Back to Frameworks

Global Cross-Border Privacy Rules (Global CBPR) Forum

International (Global CBPR Forum)
v2022
7 domains
12 controls

The Global Cross-Border Privacy Rules (Global CBPR) Forum is an international privacy certification system that succeeded the APEC CBPR System effective 21 April 2022. FOUNDING MEMBERS: United States + Canada + Japan + Republic of Korea + Philippines + Singapore + Taiwan (Chinese Taipei). UNITED KINGDOM acceded 2024 + first non-original-APEC member; additional jurisdictions in discussions including Mexico + Australia + New Zealand + Bahrain + Dubai DIFC + Argentina + Brazil + others. STRUCTURE: (a) GLOBAL CBPR SYSTEM - for CONTROLLERS / personal-information-handling companies / organizations that determine the purposes + means of personal data processing; based on the 9 APEC Privacy Principles (Notice + Collection Limitation + Uses + Choice + Integrity + Security Safeguards + Access + Correction + Accountability + Preventing Harm); 50 program requirements + intake + remediation processes; certified by Accountability Agents; (b) GLOBAL PRP (Privacy Recognition for Processors) - for DATA PROCESSORS / cloud service providers / SaaS / data processors; based on the 50 program requirements adapted for processor role; designed to facilitate Controllers + Processors agreements; (c) GLOBAL FORUM ASSEMBLY - intergovernmental governance; (d) GLOBAL FORUM STEERING COMMITTEE - operational oversight; (e) ACCREDITED ACCOUNTABILITY AGENTS (AAs) - third-party certifiers including TrustArc + Schellman + BBB National Programs + JIPDEC (Japan Information Processing Development Center) + others; AAs operate within their accredited jurisdictions. CERTIFICATION PROCESS: (1) organization completes self-assessment against Program Requirements; (2) engages Accountability Agent for review; (3) AA submits assessment for compliance evaluation + ongoing monitoring + dispute resolution + breach notification; (4) annual recertification + continuous monitoring. KEY BENEFITS: facilitates cross-border data transfers between member jurisdictions; demonstrates accountability; reduces compliance burden vs separate per-jurisdiction certifications; signals privacy commitment to customers + business partners. 2024-2025 STATUS: UK accession 2024 + first non-APEC member; ongoing GDPR-CBPR bridge-mechanism discussions with European Commission (no formal recognition yet); ASEAN model contract clauses coordination; PEP (Privacy Enhancing Technologies) + AI integration guidance pipeline; ongoing UK + Canada + Japan + Korea + Singapore + Philippines + Taiwan + US implementation; multiple new jurisdictions in accession discussions. RECOGNITION: CBPR + PRP certifications are increasingly recognized in US state DP laws (Connecticut + Virginia + Colorado + others recognize as adequacy mechanism) + California CCPA + sectoral privacy frameworks. SPONSORS + STAKEHOLDERS: US Department of Commerce + Federal Trade Commission + USTR; participating jurisdictions national DPAs; industry: Google + Microsoft + Apple + Meta + Amazon + Salesforce + AT&T + Workday + Adobe + IBM + Cisco + ServiceNow + Oracle + many others.

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (7)

Global CBPR Forum: 2024-2025 Pipeline, UK Accession, New Jurisdictions, AI and PEP Integration

4 controls
Controls in the Global CBPR Forum: 2024-2025 Pipeline, UK Accession, New Jurisdictions, AI and PEP Integration domain of Global Cross-Border Privacy Rules (Global CBPR) Forum4 controls
CodeTitle
CBPR-2024-2025-UK-NewJurisdictions-AI-PEPGlobal CBPR Forum: 2024-2025 Update Pipeline - UK 2024, AI Integration, PEP, ASEAN MCC
CBPR-Implementation-Roadmap-Roles-OrgGlobal CBPR Forum: Implementation Roadmap, Organizational Roles and Certification Management
CBPR-IndustryAdoption-MajorCertifiedOrgs-SectoralGlobal CBPR Forum: Industry Adoption, Major Certified Organizations and Sectoral Application
CBPR-Status-AnnualMeeting-Working-Groups-FutureGlobal CBPR Forum: Status, Annual Meeting, Working Groups and Future Roadmap

Global CBPR Forum: 9 APEC Privacy Principles (Notice + Collection + Uses + Choice + Integrity + Security + Access + Accountability + Preventing Harm)

