The Global CBPR System: A Compliance Framework for Cross-Border Data Flows Between Non-EU Countries

The Global CBPR System: A Compliance Framework for Cross-Border Data Flows Between Non-EU Countries

Key Takeaways

The Global Cross-Border Privacy Rules (Global CBPR) is a set of rules designed to facilitate international transfers of personal data between countries outside the European Union. The objective of this system is to ensure that organizations processing personal data comply with a common baseline of data protection rules within the territories of participating jurisdictions.


The Global Cross-Border Privacy Rules (“Global CBPR”) constitute a mechanism for transferring personal data between certified entities in jurisdictions that are members of the Global CBPR Forum. Effective as of June 2, 2025, this system aims to ensure that organizations handling personal data adhere to a shared set of data protection standards within the territories of member countries.

In this article, we explain what the Global CBPR is, how it operates, how it interacts with national data protection laws, which countries are participants, and the main differences between this system and the APEC CBPR.

In a second article, we will provide a comparative analysis between the Global CBPR and the GDPR.


1. What Is Global CBPR?

The Global Cross-Border Privacy Rules (Global CBPR) is a mechanism enabling the transfer of personal data between organizations (private companies and public authorities) located in member countries of the Global CBPR Forum.

This system, initiated in April 2022 through the Global CBPR Declaration, (1) is based on the principles of the APEC Cross-Border Privacy Rules. (2) However, the Global CBPR extends beyond the Asia-Pacific region and is intended to serve as a global reference framework for cross-border data flows. It became effective on June 2, 2025.

Like the APEC CBPR, the Global CBPR is grounded in the OECD Guidelines on the Protection of Privacy and Trans-Border Flows of Personal Data. (3) It encompasses obligations such as notice to data subjects, choice (consent), purpose limitation, rights of access and correction, data integrity and security, and data controllers accountability.

The framework has a dual objective: to protect personal data and privacy rights across participating jurisdictions, and to facilitate cross-border data flows essential for economic activity, trade, and innovation.

Unlike the GDPR, which is directly binding across EU Member States and largely harmonizes data protection in the EU, the Global CBPR operates on a voluntary participation model. Jurisdictions may elect to join the system, and organizations within those jurisdictions can apply for certification. Only Global CBPR-certified entities are permitted to transfer data to another certified entity in a member jurisdiction, provided that all program requirements are met.

The Global CBPR includes two distinct but complementary systems:
     - The Global Cross-Border Privacy Rules System (Global CBPR), for data controllers; and
     - The Global Privacy Recognition for Processors (Global PRP), for processors acting on behalf of controllers.

The system is governed by the Global CBPR Forum.


2. Overview of Global CBPR Operating Rules

The Global Cross-Border Privacy Rules System is built on a voluntary, certification-based model aimed at ensuring that certified organizations adhere to a shared foundation of privacy and data protection principles across member jurisdictions.

Its functioning is structured around three components: the core privacy principles, the scope of application, and the application and supervision mechanisms of Global CBPR.

    2.1 Global CBPR Privacy Principles

The Global CBPR is based on nine core privacy principles:

     1. Preventing Harm: Data protection rules must be designed to prevent misuse and reduce risks of harm to individuals;
     2. Notice: Organizations must provide clear, accessible information about their data practices, including methods of collection, purposes, sharing practices, and individuals’ rights;
     3. Collection Limitation: Personal data should be collected only if relevant, lawful and fair, preferably with notice or consent;
     4. Use of Personal Information (processing): Data use must be limited to declared or “compatible” purposes, unless further processing is legally authorized or based on consent;
     5. Choice (Consent): Individuals must have meaningful options regarding the collection, use, and disclosure of their data, along with mechanisms to exercise these rights;
     6. Integrity of Personal Information: Organizations must ensure that data is accurate, complete, and up to date;
     7. Security Safeguards: Controllers must implement physical, technical, and organizational measures to prevent data loss, unauthorized access, or misuse of data;
     8. Access and Correction: Individuals should be able to access and correct their data where necessary;
     9. Accountability: Organizations must implement internal policies, designate responsible persons, and demonstrate compliance through audits and oversight mechanisms.

