As of September 2022, Twilio is certified under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPRs) and Privacy Recognition for Processors (PRP) systems. These voluntary and enforceable privacy certifications demonstrate our commitment to data protection and facilitate international data transfers from APEC economies.
Twilio’s inclusion in the directory of CBPR and PRP certified companies can be found here.
What are the APEC Cross-Border Privacy Rules and Privacy Recognition for Processors systems?
The APEC Privacy Framework was established by APEC to help member economies develop a consistent domestic approach to the protection of personal data. The framework comprises 9 principles and forms the basis of a regional system called the APEC Cross-Border Privacy Rules (CBPR) that seeks to maintain the free flow of data between APEC economies by bridging differences between their national privacy laws.
CBPR is made up of 50 program requirements that operationalise the 9 principles, and organizations can demonstrate their compliance through a certification process managed by approved accountability agents. Functionally, the certification provides a mechanism for organizations (acting as data controllers) to transfer personal data between APEC economies and to recipients in other jurisdictions, whether affiliated or non-affiliated entities, provided any additional legal requirements are met.
The PRP is a companion certification to the CBPRs designed specifically for organizations that process personal data as data processors on behalf of other organizations (data controllers). It assists with vendor due diligence by providing assurance to data controllers that the processing of their data is consistent with the APEC CBPR system.
Which countries participate in the APEC CBPRs and PRP Systems?
All 21 APEC economies have endorsed APEC CBPRs and intend to participate. To date, nine economies have joined the CBPRs: the US, Australia, Japan, Singapore, Philippines, South Korea, Mexico, Canada, and Taiwan. Several other APEC economies are seeking to join, including Indonesia, Chile, Vietnam, and Malaysia. Currently, only the US and Singapore are participating in the PRP system, but other APEC economies are expected to follow.
As Twilio is headquartered in the US, we applied for both CBPR and PRP certifications through TrustArc, a recognised US accountability agent, and our certifications apply to all Twilio group members.
How did Twilio obtain these certifications and how are they enforced?
To obtain the certifications, we went through a rigorous process with TrustArc to review Twilio’s privacy policies and practices and confirm they meet the certification requirements. To ensure ongoing compliance, we are required to recertify with TrustArc on an annual basis.
Twilio provides complaint and redress mechanisms to consumers that are managed for us by TrustArc and accessible here. TrustArc seeks to investigate and resolve disputes and has the power to suspend or withdraw certifications for non-compliance. Ultimate enforcement is by APEC-based Privacy Enforcement Authorities (PEAs), who may bring actions against an organization for failing to comply. In Twilio’s case, this is the US Federal Trade Commission.
Why did Twilio obtain the APEC CBPR and PRP certifications?
In short, the APEC CBPRs and PRP certifications build on Twilio’s privacy program, demonstrate our commitment to robust data protection practice globally, and enable compliance with some privacy laws.
Twilio has established and implemented Binding Corporate Rules to ensure adequate protection for internal transfers of personal data between Twilio group members in the European Union and elsewhere. The APEC CBPRs and PRP certifications provide overlapping safeguards to personal data transferred within the Twilio group from participating APEC economies.
In some cases, the CBPR certification also helps us to transfer personal data between APEC economies and meet data transfer requirements under national privacy laws in both APEC and non-APEC economies.
What do Twilio’s APEC CBPR and PRP certifications mean for our customers?
Twilio’s CBPR and PRP certifications provide our customers with assurance about our privacy program as both a data controller and a data processor, and about our commitment to being responsible and accountable for data protection.
In addition to the terms of Twilio’s Data Processing Addendum, the CBPR certification may also help our customers meet data transfer requirements under national privacy laws in some APEC and non-APEC economies. For example, Singapore, Japan, Bermuda and the Dubai International Financial Centre recognise CBPRs.
Where can I get more information?
If you have more questions regarding Twilio’s CBPR and PRP certifications, please reach out to the Twilio Privacy Team.