On April 17, 2023, the UK applied to join the Global Cross-Border Privacy Rules (“CBPR”) Forum as an Associate member. It is the first country to declare its application to participate in the Global CBPR as an Associate member since its inception one-year ago. In addition to its application, the UK co-hosted the Global CBPR Forum workshop “At One Year: Challenges and Opportunities”, which took place between April 17 to April 20, 2023.

Facilitating data transfers and data flows is a top priority for the UK government. While it has been developing data transfer tools such as data bridges, standard contractual clauses, and transfer risk assessments, the government and the UK ICO are also  considering other options, such as the Global CBPR System. As more jurisdictions look towards the Global CBPR System as a potential method for facilitating data transfers, this may become an appealing solution for organizations to consider to legitimize data transfers in multiple jurisdictions.

What is the Global CBPR Forum?

The Global CBPR Forum was established in 2022 via the Global CBPR Declaration, and derives from the Asia-Pacific Economic Cooperation (“APEC”) CBPR System. The Global CBPR Forum aims to expand the territorial scope of the APEC CBPR System in order to (i) facilitate data protection and free flow of data globally, (ii) share best practices and promote cooperation on data protection, and (iii) achieve interoperability with other data protection frameworks.

In order to achieve its aims, the Global CBPR Forum created the Global CBPR System (which is similar to binding corporate rules (“BCRs”) for controllers) and will seek to launch the Global Privacy Recognition for Processors (“PRP”) System (which is similar to BCRs for processors) in due course. The CBPR and PRP Systems are voluntary, accountability-based certification systems that allow organizations to demonstrate their compliance to internationally-recognized data protection and privacy standards, while also facilitating the free flow of data. An organization may apply for certification under the Global CBPR System and/or PRP System, and once they have been certified by a so-called “Accountability Agent”, they would be allowed to carry out cross-border data transfers among the jurisdictions that recognize the system without any further administrative burdens. Organizations can only be certified if the country in which they are headquartered has “Membership” status.

The Global CBPR Forum is currently made up of the following Member countries: Australia, Canada, Japan, the Republic of Korea, Mexico, the Philippines, Singapore, Chinese Taipei, and the United States of America. On April 13, 2023, the Global CBPR Forum officially opened its doors to participation by interested jurisdictions by publishing its Global CBPR Framework and Terms of Reference. The UK has applied to join as an “Associate” member only, and is currently waiting to be admitted.

UK’s participation in the Global CBPR Forum

As an Associate, the UK will be able to participate in the Global CBPR Forum discussions, but they will not have any voting rights to help shape the CBPR and PRP Systems. It is also seen as a pathway to potentially applying for full membership to the Global CBPR Forum.

Under the Associate status, organizations in the UK cannot take advantage of the certification scheme and data transfer mechanism provided under the Global CBPR and PRP Systems — this will only be possible once the UK becomes a full Member of the Global CBPR Forum.

The UK is still in the early stages of its engagement with the Global CBPR Forum, so it remains to be seen whether the UK will apply for full membership.

What does this mean for organizations?

As the Global CBPR Forum grows its membership, its CBPR and PRP Systems could become another data transfer tool that organizations may be able to utilize to legitimize their cross-border data transfers. For businesses with global operations, it can be a challenge to ensure compliance with the increasing number of data protection laws in jurisdictions around the world. As more and more jurisdictions adopt data localization rules or restrictions on data transfers, industry players — as well as policymakers and regulators– are calling for a more interoperable approach to legitimizing data flows. The Global CBPR Forum could be one avenue to explore for developing such an approach.

* * *

Covington regularly monitors developments regarding data transfers, and we would be happy to provide guidance about the Global CBPR Forum, whether you are a country interested in joining the Forum, or if you are an organization seeking to learn more about the certification process.

Photo of Mark Young Mark Young

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to…

Mark Young, an experienced tech regulatory lawyer, advises major global companies on their most challenging data privacy compliance matters and investigations.

Mark also leads on EMEA cybersecurity matters at the firm. He advises on evolving cyber-related regulations, and helps clients respond to incidents, including personal data breaches, IP and trade secret theft, ransomware, insider threats, and state-sponsored attacks.

Mark has been recognized in Chambers UK for several years as “a trusted adviser – practical, results-oriented and an expert in the field;” “fast, thorough and responsive;” “extremely pragmatic in advice on risk;” and having “great insight into the regulators.”

Drawing on over 15 years of experience advising global companies on a variety of tech regulatory matters, Mark specializes in:

  • Advising on potential exposure under GDPR and international data privacy laws in relation to innovative products and services that involve cutting-edge technology (e.g., AI, biometric data, Internet-enabled devices, etc.).
  • Providing practical guidance on novel uses of personal data, responding to individuals exercising rights, and data transfers, including advising on Binding Corporate Rules (BCRs) and compliance challenges following Brexit and Schrems II.
    Helping clients respond to investigations by data protection regulators in the UK, EU and globally, and advising on potential follow-on litigation risks.
  • GDPR and international data privacy compliance for life sciences companies in relation to:
    clinical trials and pharmacovigilance;

    • digital health products and services; and
    • marketing programs.
    • International conflict of law issues relating to white collar investigations and data privacy compliance.
  • Cybersecurity issues, including:
    • best practices to protect business-critical information and comply with national and sector-specific regulation;
      preparing for and responding to cyber-based attacks and internal threats to networks and information, including training for board members;
    • supervising technical investigations; advising on PR, engagement with law enforcement and government agencies, notification obligations and other legal risks; and representing clients before regulators around the world; and
    • advising on emerging regulations, including during the legislative process.
  • Advising clients on risks and potential liabilities in relation to corporate transactions, especially involving companies that process significant volumes of personal data (e.g., in the adtech, digital identity/anti-fraud, and social network sectors.)
  • Providing strategic advice and advocacy on a range of EU technology law reform issues including data privacy, cybersecurity, ecommerce, eID and trust services, and software-related proposals.
  • Representing clients in connection with references to the Court of Justice of the EU.
Photo of Sam Jungyun Choi Sam Jungyun Choi

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous…

Sam Jungyun Choi is an associate in the technology regulatory group in the London office. Her practice focuses on European data protection law and new policies and legislation relating to innovative technologies such as artificial intelligence, online platforms, digital health products and autonomous vehicles. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Sam advises leading technology, software and life sciences companies on a wide range of matters relating to data protection and cybersecurity issues. Her work in this area has involved advising global companies on compliance with European data protection legislation, such as the General Data Protection Regulation (GDPR), the UK Data Protection Act, the ePrivacy Directive, and related EU and global legislation. She also advises on a variety of policy developments in Europe, including providing strategic advice on EU and national initiatives relating to artificial intelligence, data sharing, digital health, and online platforms.