On 23 March 2026, the Global Cross-Border Privacy Rules (CBPR) Forum updated the Global Cross-Border Privacy Rules System Program Requirements (PRs). The PRs apply to organisations seeking certification under the Global Cross-Border Privacy Rules System (CBPR System). The update increases the PRs from 50 to 57 requirements and updates 3 existing requirements. The PRs set requirements under the Preventing Harm principle of the Global CBPR Privacy Framework, including obligations for processing sensitive data (PR 1) and children’s data (PRs 2 and 3), requirements to conduct risk assessment and mitigation (PR 4), and requirements to notify affected individuals of data breaches without unreasonable delay, including information on the breach, mitigation measures, and contact details (PR 5). The PRs require organisations to provide choice for direct marketing (PR 22), record and implement individuals’ choices (PR 26), and provide mechanisms for withdrawal of consent where personal data is no longer required (PR 27). The PRs require organisations to maintain records of processing activities (PR 46) and appoint qualified individuals responsible for compliance (PR 47), including procedures to receive and address complaints. The PRs require documented policies and procedures, provision of compliance evidence, and verification and monitoring by Accountability Agents responsible for certification and ongoing compliance. The PRs also require administrative, technical, and physical safeguards, that third-party processors apply equivalent protections, and mechanisms for access and correction of personal data. From 1 April 2027, organisations must certify against the updated PRs. Until 1 April 2027, the CBPR System and APEC Cross-Border Privacy Rules System (APEC CBPR System) PRs remain aligned.