CBPR and the U.S. Digital Trade Promotion Act: What the Proposal Signals for Cross-Border Data Flows
International data transfers are once again front and center in U.S. policy conversations. On December 9, 2025, a bipartisan group of U.S. senators introduced the U.S. Digital Trade Promotion Act (SB 3399), a proposal aimed at restoring U.S. leadership in digital trade and cross-border data flows.
Notably, the proposed legislation explicitly references the Cross-Border Privacy Rules (CBPR) framework, signaling renewed federal recognition of CBPR as a trusted mechanism for protecting personal data while enabling global commerce.
This marks a meaningful shift. After several years of uncertainty around U.S. digital trade policy, the proposal reflects a return to long-standing U.S. support for interoperable privacy frameworks that facilitate international data transfers without imposing localization requirements.
Within this context, the bill specifically references the CBPR system as a recognized framework for enabling trusted data transfers across borders.
While the Act does not create new privacy obligations for companies, it sends a clear policy signal: the U.S. views CBPR as a legitimate and scalable approach to addressing privacy in international trade.
In sum, and in the aftermath of these policy proposals in Congress, companies should feel confident in existing frameworks such as the CBPR to expedite overseas data transfers in a uniform, forward-looking manner – an approach with previous buy-in from the Federal Trade Commission and the U.S. Department of Commerce, and now is affirmatively being recognized on Capitol Hill.
Under CBPR, organizations voluntarily certify that their privacy practices meet a set of baseline requirements derived from the decades-old APEC Privacy Framework. Certification is granted by independent, third-party accountability agents and is subject to ongoing government oversight.
CBPR is not a law. It is a certification-based accountability system that complements existing privacy laws and helps bridge differences among national regulatory regimes.
CBPR addresses this tension by providing a common privacy and security baseline (set of requirements) across participating economies, including:
This is why CBPR has historically aligned well with trade objectives, and why it is resurfacing in federal proposals focused on digital trade.
At the same time, there is renewed momentum to modernize and expand the Global CBPR framework, with additional jurisdictions and their regulators committing to becoming full or associate members. Together, these developments point toward growing international interest in interoperable, certification-based privacy systems rather than fragmented national requirements.
The inclusion of CBPR in federal digital trade proposals suggests that:
While CBPR certification is voluntary, it increasingly functions as a way for companies to demonstrate accountability, transparency, and readiness for cross-border data requirements.
As governments continue to seek durable, scalable approaches to privacy in a global economy, CBPR’s role as a trusted, third-party accountability framework is once again gaining visibility.
With questions about CBPR, request a consultation with the Global Privacy Division team at BBB National Programs, a Department of Commerce-approved Global CBPR and PRP Accountability Agent.
Notably, the proposed legislation explicitly references the Cross-Border Privacy Rules (CBPR) framework, signaling renewed federal recognition of CBPR as a trusted mechanism for protecting personal data while enabling global commerce.
This marks a meaningful shift. After several years of uncertainty around U.S. digital trade policy, the proposal reflects a return to long-standing U.S. support for interoperable privacy frameworks that facilitate international data transfers without imposing localization requirements.
What is the U.S. Digital Trade Promotion Act?
The proposed Act establishes U.S. negotiating objectives for digital trade agreements. Among its priorities are commitments related to:- Cross-border data flows
- Avoiding unnecessary data localization mandates
- Interoperable privacy protections
- Trust frameworks that support global digital commerce
Within this context, the bill specifically references the CBPR system as a recognized framework for enabling trusted data transfers across borders.
While the Act does not create new privacy obligations for companies, it sends a clear policy signal: the U.S. views CBPR as a legitimate and scalable approach to addressing privacy in international trade.
In sum, and in the aftermath of these policy proposals in Congress, companies should feel confident in existing frameworks such as the CBPR to expedite overseas data transfers in a uniform, forward-looking manner – an approach with previous buy-in from the Federal Trade Commission and the U.S. Department of Commerce, and now is affirmatively being recognized on Capitol Hill.
A quick refresher: What is CBPR?
The Cross-Border Privacy Rules (CBPR) system is an internationally recognized, government-backed privacy framework designed to facilitate the transfer of personal data across participating economies while ensuring consistent privacy protections.Under CBPR, organizations voluntarily certify that their privacy practices meet a set of baseline requirements derived from the decades-old APEC Privacy Framework. Certification is granted by independent, third-party accountability agents and is subject to ongoing government oversight.
CBPR is not a law. It is a certification-based accountability system that complements existing privacy laws and helps bridge differences among national regulatory regimes.
Why CBPR Shows Up in Trade Policy
Trade agreements increasingly recognize that data flows are essential to modern commerce. At the same time, governments want assurances that personal data is handled responsibly when it moves across borders.CBPR addresses this tension by providing a common privacy and security baseline (set of requirements) across participating economies, including:
- Independent third-party oversight
- Enforcement mechanisms through accountability agents
- Flexibility to coexist with domestic privacy laws
This is why CBPR has historically aligned well with trade objectives, and why it is resurfacing in federal proposals focused on digital trade.
CBPR in the Broader Global Context
The proposed Digital Trade Promotion Act arrives amid a broader resurgence of U.S. government activity related to cross-border data flows. Recent trade discussions and agreements with countries such as Argentina and Indonesia have included efforts to secure commitments around data transfers and adequacy-style recognitions.At the same time, there is renewed momentum to modernize and expand the Global CBPR framework, with additional jurisdictions and their regulators committing to becoming full or associate members. Together, these developments point toward growing international interest in interoperable, certification-based privacy systems rather than fragmented national requirements.
What This Means for Businesses
For organizations that operate internationally (or plan to), these policy signals matter.The inclusion of CBPR in federal digital trade proposals suggests that:
- CBPR remains relevant to U.S. privacy and trade strategy
- Certification frameworks are likely to play a role in future data-flow discussions
- Businesses that align with recognized global frameworks may be better positioned as trade and privacy policies evolve
While CBPR certification is voluntary, it increasingly functions as a way for companies to demonstrate accountability, transparency, and readiness for cross-border data requirements.
Looking Ahead
International data transfers and digital trade are expected to be major policy topics heading into 2026. The premise behind the U.S. Digital Trade Promotion Act reinforces the idea that privacy and trade are no longer separate conversations, and that CBPR sits at the intersection of both.As governments continue to seek durable, scalable approaches to privacy in a global economy, CBPR’s role as a trusted, third-party accountability framework is once again gaining visibility.
With questions about CBPR, request a consultation with the Global Privacy Division team at BBB National Programs, a Department of Commerce-approved Global CBPR and PRP Accountability Agent.