring an information privacy complaint to another PE Authority for investigation (where appropriate and with relevant safeguards).

Q. How does the CPEA help electronic commerce in the APEC region?

A. APEC economies recognise the importance of protecting information privacy and maintaining information flows across economies in the Asia-Pacific region and among their trading partners.

APEC's 1998 Blueprint for Action on Electronic Commerce emphasises that the potential of electronic commerce cannot be realised without government and business cooperation:

'to develop and implement technologies and policies, which build trust and confidence in safe, secure and reliable communication, information and delivery systems, and which address issues including privacy'.

The lack of consumer trust and confidence in the privacy and security of on-line transactions and information networks is one element that may prevent member economies from gaining the full benefits of electronic commerce.

The adoption of the APEC Privacy Framework in 2004 was a key measure to improve consumer confidence so as to ensure the growth of electronic commerce. However, creating a framework of privacy principles is not of itself enough to ensure consumer confidence.

Consumers also need to have confidence that protections put in place will be respected. Given the cross-border nature of electronic commerce, it would undermine confidence if regulators could do nothing to assist consumers when a matter had a cross-border element.

The CPEA is not a complete solution to cross-border enforcement, however, it is a significant step to assist in cross-border enforcement where there is a Privacy Law and PE Authority in more than one of the economies involved.

Q. What benefits does this bring to business and government in the APEC region?

A. The CPEA provides more effective mechanisms to help investigate and enforce existing Privacy Laws across borders. Compliant businesses may see more effective action being taken against non-compliant businesses causing harm to consumers or the relevant industry. Growth in consumer trust in electronic commerce will also benefit business more generally.

Governments that have enacted Privacy Laws will find the CPEA may assist their PE Authorities in protecting their citizens, or may assist in obtaining redress where avenues of investigation and enforcement are limited. Regulators can cast their net wider in relying on voluntary assistance from fellow PE Authorities.

By fostering connections between participating PE Authorities, and between this and other regional or global cooperation mechanisms, the CPEA can help to promote collaboration, ingenuity, and sharing of knowledge and resources.

Q. What benefits does it bring to consumers in the APEC region?

A. With the growth of electronic commerce involving the movement of personal information between different economies, there is also an increase in the likelihood of information privacy issues with a cross-border element. This can pose additional difficulties in investigating and resolving violations of consumers' personal information privacy. The CPEA will assist participating PE Authorities in the APEC region to address these challenges, through cross-border cooperation on consumer privacy investigations and enforcement matters.

Q. Does the CPEA promote cooperation beyond APEC economies?

A. One of the objectives of the CPEA is to facilitate cooperation with similar networks of PE Authorities in other regions of the world. APEC and the OECD have begun to coordinate their initiatives to ensure they are compatible and to secure cooperation amongst PE Authorities in different regions.

Q. How does a PE Authority in an APEC member economy become a participant in the CPEA?

A. Firstly, a PE Authority needs to notify the CPEA Administrator(s) of its intention to participate. That notification must confirm that the PE Authority meets the definition of 'Privacy Enforcement Authority' set out in the CPEA, and be accompanied by a letter of confirmation from an appropriate government official verifying the PE Authority's status. The PE Authority must also supply a contact point notification and a statement of its practices, policies and activities.

A PE Authority that wishes to participate should use the template forms for each of these documents, which are posted on the APEC Information Management Portal. (To gain access to this site, PE Authorities should contact the head of their economies APEC Electronic Commerce Steering Group delegation or other appropriate government official.)

Details of current CPEA Administrators can be found at:
http://www.apec.org/Groups/Committee-on-Trade-and-Investment/Digital-Economy-Steering-Group/Cross-border-Privacy-Enforcement-Arrangement.aspx