Google and the Global Cross Border Privacy Rules

The value and convenience of the global internet relies upon the free flow of information across borders: collaborating with global colleagues, speaking with a loved one via Google Meet, finding directions to the closest pharmacy on Google Maps, or finding and buying everyday items online. Global data flows make these daily activities work seamlessly, and support the health and growth of the modern digital economy and the opportunity it promises for users around the world.

As governments explore new rules governing data transferred abroad, there is an unprecedented need for global, interoperable solutions. Companies, governments, and policymakers must work together to create new legal and technical tools, set out interoperability standards, and most importantly, align on new frameworks to maintain both privacy and essential data flows.

One of these global solutions is the recently announced Global Cross Border Privacy Rules (CBPR), a privacy certification that will allow companies to demonstrate their compliance with government-approved requirements for data protection, backed by a review of those protections by a third-party. The Global CBPR system is an important step toward enabling continued, trusted data flows between participating jurisdictions, and Google is committing to certifying under the future Global CBPR system.

How collaboration will help ensure the future of data flows

When governments announced the formation of the Global CBPR Forum earlier this year, designed to oversee the Global CBPR system, Google was honored to participate in the first meeting along with representatives from 20 jurisdictions. What we shared and heard from the governments at the Forum was a desire to solve the problem of trusted data flows together.

At the Global CBPR Forum, industry players and government representatives sounded a clear call for the certification program to find the right balance between holding companies accountable for their data use, protecting individuals from harm and misuse, and helping maintain the trust within the ecosystem that enables innovation and change, all while being globally scalable.

The Global CBPR system advances efforts to protect the digital ecosystem from fragmentation, which would come at a cost to access to information as well as opportunities and livelihoods for people around the world. This is a critical moment for governments to work with industry and other stakeholders to stabilize the regulatory landscape so that companies can confidently offer products and services that rely on international data flows without compromising privacy protections. The Global CBPR system is one step towards that clarity and security.

Next steps for Google and the Global CBPR system

Our investment in privacy and security is at the core of every product we build. We will bring this experience to the conversation to help build a robust Global CBPR system. We will work with our partners to provide input through the Global CBPR Forum on the practical realities of services facing fragmented privacy regulations. This global fragmentation is a challenge for any business, especially for small and medium-sized enterprises (SMEs) who often don’t have the resources to navigate a patchwork of laws. We also encourage the governments of the Global CBPR Forum to work with academics and civil society to understand how to make CBPR requirements scalable and able to bridge divergent legal requirements and cultural expectations of privacy.

We are also committed to finding ways to help and support Google customers to certify to this global standard, especially among small and medium enterprises. This kind of support will help scale these key privacy protections to more users, strengthening the businesses of our customers. We will continue to look for ways in the future to support participation in the US and globally in the CBPRs to raise privacy protections for users around the world.

The creation of the Global CBPR Forum is part of a global conversation on bringing strong, interoperable privacy protections to our users and the users of countless other companies around the world. We look forward to the Global CBPR Forum establishing new requirements and will certify to the system at the first opportunity.