Consultation document: Consultation on the implementation of the Global Cross-Border Privacy Rules (CBPR) Forum certifications in Canada

Overview

Canada is a Member of the Global Cross-Border Privacy Rules (CBPR) Forum, a multinational forum that has established the Global CBPR System and the Global Privacy Recognition for Processors (PRP) System (together, the "Global Systems"). These Global Systems are international privacy and data protection certifications that are designed to enable trusted data flows globally. The Global CBPR Forum is aiming to make these certifications available in participating jurisdictions in 2025.

As a founding Member of the Forum, Canada has committed to implementing the Global Systems in the Canadian marketplace. Canada's participation in the Global Systems would offer substantial benefits, including enhanced privacy and data protection for individuals, a competitive advantage and streamlined compliance for businesses, and improved trade facilitation for the economy. To maximise these benefits for Canadians, the Government is consulting on the best approach to implementing the Global Systems.

To participate in the consultation, please provide your feedback by July 31, 2025, through the online consultation form linked at the end of this document.

Background

On April 21, 2022, Canada and six other jurisdictions established the Global CBPR Forum, as a means of advancing interoperability among diverse regulatory approaches to privacy and data protection, to facilitate trusted cross-border data flows, and to ensure effective privacy and data protection globally. At present, the Global CBPR Forum has nine Member jurisdictions (Australia, Canada, Chinese Taipei, Japan, Mexico, Philippines, Republic of Korea, Singapore, and the United States) and four Associate jurisdictions (Bermuda, Dubai International Financial Centre, Mauritius, and the United Kingdom).

The Global CBPR and PRP Systems are central to the Global CBPR Forum's approach to achieving its aim of facilitating trusted cross-border data flows. Originally established under the Asia-Pacific Economic Cooperation (APEC), the CBPR and PRP Systems became internationally recognized mechanisms for cross-border data transfers. However, unlike the APEC Systems, which are limited to the Asia-Pacific region, the Global Systems will be available for participation by like-minded jurisdictions worldwide.

The Global CBPR System is designed for data controllers, i.e., organizations that control the collection, holding, processing, use, disclosure or transfer of personal information. The Global PRP System is designed for processors, i.e., organizations which process data on behalf of data controllers.

Organizations operating in jurisdictions which participate in the Global CBPR Forum can be certified as Global CBPR- or Global PRP-compliant if they implement data protection and privacy policies and processes that are consistent with the Global Systems' program requirements. These program requirements are based on the CBPR Privacy Principles, which include key principles such as data minimization, security safeguards, and accountability. There is substantial overlap between the program requirements and the obligations of the Personal Information Protection and Electronic Documents Act or PIPEDA. However, the Global Systems do not replace domestic laws; rather they recognize that differences exist among countries, establish baseline protections for all participating Members, and require businesses to comply with any additional and specific requirements in each Member jurisdiction.

Accountability is a key feature of the Global CBPR and PRP Systems. Companies that seek Global CBPR or Global PRP certification must have their privacy policies and practices verified by a third-party certification entity, known as an Accountability Agent. Only Global CBPR Forum-recognized Accountability Agents have the authority to certify a company's compliance with the Global CBPR and/or Global PRP System program requirements. This generates trust among consumers, businesses and regulators.

The Privacy Enforcement Authority (PEA)[Footnote 1] of each participating jurisdiction also plays a key role in ensuring that certified organizations adhere to the Global Systems' program requirements. In general, a PEA can take enforcement actions against certified organizations for violations of the Global Systems under applicable domestic laws and regulations. In Canada, this role would be played by the Office of the Privacy Commissioner of Canada (OPC).

To facilitate cross-border cooperation in the enforcement of data protection and privacy laws, as well as the Global CBPR and Global PRP certifications, the Global CBPR Forum has established the Global Cooperation Arrangement for Privacy Enforcement (CAPE). The OPC joined the Global CAPE in 2024, fulfilling a precondition for Canada's membership in the Global CBPR Forum.