1 controls
Controls in the Global CBPR Forum: 9 APEC Privacy Principles (Notice + Collection + Uses + Choice + Integrity + Security + Access + Accountability + Preventing Harm) domain of Global Cross-Border Privacy Rules (Global CBPR) Forum1 controls
CodeTitle
CBPR-9-APEC-Privacy-PrinciplesGlobal CBPR Forum: 9 APEC Privacy Principles (Notice + Collection + Uses + Choice + Integrity + Security + Access + Accountability + Preventing Harm)

Global CBPR Forum: Accountability Agents, Program Requirements, Certification Process

1 controls
Controls in the Global CBPR Forum: Accountability Agents, Program Requirements, Certification Process domain of Global Cross-Border Privacy Rules (Global CBPR) Forum1 controls
CodeTitle
CBPR-AccountabilityAgents-CertificationProcessGlobal CBPR Forum: Accountability Agents (TrustArc, Schellman, BBB, JIPDEC) and Certification Process

Global CBPR Forum: Coordination with GDPR + UK + Japan APPI + Korea PIPA + Singapore PDPA + US State Laws

2 controls
Controls in the Global CBPR Forum: Coordination with GDPR + UK + Japan APPI + Korea PIPA + Singapore PDPA + US State Laws domain of Global Cross-Border Privacy Rules (Global CBPR) Forum2 controls
CodeTitle
CBPR-Coord-GDPR-UK-Japan-Korea-Singapore-Philippines-StateLawsGlobal CBPR Forum: Coordination with GDPR + UK GDPR + Japan APPI + Korea PIPA + Singapore PDPA + Philippines DPA + US State Laws
CBPR-Crosswalk-GDPR-StateLaws-ISO27701-NISTGlobal CBPR Forum: Crosswalk to GDPR, US State Laws, ISO/IEC 27701 and NIST Privacy Framework

Global CBPR Forum: Cross-Border Transfer Recognition, Dispute Resolution, Enforcement

2 controls
Controls in the Global CBPR Forum: Cross-Border Transfer Recognition, Dispute Resolution, Enforcement domain of Global Cross-Border Privacy Rules (Global CBPR) Forum2 controls
CodeTitle
CBPR-DisputeResolution-Enforcement-CrossBorderRecognitionGlobal CBPR Forum: Dispute Resolution, Enforcement and Cross-Border Recognition
CBPR-Implementation-MultiState-AdequacyMechanismGlobal CBPR Forum: US Multi-State Adequacy Mechanism, State-by-State Recognition

Global CBPR Forum: Global PRP (Privacy Recognition for Processors) + Controller-Processor Linkage

1 controls
Controls in the Global CBPR Forum: Global PRP (Privacy Recognition for Processors) + Controller-Processor Linkage domain of Global Cross-Border Privacy Rules (Global CBPR) Forum1 controls
CodeTitle
CBPR-Global-PRP-Privacy-Recognition-ProcessorsGlobal CBPR Forum: Global PRP (Privacy Recognition for Processors) Controller-Processor Linkage

Global CBPR Forum: Governance, Membership and Relationship to APEC CBPR Predecessor

1 controls
Controls in the Global CBPR Forum: Governance, Membership and Relationship to APEC CBPR Predecessor domain of Global Cross-Border Privacy Rules (Global CBPR) Forum1 controls
CodeTitle
CBPR-Forum-Governance-MembershipGlobal CBPR Forum Governance, Membership and Relationship to APEC CBPR

Your Compliance Coverage

If you comply with Global Cross-Border Privacy Rules (Global CBPR) Forum, you already cover:

