In recent months and years, considerable attention has been paid to the complexities of cross-border data transfers. Variability in international standards has added to the compliance costs for business and other organizations operating in multiple jurisdictions. In what was characterized by the US Commerce Secretary as a “historic moment” and the “beginning of a new era of multilateral cooperation” the United States, Canada, Japan, the Republic of Korea, the Philippines, Singapore, and Taiwan announced the establishment of a Global Cross-Border Privacy Rules (“CBPR”) Forum. The announcement comes in the context of rapidily emerging shifts in the international privacy landscape. Since the development of the EU’s General Data Protection Regulation (“GDPR”), there has been a proliferation of differing schemes. This patchwork landscape creates difficulties for individuals and businesses alike.
Amongst other things, the objectives of the Global CBPR Forum is to establish new internationally recognized certification systems and data privacy standards. These are to be based on the existing CBPR and Privacy Recognition for Processors (“PRP”) Systems, data privacy protection standards developed by Asia-Pacific Economic Cooperation (“APEC”). The goal is to permit certification for companies that meet high privacy standards and safeguards when transferring data globally. The Forum’s aim is to facilitate trade and cross-border data flow in a manner that reflects shared data privacy values and bridge differences in regulatory approaches to the issue. Further stated aims include periodic reviews of data protection and privacy standards of members to ensure alignment with best practices, and expansion and uptake of the systems globally.
Organizations and privacy industry stakeholders will be watching these developments closely and monitoring for expansion of participating member states. Companies that need to process, transfer or share data with global partners, vendors, or customers in any of the participating jurisdictions, should take note of these announcements and the prospective benefits of certification.
These developments are timely, with recent attention paid to negotiations between the United States and the European Union to establish a Trans-Atlantic Data Privacy Framework. In March 2022, the European Commission and the United States announced that a political agreement in principle had been reached on its creation. The United States has committed to establishing unprecedented measures and new safeguards to protect the privacy of personal data of individuals in the European Economic Area (“EEA”) for data transferred to the United States. Although this framework is eagerly anticipated, it is not yet a basis under which EEA data exporters can transfer data to the United States. Data exporters must continue to take heed of the case law from the Court of Justice of the European Union, and in particular its Schrems II decision of 16 July 2020, which invalidated the EU-U.S. Privacy Shield framework, necessitating the creation of this subsequent framework.
These recent announcements suggest that there is the potential for significant advancement in the harmonization of international standards for privacy and transborder data flows; a development that would be most welcome to many who have lamented the inefficiencies resulting from the uncertainty and cost of compliance in the modern digital economy.
The formal announcement and declaration of the founding members of the Global CBPR Forum can be found here:
A fact sheet on the Trans-Atlantic Data Privacy Framework can be found here:
FACT SHEET: United States and European Commission Announce Trans-Atlantic Data Privacy Framework | The White House