OPC Submission on the implementation of the Global Cross-Border Privacy Rules (CBPR) Forum certifications in Canada

BY EMAIL

June 20, 2025

Dear Senior Assistant Deputy Minister Dostal:

1. The Office of the Privacy Commissioner of Canada (OPC) welcomes Innovation, Science and Economic Development Canada’s (ISED) consultation on the implementation of the Global Cross-Border Privacy Rules (CBPR) Forum certifications in Canada.
2. We commend the timely exploration of this issue and the Government of Canada’s efforts to consider actions that can foster Canada’s digital economy through the strengthening of existing and new trade partnerships, as well as removal of barriers for Canadian small and medium-sized enterprises (SMEs) to innovate and succeed in the digital marketplace. The OPC believes that Canada’s participation in the Global CBPR Forum can provide support in this regard as there are clear benefits to organizations, individuals, the OPC, and Canada.

Supporting Canada’s Trade Partnerships

3. The OPC believes that having strong privacy protections facilitated through certification mechanisms can support international trade. The free flow of personal information across borders is fundamental to many businesses’ operations and is an important international trade objective, as demonstrated by the inclusion of provisions related to personal information protection in modern trade agreements between Canada, the United States of America, and Mexico (CUSMA) and under the Comprehensive Economic Trade Agreement (CETA) between the European Union and Canada. These trade agreements recognize the need to protect personal information in the context of electronic commerce.^{Footnote 1} Specifically, Article 19.8 of CUSMA further recognizes certification as a mechanism to facilitate cross-border information transfers while protecting personal information and allowing flexibility for countries to develop their own privacy laws.

Increasing Canadians’ Understanding and Control over How their Personal Information is Handled

4. The OPC supports mechanisms that can help individuals make informed decisions about sharing their personal information. As cross-border data flows can create inherent risks for privacy and potentially expose personal information to differing legal rules and levels of protection, the Global CBPR Forum can provide assurance to individuals that certified companies are complying with a baseline of privacy protection. The OPC, through its consultation on consent, examined how certification mechanisms such as trustmarks could enhance existing consent mechanisms under PIPEDA and help organizations proactively demonstrate accountability.^{Footnote 2} At the time, stakeholders expressed a general wariness of trustmark programs developed and operated by industry for industry, citing lack of independence as a major concern. The OPC did, however, hear from some parties that they would support the mechanism if it was overseen by a credible independent organization.^{Footnote 3} 

Providing the Private Sector with Regulatory Certainty and Clarity

5. The OPC believes that there is a benefit to implementation of both the Global CBPR and Global Privacy Recognition for Processors (PRP) systems (Global Systems) in Canada. Implementation of the Global Systems can provide companies with regulatory certainty when faced with the challenge of navigating their privacy obligations in different jurisdictions. With over 150 countries having enacted data protection or privacy legislation worldwide, it is imperative that jurisdictions establish baseline protections for international transfers.^{Footnote 4} Implementing the Global Systems could provide assistance in establishing this baseline of privacy protection to facilitate business interactions outside of Canada and would create a more predictable regulatory environment that could help to reduce organizations’ compliance costs.
6. Although the Global Systems’ requirements do not displace domestic laws or the responsibilities of domestic regulators, the Global PRP requirements could serve to clarify the relationship between controllers and processors operating in the system. Specifically, the requirements generally align with requirements under PIPEDA.^{Footnote 5} Principle 4.1.3 of PIPEDA provides that an organization is responsible for personal information in its possession or custody - including information that has been transferred to a third party for processing - and that the organization must use contractual or other means to provide a comparable level of protection while the information is processed by a third party. Despite this, recent OPC investigations have revealed a lack of clarity regarding the obligations of service providers.^{Footnote 6}  

