Cross-Border Privacy System Gains Second U.S. Compliance Agent

July 8, 2019 Debbie Zaller

(Article originally published on

U.S. companies will have another option for certifying their compliance with an Asia-Pacific region cross-border privacy rules program.

Schellman & Company LLC is the second company to become a U.S. accountability agent under the Asia Pacific Economic Cooperation’s Cross Border Privacy Rule (CBPR) System, the International Trade Administration said in a blog post.

Accountability agents evaluate if U.S. businesses’ privacy practices and procedures align with the requirements of the data privacy certification mechanism. Participation in the program is voluntary, but once a company is certified, their policies and practices become binding and national privacy authorities can enforce them.

Companies in the Asia-Pacific region can more easily exchange information across borders by demonstrating they maintain internationally recognized privacy standards. With two agents available, U.S. companies can expect more access to certification services, according to the federal government and Schellman.

“We have heard the call from U.S. industry for more Accountability Agents in the United States to promote greater options and more competitive pricing for the growing variety of companies seeking the benefits of a CBPR certification,” Jim Sullivan, deputy assistant secretary for services at the U.S. Department of Commerce’s ITA, said in a statement.

Adding another agent “is an indication that there is now support for CBPR and broader interest in certification,” Jarno Vanto, partner in Crowell & Moring LLP’s privacy and cybersecurity group, said in an email.

TrustArc subsidary TRUSTe has been the only U.S. accountability agent since 2013. APEC members created the CBPR system in 2011.

Debbie Zaller, Schellman’s privacy practice leader, said in a statement the company applied to become an agent after hearing about the APEC privacy framework and realizing there was an opportunity to “drive competition in the space and hopefully enable more organizations to pursue certification.”

Eight APEC economies—out of a total 21— have so far joined the CBPR system, including the U.S., Japan, Canada, Mexico, South Korea, Australia, Singapore, and Chinese Taipei, according to the ITA. The Philippines is in the process of joining.

“The number of global businesses who have joined the program has also been limited,” Francoise Gilbert, co-chair of Greenberg Traurig LLP’s data, privacy, and cybersecurity practice, said in an email.

“With the passage of time, the number will increase,” Gilbert said. “The more news about development and applicability of the CBPR Program, the more incentives for global businesses and for APEC Member Economies to look at the CBPR as a way to demonstrate their commitment to privacy and data protection,” she said.

About the Author

Debbie Zaller

Debbie Zaller is a Principal at Schellman & Company, LLC. Debbie leads the SOC 2, SOC 3 and Privacy service lines and is also an AICPA-approved and nationally listed SOC Specialist. As practice leader she is responsible for internal training, methodology creation and quality reporting. Debbie also leads the firm’s Midwest market. Debbie has over 20 years of IT compliance and attestation experience. Debbie was on the AICPA Task Force for the Advanced SOC for Certification Exam, was a member of the Florida Institute of Certified Public Accountants Board of Governors and served on the Finance and Office Advisory Committee.

More Content by Debbie Zaller
Previous Video
Service Overview: APEC
Service Overview: APEC

What is it APEC, what are the benefits, and why use Schellman?

Next Article
APEC announces new US accountability agent for CBPR certifications
APEC announces new US accountability agent for CBPR certifications

The Asia-Pacific Economic Cooperation is set to boost the status of its Cross-Border Privacy Rul...

Schellman can help you prepare for upcoming international laws by reviewing your privacy program