Among Member jurisdictions, Chinese Taipei, Japan, Republic of Korea, Singapore, and the US have already implemented one or both of the APEC CBPR and PRP Systems. With the launch of the Global CBPR and PRP Systems, the Global Systems' certifications will be available to companies headquartered in these jurisdictions.

Rationale for implementation

Experience from jurisdictions that have implemented the APEC CBPR and PRP Systems, along with existing research, shows clear benefits to implementing the Global Systems. In particular, these certifications can enable greater transparency and control over personal information in cross-border transfers. Privacy policies and consent forms are often lengthy and confusing, leading to "consent fatigue", which creates a risk that users agree to the use of their information without fully understanding the implications. CBPR and PRP certifications provide a simple, visible way to verify that an organization maintains internationally recognized privacy standards. This helps individuals and potential business partners trust the organization's privacy practices. Additionally, Accountability Agents can provide access to an alternative form of dispute resolution and redress beyond those already provided by PEAs.

The CBPR and PRP certifications also offer significant benefits for businesses, particularly by simplifying privacy compliance. The Global Systems provide a clear framework for complying with the privacy laws of multiple jurisdictions, which could help Canadian organizations tackle common compliance challenges, like understanding legal requirements and integrating privacy measures into business operations. The clear certification criteria, combined with guidance from Accountability Agents, assist businesses in building comprehensive privacy management programs. This is particularly helpful for Small and Medium-sized Enterprises (SMEs),[Footnote 2] which often lack the resources to develop privacy management programs. In Canada, where the vast majority of businesses are SMEs, the CBPR and PRP Systems offer practical tools to manage privacy compliance, particularly when operating across borders.

The implementation of the Global Systems can also strengthen the Canadian economy by promoting trust in the marketplace. This is crucial, given the growing concerns with cross-border data flows, and in particular, the difficulty in ensuring consistent protections when personal information crosses international borders. In Canada, research shows that these concerns hold businesses back from fully using the Internet[Footnote 3] and adopting artificial intelligence,[Footnote 4] limiting their ability to compete in the digital economy. By ensuring accountability in cross-border data transfers, the Global Systems can make such transfers safer and more seamless, allowing businesses to expand confidently, while keeping high privacy standards in place.

Privacy certifications have long been used to build consumer confidence in online trade and commerce, and they remain a valuable tool for protecting privacy today. Certifications allow consumers to quickly verify that a business follows strong privacy standards while giving businesses a competitive advantage and a streamlined process to demonstrate privacy commitments. Moreover, certifications are one of the least expensive ways to facilitate international data transfers, second only to trade agreements. Given this, the Global CBPR and PRP Systems could meet a real need in Canada.

In addition, the benefits of the Global Systems are expected to grow rapidly as more jurisdictions join the Global CBPR Forum. Several jurisdictions are currently showing interest in implementing the Global Systems. For instance, the Australian Government noted broad support for adopting the CBPR System, with stakeholders recognizing its potential to enhance cross-border data flows and provide trade benefits for Australia.[Footnote 5] The Global Systems' potential was also recognized in a recent report by the UK Government's International Data Transfer Expert Council, which highlighted the Global Systems' strong protections, enforceable standards, and mechanisms for accountability and regulatory cooperation.[Footnote 6] Interest in the Global CBPR Forum continues to grow as jurisdictions seek new mechanisms to ensure secure and trusted cross-border data flows.

Implementation models

The Government of Canada intends to implement the Global Systems following the requirements set by the Global CBPR Forum. These requirements ensure that all participating jurisdictions follow the same standards for accrediting Accountability Agents. However, jurisdictions have some flexibility in how they implement the Global Systems – they can decide whether to adopt one or both Global Systems, the type of Accountability Agent that best fits their needs, and they can introduce additional measures to make the certifications more useful for individuals, businesses and the economy in their jurisdiction. This flexibility allows each jurisdiction to tailor its approach based on its specific needs. The implementation models outlined in this section illustrate how participating jurisdictions have tailored their approaches to implementing the CBPR and PRP Systems.

