Global Cross-Border Data Transfer Scheme Launches; Complements GDPR
Worldwide interest is growing in adopting the Global Cross-Border Privacy Rules (GCBPR) system for international data transfers, the Hogan Lovells law firm reported.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The system, and its accompanying Privacy Recognition for Processors (PRP) regime, launched June 2 with around 100 certified companies. It will complement, not replace, privacy regimes such as the General Data Protection Regulation (GDPR), the firm wrote.
The GCBPR is a voluntary, accountability-based certification framework designed to enable secure, privacy-protective cross-border transfers while ensuring data protection standards, the attorneys said. The PRP system complements the GCBPR by addressing data processors' obligations in processing personal data on behalf of and pursuant to data controllers' instructions.
The frameworks are administered by the Global CBPR Forum, which was established in 2022 to support the free flow of data and effective data protection and privacy globally. The forum is currently chaired by Shannon Coe, Department of Commerce director of global data policy, International Trade Administration.
The GCBPR operates through third-party accountability agents, who assess and certify organizations' privacy policies, practices and data governance against a set of standards, Hogan Lovells wrote. These include accountability, notice, choice, collection, use of personal information, security safeguards and access and correction.
Certifications are enforceable by privacy authorities in participating jurisdictions. There are currently nine members of the Global CBPR Forum: Australia, Canada, Japan, Mexico, the Philippines, the Republic of Korea, Singapore, Chinese Taipei, and the U.S. These countries form the Asia-Pacific Economic Cooperation (APEC) CBPR system on which the global regime is based.
However, there's a "strong commitment" to expanding membership to non-APEC countries. The U.K., the firm noted, joined as an associate member in 2023, and other nations have also signaled interest.
The GCBPR "represents a significant evolution of the APEC CBPR system," the firm wrote. It extends the framework worldwide and makes crucial updates to the assessment criteria by which companies are certified. The forum is also considering adding criteria, such as breach notification to individuals, sensitive data, risk assessment and children's data.
While the GCBPR doesn't replace other laws such as the GDPR, it could streamline compliance by "serving as a common denominator across disparate regulatory regimes," the firm said. Regulators in participating countries will look to ensure interoperability with domestic laws.
While the GCBPR isn't recognized as equivalent or adequate for EU data transfers, the enhanced assessment criteria demonstrate the continuing effort toward greater interoperability. "This could not only streamline compliance in the future for organizations operating in both Global CBPR and GDPR jurisdictions, but serve as a basis for a globally recognized set of privacy principles and practices."
The Global CBPR Forum met May 26-27 in Singapore. Among its main takeaways, according to Hogan Lovells, were that the GCBPR has a key role in conjunction with the development and adoption of AI systems requiring large volumes and diverse sources of data; and that plans are afoot to strengthen alignment with the GDPR and emerging AI governance standards.