Maps to 52 other frameworks

12 total controls
Privacy Act 1988 (Australia)
2 source controls mapped|4 target controls covered
17%
Bahrain PDPL
2 source controls mapped|6 target controls covered
17%
17%
Family Educational Rights and Privacy Act (FERPA)
2 source controls mapped|6 target controls covered
17%
GLI-33 - Gaming Laboratories International Event Wagering Systems
2 source controls mapped|2 target controls covered
17%
Vietnam Law on Cybersecurity (No. 24/2018/QH14)
1 source controls mapped|2 target controls covered
8%
Vermont Artificial Intelligence and Consumer Data Act (AICDA)
1 source controls mapped|1 target controls covered
8%
USMCA Chapter 19 - Digital Trade (United States-Mexico-Canada Agreement)
1 source controls mapped|2 target controls covered
8%
UK Defence Standard 05-138 - Cyber Security for Defence Suppliers
1 source controls mapped|1 target controls covered
8%
TEFCA - Trusted Exchange Framework and Common Agreement
1 source controls mapped|1 target controls covered
8%
Russia Federal Law on Personal Data (152-FZ)
1 source controls mapped|2 target controls covered
8%
South Korea PIPA
1 source controls mapped|1 target controls covered
8%
India Account Aggregator Framework (RBI)
1 source controls mapped|1 target controls covered
8%
APPI
1 source controls mapped|5 target controls covered
8%
ISO/IEC 27400:2022
1 source controls mapped|2 target controls covered
8%
ISO/IEC 29134:2023
1 source controls mapped|3 target controls covered
8%
ISO/IEC 27014:2020
1 source controls mapped|2 target controls covered
8%
COSO Internal Control - Integrated Framework (2013)
1 source controls mapped|1 target controls covered
8%
Austria Data Protection Act (Datenschutzgesetz, DSG, amended 2018)
1 source controls mapped|3 target controls covered
8%
Australian Privacy Principles (APPs)
1 source controls mapped|3 target controls covered
8%
ISO/IEC 27557:2022 - Organisational Privacy Risk Management
1 source controls mapped|6 target controls covered
8%
German Supply Chain Due Diligence Act (LkSG)
1 source controls mapped|1 target controls covered
8%
NIST SP 800-171A Rev 3 - Assessing CUI Security Requirements
1 source controls mapped|2 target controls covered
8%
IEC 60601-1 - Medical Electrical Equipment Safety
1 source controls mapped|3 target controls covered
8%
FedRAMP Rev 5
1 source controls mapped|2 target controls covered
8%
FTC GLBA Safeguards Rule (16 CFR Part 314)
1 source controls mapped|1 target controls covered
8%
ISO/IEC 29100:2024
1 source controls mapped|3 target controls covered
8%
ISO/IEC 23837 - Security Requirements for Quantum Key Distribution
1 source controls mapped|2 target controls covered
8%
Florida Digital Bill of Rights (FDBR)
1 source controls mapped|3 target controls covered
8%
AML/CTF Act 2006 (Australia)
1 source controls mapped|1 target controls covered
8%
NIST AI Risk Management Framework (AI RMF 1.0)
1 source controls mapped|2 target controls covered
8%
Azerbaijan Law on Personal Data (2010)
1 source controls mapped|3 target controls covered
8%
Armenia Law on Protection of Personal Data (2015)
1 source controls mapped|3 target controls covered
8%
Aged Care Quality Standards (Australia)
1 source controls mapped|1 target controls covered
8%
BS 65000:2014 - Guidance on Organizational Resilience
1 source controls mapped|2 target controls covered
8%
Barbados Data Protection Act 2019
1 source controls mapped|3 target controls covered
8%
FFIEC Cybersecurity Assessment Tool (CAT)
1 source controls mapped|2 target controls covered
8%
AS9100D:2016 - Quality Management Systems for Aviation, Space, and Defence
1 source controls mapped|1 target controls covered
8%
AS9100D - Aerospace Quality Management System
1 source controls mapped|1 target controls covered
8%
ISO/IEC 27003:2017
1 source controls mapped|1 target controls covered
8%
ISO/IEC 38500:2024 - Governance of IT
1 source controls mapped|2 target controls covered
8%
GLBA
1 source controls mapped|1 target controls covered
8%
API 1164
1 source controls mapped|1 target controls covered
8%
8%
FedRAMP High
1 source controls mapped|1 target controls covered
8%
NIST SP 800-53 Revision 5.1 HIGH
1 source controls mapped|1 target controls covered
8%
FedRAMP Moderate
1 source controls mapped|1 target controls covered
8%
NIST SP 800-53 Rev 5 MODERATE
1 source controls mapped|1 target controls covered
8%
NIST SP 800-53 Rev 5 LOW
1 source controls mapped|1 target controls covered
8%
Azure Security Benchmark
1 source controls mapped|1 target controls covered
8%
AWS Well-Architected Security Pillar
1 source controls mapped|1 target controls covered
8%

Frequently Asked Questions

What is Global Cross-Border Privacy Rules (Global CBPR) Forum?

