Cross-Border Privacy System Gains Second U.S. Compliance Agent

July 8, 2019 Debbie Zaller

(Article originally published on

U.S. companies will have another option for certifying their compliance with an Asia-Pacific region cross-border privacy rules program.

Schellman & Company LLC is the second company to become a U.S. accountability agent under the Asia Pacific Economic Cooperation’s Cross Border Privacy Rule (CBPR) System, the International Trade Administration said in a blog post.

Accountability agents evaluate whether U.S. businesses’ privacy practices and procedures align with the requirements of the data privacy certification mechanism. Participation in the program is voluntary, but once a company is certified, its policies and practices become binding and national privacy authorities can enforce them.

Companies in the Asia-Pacific region can more easily exchange information across borders by demonstrating they maintain internationally recognized privacy standards. With two agents available, U.S. companies can expect more access to certification services, according to the federal government and Schellman.

“We have heard the call from U.S. industry for more Accountability Agents in the United States to promote greater options and more competitive pricing for the growing variety of companies seeking the benefits of a CBPR certification,” Jim Sullivan, deputy assistant secretary for services at the U.S. Department of Commerce’s ITA, said in a statement.

Adding another agent “is an indication that there is now support for CBPR and broader interest in certification,” Jarno Vanto, partner in Crowell & Moring LLP’s privacy and cybersecurity group, said in an email.

TrustArc subsidiary TRUSTe has been the only U.S. accountability agent since 2013. APEC members created the CBPR system in 2011.

Debbie Zaller, Schellman’s privacy practice leader, said in a statement the company applied to become an agent after hearing about the APEC privacy framework and realizing there was an opportunity to “drive competition in the space and hopefully enable more organizations to pursue certification.”

Eight APEC economies, out of a total of 21, have so far joined the CBPR system, including the U.S., Japan, Canada, Mexico, South Korea, Australia, Singapore, and Chinese Taipei, according to the ITA. The Philippines is in the process of joining.

“The number of global businesses who have joined the program has also been limited,” Francoise Gilbert, co-chair of Greenberg Traurig LLP’s data, privacy, and cybersecurity practice, said in an email.

“With the passage of time, the number will increase,” Gilbert said. “The more news about development and applicability of the CBPR Program, the more incentives for global businesses and for APEC Member Economies to look at the CBPR as a way to demonstrate their commitment to privacy and data protection,” she said.

About the Author

Debbie Zaller

Debbie is Principal and co-owner at Schellman & Company, LLC. She began her career in 2000 while working at Arthur Andersen in their Technology Risk Assurance practice. Debbie now leads the Midwest Region along with the Privacy, SOC 2 and SOC 3 service lines and is also on the AICPA’s SOC Specialist Task Force. She is responsible for internal training, methodology creation, and quality reporting. Debbie was a past member of the Florida Institute of Certified Public Accountants’ Board of Governors and served on the Finance and Office Advisory Committee. She also served on the AICPA’s Advanced SOC for Service Organizations Certificate Task Force.
