BEERG Newsletter - CBPR: A rival to the GDPR?

Derek Mooney writes: Launched by the U.S. Dept of Commerce just over a year ago the Global Cross-Border Privacy Rules (CBPR) forum had its first meeting of 2023 in London last week. The CBPR is a voluntary accountability-based scheme to facilitate data transfers between members countries – it has been seen, by some, as a U.S. rejoinder to GDPR.

Initially launched with a focus on the Asia-Pacific region, CBPR comprises Australia, Canada, Japan, Republic of Korea, Mexico, the Philippines, Singapore, Taiwan (Taipei) and the United States. The UK’s application to join the CBPR will see the group expand its reach to outside the APEC zone. Other countries, such as the UAE, are said to following a similar path as the U.K. in embracing the CBPR model. 

Given the doubts about the U.K.’s future adequacy decisions under GDPR especially given its declared intention to increasingly diverge on data privacy with the EU, you can see why the British government is looking elsewhere.  

The U.K.’s Minister for Data and Digital Infrastructure, Julia Lopez MP told the House of Commons on April 17^th that “The CBPR system is one of the few existing operational mechanisms that, by design, aims to facilitate data flows on a global scale.” While UK officials were cited by Politico as describing the U.K’s participation in CBPR as an example of the major role that London intends to play in designing new global digital rules. 

CBPR allows any jurisdiction to seek Associate status if it supports the principles and objectives of the Forum; has laws that protect personal information; and “at least one public body that is responsible for enforcing law(s) and/or regulation(s).” The framework is based on the APEC Privacy Framework and is consistent with the core principles of the OECD’s Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data.

Put simply, you could say that CBPR aims to create an interoperable, global, data transfer framework without the need for equivalence – a less robust system of adequacy determination – one that could rival GDPR?

Though last week’s forum in London saw progress in bolstering CBPR’s structures and scope, it also seems that global CBPR certification that can serve as a transfer mechanism is still a long way off – so, it may be better to view the CBPR and GDPR as ultimately complementary rather than conflicting – but time will tell.