Asia-Pacific Economic Cooperation CBPR Goes Global: What You Need to Know

On April 21, 2022, Canada, Japan, the Republic of Korea, the Philippines, Singapore, Chinese Taipei, and the United States announced the establishment of the Global Cross-Border Privacy Rules Forum (the “Forum”).

The Forum aims to create new international Cross-Border Privacy Rules (“CBPR”) and Privacy Recognition for Processors (“PRP”) certification systems open to any interested global jurisdictions. U.S. Secretary of Commerce Gina M. Raimondo, in her announcement, described the establishment of the Forum as “the beginning of a new era of multilateral cooperation in promoting trusted global data flows.” She also explained that the Forum is the “first-of-their-kind data privacy certifications that help companies demonstrate compliance with internationally recognized privacy standards.”

Background: The Asia-Pacific Economic Cooperation (“APEC”) is a regional Forum of Pacific Rim countries created in 1989 to foster economic development and integration between its members. APEC members adopted their Privacy Framework in 2005 and established the CBPR in 2011 to implement that framework. Currently, nine countries participate in the CBPR, including the United States, Mexico, Canada, Japan, South Korea, Singapore, Chinese Taipei, Australia, and the Philippines. In 2015, APEC created the companion Privacy Recognition Processors (“PRP) certification for data processors. Currently, the United States and Singapore are the only participating countries.

The Forum is the latest in a string of cross-border privacy initiatives announced this year. On March 25, the United States and European Union announced a preliminary agreement on a new data transfer framework, the Trans-Atlantic Data Privacy Framework. Also in March, the EU and nine Asian nations – Australia, Comoros, India, Japan, Mauritius, New Zealand, the Republic of Korea, Singapore, and Sri Lanka – issued a joint declaration on privacy and the protection of personal data; marking the start of efforts to create a cooperative privacy framework between the continents.

What Global CBPR Forum hopes to accomplish: Here are the Forum’s expected goals:

  • To promote expansion and uptake of the Global CBPR and PRP Systems globally to facilitate data protection and free flow of data.
  • To disseminate best practices for data protection and privacy and interoperability.
  • To pursue interoperability with other data protection and privacy frameworks.

Timeframe: The Forum anticipates creating new CBPR and PRP systems in the foreseeable future but has not announced an expected date. They have told companies with current APEC CBPR and PRP certifications that they will receive 30 days’ notice before the new systems are in effect.

Looking Ahead: Companies who are currently certified by APEC need do nothing. For companies interested in certification, doing so now guarantees certification with the Forum’s new CBPR and PRP systems.

As noted, the establishment of the Global CBPR Forum is a huge step toward a single global standard for data privacy and data transfer. Considering the Trans-Atlantic Privacy Framework negotiations and the March joint declaration between the EU and countries in Asia to negotiate a framework, it seems only a matter of time before there are comprehensive global data privacy standards. Whether or not the Forum is the ultimate group responsible is yet to be seen.

For additional information on this topic, please contact Martin Tully at mtully@redgravellp.com or Billy Minshall at wminshall@redgravellp.com.