Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
Last week under the warm Boracay Island sun in the Philippines, regulators, policymakers, accountability agents and industry representatives gathered for the Global Cross-Border Privacy Rules Forum. Each session added an ingredient to the perfect privacy cake mix: a little flour of global cooperation, a dash of regulatory innovation, a spoonful of sugar from success stories and a good stir of cross-border accountability.
The base layer: The sponge of trust
The opening remarks by Global Forum Assembly Deputy Chair Evelyn Goh set the oven to just the right temperature. The CBPR is about ensuring data can move freely with trust across borders without melting down under privacy risks — a sweet but serious endeavor.
The "Navigating CBPR Certification" panel explored how certifications help whisk messy compliance eggs into a frothy accountability meringue. Panelists from the U.K. Department for Science, Innovation and Technology, the Philippine Chamber of Commerce and Industry, and Cloudflare discussed how certification provides the yeast for international trade, helping economies rise through interoperable privacy practices.
Blending accountability and action
The next panels added thickness and texture to the discussion. "Global CAPE in Action" simulated real-world cooperation and demonstrated that while ingredients differ across jurisdictions, the batter can still blend smoothly when guided by shared values.
The icing on the cake was welcoming South Africa as the newest member of the CBPR, with talk about Malaysia also applying for associate member status.
The Accountability Agent panel — featuring speakers from TrustArc, BBB National Programs, Taiwan's Institute for Information Industry, and the Japan Institute for Promotion of Digital Economy and Community — discussed the whipped cream of certification, a concoction of rigorous oversight and mutual confidence. Participants noted that becoming an Accountability Agent requires equal parts discipline and vanilla essence — a steady balance of compliance structure and trust-building flavor.
Sectoral flavors and global recipes
The second day of the forum introduced new layers and toppings. The U.K. Data (Use and Access) Act and a U.S. perspective on global data governance offered fresh powdered sugar insights, reminding attendees that interoperability isn't just about alignment — it's about creating a recipe that can be enjoyed in any jurisdiction.
The fourth panel, on sector-specific integration, explored how CBPR certification could support industries from fintech to telecoms. Representatives from Mynt, PLDT, Bangko Sentral ng Pilipinas, and Salesforce shared how the system helps small and medium enterprises fold compliance into daily operations, preventing heavy regulatory dough from weighing them down.
The cross-border data flows panel, featuring privacy leaders from IBM, Ayala Foundation, Quisumbing Torres, and Schellman, revealed both sweet successes and sticky challenges. They noted that there is still a need for wider awareness and simpler processes for certification, especially for small and medium enterprises — often seen as the "cupcakes" of the digital economy.
A riveting fireside chat with representatives from the Centre for Information Policy Leadership, Cisco, and the Office of the Privacy Commissioner of Canada suggested creative techniques to bake CBPR requirements into vendor due diligence and procurement processes.
Icing and decorations: Interoperability and the future
The penultimate panel with speakers from Japan's Personal Information Protection Commission, Dun & Bradstreet, Norebase and Cloudflare explored how different measurements, from the EU General Data Protection Regulation's Codes of Conduct to ISO standards, might be used to form a seamless mousse of accountability. As former deputy privacy commissioner of the Philippines' National Privacy Commission Damian Mapa aptly moderated, the future of global privacy governance may well depend on interoperability with harmony — where each layer retains its unique flavor while complementing the rest.
Final slice: A sweet ending
In his closing remarks, Deputy Commissioner Jose Sutton Belarmino II noted that trust cannot be localized, but it instead travels across borders — it is not a boundary, but a bridge.
Noting that the forum offers a one-of-a-kind, human-centered, trusted cross-border privacy framework, he concluded by inviting participants to keep the CBPR oven warm.
From the rich discussions and mixing of ideas, the Boracay forum has solidified a tasty blend of policy partnership.
With the right ingredients, timing and temperature, the CBPR will no doubt form a colorfully layered and deliciously sustainable model for global data trust, with regulators and organizations alike finally being able to have their cake and eat it too.
Charmian Aw, AIGP, CIPP/A, CIPP/E, CIPP/US, CIPM, FIP, is a partner at Hogan Lovells.
This article originally appeared in the Asia-Pacific Dashboard Digest, a free weekly IAPP newsletter. Subscriptions to this and other IAPP newsletters can be found here.