Greetings from Portsmouth, New Hampshire, USA!
I have just returned from our Data Protection Congress event in Brussels, Belgium, which was full of interesting information on privacy program management, new policy developments, how the EU General Data Protection Regulation is playing out in real life, and Cross-Border Privacy Rules.
Yes, CBPRs. Sure, they're a data transfer mechanism geared toward the Asia-Pacific region, but they are increasingly relevant around the globe, and interest in them seems to increase every day. We will have a new report next week, for example, on new economies that are joining the program. Without giving it all away, I can say this: Both economies should be a very big deal for those looking to move data increasingly freely.
Perhaps more importantly, CBPRs are being considered as a global standard for transfer mechanisms. In the "new NAFTA" (the USMCA), for example, CBPRs are specifically mentioned, with the requirement that all parties to the agreement "recognize that the APEC Cross-Border Privacy Rules system is a valid mechanism to facilitate cross-border information transfers while protecting personal information." That clarifies data transfer for all of North America (which just happens to sit on the Pacific Ocean, after all).
Now we're hearing that the European Commission may be interested in looking more closely at the referential project they conducted a few years back that mapped binding corporate rules (one of the most robust ways to transfer data out of the EU) to CBPRs. Should CBPRs ever become completely on par with BCRs, or even something that could be approved by EU supervisory authorities with just a bit more effort or documentation, then interest in them should jump considerably. Already, Japanese adequacy with the EU (and vice versa) is likely to increase interest, as Japan's privacy law specifically mentions CBPRs as a valid transfer mechanism for Japanese personal data.
This is a space we'll be watching closely — let us know your thoughts on how CBPRs could (or could not) play a part in your data transfer governance framework.