APEC Privacy Framework
- Lawfulness, fairness and non-discrimination
- Transparency and free access
- Purpose specification, use limitation and suitability
- Data minimization, storage limitation and accuracy
- Security and prevention
- Accountability and recordkeeping
- Data protection officer
- Data subjects rights
- Cross-border data transfer and localization
- Incident and breach
Although it is not binding, the Framework provided the basis for the creation of the APEC Cross-Border Privacy Rules (CBPR) system and served as a common source for many of the region's privacy laws.
Adherence to the principles established in the APEC Privacy Framework and the Cross-Border Privacy Rules may help a company advance its own compliance program, increase consumer trust and improve internal efficiency.
A document analyzing the costs and benefits of CBPR implementation, presented in 2016 at the APEC Senior Officials' Meeting, reported significant benefits for both companies and consumers.
Overall, compliance with the Framework and certification under the CBPR system may bring the following benefits for companies:
- Reducing the cost and time needed to adopt EU binding corporate rules
- Fostering the creation of a global privacy program
- Defining a common standard for compliance with the privacy laws of APEC economies
- Lowering complexity for cross-border data flow policies
- Increasing consumer trust
The Framework addresses every person or organization that processes personal information, including when it instructs another person or organization to carry out that processing on its behalf. Notably, it does not apply to persons or organizations that process personal information only under the instruction of another person or organization.
Additionally, it excludes individuals using personal information in connection with personal, family or household affairs, and it applies only to a limited extent to publicly available information.
The Framework applies to the APEC economies, but it provides considerable flexibility in the implementation of its principles, taking into account social, cultural and other differences among members.
Personal information means any information about an identified or identifiable individual. It includes information that would allow a person to be identified if combined with other data.
Personal information controller means any person or organization that controls the collection, holding, processing, use, disclosure or transfer of personal information, including when it instructs another person or organization to perform those activities on its behalf.
Lawfulness, fairness and non-discrimination
Collection and use of personal information
Principle 24 states that personal information should be obtained by lawful and fair means and, where appropriate, with notice to, or the consent of, the individual concerned.
Although it does not establish specific and restrictive legal grounds for the initial processing of data, the Framework limits unfair collection and use of personal information even in economies where no specific law against such practices exists.
Principle 26 sets out the characteristics of consent (which the Framework calls 'choice'): it should be obtained through clear, prominent, easily understandable, accessible and affordable mechanisms.
When the choice is performed electronically or in writing, it should be clearly stated and displayed.
Consent mechanisms should also be easily understandable and tailored to the particular groups of individuals concerned (e.g. by using different languages, or simplified concepts for children).
Choice may not be practicable or necessary under certain circumstances, for example:
- Information made available to the public
- Processing of business and professional contact information
- Organizational needs while processing employee-related information
- Circumstances of public interest (e.g. an outbreak of food poisoning)
Transparency and free access
Principle 21 requires that individuals be informed of what information is collected about them and for what purposes.
Controllers are required to provide clear and accessible notices, including:
- The fact that personal information is being collected
- The related purposes
- The persons or organizations to whom the information might be disclosed
- Identity, location and contact information of the controller
- Choices and means offered by the controller to the individuals to limit use and disclosure of personal information
The notice should be provided before or at the time of collection and may be delivered by different methods depending on the context (for example, by posting it on a website or including it in an employee handbook).
Principles 29-31 define the individuals' right to access their information, which should be provided in a reasonable manner and in an understandable form; a charge may be imposed, provided it is not excessive.
Purpose specification, use limitation and suitability
According to principle 25, personal information should be used only to fulfill the original purpose of its collection or other related and compatible purposes, unless the controller can identify a different legal ground.
The Framework specifically mentions three such possible legal grounds:
- The consent of the individual whose personal information is collected
- Necessity to provide a product or service requested by the individual
- The authority of law or other legal instruments, or any other proclamation or pronouncement with legal effect
Determining whether a purpose is compatible with the original purpose of collection should take into account the nature of the personal information, the context of collection, the individual's expectations and the intended use of the information.
