Multistakeholder Approach Key to Global Regime, Says Cross Border Privacy Rules Chair

The Global CBPR Forum "enables trusted data flows globally through international data protection and privacy certifications," its website says. The voluntary GCBPR system launched June 2 with around 100 certified companies (see Ref:2506020003]).

The Forum offers two certifications: the GCBPR and the Privacy Recognition for Processors (PCP), Coe noted. The GCBPR has 50 program requirements companies must meet to obtain certification, the PRP 18, which apply specifically to data processors, said Coe, who is director of global data policy at the Commerce Department's International Trade Administration.

Companies seeking certification must show they meet all relevant requirements through a third-party accountability agent recognized by the forum, Coe said. The U.S. has four accountability agents where American companies can obtain certifications, which must be renewed annually, she said.

Certifications are enforceable by the relevant authorities in each jurisdiction, which in the U.S. is the FTC, she said.

The Global Forum is also initiating a trustmark as a way of creating a global brand, Coe said. The idea is to allow people looking at an organization's privacy policy or website to see that it has a certified trust program.

Coe was asked if the two certifications could be recognized as a valid data transfer system, like binding corporate rules or the EU-U.S. Data Privacy Framework. She acknowledged there are many privacy commonalities among countries to build on; however, it's up to each jurisdiction to determine how it wants to use the system within the context of its data-protection framework.

The GCBPR is "a tool in the toolbox." How it's used is up to each country, said Coe.