A new model for cross-border data transfers: CBPR.


Mexico City, March 14th, 2023.

On 21 April 2022, the United States of America («US»), together with Canada, Japan, South Korea, the Philippines, Singapore, and Chinese Taipei, established the «Global CBPR Forum», which aims to promote and implement the APEC Global Cross Border Privacy Rules (CBPR). The Global CBPR Forum is a cooperative body that seeks to promote a certification that helps companies demonstrate internationally that they comply with recognized data protection standards, and that therefore facilitates cross-border transfers of personal data. This certification is known as CBPR, and one of the goals of the «Global CBPR Forum» has been to encourage its adoption and use in Latin American countries.

In the case of Mexico, chapter 19, «Digital Trade,» of the Agreement between Mexico, the United States of America, and Canada, known as USMCA, establishes that the Parties recognize the APEC Transborder Privacy Rules system as a valid mechanism to facilitate cross-border data transfers. To obtain certification, the CBPR system requires participating companies to implement privacy policies consistent with the APEC privacy framework. Third-party certifiers assess and certify companies’ compliance with CBPR privacy standards.

On March 9 and 10, a workshop entitled «The Way Forward: United States – Mexico, CBPR Cooperation» was held at the National Institute for Transparency, Access to Information and Protection of Personal Data («INAI»), in which representatives from the US and Mexico met with stakeholders to reach agreements regarding the regional adoption of the CBPR. At this event, Commissioner Josefina Román Vergara mentioned that the Secretary of Economy, together with INAI, has been working with the Global CBPR Forum for INAI to become a third-party certifier. As a result, INAI has undertaken various actions, such as creating a directorate within its organizational structure to implement CBPR in Mexico, and has begun the procedures to become a third-party certifier.

During the workshop, it was mentioned that the CBPR does not prevent the use of or compliance with other privacy frameworks, such as the General Data Protection Regulation («GDPR») or the use of Model Contractual Clauses. The CBPR is intended to be one more tool at the disposal of companies to comply with their personal data protection obligations. Likewise, the benefits of adopting the CBPR model for companies were emphasized, including: i) Providing confidence to consumers and customers that their personal data are processed under recognized data protection standards; ii) Streamlining business operations within the North American region by establishing a uniform compliance mechanism; and iii) Preventing obstacles to cross-border data transfers and guaranteeing transfer protections.

The future implementation of the CBPR model in Mexico will undoubtedly bring new tools for small and large businesses to transfer personal data to other jurisdictions and comply with their obligations. The information technology and data protection area remains at your service.


Adolfo Athié Cervantes



Renata Denisse Buerón Valenzuela



Erika Itzel Rodríguez Kushelevich



Ivan García Argueta