On April 17, 2023, the UK applied to join the Global Cross-Border Privacy Rules (“CBPR”) Forum as an Associate member. It is the first country to declare its application to participate in the Global CBPR as an Associate member since its inception one-year ago. In addition to its application, the UK co-hosted the Global CBPR Forum workshop “At One Year: Challenges and Opportunities”, which took place between April 17 to April 20, 2023.
Facilitating data transfers and data flows is a top priority for the UK government. While it has been developing data transfer tools such as data bridges, standard contractual clauses, and transfer risk assessments, the government and the UK ICO are also considering other options, such as the Global CBPR System. As more jurisdictions look towards the Global CBPR System as a potential method for facilitating data transfers, this may become an appealing solution for organizations to consider to legitimize data transfers in multiple jurisdictions.
What is the Global CBPR Forum?
The Global CBPR Forum was established in 2022 via the Global CBPR Declaration, and derives from the Asia-Pacific Economic Cooperation (“APEC”) CBPR System. The Global CBPR Forum aims to expand the territorial scope of the APEC CBPR System in order to (i) facilitate data protection and free flow of data globally, (ii) share best practices and promote cooperation on data protection, and (iii) achieve interoperability with other data protection frameworks.
In order to achieve its aims, the Global CBPR Forum created the Global CBPR System (which is similar to binding corporate rules (“BCRs”) for controllers) and will seek to launch the Global Privacy Recognition for Processors (“PRP”) System (which is similar to BCRs for processors) in due course. The CBPR and PRP Systems are voluntary, accountability-based certification systems that allow organizations to demonstrate their compliance to internationally-recognized data protection and privacy standards, while also facilitating the free flow of data. An organization may apply for certification under the Global CBPR System and/or PRP System, and once they have been certified by a so-called “Accountability Agent”, they would be allowed to carry out cross-border data transfers among the jurisdictions that recognize the system without any further administrative burdens. Organizations can only be certified if the country in which they are headquartered has “Membership” status.
The Global CBPR Forum is currently made up of the following Member countries: Australia, Canada, Japan, the Republic of Korea, Mexico, the Philippines, Singapore, Chinese Taipei, and the United States of America. On April 13, 2023, the Global CBPR Forum officially opened its doors to participation by interested jurisdictions by publishing its Global CBPR Framework and Terms of Reference. The UK has applied to join as an “Associate” member only, and is currently waiting to be admitted.
UK’s participation in the Global CBPR Forum
As an Associate, the UK will be able to participate in the Global CBPR Forum discussions, but they will not have any voting rights to help shape the CBPR and PRP Systems. It is also seen as a pathway to potentially applying for full membership to the Global CBPR Forum.
Under the Associate status, organizations in the UK cannot take advantage of the certification scheme and data transfer mechanism provided under the Global CBPR and PRP Systems — this will only be possible once the UK becomes a full Member of the Global CBPR Forum.
The UK is still in the early stages of its engagement with the Global CBPR Forum, so it remains to be seen whether the UK will apply for full membership.
What does this mean for organizations?
As the Global CBPR Forum grows its membership, its CBPR and PRP Systems could become another data transfer tool that organizations may be able to utilize to legitimize their cross-border data transfers. For businesses with global operations, it can be a challenge to ensure compliance with the increasing number of data protection laws in jurisdictions around the world. As more and more jurisdictions adopt data localization rules or restrictions on data transfers, industry players — as well as policymakers and regulators– are calling for a more interoperable approach to legitimizing data flows. The Global CBPR Forum could be one avenue to explore for developing such an approach.
* * *
Covington regularly monitors developments regarding data transfers, and we would be happy to provide guidance about the Global CBPR Forum, whether you are a country interested in joining the Forum, or if you are an organization seeking to learn more about the certification process.