On April 17, 2023, the UK applied to join the Global Cross-Border Privacy Rules (“CBPR”) Forum as an Associate member. It is the first country to declare its application to participate in the Global CBPR as an Associate member since its inception one-year ago. In addition to its application, the UK co-hosted the Global CBPR Forum workshop “At One Year: Challenges and Opportunities”, which took place between April 17 to April 20, 2023.

Facilitating data transfers and data flows is a top priority for the UK government. While it has been developing data transfer tools such as data bridges, standard contractual clauses, and transfer risk assessments, the government and the UK ICO are also  considering other options, such as the Global CBPR System. As more jurisdictions look towards the Global CBPR System as a potential method for facilitating data transfers, this may become an appealing solution for organizations to consider to legitimize data transfers in multiple jurisdictions.

What is the Global CBPR Forum?

The Global CBPR Forum was established in 2022 via the Global CBPR Declaration, and derives from the Asia-Pacific Economic Cooperation (“APEC”) CBPR System. The Global CBPR Forum aims to expand the territorial scope of the APEC CBPR System in order to (i) facilitate data protection and free flow of data globally, (ii) share best practices and promote cooperation on data protection, and (iii) achieve interoperability with other data protection frameworks.

In order to achieve its aims, the Global CBPR Forum created the Global CBPR System (which is similar to binding corporate rules (“BCRs”) for controllers) and will seek to launch the Global Privacy Recognition for Processors (“PRP”) System (which is similar to BCRs for processors) in due course. The CBPR and PRP Systems are voluntary, accountability-based certification systems that allow organizations to demonstrate their compliance to internationally-recognized data protection and privacy standards, while also facilitating the free flow of data. An organization may apply for certification under the Global CBPR System and/or PRP System, and once they have been certified by a so-called “Accountability Agent”, they would be allowed to carry out cross-border data transfers among the jurisdictions that recognize the system without any further administrative burdens. Organizations can only be certified if the country in which they are headquartered has “Membership” status.

The Global CBPR Forum is currently made up of the following Member countries: Australia, Canada, Japan, the Republic of Korea, Mexico, the Philippines, Singapore, Chinese Taipei, and the United States of America. On April 13, 2023, the Global CBPR Forum officially opened its doors to participation by interested jurisdictions by publishing its Global CBPR Framework and Terms of Reference. The UK has applied to join as an “Associate” member only, and is currently waiting to be admitted.

UK’s participation in the Global CBPR Forum

As an Associate, the UK will be able to participate in the Global CBPR Forum discussions, but they will not have any voting rights to help shape the CBPR and PRP Systems. It is also seen as a pathway to potentially applying for full membership to the Global CBPR Forum.

Under the Associate status, organizations in the UK cannot take advantage of the certification scheme and data transfer mechanism provided under the Global CBPR and PRP Systems — this will only be possible once the UK becomes a full Member of the Global CBPR Forum.

The UK is still in the early stages of its engagement with the Global CBPR Forum, so it remains to be seen whether the UK will apply for full membership.

What does this mean for organizations?

As the Global CBPR Forum grows its membership, its CBPR and PRP Systems could become another data transfer tool that organizations may be able to utilize to legitimize their cross-border data transfers. For businesses with global operations, it can be a challenge to ensure compliance with the increasing number of data protection laws in jurisdictions around the world. As more and more jurisdictions adopt data localization rules or restrictions on data transfers, industry players — as well as policymakers and regulators– are calling for a more interoperable approach to legitimizing data flows. The Global CBPR Forum could be one avenue to explore for developing such an approach.

* * *

Covington regularly monitors developments regarding data transfers, and we would be happy to provide guidance about the Global CBPR Forum, whether you are a country interested in joining the Forum, or if you are an organization seeking to learn more about the certification process.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Mark Young Mark Young

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the…

Mark Young is an experienced tech regulatory lawyer and a vice-chair of Covington’s Data Privacy and Cybersecurity Practice Group. He advises major global companies on their most challenging data privacy compliance matters and investigations. Mark also leads on EMEA cybersecurity matters at the firm. In these contexts, he has worked closely with some of the world’s leading technology and life sciences companies and other multinationals.

Mark has been recognized for several years in Chambers UK as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” “provides thoughtful, strategic guidance and is a pleasure to work with;” and has “great insight into the regulators.” According to the most recent edition (2024), “He’s extremely technologically sophisticated and advises on true issues of first impression, particularly in the field of AI.”

Drawing on over 15 years of experience, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology, e.g., AI, biometric data, and connected devices.
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
  • Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • Counseling ad networks (demand and supply side), retailers, and other adtech companies on data privacy compliance relating to programmatic advertising, and providing strategic advice on complaints and claims in a range of jurisdictions.
  • Advising life sciences companies on industry-specific data privacy issues, including:
    • clinical trials and pharmacovigilance;
    • digital health products and services; and
    • engagement with healthcare professionals and marketing programs.
  • International conflict of law issues relating to white collar investigations and data privacy compliance (collecting data from employees and others, international transfers, etc.).
  • Advising various clients on the EU NIS2 Directive and UK NIS regulations and other cybersecurity-related regulations, particularly (i) cloud computing service providers, online marketplaces, social media networks, and other digital infrastructure and service providers, and (ii) medical device and pharma companies, and other manufacturers.
  • Helping a broad range of organizations prepare for and respond to cybersecurity incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, supply chain incidents, and state-sponsored attacks. Mark’s incident response expertise includes:
    • supervising technical investigations and providing updates to company boards and leaders;
    • advising on PR and related legal risks following an incident;
    • engaging with law enforcement and government agencies; and
    • advising on notification obligations and other legal risks, and representing clients before regulators around the world.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of UK and EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.
Photo of Sam Jungyun Choi Sam Jungyun Choi

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such…

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such as AI, digital health, and autonomous vehicles.

Sam is an expert on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, having advised on these laws since they started to apply. In recent years, her work has evolved to include advising companies on new data and digital laws in the EU, including the AI Act, Data Act and the Digital Services Act.

Sam’s practice includes advising on regulatory, compliance and policy issues that affect leading companies in the technology, life sciences and gaming companies on laws relating to privacy and data protection, digital services and AI. She advises clients on designing of new products and services, preparing privacy documentation, and developing data and AI governance programs. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.