Global CBPR and PRP Systems

The CBPR System certifies businesses operating as data controllers, ensuring transparent and effective cross-border privacy and data protection. For jurisdictions engaged in international trade, the CBPR System offers a reliable way to allow data flows while ensuring strong privacy protections. Because it applies to data controllers, adopting the CBPR System can be a pragmatic first step to strengthen trust and promote trade, while ensuring robust privacy protections.

The Global PRP System certifies processors that can effectively implement a controller's privacy and data protection requirements.[Footnote 7] It also helps controllers identify qualified, accountable processors, which can help to streamline compliance and strengthen accountability.[Footnote 8]

A jurisdiction's decision to implement both the CBPR and PRP Systems depends on several factors, such as the key sectors in its economy, how many businesses act as data processors, market demand for data processor certifications, and the capacity of potential Accountability Agents to oversee the PRP System. In Canada, SMEs dominate the economy, making up over 99 per cent of Canadian businesses and accounting for over 72 per cent of businesses that export goods.[Footnote 9] Since the Global PRP System was designed to help SMEs connect to the global data processing market, its implementation could be valuable, if a significant number of these businesses operate as data processors.

Looking at specific sectors may help assess the value of adopting the PRP System in Canada. The Information and Communication Technology (ICT) sector, a major driver of Canada's digital economy, is composed mainly of SMEs, approximately 98 per cent of which are small businesses.[Footnote 10] Within this sector, 92.5 per cent of businesses specialize in software and computer services, including systems design and data processing,[Footnote 11] work typically done by data processors. This suggests that PRP certifications could benefit many businesses in a key sector of the Canadian economy.

As noted, jurisdictions can choose to adopt the Global CBPR, PRP, or both Global Systems. Some Member jurisdictions, like Chinese Taipei, Japan, and Republic of Korea, have only adopted CBPR, while others, like Singapore and the US, have implemented both. Some jurisdictions may also adopt a gradual approach, as the US did, first implementing the CBPR System and later adding the PRP System.

Questions for consideration

  1. From your perspective, what are the benefits of implementing both the Global CBPR and PRP Systems in Canada?
  2. Should the Government adopt a phased approach towards implementing the Global CBPR and PRP Systems in Canada?

Accountability Agent models

One of the first steps in implementing the Global CBPR and/or PRP Systems is selecting one or more Accountability Agents. The Global CBPR Forum has set specific standards for selecting Accountability Agents, requiring candidates to be independent and impartial, free of conflicts of interest, capable of assessing and monitoring organizations' compliance, and providing clear processes for dispute resolution and enforcement.

The selection process for Accountability Agents involves several steps, and Global CBPR Forum-recognized Accountability Agents are subject to multiple levels of oversight. The selection process involves approval by domestic authorities, the Global CBPR Forum's Accountability Agent Oversight and Engagement Committee, and the Global Forum Assembly, which is the Global CBPR Forum's governing body. Once approved, Accountability Agents remain under ongoing oversight and must undergo periodic reviews, ensuring continued credibility and effectiveness.

Each jurisdiction has some flexibility in selecting its Accountability Agent(s), allowing it to choose models that fit its regulatory and economic needs. Jurisdictions like Chinese Taipei, Japan, Republic of Korea, Singapore, and the US have adopted varied approaches, including government agencies, private entities, and hybrid models. The following provides an overview of these approaches in more detail.

Chinese Taipei's Accountability Agent is the Institute for Information Industry (III), a non-profit organization that was jointly established by government and industry.[Footnote 12] It has long served as an ICT think tank for government, providing policy advice and technical services. This includes planning, formulating, and promoting various government policies related to the information industry. The Ministry of Economic Affairs maintains oversight over some areas of the III's operations, including its financial and investment status. Additionally, municipal and city-level government authorities have legislative power to require III to comply with applicable standards.[Footnote 13]

In the Republic of Korea, the Accountability Agent is the Korea Internet and Security Agency (KISA).[Footnote 14] KISA is both a nonprofit special organization and a public institution under Korean law.[Footnote 15] It is described as a sub-organization under the Ministry of Science and ICT (MSICT), established to advance privacy protection and administer Korea's domestic privacy certification. It also collaborates with other government agencies and industry on initiatives to manage cybersecurity risks to the Korean marketplace.[Footnote 16] In its role as an Accountability Agent, KISA operates under delegated authorities of the MSICT and the Korean PEA, the Personal Information Protection Commission (PIPC). Both entities direct KISA and maintain oversight over its conduct as an Accountability Agent. KISA also has statutory obligations to maintain ethical management, and KISA employees have statutory duties to act impartially.

