Workday’s Take on Global Data Transfers: An Update and What’s Next

Barbara Cosgrove, vice president, chief privacy officer at Workday, discusses Workday’s position on the creation of the Global Cross Border Privacy Rules Forum, what this means for the industry at large, and what to expect next for global data transfers.

At Workday, we value trust as a critical component of our relationship with our customers, and we recognized early on the importance of strong privacy protections and the value of third-party certifications for cross-border data transfers as a means of maintaining that trust. As part of this commitment, we are very pleased to see progress in privacy certification mechanisms in different parts of the world, and as a long-time supporter of the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) and the first company to certify to the APEC Privacy Recognition for Processors (PRP), we applaud the U.S. Department of Commerce’s recent announcement on the creation of the Global CBPR Forum. We’re also excited to see progress from Europe and the United States in establishing a new transatlantic data transfer framework.

Building a Foundation of Trust in the Asia-Pacific Region and Beyond

The launch of the Global CBPR Forum couldn’t come at a more pivotal time. New privacy regulations enacted around the world continue to introduce complexities for multinational companies who transfer data across geographical regions. Companies must invest an increasing amount of resources to correctly map unique governance and transfer requirements to their data flows, including deploying contractual clauses that slightly vary between regions or even between states in the U.S. That’s why global privacy standards that are both robust and interoperable are of utmost importance.

It's refreshing to see positive steps toward ensuring privacy is protected and data transfers seamlessly continue for both Workday and our customers.

The Global CBPR Forum builds upon the existing APEC frameworks, and is intended to increase the adoption of the framework globally. It recognizes that interoperability may occur where countries have shared privacy values even though there are distinct nuances in their privacy regulations. Current founding participants include Canada, Chinese Taipei, Japan, the Philippines, the Republic of Korea, and Singapore. We strongly support the goal of expanding the Global CBPR to additional countries around the world as it will simplify transferring data to various regions.

Our transition to the Global CBPR Forum should be seamless, allowing Workday to continue to demonstrate compliance to internationally recognized privacy standards. 

Progress on the EU-US Data Privacy Framework

In addition to the CBPR announcement, we’re pleased that there will soon be greater legal certainty about future transfers of European personal data to the U.S. Last month, President Biden and the European Union (EU) Commission announced they reached an agreement in principle on a new framework for personal data transfers from the EU to the U.S. We’re awaiting an executive order from President Biden, which will officially set out the U.S.’s legal commitments and form the basis for a future adequacy decision from the EU Commission. Workday has maintained our certification to the Privacy Shield framework, which will again be a valid data transfer mechanism following the adequacy decision. We look forward to sharing more once the executive order is released.

It's refreshing to see positive steps toward ensuring privacy is protected and data transfers seamlessly continue for both Workday and our customers. In light of today’s ever-changing regulatory landscape, efforts like these that build trust across borders are essential.