Fostering Data Free Flow with Trust

7. Certification mechanisms, including the Global CBPR Forum certifications, can be one effective tool to consider in the establishment of trust when personal information crosses borders. Since the introduction of the concept of Data Free Flow with Trust (DFFT) in 2019, the OPC has since worked with international counterparts to identify commonalities and elements of convergence between existing regulatory approaches to help establish trust. We note that the 2023 Ministerial Declaration of the G7 Digital and Tech Ministers’ includes a vision for operationalizing DFFT and its priorities. The declaration recognizes that trust should be built and realized through various legal and voluntary frameworks, guidelines, standards, technologies and other means that are transparent and protect data.^{Footnote 7}
8. The OPC has recognized this through co-sponsoring resolutions by the Global Privacy Assembly (GPA) that seek to advance data transfer tools which ensure DFFT.^{Footnote 8} In this resolution, we committed to support efforts to bridge differences in regulatory systems and promote and develop certification tools that can secure trustworthy transfers, where relevant.
9. The OPC also co-sponsored a GPA resolution endorsing and encouraging certification mechanisms as a means by which organizations can show effective compliance with privacy and data protection laws and regulations and may engage in cross-border transfer of personal data in a trusted and accountable manner.^{Footnote 9}
10. Moreover, the OPC is a member and the current host of the G7 Data Protection and Privacy Authorities (DPA) Roundtable, which maintains DFFT as a pillar of the group’s work. In 2024, the G7 DPA Working Group on DFFT completed a comparison of the Global CBPR Forum and GDPR certification mechanisms.^{Footnote 10} The comparison determined that while the schemes are grounded in different legal foundations and structures, and contain certain differing provisions, they share many similar key data protection principles, as well as common elements regarding lawful basis of processing, purpose limitation, security and transparency requirements.

Protecting and Promoting Privacy with Maximum Impact

11. The OPC has committed, through its 2024-27 Strategic Priorities, to maximize the OPC’s impact in fully and effectively promoting and protecting the fundamental right to privacy. Implementation of the Global CBPR Forum can maximize impact by providing the OPC with assistance in the handling of complaints and alleviating enforcement burdens, as well as establishing an alternative dispute resolution mechanism. Such efficiencies would benefit Canadians by reducing processing times and providing different avenues to seek redress. 
12. Participation in certification mechanisms similar to the Global CBPR Forum have proven beneficial to the OPC in the past and will undoubtedly serve us in the future as privacy violations often extend beyond Canadian borders.
13. Under Section 23.1 of PIPEDA, the OPC is allowed to share information, under specific circumstances, with foreign counterparts that have duties and functions similar to those of the OPC with respect to the protection of personal information. This provision has enabled the Office to participate in the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE), a precondition to Canada’s participation in the Global CBPR Forum. Similarly, this is the provision relied upon to participate in the Asia Pacific Economic Cooperation Cross-border Privacy Enforcement Arrangement (APEC CPEA). Our participation in that arrangement enabled the OPC to investigate Ashley Madison with the Office of the Information Commissioner of Australia (OAIC) in 2016.^{Footnote 11}
14. In the Global Systems, Accountability Agents certify applicant organizations against the Global Systems’ Program Requirements and may only do so in the jurisdiction for which they have been accredited to operate. Accountability Agents monitor compliance of certified companies and offer a dispute resolution mechanism to assist individuals in resolving conflicts with their certified organizations. Individuals have the choice of lodging a complaint about a certified organization either through an Accountability Agent’s dispute resolution mechanism, or through the OPC as Canada’s Privacy Enforcement Authority (PEA). The OPC may rely on s.12(1)(a) of PIPEDA, which requires a complainant to first exhaust other grievance or review procedures available to them. This would apply to complaints against companies that are certified under the Global CBPR System and utilize their dispute mechanism, which would have a positive impact on OPC resources by allowing privacy conflicts with these certified companies to be addressed without the need for an investigation.
15. Regarding different Accountability Agent models, and whether these entities should be able to certify against PIPEDA, the OPC notes that the former Bill C-27, the Digital Charter Implementation Act, 2022, included a framework providing for codes of practice and certification mechanisms approved by the OPC.^{Footnote 12} The OPC would be generally supportive of a similar approach being taken to support the implementation of the Global CBPR Forum. 

Additional Measures to Ensure a High Standard of Privacy Protection

16. Regarding measures that would maximize the benefits of the Global CBPR and PRP certifications in Canada, the OPC would encourage the consideration of certification mechanisms, and Canada’s implementation of the Global CBPR Forum, as one mechanism among many that can serve to establish privacy protections when personal information crosses borders. 
17. Presently, PIPEDA does not contain separate and explicit rules governing trans-border data flows. The OPC has previously recommended that PIPEDA contain provisions that specifically address trans-border data flows to ensure that Canadians’ personal information is appropriately protected when leaving the country. Canada’s private sector privacy law should provide for tools to ensure that a comparable level of protection is provided when personal information travels across borders, such as standard contractual clauses, codes of practice, and binding corporate rules, in addition to certification mechanisms.
18. Although Canada’s participation in the Global CBPR can provide some assurances regarding protection of personal information in these contexts, it is important to note that most modern privacy laws contain an array of legislative solutions to address trans-border data flows.
19. We would welcome this new opportunity to work with businesses to help ensure that their activities comply with PIPEDA and encourage the Government of Canada to continue exploring mechanisms that can foster trust when personal information crosses borders.

Sincerely,