Japan's Accountability Agent is JIPDEC, a non-profit foundation,[Footnote 17] which has long worked closely with Japan's Ministry of Economy, Trade, and Industry. Since 1998, JIPDEC has administered the Japanese domestic privacy certification, PrivacyMark, which is based on Japanese industry standards on privacy. Additionally, JIPDEC provides a variety of governance and compliance management services for businesses and operates a department focused on research related to the use of digital information.

Singapore has a hybrid model for its Accountability Agent role. The Infocomm Media Development Authority (IMDA), a statutory board under the Ministry of Communications and Information, serves as the primary Accountability Agent.[Footnote 18] While IMDA is the entity accountable to the Global CBPR Forum, it partners with several private sector assessment bodies to review applications from organizations seeking certification. Currently, seven assessment bodies with cross-sectoral experience in certifications and audits operate under IMDA. Organizations pay the application fee to IMDA and the assessment fee directly to the relevant assessment body. Additionally, there is a separate category of consultancy service providers that can assist organizations in preparing for CBPR certification; however, IMDA neither requires organizations to use the consultancy services nor endorses the services listed in its directory.[Footnote 19]

The US relies entirely on private entities for its Accountability Agent role, with a mix of both non-profit and for-profit organizations providing certifications. Currently, the US has four Accountability Agents. The US Department of Commerce has stated publicly that multiple service providers are ideal because it strengthens US participation in the Global Systems.

All four US Accountability Agents bring distinct strengths to their roles under the CBPR and PRP Systems. The non-profit Accountability Agent, for instance, may conduct certification and enforcement with reduced risk of perceived or actual conflicts of interest.[Footnote 20] In addition, as a non-profit organization, it has greater flexibility to align its operations with the priorities of the businesses that it works with.

Among the for-profit US Accountability Agents, one is a privacy compliance technology company that focuses on simplifying and automating privacy management for organizations.[Footnote 21] It offers both CBPR and PRP certifications as part of its "assurance services," which include other privacy certifications. It also offers a suite of technologies and platforms to simplify compliance for businesses.

Another for-profit US Accountability Agent is a multinational cyber and software resilience company that operates across multiple sectors.[Footnote 22] It manages cyber threats, providing advice to technology manufacturers, financial institutions, critical infrastructure providers, retailers, and governments on safeguarding businesses, software, and personal data. The CBPR and PRP certifications complement its risk management and governance advisory services.

The remaining for-profit US Accountability Agent is a Certified Public Accountant (CPA) firm, which was initially established as an audit firm and now offers a diverse range of around sixty audits and assessments across six sectors. It operates across sectors such as financial services, fintech, healthcare, and cloud computing.[Footnote 23] The CBPR and PRP certifications align with its other compliance services, which focus on external audits.

The choice of Accountability Agent(s) is crucial, as it affects certification pricing, business adoption and the overall economic impact of the certifications. In designing Canada's model, it is important to consider key features of the Canadian regulatory and economic context. As noted above, since the great majority of Canadian businesses are SMEs, certification pricing must be set at a level that works for them. A non-profit model could help keep costs down, but might struggle to be financially sustainable. In such a case, some government support may help to support the work, as seen in Chinese Taipei, for instance. On the other hand, a for-profit model could encourage competition among multiple Accountability Agents, driving costs lower.

Each model demonstrates certain advantages. The Republic of Korea uses a government-run model, while the US depends entirely on private entities. However, as seen with JIPDEC in Japan and the III in Chinese Taipei, even among private entities, there may be different levels of cooperation with relevant government departments. On the other hand, Singapore's hybrid model combines elements of different approaches. These models are not mutually exclusive. For example, there can be a lower-cost option for smaller enterprises with potential government support, while allowing for-profit Accountability Agents to serve larger businesses. Additionally, different actors could handle different Accountability Agent functions, as in Singapore.

