What is the Global CBPR Forum?
The Global Cross-Border Privacy Rules (CBPR) Forum administers and promotes the adoption of the Global Cross-Border Privacy Rules (CBPR) System and Global Privacy Recognition for Processors (PRP) System to facilitate data protection and the free flow of data globally. It also seeks to share best practices and promote cooperation on data protection and privacy, and pursue interoperability with other data protection and privacy frameworks.
The Global CBPR Forum was established in April 2022. The 2022 Global CBPR Declaration and the Global CBPR Framework set forth the principles and objectives of the Forum. The Global CBPR Forum Terms of Reference sets out the structure and operational aspects of the Forum, e.g., the Global Forum Assembly (GFA) as the Forum’s policymaking body.
What is the Global CBPR Framework?
The Global CBPR Framework establishes a set of principles (the Global CBPR Privacy Principles on which the Global CBPR and Global Privacy Recognition for Processors (PRP) Systems are based) and implementation guidelines for jurisdictions to effectively protect personal information and privacy while maintaining information flows. It is based on the APEC Privacy Framework and is consistent with the core principles of the OECD’s Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data.
Members of the Forum commit to align their domestic legal systems with the Global CBPR Framework, either by implementing the Global CBPR and/or Global PRP Systems or by recognizing the Global CBPR and/or Global PRP Systems as valid data transfer mechanisms in their laws.
What are the Global CBPR and Global PRP Systems?
The Global CBPR and Global PRP Systems are practical, government-backed, privacy certifications which allow organizations to transfer personal information across participating jurisdictions seamlessly. Organizations in participating jurisdictions can be certified as Global CBPR- or Global PRP-compliant if they implement data protection and privacy policies and processes that are consistent with the Systems’ program requirements, which are based on Global CBPR Privacy Principles.
The Global CBPR System applies to data controllers, organizations that control the collection, holding, processing, use, disclosure or transfer of personal information. The Global PRP System was designed to help processors, organizations which process data on behalf of data controllers, to demonstrate their ability to effectively implement a data controller’s data protection and privacy requirements.
How are the Global CBPR and Global PRP Systems related to the Asia-Pacific Economic Cooperation (APEC) CBPR and PRP Systems?
The Global CBPR and Global PRP Systems are based on the APEC CBPR and APEC PRP Systems. As such, the Global CBPR and Global PRP Systems were substantively the same as the APEC CBPR and PRP Systems when the Global Systems were established.
However, they are administered separately – the Global CBPR Forum administers the Global CBPR and Global PRP Systems whereas APEC administers the APEC CBPR and PRP Systems. The Forum is currently undertaking efforts to review and update the Global CBPR and Global PRP Systems to ensure continued alignment with best practices across Members, so these Systems will diverge from the APEC CBPR and PRP Systems in the future.
For more information on how the Global CBPR and Global PRP Systems are administered, please refer to the Forum’s Terms of Reference and the Global CBPR and Global PRP Systems Policies, Rules and Guidelines, which can be found on the Forum’s website, https://www.globalcbpr.org/documents/.
What is the Global CAPE?
The Global Cooperation Arrangement for Privacy Enforcement (CAPE) is a practical multilateral mechanism for Privacy Enforcement Authorities (PEAs) to cooperate in cross-border data protection and privacy enforcement. It creates a framework under which participating PEAs may, voluntarily, share information and request and render assistance to each other.
All PEAs can apply to participate in Global CAPE; participation is not limited to PEAs of Global CBPR Forum Members or Associates. That said, the participation of at least one Privacy Enforcement Authority in the Global CAPE is a prerequisite for jurisdictions applying to be a member of the Global CBPR Forum.
How can jurisdictions participate the Global CBPR Forum?
A jurisdiction can participate in the Forum as an Associate or Member.
Associates may participate in the Forum’s governing body, the Global Forum Assembly (GFA). Associates may contribute to GFA meetings and activities but do not have decision making authority.
Members participate in the Global CBPR System and/or Global PRP System and set the Forum’s policy and strategy to advance the Forum’s principles and objectives.
A jurisdiction interested in participating in the Global CBPR Forum should contact the Chair of the Membership Committee (membership@globalcbpr.org) for more information.
The criteria and application process for joining the Forum as a Member or Associate is detailed on the Forum’s website, https://www.globalcbpr.org/about/membership/, as well as in the Forum’s Terms of Reference, which can also be found on the Forum’s website, https://www.globalcbpr.org/documents/.
