The United States is making efforts to further ease the burden of managing cross-border data transfers amid vast and often divergent privacy regulations across the globe. In addition to the recent announcement from the EU and U.S. of an agreement on the Trans-Atlantic Data Privacy Framework, as announced by the U.S. Department of Commerce on April 21, the U.S. is teaming up with Canada, Japan, Singapore, Chinese Taipei, and the Republic of Korea to create the Global Cross-Border Privacy Rules (CBPR) Forum.
The Forum is based upon the CBPR System, which is a certification program backed by governments that companies can join in order to demonstrate compliance with internationally recognized data privacy protections. CBPR has been endorsed by the APEC leaders in the past and implements the APEC Privacy Framework. The CBPR aims to protect personal data by requiring (i) enforceable standards, (ii) accountability, (iii) risk-based protections, (iv) consumer-friendly complaint handling, (v) consumer empowerment, (vi) consistent protections, and (vii) cross-border enforcement cooperation.
In addition to the CBPR System, which only applies to data controllers, the Global CBPR Forum pulls ideas from the Privacy Recognition for Processors (PRP) System. The PRP System, meanwhile, applies to the processors of personal information, helping them demonstrate to controllers that they can successfully and effectively implement the privacy obligations related to processing personal information. By pulling from both the CBPR and PRP Systems, the Global CBPR Forum is geared towards certifying and supporting all actors dealing with personal information as an independent certification system.
Supporting the free flow of data through effective data protection and privacy is one of the main goals of the Global CBPR Forum. In addition, the Forum aims to encourage information exchange and incorporation, and to regularly review the data protection and privacy standards of its members to ensure best practices and support working effectively with other data protection and privacy frameworks.
The announcement reflects the global motivation to make the burdens of complying with cross-border data transfer requirements more manageable in the face of increasing regulation.