Personal Data Protection: A Comparative Analysis Between the GDPR (EU) and the Global CBPR System
Key Takeaways
In Europe, personal data protection is recognized as a fundamental principle. The General Data Protection Regulation (GDPR) aims to harmonize protection rules within the EU, while the Global Cross-Border Privacy Rules Framework (Global CBPR Framework) seeks to facilitate cross-border data flows among member countries of the Global CBPR Forum within a legally secure environment.
The Global Cross-Border Privacy Rules System (“Global CBPR System”) is a mechanism allowing the transfer of personal data between certified organizations located in the member countries of the Global CBPR Forum. Implemented on June 2, 2025, the objective of this system is to ensure that organizations processing personal data adhere to a common baseline of data protection rules across the territories of participating countries.
In a previous article, we explained what the Global CBPR System is and how it operates.
In this article, we provide a comparative analysis between the GDPR and the Global CBPR.
1. Fundamental Principles and Operational Framework: GDPR vs. Global CBPR
Although both the GDPR and the Global Cross-Border Privacy Rules Framework (Global CBPR Framework) aim to ensure the protection of personal data, the GDPR’s primary objective is to harmonize protection rules within the EU. In contrast, the Global CBPR Framework seeks to facilitate cross-border flows of personal data between organizations (private companies and public authorities) located in the member countries of the Global CBPR Forum, within a legally secure environment.
1.1 The GDPR: A Uniform Application Within the European Union
The General Data Protection Regulation (GDPR), which entered into force on May 25, 2018, is designed to apply uniformly across the Member States of the European Union. (1)
The GDPR’s primary objective is consumer protection, and through strengthened consent rules, it aims to give individuals greater control over their personal data.
The GDPR applies to any organization, public or private, acting as a controller or processor, located within the European Union, that processes personal data. Transfers of personal data within the EU (and the European Economic Area – EEA) are carried out freely, as are transfers of data between an organization located in the EU and an organization located in a country offering an adequate level of protection. (2)
Transfers to third countries are prohibited unless the parties adopt Standard Contractual Clauses (SCCs) approved by the European Commission, enter into an ad hoc contract validated by a supervisory authority (such as the CNIL), or rely on Binding Corporate Rules (BCRs) for intra-group personal data transfers.
1.2 The Global CBPR: A Flexible, Voluntary System
The primary objective of the Global Cross-Border Privacy Rules System (Global CBPR) is to protect personal data while facilitating cross-border data flows, which are essential for economic activity, trade, and development.
Unlike the GDPR, whose provisions are binding on all Member States of the European Union, the Global CBPR is based on a two-step model: countries may choose to join the Global CBPR Forum, and organizations may then seek certification if they wish to benefit from the system.
The Global CBPR Forum, the system’s governing body, currently has nine full member countries (or “economies”): Australia, Canada, Japan, Mexico, the Philippines, the Republic of Korea, Singapore, Chinese Taipei (Taiwan) and the United States.
In addition, while the GDPR governs both internal personal data processing within the EU and international data transfers, the Global CBPR applies solely to cross-border data flows and does not impose requirements on the domestic data protection laws of participating countries.
The Global CBPR includes two distinct but complementary systems:
- the Global Cross-Border Privacy Rules System (Global CBPR System) for data controllers, whose requirements are set out in the Global CBPR Framework (3), and
- the Global Privacy Recognition for Processors System (Global PRP System) for processors.
A company certified under the Global CBPR must therefore ensure that its contracting partner located in another member economy is duly certified under the Global PRP before transferring personal data to that partner.
The Global CBPR is built on two essential pillars: flexibility and voluntariness.
- “Flexibility”: the Global CBPR does not replace the data protection laws of participating countries. Its implementation allows for a degree of flexibility. Economies with stricter data protection laws retain the benefit of their domestic data privacy laws. Certain provisions of the Global CBPR Framework may also be adapted to account for social, cultural, economic, and legal differences across participating countries;
- “Voluntariness”: only organizations located in the countries belonging to the Global CBPR Forum may choose to seek certification under the Global CBPR (or Global PRP for processors).
Organizations certified under the Global CBPR or Global PRP systems within member countries may then freely transfer personal data among themselves.
2. Key Principles and Distinctive Provisions in Both Systems
The GDPR and the Global CBPR are both inspired by the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. As a result, several fundamental principles are common to both systems, although their implementation differs. (4)
In addition, the Global CBPR Framework is based on the APEC Privacy Framework. Consequently, it is very similar to its predecessor, the APEC CBPR System, whose membership was limited to countries located in the Asia-Pacific region.