For data processors, the Global PRP Program simplifies these requirements by focusing on:

     1. Security measures (technical, organizational, and procedural); 
     2. Accountability, ensuring adherence to with controller instructions, breach notification, and secure deletion of data.

    2.2 Scope of Application of Global CBPR

The Global CBPR applies to data controllers and processors (via the Global PRP), provided they are established in a member jurisdiction of the Global CBPR Forum.

Each member jurisdiction integrates the Global CBPR rules into its domestic data protection framework (for example, Singapore aligns it with its Data Protection Trustmark (DPTM) certification, while Japan integrates it in its GDPR adequacy decision framework).

    2.3 Application and Supervision of Global CBPR

The Global CBPR system is implemented and supervised by Accountability Agents, national data protection authorities, and the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE).

Accountability Agents are independent national entities responsible for reviewing applications, granting certifications, and continuously monitoring certified organizations through audits and complaint handling.

National data protection authorities retain their regulatory competence. They ensure compliance with applicable domestic laws and may impose penalties in case of violations by organizations operating within their jurisdiction.

The system is reinforced by Global CAPE, a multilateral cooperation mechanism among Privacy Enforcement Authorities of member jurisdictions. Its functions include:

Global CAPE is a multilateral network of cooperation among privacy enforcement authorities of member countries. Its goals include:

     - Enabling regulators to share information and cooperate in investigations;
     - Strengthening cross-border enforcement of Global CBPR; and
     - Establishing a coordinated oversight mechanism bridging the gap between voluntary certification and national enforcement.

Global CAPE itself does not exercise disciplinary power over certified organizations.


3. Interaction with National Data Protection Laws

The Global CBPR system does not replace or override national data protection laws.

    3.1 Global CBPR vs. National Laws: A Complementary Role

Global CBPR is presented as a “common denominator” of data protection rules, allowing organizations to demonstrate compliance with international standards in this domain. The system acts as a bridging mechanism between different national legal systems, easing compliance for organizations operating across multiple jurisdictions.

    3.2 Implementation at the National Level

The effectiveness of Global CBPR depends largely on how national laws recognize or incorporate certification. According to the Global CBPR Framework (2023), each jurisdiction implements the system through its existing institutional structures.

Certification requires recognition by each national data protection authority. Accountability Agents are accredited domestically to ensure consistency with local regulations.

Exceptions to the scope and conditions of application of Global CBPR relating to national sovereignty, public order, or security may be applied at each member jurisdiction’s discretion, provided they are proportionate and transparent.


4. Countries Participating to Global CBPR

The Global CBPR Forum currently includes nine full member jurisdictions, several associate members, and a growing number of observer countries.

    4.1 Full Member Jurisdictions of the Global CBPR Forum

The Global CBPR Forum was officially launched in April 2022 with the Global CBPR Declaration. The founding members were Canada, Japan, the Republic of Korea, the Philippines, Singapore, and the United States. These six founding jurisdictions were part of the APEC CBPR system and transitioned into Global CBPR, with their prior certification being “integrated” into the new scheme.

Three additional jurisdictions have since joined the Forum as full members: Australia, Mexico, and Chinese Taipei (Taiwan).

    4.2 Associate Members and Observers

Several countries have joined as associate members, including the United Kingdom, Bermuda, the Dubai International Financial Centre (DIFC), Mauritius, and Nigeria.

A number of other countries participate as observers, with potential future participation under consideration.


5. Key Differences Between Global CBPR and APEC CBPR

The Global CBPR originates from the APEC CBPR, launched in 2011 to enable personal data flows among APEC’s 21 members. While both systems share accountability principles and fundamental privacy values, Global CBPR represents a significant evolution in several respects.

    5.1 Enhancements Introduced by Global CBPR

Global CBPR brings several enhancements upon APEC CBPR, including:

    - Expanded geographic scope: while APEC CBPR is limited to APEC’s 21 members and designed as a regional mechanism, Global CBPR is open to all jurisdictions worldwide, including non-APEC countries. 

