On April 21, 2022, the U.S. Department of Commerce Secretary Gina Raimondo (the “Department”) announced a key development in international collaboration concerning cross-border data flows with the newly created Global Cross-Border Privacy Rules Forum (the “Global CBPR Forum”) along with Canada, Japan, the Republic of Korea, the Philippines, Singapore and Chinese Taipei. The Global CBPR Forum is charged with promoting interoperability and helping bridge varying regulatory approaches to data protection and privacy. The Global CBPR Forum will also establish an international certification system to help companies demonstrate compliance with internationally recognized data privacy standards.
This is a positive development for businesses with international operations, as it has the potential to provide much needed clarity on cross-border data transfers. This clarity becomes critical as more jurisdictions adopt comprehensive privacy laws (or revise their existing laws to include cross-border data transfer requirements). This announcement by the Department regarding the CBPR comes a month after it had announced that the US and EU had reached in agreement in principle on developing a new legal framework for GDPR-compliant data transfers from the EU to the US. Both of these announcements indicate that cross-border data transfers (and addressing legal issues related to them) are an area of priority for the Department.
Tangential to the announcement, the Department released a declaration and a brief ‘Frequently Asked Questions’ (FAQ). Below are selected highlights from the Department’s declaration:
- Objectives. With reliance on the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems, the Forum will promote the Global CBPR and PRP Systems to facilitate cross border data flow and encourage collaboration.
- Cooperation. Cooperation will be based on principles of mutual benefit and commitment between the member countries; consultation between the members will be based on such members’ research, analysis and policy ideas and active stakeholder participation, where appropriate.
- Participation. Participation in the Global CBPR Forum will be open to those countries which accept the objectives and principles of the Global CBPR Forum. Decisions regarding future participation in the Global CBPR Forum will be based on the unanimous consensus of all members. Non-members may be invited to the meeting of the Global CBPR Forum, at the discretion of all forum members.
- Governance. Meetings of Global CBPR Forum will be held at least biannually in order to determine the direction and implementation of the Global CBPR framework.
In the FAQ, the Department mentioned that (1) the Global CBPR Forum will consult with accountability agents and certified companies under APEC in order to transition operations from APEC to the Global CBPR Forum; (2) businesses currently certified under APEC’s accountability agents will automatically be recognized in the new Global CBPR Forum under on the same terms. The Department recommends that certified companies to contact their agents for more information about the transition; and (3) the Global CBPR Forum members will be open and welcome any consultations from countries that are aligned with its objectives.
Businesses should closely follow how the independent Global CBPR Forum will pave the way for new members, the transition that businesses under APEC will need to follow to comply with the Global CBPR Forum, and the compliance obligations required for the new certification standards set by the Global CBPR Forum.