While questions remain about the Forum’s operation and uptake by the international community, this marks a further step toward the convergence of international data practices.
The Australian Government recently announced that Australia joined the Global Cross-Border Privacy Rules (Global CBPR) Forum. The Forum, launched in April 2022, establishes a certification system to help companies in participating jurisdictions demonstrate compliance with internationally recognised privacy standards, with the aim of fostering interoperability and international data flows (Global CBPR declaration).
The Global CBPR Forum will replace the existing APEC Cross-Border Privacy Rules (APEC CBPR) and Privacy Recognition for Processors (PRP) certification systems, enabling non-APEC countries to participate.
The potential benefits of such a global certification system and increased interoperability are especially relevant for tech companies and other data-driven businesses that rely heavily on being able to seamlessly transfer customer data internationally, including by:
The Global CBPR will be modelled after the baseline requirements under the existing systems. There is no formal timeline for when the transfer from the existing systems to the Global CBPR will occur. In the meantime, the APEC CBPR and PRP systems will remain in place.
The APEC CBPR system is aimed at ‘data controllers’, to certify that they have adequate measures in place to protect personal information in line with baseline requirements. These requirements are broadly comparable with the APPs and include:
The PRP system is aimed at ‘data processors’, to certify their capacity to process a controller’s data in compliance with the controller’s obligations under the APEC CBPR. Requirements for PRP certification include the implementation of appropriate measures and safeguards to ensure data is protected, processing is limited to the purposes specified by controllers, and controllers are kept informed about the handling of their data. This will be relevant for many cloud providers that only process data on behalf of their customers.
To date, numerous companies including key tech players have obtained certification under the APEC CBPR and PRP systems.1
Like the existing mechanism under the current systems, entities will be able to obtain annual certification by submitting a self-assessment questionnaire to a certified ‘accountability agent’.
The accountability agent will audit the entity’s privacy policies and practices to determine if they are compliant with the requirements.
One key feature of the certification systems is that consumers in participating jurisdictions may direct privacy complaints against certified entities to an accountability agent in the first instance. Disputes which are not resolved by an accountability agent are referred to the privacy enforcement authority in the relevant jurisdiction. This is intended to promote the more efficient resolution of disputes.
The actual operation of the Global CBPR will, as with the previous systems, vary in each participating jurisdiction. For example, each jurisdiction has discretion in determining the types of entities that can be certified as accountability agents: the US has certified 5 third-party private companies, while in Singapore the only certified agent is a government agency.
Questions also remain about how widely the Global CBPR will be taken up by non-APEC jurisdictions.2
Australia’s application to participate in the APEC CBPR system was endorsed by APEC in November 2018; however, Australia has not to date enacted any legislation or other instrument to give effect to the APEC CBPR.
The announcement of Australia’s participation comes as Australia’s Government is working on broader reforms of Australian privacy laws, including several changes to rules on overseas disclosure. These included propositions to implement the APEC CBPR in Australian law through the adoption of an APP code,3 and to recognise the certification as a basis for transferring personal information outside Australia.4 The Government also acknowledged recommendations to introduce into the Privacy Act the concepts of data controllers and data processors, which are at the core of the APEC CBPR and PRP systems and of the privacy/data protection laws of many other countries such as the European Union, but noted this may present challenges, including due to the small business exemption.
The Australian Government’s final report on the proposed reforms will hopefully provide greater clarity on the extent to which the Global CBPR may be implemented in Australia.
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2024