    - Augmented certification requirements: although organizations already certified under APEC CBPR were automatically recognized under Global CBPR, the new system introduces broader requirements, including:

     o Data breach notification,
     o Management of sensitive data,
     o Rules on direct marketing and withdrawal of consent,
     o Designation of data protection officers (DPOs),
     o Maintenance of records of processing activities (RoPA),
     o Specific safeguards for children’s data.

    - Distinct governance structure: APEC CBPR is administered within the APEC institutional framework, overseen by the APEC Electronic Commerce Steering Group. In contrast, Global CBPR is governed by the Global CBPR Forum, an independent international body established by the 2022 Declaration.

    5.2 Status of APEC CBPR

The APEC CBPR system is still in place and continues functioning within the APEC institutional framework. However, in practice it is now largely superseded by Global CBPR, which has absorbed its principles, structure, and certification model.

In participating jurisdictions, both systems may coexist. Existing APEC CBPR certifications remain valid, but new certifications increasingly align with the Global CBPR framework.

Thus, while APEC CBPR will persist for now, it is expected to gradually give way to Global CBPR as the de facto standard for cross-border data protection certification.


    The Global CBPR complements, but does not replace, national data protection regimes. The system is designed to build bridges between diverse national privacy frameworks, offering a flexible certification mechanism to facilitate cross-border data transfers.

The effectiveness of Global CBPR will depend on the extent of its recognition by additional jurisdictions and its integration into national data protection regulations. It is therefore a hybrid mechanism: standardized at the international level, yet implemented flexibly at the national level.

As of today, the Global CBPR Forum includes nine member jurisdictions. The accession of new members, particularly those beyond the Asia-Pacific region, will broaden the system’s influence as a parallel framework to the GDPR for governing cross-border data flows.

* * * * * * * * * * *


(1) Global Cross-Border Privacy Rules (CBPR) Declaration, 21 April 2022

(2) APEC Cross-Border Privacy Rules System Program. APEC, the Asia-Pacific Economic Cooperation organization, comprises 21 countries in the Asia-Pacific region.

(3) OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data


Bénédicte DELEPORTE
Avocat

Deleporte Wentz Avocat
www.dwavocat.com

October 2025 


Retourner à la page des Actualités et Publications

Mots clés :

accessibilité numérique (7) adwords (3) ai (25) anssi (3) arcep (3) arcom (15) audiovisuel (3) audit (1) base de données (3) bitcoin (1) blockchain (6) cbpr (5) cgv (1) chine (1) cjue (1) cloud computing (3) cnil (17) commerce (4) communication (8) compliance (32) confidentialité (3) conformité (19) consommateurs (3) contrat (8) contrefaçon (10) cookies (6) copyright (5) cryptologie (1) csa (1) cybercriminalité (5) cybersquatting (3) data (1) data privacy framework (2) dma (4) données à caractère personnel (17) données personnelles (31) dpf (2) droit d'auteur (11) dsa (8) e-commerce (15) e-consommateurs (1) enfance (6) etats-unis (5) eu (17) europe (16) formation (1) fraude (2) gdpr (28) google (4) hébergeur (5) ia (18) ico (1) informatique (11) informatique et libertés (4) intelligence artificielle (17) internet (32) jeu vidéo (3) liberté d'expression (3) logiciel (11) loi informatique et libertés (5) loi sren (6) marque (3) métavers (3) méthode agile (2) monnaie électronique (1) moteur de recherche (7) nda (1) nft (4) nom de domaine (1) numérique (11) originalité (5) privacy shield (2) propriété intellectuelle (13) protection des données (10) publicité (6) référencement (4) réglementation (12) réseau (2) réseaux sociaux (11) responsabilité (10) responsable du traitement (11) rgpd (21) robotique (7) rpa (6) salariés (4) santé publique (1) sécurité (7) singapour (8) site web (3) us (3) vie privée (21)