On June 2, 2025, the Global Cross-Border Privacy Rules (“CBPR”) Forum officially launched the Global CBPR and Privacy Recognition for Processors (“PRP”) certifications.  Building on the existing Asia-Pacific Economic Cooperation (“APEC”) CBPR framework, the Global CBPR and PRP systems aim to extend privacy certifications beyond the APEC region.  They will allow controllers and processors to voluntarily undergo certification for their privacy and data governance measures under a framework that is recognized by many data protection authorities around the world.  The Global CBPR and PRP certifications are also expected to be recognized in multiple jurisdictions as a legitimizing mechanism for cross-border data transfers.

Global CBPR and PRP Certifications

The “Global CBPR System” has been developed for controllers, and the “Global PRP System” has been developed for processors.  Some jurisdictions—such as Japan, Singapore, Bermuda and the Dubai International Financial Centre—already recognize the CBPR certification as a valid mechanism for cross-border data transfers under domestic law.  More jurisdictions are expected to recognize the CBPR certification as a valid mechanism for cross-border data transfers.

To obtain certification, organizations must undergo an independent assessment by an approved Accountability Agent to verify that their privacy practices meet the applicable program requirements.  Once certified, organizations will be able to display certification marks to indicate that they are certified under the Global CBPR System and/or the Global PRP System, demonstrating that they meet internationally recognized privacy and data protection standards.  The substantive requirements are as follows:

  • For Controllers: Under the Global CBPR System, organizations are required to implement key privacy principles such as notice, purpose limitation, data integrity, security safeguards, access and correction rights, and accountability.  Updates expected later in 2025 will introduce additional requirements on sensitive personal information, children’s personal information, and breach notification.  
  • For Processors: The PRP System focuses on two core areas, security safeguards and accountability.   

Organizations already certified under the APEC CBPR system will have their certifications automatically recognized under the Global CBPR system, although the APEC and Global CBPR systems will continue to operate separately.

Background to the Global CBPR Forum

The Global CBPR Forum was established in 2022 via the Global CBPR Declaration and builds on the existing APEC CBPR System. Its purpose is to expand the territorial scope of the original APEC framework to support data protection and the free flow of data globally, promote cooperation among governments, and achieve greater interoperability between privacy regimes.

The Global CBPR Forum currently includes the following full members: Australia, Canada, Japan, the Republic of Korea, Mexico, the Philippines, Singapore, Chinese Taipei, and the United States.  The United Kingdom, Bermuda, the Dubai International Financial Centre, and Mauritius have joined as “Associate” Members.  While Associate Members may participate in discussions, they do not offer the certification to organizations within their jurisdiction.  For background on the Global CBPR Forum’s origins and the UK’s early engagement with the system, see our previous post: “Global CBPR Forum: A New International Data Transfer Mechanism”.

The Global CBPR Forum also includes the Global Cooperation Arrangement for Privacy Enforcement (“CAPE”), a multilateral arrangement established in 2023 to enable data protection authorities to cooperate in cross-border data protection and privacy enforcement.  Global CAPE provides a structure through which regulators may voluntarily share information and request or provide assistance.  The current members of Global CAPE, which include the UK Information Commissioner’s Office and the U.S. Federal Trade Commission, are listed here.

Covington regularly monitors developments regarding data transfers, and we would be happy to provide guidance about the Global CBPR Forum, whether you are a country interested in joining the Forum or an organization seeking to learn more about the certification process.

Sam Jungyun Choi

Recognized by Law.com International as a Rising Star (2023), Sam Jungyun Choi is an associate in the technology regulatory group in Brussels. She advises leading multinationals on European and UK data protection law and new regulations and policy relating to innovative technologies, such as AI, digital health, and autonomous vehicles.

Sam is an expert on the EU General Data Protection Regulation (GDPR) and the UK Data Protection Act, having advised on these laws since they started to apply. In recent years, her work has evolved to include advising companies on new data and digital laws in the EU, including the AI Act, Data Act and the Digital Services Act.

Sam’s practice includes advising leading companies in the technology, life sciences and gaming sectors on regulatory, compliance and policy issues arising under laws relating to privacy and data protection, digital services and AI. She advises clients on designing new products and services, preparing privacy documentation, and developing data and AI governance programs. She also advises clients on matters relating to children’s privacy and policy initiatives relating to online safety.

Matsumoto Ryoko

Ryoko Matsumoto is a global visiting lawyer who attended Kyoto University, Kyoto University Law School, and Stanford Law School.

Stacy Young

Stacy Young is an associate in the London office. She advises technology and life sciences companies across a range of privacy and regulatory issues spanning AI, clinical trials, data protection and cybersecurity.