A privacy enforcement authority can join the Global Cooperation Arrangement for Privacy Enforcement (CAPE), which the Global CBPR Forum established to facilitate enforcement cooperation. The Global CAPE is open to participation by any privacy enforcement authority even if the jurisdiction in not a Member or Associate of the Forum. A privacy enforcement authority interested in joining the Global CAPE should contact the Global CAPE co-administrators (Personal Information Protection Commission, Japan: international.i7d@ppc.go.jp or Federal Trade Commission, U.S: mpanzera@ftc.gov )
What are the benefits of becoming a Member of the Global CBPR Forum?
Members can participate in the Global Cross-Border Privacy Rules (CBPR) System and/or the Global Privacy Recognition for Processors (PRP) System, thereby making the Global CBPR and/or Global PRP certification available to businesses in their jurisdiction. They also determine the Forum’s policies and strategies and shape the Forum’s work.
Participating in the Global CBPR and PRP Systems offers substantial benefits, including enhanced data protection for individuals, a competitive advantage and streamlined compliance for businesses, and improved trade facilitation for the jurisdiction’s economy.
What are the benefits becoming an Associate of the Global CBPR Forum?
Jurisdictions that may not yet be ready to participate as Member of the Global CBPR Forum may consider joining as an Associate of the Forum. Becoming an Associate of the Global CBPR Forum provides jurisdictions the opportunity to participate in GFA meetings and have direct access to a diverse group of stakeholders with expertise on the cross-border data flows framework. With this, Associates can gain a deeper understanding of the Forum’s work and have direct engagement with Members. This engagement helps jurisdictions prepare for potential full membership in the Global CBPR Forums.
Associate status is valid for an initial period of two years, during which an Associate is expected to initiate an application for Membership.
How do the Global CBPR Systems impact domestic laws of participating jurisdictions?
The Global CBPR System establishes baseline protections that all certified organizations must comply with, but it does not replace domestic laws . In addition to adhering to the Global CBPR Program Requirements, Global CBPR-certified organizations must also comply with the privacy laws wherever they operate.
What kinds of organizations get certified under the Global Cross-Border Privacy Rules (CBPR) and Global Privacy Recognition for Processors (PRP) Systems?
The Global CBPR System certification helps personal information controllers (“controllers”) demonstrate compliance with internationally recognized data protection and privacy requirements. Many Global CBPR certified organizations operate across jurisdictions requiring a framework to manage cross-border personal data transfers and comply with data protection and privacy laws.
The Global PRP System certification helps personal information processors (“processors”) demonstrate their ability to assist controllers in complying with relevant data protection and privacy obligations.
How can my organization obtain Global CBPR or Global PRP certification?
As a first step, please visit the list of recognized Accountability Agents on the Global CBPR Forum website (https://www.globalcbpr.org/accountability-agents/) to check if there are Forum-recognized Accountability Agents operating in the jurisdiction where your organization is primarily located, i.e., where your HQ is based. Accountability Agents are third-party certification bodies approved by the Global CBPR Forum to certify interested organizations to the Global CBPR and/or Global PRP System.
In the United States there are multiple Accountability Agents, and you may wish to consult with more than one to find one that best suits your organization. As one of the first steps in the certification process, the Accountability Agent will request that you complete an intake questionnaire, which is a self-assessment of how your organization’s data protection and privacy policies, practices and processes comply with the Global CBPR and/or Global PRP Systems Program Requirements. The Accountability Agent will review your completed intake questionnaire and work with you to ensure you are meeting all of the Program Requirements.
The Global CBPR and Global PRP System Intake Questionnaires are available in the Forum’s website.
Where can I find the Global CBPR and/or Global PRP System Program Requirements?
The Global CBPR System Program Requirements and Global PRP System Program Requirements can be found on the Forum’s website.
What happens after my organization obtains the Global CBPR and/or Global PRP certification?
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec ullamcorper mattis, pulvinar dapibus leo.
Once the Accountability Agent has verified that your organization is compliant, it will issue your organization the Global CBPR and/or Global PRP certification seal. The details of your organization’s certification will also be published on the Compliance Directory of the Global CBPR Forum website.
Global CBPR and Global PRP certifications are valid for a year.
Once an organization has been certified for participation in the Global CBPR System, these data protection and privacy policies and practices are binding to that organization and enforceable.
What if there are no Forum-recognized Accountability Agents operating where my HQ is based?
Currently the Global CBPR and Global PRP certifications are only available to companies that have a Forum-recognized Accountability Agent operating in their jurisdiction. We recommend that you reach out to the Privacy Enforcement Authority in your jurisdiction for updates on whether an Accountability Agent will begin operating in your jurisdiction.