The comparison between the two systems, the GDPR and the Global CBPR Framework, is therefore very similar to the comparison between the GDPR and the former APEC Privacy Framework.
Below, we outline the main similarities and differences between the GDPR and the Global CBPR Framework.
2.1 Main Similarities Between the Two Systems
There are many similarities between the GDPR and the Global CBPR, even though the terminology used is not always identical. References below point respectively to the articles of the GDPR and to the relevant paragraphs of the Global Cross-Border Privacy Rules Framework (2023).
- Material Scope
The GDPR applies to the processing of personal data that is fully or partly automated, as well as to non-automated processing of personal data contained in or intended to be included in a filing system. (GDPR, Art. 2)
The Global CBPR System applies to natural or legal persons, whether private or public, that control the collection, holding, processing, use, or transfer of personal data. (CBPR Framework, para. 7)
- Definitions
“Personal data”: under the GDPR, this means “any information relating to an identified or identifiable natural person” (data subject). (GDPR, Art. 4(1)). The definition used in the Global CBPR (“personal information”) is substantially the same. (CBPR Framework, para. 6)
“Controller”: under the GDPR, the controller is the natural or legal person that determines the purposes and means of the processing. (GDPR, Art. 4(7)). The definition in the Global CBPR (“personal information controller”) is similar. (CBPR Framework, para. 7)
- Principles Relating to the Processing of Personal Data
Processing operations carried out under the GDPR are based on the principles of lawfulness, fairness and transparency; specified, explicit and legitimate purposes; data minimization (processing limited to what is necessary for the purposes); accuracy and up-to-date data; storage limitation; and secure and confidential processing. (GDPR, Art. 5(1))
These principles are reflected in the Global CBPR Framework among its nine foundational principles, namely the principles of notice (CBPR Framework, paras. 18–20), choice (para. 23), purpose (para. 22), collection limitation (para. 21), as well as notions of data integrity and data quality (para. 24).
For example, the choice principle requires mechanisms that give individuals clear, accessible, and proportionate means to express consent. Likewise, the GDPR’s principle of data minimization corresponds to the principle of collection limitation in the Global CBPR system: collection must be limited to data relevant to the stated purposes, obtained lawfully and fairly, and, where appropriate, accompanied by notice and/or consent. Necessity and proportionality are essential criteria when assessing the relevance of the data collected.
- Rights of the Data Subject
Under the GDPR, data subject rights include transparency and information rights, the right of access, the right to rectification, the right to erasure / right to be forgotten, as well as the rights to restriction of processing, data portability, objection, and rights related to automated decision-making and profiling. (GDPR, Arts. 12 et seq.)
The Global CBPR system recognizes the ability for individuals to obtain confirmation that a controller holds personal information about them, to access this information within a reasonable time, at a non-excessive cost and in an intelligible form, and to challenge the accuracy of the data and, where appropriate, request its correction, supplementation, modification, or deletion.
Access may be restricted for reasons of public or national security, the prevention or detection of criminal offenses, the protection of the privacy of others, commercial confidentiality, or judicial proceedings. (CBPR Framework, para. 24 and paras. 26–28)
- Accountability Principle
The accountability principle is one of the core pillars of the GDPR. The controller must be able to demonstrate compliance with the Regulation. (Recital 85; GDPR, Art. 5(2) and Arts. 24 et seq.) This includes obligations such as maintaining a record of processing activities, conducting Data Protection Impact Assessments (DPIAs), implementing data protection by design and by default, appointing a Data Protection Officer (DPO) in certain cases, and relying on Binding Corporate Rules (BCRs) for intra-group data transfers.
The Global CBPR System also recognizes the accountability of the controller for the personal data under its control, including where processing is carried out by third parties (processors). (CBPR Framework, para. 29)
- Data Security Principle
Controllers and their processors are responsible for ensuring adequate security, both physical and logical, of the personal data they process, taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the risks and the cost of security measures relative to the sensitivity level of the data. (GDPR, Art. 32(1))
The Global CBPR Framework likewise recognizes the principle of data security against loss, unauthorized access, destruction, unauthorized use, modification, disclosure, or any other misuse of data. Security measures must be proportionate to the likelihood and severity of the risk, the sensitivity of the data, and the context of the processing. (CBPR Framework, para. 25)
2.2 Main Differences Between the Two Systems
Overall, the GDPR is a complex and detailed legal instrument whose application within the European Union is mandatory and harmonized, notably due to the role of the European Data Protection Board (EDPB).
