The Global Cross Border Privacy Rules – A new paradigm in data protection

The launch of the Global Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems on June 2, 2025 offers a framework to manage increasingly difficult standards for global data privacy governance.

By offering a scalable, interoperable, and internationally trusted framework, it responds to the exponential growth of cross border data flows driven by digitalization. It enables businesses, from multinational corporations to small and medium enterprises, to operate seamlessly across jurisdictions while maintaining high privacy standards, safeguarding consumer trust and, ultimately, meeting legal requirements.

To help make sense of this development and how it might relate to your business, we explore key takeaways from the recent Global CBPR Forum hosted by the Infocomm and Media Development Authority (IMDA) in Singapore on May 26 and 27, 2025, and explain how multinational companies may be able to benefit from this system. 

What is the Global CBPR?

The Global CBPR system is a voluntary, accountability-based certification framework designed to facilitate secure and privacy-respecting cross border data transfers while ensuring robust data protection standards. Building on the foundation of the Asia-Pacific Economic Cooperation (APEC) CBPR system, the Global CBPR extends its reach beyond APEC economies, creating an international standard for data privacy that transcends regional boundaries. 

The accompanying Privacy Recognition for Processors (PRP) system complements this by addressing the obligations of data processors, which process personal data on behalf of, and pursuant to the instructions of, data controllers.

As of May 2025, the US Department of Commerce’s Shannon Cole serves as Chair of the Forum and IMDA’s Evelyn Goh as Deputy Chair. Both of their terms have been renewed for the next two years.

How does the Global CBPR work?

The Global CBPR operates through third-party accountability agents (Accountability Agents), who assess and certify organizations’ privacy policies, practices and data governance against a set of rigorous standards derived from the APEC Privacy Framework’s nine principles and adapted to meet global expectations: Accountability, Preventing Harm, Notice, Choice, Collection Limitation, Use of Personal Information, Integrity of Personal Information, Security Safeguards, and Access and Correction. 

These certifications are enforceable by privacy authorities in participating jurisdictions.

Who are the participating economies?

At present, the Global CBPR Forum includes nine member economies: Australia, Canada, Japan, Mexico, the Philippines, the Republic of Korea, Singapore, Chinese Taipei, and the United States. These economies are all participants in the former APEC CBPR system. 

However, there is a strong commitment to expanding membership to non-APEC jurisdictions. Notably, the United Kingdom joined as an Associate member in April 2023, signalling its intent to explore full membership in due course. This is aligned with the UK’s objective to facilitate lawful global data flows through multiple legal mechanisms that are internationally recognized. Bermuda, Dubai International Financial Center, and Mauritius are also Associates, with Thailand and Nigeria declaring that they have a similar intent to join the Forum this year.

The Forum was also attended by an additional cross-continental and multi-disciplinary group hailing from: Bangladesh, Brazil, Brunei, Cambodia, Chile, France, Germany, India, Israel, Luxembourg, Qatar, Malaysia, Nigeria, Sri Lanka, Switzerland, Thailand, and the United Arab Emirates. Many of these economies intimated that they intend, or are considering whether, to join the Global CBPR Forum, either as a member or an associate member.

The Forum operates on a consensus-based model, with bi-annual meetings to steer its strategic direction. Following the Singapore forum in May 2025, the next meeting will be hosted in the Philippines. 

How does the Global CBPR update the former APEC CBPR system?

At the outset, organizations that are APEC CBPR- or APEC PRP-certified, as well as jurisdictions that are participating members of the APEC CBPR and PRP systems, will be grandfathered automatically into the Global CBPR and PRP systems respectively.

With that said, the Global CBPR represents a significant evolution of the APEC CBPR system. While the APEC CBPR system established in 2011 sought to facilitate data transfers among APEC economies, it was confined to 21 member economies. In contrast, the Global CBPR departs from a regional remit, extending into a framework open to all jurisdictions worldwide. 

Crucially, from an international recognition perspective, there are also material updates to the assessment criteria against which an organization is to be certified. The following are additional issues to be considered for potential inclusion in the Global CBPR assessment criteria:

  • Breach notification to individuals 
  • Sensitive data
  • Direct marketing choice 
  • Privacy personnel
  • Risk assessment
  • Withdrawal of consent
  • Records of processing and consent
  • Children's data

In addition, the following issues are presently under consideration, which shows the evolving nature of the framework to adapt in a flexible and credible way to the needs surrounding the protection of personal data at an international level:

  • Certification frequency 
  • Third party transfers 

How does the Global CBPR interact with legislative frameworks?

The Global CBPR is designed to complement, not replace, existing legislative frameworks, serving as a common denominator across disparate regulatory regimes. Regulatory bodies in participating economies will be looking at ensuring interoperability with domestic legal frameworks (for instance, IMDA will be mapping Singapore’s data protection Trustmark scheme with the Global CBPR), which presents a strong value proposition for multinational businesses in particular. More specifically: 

  • Global CBPR and the European Union’s General Data Protection Regulation (GDPR): While the Global CBPR is not currently recognized as equivalent or adequate for EU data transfers, the enhancements to the assessment criteria evidence the continued efforts to improve interoperability. This could not only streamline compliance in the future for organizations operating in both Global CBPR and GDPR jurisdictions, but also serve as a basis for a globally recognized set of privacy principles and practices.
  • National Laws in Asia: In Singapore, Global CBPR certification is recognized under the Personal Data Protection Act for overseas data transfers, eliminating additional compliance requirements. Similarly, Japan’s adequacy decision under the GDPR acknowledges Global CBPR participation, although supplementary rules apply for EU data transfers. As more member states join, we will likely see a trend towards integrating national laws and even local certification schemes with the Global CBPR.
  • Global CAPE: The Global Cooperation Arrangement for Privacy Enforcement (CAPE) facilitates cooperation among privacy enforcement authorities (27 to date) and enhances cross border enforcement in data protection, which in turn will provide greater certainty and consistency for both data users and data subjects.

Takeaways from the Global CBPR Forum 2025 in Singapore

The Global CBPR framework has an important role to play, both in shaping global privacy regulation and as a tool for companies to legitimize data flows and operationalise compliance in multiple jurisdictions.

Core themes that surfaced in the Singapore Forum attended by members of our team include: 

  • Expansion Momentum and Network Effects: Discussions at the Singapore Forum highlighted strong interest from existing members as well as additional jurisdictions, with several non-APEC economies exploring associate or full membership. This signals the Forum’s potential to become a “global” standard. As take-up increases, the value of participating in the system grows exponentially, enhancing the competitive advantage that global businesses or their vendors/processors gain by obtaining certification.
  • Promotes Technology and AI Innovation: The Forum emphasized leveraging technology, such as automated tools, to streamline compliance and enhance scalability for businesses. The Global CBPR also has a vital role to play in the development and adoption of advanced AI, which requires large volumes and diverse sources of data.
  • Consumer-Centric Focus: Sessions underscored the importance of transparent dispute resolution mechanisms, empowering consumers to have their privacy-related concerns seamlessly and effectively addressed through Accountability Agents or national authorities.
  • SME Support: IMDA announced initiatives to support small and medium enterprises with certification costs, reinforcing the Global CBPR framework’s accessibility.
  • Interoperability Roadmap: The Forum outlined plans to deepen alignment with frameworks like the EU GDPR and emerging AI governance standards.

For more information on certification processes or to engage with an Accountability Agent, visit www.globalcbpr.org.

For assistance or advice on whether and how to apply, feel free to contact any of the authors or your usual Hogan Lovells contact. 

Authored by Charmian Aw, Guillermo Larrea, Scott Loughlin and Eduardo Ustaran. 