Questions for consideration

  1. Given your knowledge of the Canadian market, what are the potential advantages and disadvantages of adopting:
    1. a public sector Accountability Agent model (e.g., the model in the Republic of Korea)?
    2. a private sector Accountability Agent model (e.g., the models in Chinese Taipei, Japan, and the United States)?
    3. a hybrid Accountability Agent model (e.g., the model in Singapore)?
  2. How can Canada adapt its implementation of the Global CBPR and PRP Systems to accommodate the needs of SMEs while maintaining rigorous privacy standards?

Maximising the benefits of certifications

As discussed, the CBPR and PRP certifications offer many benefits, and jurisdictions can enhance the benefits through their approach towards implementation. In Singapore, for example, the IMDA operates as the primary Accountability Agent and engages private sector partners to provide assessment and audit services which can be tailored to organizations of different sizes and sectors. In addition, Singapore offers funding support to help organizations cover some certification costs,[Footnote 24] expanding access to a broader range of companies.

Another key feature of Singapore's approach is its streamlined process for obtaining multiple certifications, such as CBPR, PRP, and its domestic privacy certification, at a reduced overall cost.[Footnote 25] Since IMDA oversees both the domestic privacy certification and the CBPR and PRP Systems, businesses benefit from more straightforward compliance and greater interoperability between different certifications.

In contrast, the US approach builds on its market-driven privacy culture. US Accountability Agents benefit from long-standing expertise in privacy and compliance, which makes them trusted authorities under the CBPR and PRP Systems, with significant market awareness and demand for their services. Their broad industry knowledge allows them to offer organizations integrated compliance solutions, reducing costs and simplifying multijurisdictional requirements.

For Canada, these different models offer valuable insights. As noted above, several jurisdictions have Accountability Agents that certify compliance with both CBPR and/or PRP and their national privacy laws. In Canada, there are privacy certifications based on industry standards, but there is no certification based on the legislative requirements under PIPEDA. A Canadian Accountability Agent offering certification against both PIPEDA and the Global Systems may have advantages. It could simplify compliance, increase market incentives, and enhance consumer protections. It may also reduce the regulatory burden by resolving more privacy complaints through the Accountability Agent(s). However, administering both frameworks may require the Accountability Agent(s) to expend significant resources.

Accountability Agents also add value to the certifications through measures that could inform Canada's approach. Some bundle services, such as combining multiple certifications, to reduce costs and promote CBPR and/or PRP adoption, while others leverage cross-industry expertise to address diverse compliance needs, emerging risks, and complex supply chains. These measures can contribute to the CBPR and/or PRP certifications' value and uptake.

Questions for consideration

  1. What measures would maximize the benefits of the Global CBPR and PRP certifications in Canada?
  2. Should a Canadian Accountability Agent(s) also be able to certify compliance with Canadian privacy law, such as the Personal Information Protection and Electronic Documents Act (PIPEDA)?

Additional reading

Global CBPR Forum documents on participating in the Global CBPR and PRP Systems: https://www.globalcbpr.org/documents/.

ISED, Canada's Digital Charter in Action: A Plan by Canadians, for Canadians.

Organisation for Economic Co-operation and Development (OECD), Cross-border data flows: taking stock of key policies and initiatives (2022) (https://www.oecd.org/content/dam/oecd/en/publications/reports/2022/10/cross-border-data-flows_91466bb8/5031dd97-en.pdf) (PDF, 4.5 MB).

OECD and World Trade Organization, Economic Implications of Data Regulation: Balancing Openness and Trust (2025) (https://www.oecd.org/en/publications/economic-implications-of-data-regulation_aa285504-en.html) (PDF, 1.5 MB).

OECD, Mapping commonalities in regulatory approaches to cross-border data transfers (2021) No. 248 (https://www.oecd.org/content/dam/oecd/en/publications/reports/2021/05/mapping-commonalities-in-regulatory-approaches-to-cross-border-data-transfers_e66a8dc0/ca9f974e-en.pdf) (PDF, 5.3 MB).