New Global Cross-Border Privacy Rules Forum established by APEC CBPR members

The APEC CBPR and Privacy Recognition for Processors (PRP) systems are accountability-based voluntary frameworks for facilitating cross-border data transfers, similar to the EU binding corporate rules (BCRs) under GDPR. To become CBPR or PRP certified, companies need to apply to a third-party ‘accountability agent’ recognised by one of the APEC economies that have joined the systems. Enforcement of those certifications is based on separate APEC arrangements for cross-border privacy enforcement, and APEC and the EU have been looking into whether it would be possible to create a system of interoperability involving the BCRs and APEC CBPR and PRP systems.

The new Global Forum intends to develop an independent international certification system, based on the existing APEC CBPR and PRP systems, in order to bridge different regulatory approaches to data protection and increase the uptake of these systems globally. The FAQs document issued by the US Government clarifies that the new international certification system will be administered separately from the existing APEC CBPR and PRP systems. It also explains that the founding members of the Global CBPR Forum will work on the formal transition of operations under the APEC CBPR and PRP systems in their jurisdictions to the Global CBPR and PRP. All currently approved accountability agents and companies certified under the APEC CBPR or PRP systems are expected to be recognised automatically in the new Global CBPR Forum.

The pursuit of interoperability with other data protection and privacy frameworks is one of the objectives of the new Forum. Non-APEC jurisdictions that accept the objectives and principles of the Forum will also be able to join.

The founding economies for the new Global CBPR Forum include Canada, Japan, the Republic of Korea, the Philippines, Singapore, Taiwan, and the USA.