Editor's note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.

In a recent policy debate and workshop, a learned contributor to the privacy community — albeit not a privacy law expert — repeatedly referred to the Global Cross Border Privacy Rules Forum as if it were a law comparable to the EU General Data Protection Regulation, rather than a global system.

This is one of many misconceptions about the CBPR Forum, and its privacy rules for processing, that require debunking. To do so, it helps to understand the current status of the system.

The Dubai International Financial Centre joined the Global CBPR Forum in December 2025, the first jurisdiction outside the Asia-Pacific Economic Cooperation to join since the system transitioned from the regional APEC Cross-Border Privacy Rules System in 2022.

Transfers of personal data across borders have been a major point of discussion, pain, thought, even creative lawyering and regulating, for more than 10 years now, for many reasons. Knowing how your personal data will be treated within your own jurisdiction can be stressful enough — do I select yes, no, maybe? Reject all? Who am I rejecting all to and why are they asking? And how on earth are there so many cookies that I have never even seen?

And that's before knowing how your personal data will be treated if it leaves your — hopefully — protective home country for a foreign land that may have different laws, will surely have a different regulator, or may have neither.

The primary options under the GDPR are binding corporate rules, which are largely unused and time-consuming to finalize; derogations, which are largely to be seen and not heard, let alone used; standard contractual clauses (SCCs); or adequacy.

While they have the strength and enforceable status of a contract, the SCCs are effectively GDPR CliffsNotes. They are long and complicated, and simply executing a contract does not mean it won't be breached.

Adequacy, at least the EU variety, currently covers only 42 countries, and the list is not growing quickly: 30 years after the concept was promulgated, only 15 countries outside the EU have been recognized.

Finally, adequacy does not guarantee compliance. To be fair, no mechanism does, but some can and do lessen the possibility of noncompliance with pragmatic, evidence-based due diligence. 

That's where the Global CBPR Forum, which provides for both the cross-border privacy rules and the privacy rules for processing, comes in. CBPRs are not a law. Rather, they are a privacy-by-design certification scheme, with two layers of independent review and reasonably quick and efficient timelines.

The system is scalable and flexible; a certification applicant can provide as much evidence as needed, or more, and can do so somewhat creatively as the language and assessment of each program requirement gives them room to breathe. 

In the end, it amounts to a company's own adequacy assessment, determined by an independent, non-political body, with privacy by design built in at the core.

When I say scalable, I mean scalable. If an organization does not know where to start with a privacy or compliance program, look at the CBPR and use this very detailed but efficient framework to build one from scratch. Is there a great structure in place that has not yet been tested against regulatory scrutiny? Test it against the CBPR. Do some personal data transfers never really cross the EU horizon? Or, if they do, does the board or leadership need assurance that the risk of massive EU fines for insufficient controls will be limited? Compare the data transfer process to the CBPR framework and fill any gaps.

There are only a handful of accountability agents, the independent bodies that conduct CBPR certification reviews and reporting. There are only a handful of organizations that have been certified. The EU, and a large portion of the world with it, is still beholden to the EU system and framework, for better or worse.

It's not that there is much "worse" in that regard — the EU built a great law. But regulatory implementation is still fragmented, and international transfers have still not been addressed in the Digital Omnibus package or otherwise.

That fragmentation costs a lot, in both time and money. Is it for a good cause? Yes, of course. Can it be done more cleanly, simply and quickly without sacrificing safety and human and privacy rights? Also yes. Check out the CBPR. "Global" is in the name now for a reason. Privacy law and regulation are moving in that direction, but slowly and stiffly.

One more reason to consider the CBPR: jurisdictions like the DIFC are hoping to create more bang for your regulatory buck. Because the CBPR principles and certification framework are essentially a privacy-by-design checklist, not a tick-box exercise, and because so many other laws, including artificial intelligence regulations, depend on getting this bit right, why not use the CBPR framework as the basis for ensuring compliance with those other laws as well?

Under Regulation 10 of the DIFC's Data Protection Law, which focuses on AI governance and ensuring privacy is protected in autonomous and semi-autonomous systems, certification is required where an AI system is used for commercial purposes and involves high-risk processing of personal data, such as processing special category data, automated decision-making, the use of new technologies, or large-scale profiling or monitoring.

The accreditation and certification scheme the DIFC approved is the same as the Global CBPR framework. In other words: same framework, same way of accrediting the entities that certify systems, same certification program requirements, which adds up to the potential for reciprocity with the CBPR system. Hopefully it is clear that this arrangement, a sort of CBPR/Regulation 10 reciprocity, would make logical sense to implement, so that companies get more for their money, have a more pragmatic method of certifying their systems, and are encouraged to comply and work with regulators rather than settle for the very limited scope of adequacy or the hefty SCCs.

Consider using the program requirements to implement best practices, so that one day, when the CBPRs come to your part of the world, you will be ready.

The DIFC is hosting the 48th Global Privacy Assembly, "From Zero to AI: Pathways to Privacy in Progress," in December 2026. Those interested in participating, sponsoring or learning more can email gpa48@difc.ae or visit the GPA48 website.

Lori Baker, AIGP, CIPP/E, CIPT, FIP, is vice president of data protection and regulatory compliance at the Dubai International Financial Centre.