Our Data Flows, Localization, and Transfer Mechanisms Project champions the development of sustainable, future-ready frameworks for international data transfers. In an increasingly interconnected digital economy, the ability to move data securely and lawfully across borders is essential for innovation, economic growth, and global collaboration.
CIPL actively contributes to the enhancement and modernization of international data transfer mechanisms, with a strong focus on:
-
The Global Cross-Border Privacy Rules (Global CBPR) and Global Privacy Recognition for Processors (Global PRP) systems, supporting scalable, interoperable privacy standards across jurisdictions.
-
Developing and refining certifications, codes of conduct, and other accountability-based transfer tools.
-
Strengthening frameworks like Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs) to ensure legally sound and business-friendly pathways for cross-border data movement.
Central to our work is the promotion of a risk-based approach to data transfers and data transfer impact assessments, empowering organizations to identify and mitigate privacy risks while maintaining compliance with evolving global data protection laws.
As governments around the world increasingly consider or implement data localization mandates, CIPL works to counteract these trends by advocating for balanced, multilateral solutions. We promote policies that ensure fair access to data across borders, support secure government access mechanisms, and uphold robust data security practices, helping to build global trust in data governance.
Through thought leadership, multistakeholder engagement, and policy development, CIPL drives forward practical and scalable solutions that align with both regulatory requirements and commercial realities. Our work ensures that data can flow responsibly, securely, and lawfully—powering innovation and protecting privacy in the global digital economy.
For over 20 years CIPL has been a leading advocate for organizational accountability in data protection and broader digital and data policy. Since 2018 we have applied our thought leadership to the field of AI.
2015
We began foundational work on international data transfer tools and best practices.
2017
We published Essential Legislative Approaches for Enabling Cross-Border Data Transfers in a Global Economy. In this paper, we outlined global legislative principles for enabling lawful and trusted data flows.
2020
- We published extensive FAQs on the Cross Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) which served as a guide for businesses navigating the CBPR and PRP systems.
- We published our paper Accountable Data Transfers Between India and the U.S, which explored responsible data flows within the Framework created under India’s draft PDP Bill.
- Turning to Europe, we published our white paper Path Forward After Schrems II: Strategic white paper on operationalizing international transfers post-CJEU ruling.
2022
Our publication of Case Studies from British Columbia: Real World Local Law Assessments Enabling Trusted Global Data Flows provided an in-depth study how practical solutions can be enacted for global data flows. While our Mapping APEC CPBR and EU/UK Standards: Interoperability Analysis of Key Transfer Regimes continued our work to get to the heart of complex legal frameworks around data flows.
2023
We partnered with Tech, Law and Security TLS to produce two papers: The ‘Real Life Harms’ of Data Localization Policies and Data Localization and Government Access to Data Stored Abroad. This paper series sought to help policymakers and stakeholders to:
- Better understand the real-life impact of data localization policies;
- Outline the disruptive impact of these policies on critical business operations and key products and services;
- Promote practical and scalable solutions in the service of cross-border data flows with trust.
Our updated FAQs on the CBPR and PRP systems provided further clarity for organizations navigating these systems following key developments in these frameworks.
2024
We published The Zero Risk Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach, written by Theodore Christakis. In this paper, Professor Christakis makes the case for a nuanced and risk-based approach to data transfers, where data protection measures are proportionate to the risks at hand.
Our work on data flows is driven by 3 core goals, each of which seeks to build a future which unlocks the broad benefits of data in a trusted and secure way.
Advancing Scalable and Accountable Data Transfer Mechanisms
-
Promote and help refine global frameworks like the Global CBPR and Global PRP systems to support interoperable and consistent cross-border data practices.
-
Develop and align codes of conduct, certifications, BCRs, and SCCs with evolving regulatory expectations and business needs.
-
Provide in-depth guidance and comparative analysis on the mapping of transfer mechanisms across jurisdictions (e.g., APEC, GDPR, UK GDPR, Privacy Shield).
-
Collaborate with regulators and industry stakeholders to promote practical, risk-based pathways for lawful data transfers.
Promoting a Risk-Based Approach to International Data Governance
-
Advocate for risk-based data transfer impact assessments (TIAs) as a pragmatic alternative to rigid or zero-risk standards.
-
Develop thought leadership to support nuanced government access policies and balanced oversight.
-
Encourage global adoption of contextual, harm-based approaches to data protection and government access to data.
Countering Data Localization through Multilateral Policy Solutions
-
Publish evidence-based reports on the economic and operational harms of data localization mandates.
-
Facilitate multistakeholder roundtables and consultations to build consensus on equitable cross-border data access.
-
Advocate for global frameworks that protect data security while enabling legitimate government and private sector access to data.
-
Promote cloud computing and digital infrastructure as tools for privacy-respecting global data movement.
Global CBPR & Global PRP Systems Playbook: An Actionable Guide for Participation in the Global Cross-Border Privacy Rules and the Global Privacy Recognition for Processors
What are the Global Cross-Border Privacy Rules (Global CBPR)? What is the Global Privacy Recognition for Processors (Global PRP)? How do these systems work? What benefits do they provide to businesses and individuals alike? These questions and more are addressed in CIPL’s Global CBPR & Global PRP Systems Playbook, which explains how these programs provide […]
The “Zero Risk” Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach
Since the CJEU Schrems II Judgment in July 2020, European data protection authorities (DPAs) in the EU have developed a “zero risk” theory in relation to Chapter V of the General Data Protection Regulation (GDPR). They have been asking data controllers and processors that transfer personal data outside the EU to “eliminate” all risks of […]
Data Sharing Between Public and Private Sectors: When Local Governments Seek Information from the Sharing Economy
This paper addresses the growing trend of localities requesting (and sometimes mandating) that data collected by the private sector be shared with the localities themselves. Such requests are generally not in the context of law enforcement or national security matters, but rather are part of an effort to further the public interest or promote a […]
