h1

United States Becomes First Economy to Offer Asia-Pacific Economic Cooperation Privacy Trustmark to Data Processors

December 29, 2017

This post contains external links. Please review our external linking policy.

Michael Rose is a Policy Advisor in the International Trade Administration’s Office of Digital Services Industries

The United States is the first Asia-Pacific Economic Cooperation (APEC) economy to join the APEC Privacy Recognition for Processors (PRP) System, which offers a trustmark certification to personal information processors (processors) in the region. By improving transparency and trust in contracting relationships, PRP certification allows your business to showcase its commitment to consumer privacy protections, and facilitate partnerships with multinational companies in the digital economy.

To obtain PRP certification, your business must first confirm that its data privacy policies and practices comply with the PRP System’s baseline security and accountability standards for data protection. To verify compliance, an APEC-recognized auditor, known as an Accountability Agent, will review your security policies and practices, and may request additional information on relevant contractual obligations. You will also be required to demonstrate to the Accountability Agent what measures you have in place to hold your business accountable to those consumers and partners whose information you process. In many respects, the PRP certification process is comparable to that administered by the U.S. Department of Commerce for the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Frameworks.

Additional APEC economies, including Singapore and the Philippines, have already expressed interest in joining the PRP system in the coming year. Expanded implementation of the PRP System across the APEC region will help U.S. companies in evaluating whether prospective international business partners are committed to effective consumer privacy protections.

The 21 APEC member economies adopted the PRP System for data processors in 2015, as a corollary to the APEC Cross-Border Privacy Rules (CBPR) System for data controllers. Together, the PRP and CBPR Systems cover the entire data ecosystem—strengthening consumer privacy protections and trust across the Asia Pacific region, while facilitating trade by minimizing barriers to the cross-border flow of information.

The CBPR and PRP Systems are both voluntary but enforceable. In the United States, the Federal Trade Commission has primary responsibility for enforcing a company’s PRP certification and public attestations, and for bringing enforcement actions for false claims of certification.

The International Trade Administration’s Office of Digital Services Industries in the Industry and Analysis unit leads U.S. Government efforts to implement and expand the APEC CBPR and PRP Systems. We invite you to direct any feedback or questions to Michael Rose.