Data minimization, storage limitation and accuracy
According to principle 24, the collection of personal information should be limited to what is relevant to the purpose of collection and proportionate to what is required to fulfill that purpose.
At the same time, principle 27 requires controllers to keep personal information accurate, complete and up to date.
No specific provision on storage limitation exists, but the principles above should in practice regulate, and consequently limit, the retention periods of personal information.
Security and prevention
The Framework requires controllers to protect personal information with appropriate safeguards, and it lists the risks that those safeguards should address, such as:
- Unauthorized access
- Unauthorized destruction, use, modification
- Unauthorized disclosure
Such safeguards should:
- Be proportionate to the likelihood and severity of the harm threatened
- Be proportionate to the sensitivity of the information
- Be proportionate to the context in which the information is held
- Be periodically reviewed and reassessed
Accountability and recordkeeping
The personal information controller remains ultimately responsible for ensuring appropriate safeguards, even when it instructs another organization or person to carry out processing on its behalf.
To ensure accountability, controllers are encouraged to create and maintain a privacy management program in order to demonstrate effective protection of personal information.
Privacy management programs should be regulated by domestic law, but the Framework indicates which characteristics such programs should have:
- Tailored to the structure of the controller
- Tailored to the volume and sensitivity of personal information
- Provide safeguards that take into account the potential harm and risks to individuals
- Provide mechanisms for internal oversight, inquiries and incidents
- Designate accountable and trained personnel in charge of managing the program
- Regularly monitored and updated
Controllers should demonstrate compliance with their privacy management program to Privacy Enforcement Authorities or other relevant entities, such as the accountability agent designated under the CBPR system.
When personal information is to be transferred to another person or organization, the controller should either:
- a) obtain the consent of the individuals concerned, or
- b) perform due diligence on the recipient and take reasonable steps to ensure that the recipient protects the information consistently with the Framework's principles.
These requirements do not apply when the transfer is required by domestic law.
The Framework does not contain specific provisions related to recordkeeping.
Data protection officer
The Framework does not introduce any specific role comparable to the GDPR data protection officer; however, it recommends that controllers designate trained personnel in charge of managing the internal privacy program.
Data subjects rights
Three main rights are laid down in the Framework.
Right to be informed
Individuals should be able to obtain confirmation of whether or not the controller holds personal information about them.
Right to access
Individuals should be able to receive the personal information about them held by the controller:
- Within a reasonable time
- At a proportionate charge
- In a reasonable manner
- In an understandable form
Right to rectify
Individuals should have the right to challenge the accuracy of any personal information relating to them and to have such information rectified, completed, amended or deleted.
Access and correction may be refused in the following cases:
- Unreasonable or disproportionate burden or expense compared with the risks to the individual of not having the right exercised
- Security reasons or commercial confidentiality
- Privacy risks to third persons
If the individual's request is rejected, the controller should provide the individual with an adequate explanation.
Cross-border data transfer and localization
The Framework encourages member economies to refrain from restricting the free flow of personal information where:
- The recipient economy has laws and/or regulations implementing the Framework's principles, or
- The controller has put in place effective mechanisms and enforcement measures to ensure a consistent level of protection for the personal information
Notably, the Framework provided the basis for the APEC Cross-Border Privacy Rules (CBPR) system, which is intended to provide a minimum common level of protection among participating economies and to simplify the flow of personal information.
Incident and breach
Privacy management programs should contain mechanisms for overseeing, responding to and handling threats and incidents.
The Framework encourages the establishment of Privacy Enforcement Authorities (PEAs).
A PEA should have the following duties:
- Enforcing privacy legislation
- Conducting investigations
- Pursuing enforcement measures
- Monitoring and assessing privacy management programs
- Reviewing individuals' complaints and requests
- Cooperating with authorities in other economies for investigative purposes
The APEC Privacy Framework sets forth definitions, principles and implementing guidelines in order to promote e-commerce, data flow and privacy protection throughout the Asia Pacific Economic Cooperation region.
Last Updated: July 30, 2019