Skip to main content

What is the Cross-Border Privacy Rules System

Last page update:

How APEC’s innovative approach to data privacy cooperation protects personal data and facilitates trade to benefit consumers and businesses

The APEC Cross-Border Privacy Rules (CBPR) system is a government-backed data privacy certification that companies can join to demonstrate compliance with internationally-recognized data privacy protections.  The CBPR system implements the APEC Privacy Framework endorsed by APEC Leaders in 2005 and updated in 2015.

The CBPR system benefits consumers and business alike by ensuring that regulatory differences do not block businesses’ ability to deliver innovative products and services.  Significantly, the CBPR system was recognized in the new trade agreement among Canada, Mexico and the United States demonstrating the trade benefits of cooperating on these issues.  Further, Japan has recognized the CBPR system to enable cross-border data transfers in compliance with domestic law.

Through the CBPR system, certified companies and governments are working together to ensure that when personal information moves across borders, it is protected in accordance with the standards prescribed by the system’s program requirements and is enforceable across participating jurisdictions.

The CBPR system protects personal data by requiring:

  • Enforceable standards: To join, participating economies must demonstrate that CBPR program requirements will be legally enforceable against certified companies.
  • Accountability: To become certified, a company must demonstrate to an accountability agent—an independent CBPR system-recognized public or private sector entity— that they meet the CBPR program requirements, and the company is subject to ongoing monitoring and enforcement.
  • Risk-based protections: Certified companies must implement security safeguards for personal data that are proportional to the probability and severity of the harm threatened, the confidential nature or sensitivity of the information, and the context in which it is held.
  • Consumer-friendly complaint handling: Accountability agents receive and investigate complaints and resolve disputes between consumers and certified companies in relation to non-compliance with its program requirements.
  • Consumer empowerment: Certified companies must provide consumers with the opportunity to access and correct their personal data. Further, by publicly certifying to the CBPR system’s requirements, consumers gain insight into the privacy practices on business with which they choose to do business.
  • Consistent protections: While governments may impose additional requirements with which certified companies must still comply, all participants must agree to abide by the 50 CBPR program requirements, facilitating the implementation of the same baseline protections across different legal regimes.
  • Cross-border enforcement cooperation: The CBPR system provides a mechanism for regulatory authorities to cooperate on the enforcement of program requirements.

Developed by all 21 APEC economies and endorsed by APEC Leaders in 2011, an APEC economy must demonstrate that it can enforce compliance with the CBPR system’s requirements before joining.  Currently, nine economies participate in the system: Australia, Canada, Japan, the Republic of Korea, Mexico, the Philippines, Singapore, Chinese Taipei, and the United States.

For more information, please visit