Global Data Transfer Developments: Taking the APEC CBPR System Global

On April 21, Canada, Singapore, Japan, the U.S., the Republic of Korea, Chinese Taipei, and the Philippines released a joint declaration announcing the creation of a Global Cross-Border Privacy Rules (CBPR) Forum. This global CBPR Forum, which is drawn from the Asia-Pacific Economic Cooperation (APEC) forum’s existing CBPR and Privacy Recognition for Processors (PRP) Systems, will allow for the expansion of the CBPR system beyond APEC’s twenty-one economies into a truly international framework.

The expansion of the CBPR system will promote the free flow of data over international borders, while promoting effective and robust data protections for consumers. A globalized CBPR system is intended to promote trust in the digital economy, spur economic growth, and increase competitiveness for participating companies and countries.

The CBPR Forum will establish an international certification system to recognize companies that institute high-standard privacy protections and ensure that robust safeguards are in place when participating organizations transfer data globally. The system builds off of the existing CBPR framework developed within the Asia-Pacific Economic Cooperation (APEC) forum.

The objective will be for participating member economies to recognize the Global CBPR system as a valid legal basis for cross-border data transfers, and incorporate it into their domestic privacy legislation and otherwise recognize it under trade agreements or other bilateral and/or multilateral frameworks. The Global CBPR system will therefore add a vitally needed additional data transfer mechanism that can be available for companies of all sizes and industries that seek to demonstrate their commitment to privacy and strong data governance protections.

The promotion of voluntary, interoperable frameworks for data transfers – such as the CBPR system – is important given the rapidly-evolving landscape of international privacy legislation. New, comprehensive privacy frameworks have proliferated around the world over the last decade, with the EU’s General Data Protection Regulation (GDPR) the most prominent – and most often copied – example. Yet the resulting data protection landscape is quite fragmented, with countries and economies adding unique provisions and creating new standards to reflect their own unique cultural attributes, economic status, and traditions. For companies that need to share data with global partners, vendors, and customers, this has increased compliance costs, imposed legal uncertainty, and generally led to inefficiency in the modern digital economy.

The members of the new Global Forum will seek to address these challenges by promoting this trusted framework as an interoperable mechanism that can bridge the varying privacy regimes – and allow a more seamless, efficient pathway to ensure the trusted flow of data.

In the formal announcement of the new Global Forum, United States Secretary of Commerce, Gina M. Raimondo, declared that it heralded a “new era of multilateral cooperation in promoting trusted global data flows that are critically important to our modern economy.” It is also a timely development amid the ongoing negotiations between the U.S. and EU to establish a new trans-Atlantic data transfer mechanism, to replace the former U.S.-EU Privacy Shield framework. The Biden Administration has hinted that expansion of the CBPR framework, to promote recruitment of new member economies, may feature in its broader negotiations to launch the Indo-Pacific Economic Framework.

Companies should take note of the globalized CBPR system as a potentially cost-effective, proven framework to demonstrate their commitment to consumer privacy. Countries as varied as the United Kingdom, Brazil, and the United Arab Emirates had previously expressed interest in the APEC CBPR system. As the system now “goes global” – and with the rising attention given to robust privacy legislation around the world – we can expect that other countries and economies will sign on to recognize the CBPR system as legally-recognized pathway to transfer personal data around the world.

The formal announcement and declaration of the founding parties of the Global CBPR Forum can be found here. To learn more about how the CBPR system works and its benefits, you can find a helpful primer developed by C&M International on the official CBPR website.

To discuss how our firm helps multinational clients understand and navigate the rapidly-changing global data governance landscape, please don’t hesitate to reach out.