Global Cross-Border Privacy Rules (Global CBPR) Forum is a compliance framework from International (Global CBPR Forum) with 7 domains and 12 controls. The Global Cross-Border Privacy Rules (Global CBPR) Forum is an international privacy certification system that succeeded the APEC CBPR System effective 21 April 2022. FOUNDING MEMBERS: United States + Canada + Japan + Republic of Korea + Philippines + Singapore + Taiwan (Chinese Taipei). UNITED KINGDOM acceded 2024 + first non-original-APEC member; additional jurisdictions in discussions including Mexico + Australia + New Zealand + Bahrain + Dubai DIFC + Argentina + Brazil + others. STRUCTURE: (a) GLOBAL CBPR SYSTEM - for CONTROLLERS / personal-information-handling companies / organizations that determine the purposes + means of personal data processing; based on the 9 APEC Privacy Principles (Notice + Collection Limitation + Uses + Choice + Integrity + Security Safeguards + Access + Correction + Accountability + Preventing Harm); 50 program requirements + intake + remediation processes; certified by Accountability Agents; (b) GLOBAL PRP (Privacy Recognition for Processors) - for DATA PROCESSORS / cloud service providers / SaaS / data processors; based on the 50 program requirements adapted for processor role; designed to facilitate Controllers + Processors agreements; (c) GLOBAL FORUM ASSEMBLY - intergovernmental governance; (d) GLOBAL FORUM STEERING COMMITTEE - operational oversight; (e) ACCREDITED ACCOUNTABILITY AGENTS (AAs) - third-party certifiers including TrustArc + Schellman + BBB National Programs + JIPDEC (Japan Information Processing Development Center) + others; AAs operate within their accredited jurisdictions. CERTIFICATION PROCESS: (1) organization completes self-assessment against Program Requirements; (2) engages Accountability Agent for review; (3) AA submits assessment for compliance evaluation + ongoing monitoring + dispute resolution + breach notification; (4) annual recertification + continuous monitoring. KEY BENEFITS: facilitates cross-border data transfers between member jurisdictions; demonstrates accountability; reduces compliance burden vs separate per-jurisdiction certifications; signals privacy commitment to customers + business partners. 2024-2025 STATUS: UK accession 2024 + first non-APEC member; ongoing GDPR-CBPR bridge-mechanism discussions with European Commission (no formal recognition yet); ASEAN model contract clauses coordination; PEP (Privacy Enhancing Technologies) + AI integration guidance pipeline; ongoing UK + Canada + Japan + Korea + Singapore + Philippines + Taiwan + US implementation; multiple new jurisdictions in accession discussions. RECOGNITION: CBPR + PRP certifications are increasingly recognized in US state DP laws (Connecticut + Virginia + Colorado + others recognize as adequacy mechanism) + California CCPA + sectoral privacy frameworks. SPONSORS + STAKEHOLDERS: US Department of Commerce + Federal Trade Commission + USTR; participating jurisdictions national DPAs; industry: Google + Microsoft + Apple + Meta + Amazon + Salesforce + AT&T + Workday + Adobe + IBM + Cisco + ServiceNow + Oracle + many others. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does Global Cross-Border Privacy Rules (Global CBPR) Forum have?

Global Cross-Border Privacy Rules (Global CBPR) Forum has 12 controls organised across 7 domains. The largest domains are Global CBPR Forum: 2024-2025 Pipeline, UK Accession, New Jurisdictions, AI and PEP Integration (4 controls), Global CBPR Forum: Coordination with GDPR + UK + Japan APPI + Korea PIPA + Singapore PDPA + US State Laws (2 controls), Global CBPR Forum: Cross-Border Transfer Recognition, Dispute Resolution, Enforcement (2 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does Global Cross-Border Privacy Rules (Global CBPR) Forum map to?

Global Cross-Border Privacy Rules (Global CBPR) Forum maps to 52 other compliance frameworks. The top mapping partners are Privacy Act 1988 (Australia) (17% coverage), Bahrain PDPL (17% coverage), Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) (17% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with Global Cross-Border Privacy Rules (Global CBPR) Forum compliance?

Start your Global Cross-Border Privacy Rules (Global CBPR) Forum compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about Global Cross-Border Privacy Rules (Global CBPR) Forum requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 12 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 723 frameworks.

Get Started Free →

Free forever — no credit card required