The Global CBPR Framework is much more concise and drafted largely in conditional terms. It is an overlay framework that sits on top of the domestic data protection laws of the countries participating in the Global CBPR Forum. Its provisions set out principles that member countries commit to apply consistently, though not necessarily identically. (CBPR Framework, para. 2)
There are therefore significant differences between the two systems, beginning with the respective objectives pursued by the GDPR and the Global CBPR.
- Material Scope
The GDPR applies to controllers and processors.
The Global CBPR applies only to personal information controllers. It is complemented by the Global Privacy Recognition for Processors System (Global PRP System), which applies to processors. (CBPR Framework, para. 11)
- Territorial Scope
The GDPR applies to the processing of personal data carried out in the context of the activities of a controller or processor established in the European Union, whether or not the processing itself takes place within the EU. The Regulation also has extraterritorial effect, as it applies to the processing of personal data relating to individuals residing in the EU by organizations established outside the EU. (GDPR, Art. 3)
The Global CBPR does not define a territorial scope: the system is intended to apply in any economy that is a member of the Global CBPR Forum, without geographical restrictions, but only to organizations located in those member countries that are certified under the Global CBPR system (or, for processors, the Global PRP system).
- Publicly Accessible Data
As a general rule, the GDPR applies to personal data regardless of whether the data is publicly accessible or not.
The Global CBPR applies only very narrowly to publicly accessible personal data. Since individuals generally make such data publicly available themselves and the data is not collected directly from them, the principles of notice and choice are considered not to apply. (CBPR Framework, para. 8)
- Personal Data Breaches, Notification, and Remediation
The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.” (GDPR, Art. 4(12)). In the event of a data breach, the controller is required to notify the competent supervisory authority. (GDPR, Art. 33)
The Global CBPR does not contain a definition of a personal data breach. However, member countries are expected to provide procedures for notification to supervisory authorities or to individuals in the event of a breach. (CBPR Framework, paras. 17 and 51)
- Retention of Personal Data
The GDPR limits the retention of personal data to the period necessary for the purposes for which it is processed. Afterward, the data must be deleted or retained for longer periods in anonymized form (for archiving, scientific research, etc.). (GDPR, Art. 5(1))
By contrast, the Global CBPR Framework does not establish a data retention limitation requirement.
- Children’s Data
Article 8 of the GDPR provides specific rules for the protection of minors’ personal data, allowing each Member State to set the age threshold for consent between 13 and 16 years old (15 years in France).
The Global CBPR Framework does not provide specific protection for minors’ data nor any age-based consent requirement. It only recommends adapting notice and choice mechanisms to the age of the individual when the personal data concerns minors. (CBPR Framework, para. 23)
- Sanctions
As a binding regulation, the GDPR provides for administrative fines imposed by supervisory authorities in cases of non-compliance. (GDPR, Arts. 83–84)
The Global CBPR does not contain a sanctions regime. Competent authorities in member countries should apply enforcement measures in accordance with their domestic data protection laws.
- Centralized Supervisory Authority
The European Data Protection Board (EDPB) is responsible for ensuring consistent application of the Regulation within the EU. Among its functions, the EDPB issues guidelines and adopts binding decisions in cases of cross-border processing.
The Global Cooperation Arrangement for Privacy Enforcement (Global CAPE) is a multilateral mechanism enabling national authorities to cooperate on the cross-border enforcement of privacy and data protection laws, including through information sharing and mutual assistance. However, Global CAPE does not issue guidelines or adopt centralized decisions. (CBPR Framework, para. 13)
The Global CBPR System, complemented by the Global PRP System, is not recognized by the European Commission as providing an adequate level of protection. The two multinational data protection systems therefore operate in parallel. Nonetheless, the development of the Global CBPR System represents a major step forward in the international evolution of data protection.
* * * * * * * * * * *
(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR).
(2) Countries recognized as providing an adequate level of protection include, among others: Argentina, Canada, Israel, Japan, New Zealand, the Republic of Korea, Switzerland, the United Kingdom, the United States (under the EU–U.S. Data Privacy Framework) and Uruguay.
(3) Global Cross-Border Privacy Rules (CBPR) Framework (2023)
(4) The Global CBPR Framework is based on nine fundamental principles, which we described in our previous article.
Bénédicte DELEPORTE
Avocat
Deleporte Wentz Avocat
www.dwavocat.com
November 2025