Singapore Appoints Its First Ever Accountability Agent Under the CBPR System
Posted on August 7, 2019
On July 23, 2019, APEC issued a press release announcing Singapore’s appointment of the Infocomm Media Development Authority (IMDA) as its accountability agent. Singapore joined the APEC Cross-Border Privacy Rules (CBPR) system in March 2018 and is the third economy after the United States and Japan to operationalize the system.
The APEC CBPR is a regional, multilateral, cross-border data transfer mechanism and enforceable code of conduct developed for businesses by the 21 APEC member countries. As we have reported on previously, the CBPR system is meant to help companies transfer personal data across the borders of participating countries. Companies join by completing self-assessments and participating with an “accountability agent.” As Singapore’s accountability agent, IMDA will ensure the privacy policies and practices of participating companies comply with the APEC CBPR and Privacy Recognition for Processors (PRP) through independent third-party assessments before certifying them. Currently, the U.S., Mexico, Canada, Japan, South Korea, Australia, Singapore and Chinese Taipei participate in the CBPR system.
PUTTING IT INTO PRACTICE: We will continue to monitor the CBPR. As more countries fully participate, the CBPR system shows its growing viability as a cross-border data transfer scheme.
EU and Japan Finalize Data Transfer Deal
Posted on January 28, 2019
As we previously reported the EU and Japan reached a tentative deal last summer to ease data transfer restrictions between them. That deal has now been approved by both the European Commission and by Japan and is effective immediately. When the tentative deal was reached, Japan promised to add several new data protection safeguards. Those included new individual rights and limits on further transfers to third countries. Japan also agreed to limit government access to personal data, and to give Europeans a way to complain about government access. Japan has now implemented those safeguards. As a result, the European Commission has decided that Japan provides an adequate level of protection for personal data under the EU’s General Data Protection Regulation. This means that personal data can now be transferred freely between the EU and Japan. The decision will be jointly reviewed in two years, and then every four years thereafter. It is the first adequacy decision under GDPR.
The EU has recognized very few countries as having adequate protections for personal data. Those countries are Andorra, Argentina, Canada (commercial organizations only), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland, and Uruguay.
The recognition of Japan is notable as the first mutual recognition. The new free exchange of personal data between the EU and Japan is a part of the EU-Japan trade agreement which is expected to come into effect in February 2019.
PUTTING IT INTO PRACTICE: companies transferring data between EU and Japan will find this new recognition extremely helpful. Keep in mind also that several other countries have been deemed “adequate” by the EU.
      19 Eye on Privacy 2019 Year in Review