IIS and CBPR: A long view on building interoperable data transfer frameworks

By Malcolm Crompton

Cross-border data transfers remain one of the hardest practical problems in privacy compliance. One framework IIS has worked on since its earliest days is the Cross-Border Privacy Rules (CBPR) system – first within the Asia-Pacific Economic Cooperation forum (APEC), and now through the Global CBPR Forum. This short reflection was prompted by a recent IAPP article on the Global CBPR Forum.

For the first years of its development (2003-2016), IIS was deeply involved in the creation of the APEC privacy framework and the CBPR system. Much of that process was led by officials from the Australian Attorney-General’s Department, especially Peter Ford and Colin Minihan. IIS led the design of the APEC Data Privacy Pathfinder in 2007, when Australia hosted APEC. After that, we collaborated closely with participants and officials from other economies, including the United States, Japan and Korea, to agree on a workable CBPR system.

Much of our written contribution is collected on the Cross-Border Data Flows and International Regulation page of the IIS website. In particular, our short article ‘East meets West: striving to interoperable frameworks?’ (2014) compares CBPR with EU approaches to cross-border data flows, and explains why CBPR has practical advantages over mechanisms such as adequacy and Binding Corporate Rules. Later papers on that page include our work on benefits realisation from CBPR.

Over time, it became clear that the design of CBPR meant it did not have to be limited to APEC economies. That insight helped drive the creation of the Global CBPR Forum (established by participating jurisdictions in 2022) to transition CBPR and related certifications to a global framework.

In the words of the Global CBPR Forum website, Global CBPR certifications “allow organizations to demonstrate their compliance to internationally-recognised data protection and privacy standards developed and supported by participating jurisdictions. Accountability is a key feature of the Global CBPR and Global PRP Systems. Companies that seek Global CBPR or Global PRP certification must have their data protection and privacy policies and practices verified by a third-party certification entity known as an Accountability Agent.”

In practical terms, the Global CBPR System is designed to ensure that when a certified organisation moves personal information across borders, it is protected to the standards prescribed by the Global CBPR Framework. Importantly, participating jurisdictions nominate an enforcement “backstop” (a privacy enforcement authority/regulator) to support compliance and provide redress for individuals should matters reach that point.

Participation in Global CBPR has grown only slowly – not least because of stout resistance from European interests. But grow it does.

The recent article in IAPP News echoes everything IIS has been saying for the last 15-20 years. It is usefully titled “What makes the Global CBPR Forum an attractive data transfer framework to implement?” If your organisation is reassessing cross-border transfer mechanisms in 2026, Global CBPR is worth putting on the shortlist for serious evaluation.
