A globalized CBPR framework: Peering into the future of data transfers

Nov 30, 2021 by Cobun Zweifel-Keegan, Deputy Director, Privacy Initiatives, BBB National Programs

Last month, at the IAPP’s Privacy. Security. Risk. 2021 conference, an important moment occurred that may have been easy to miss. The moment took place during a panel discussion among current and former U.S. Department of Commerce staff titled “The Evolution of International Privacy Policymaking in the U.S. Government.”

Just as billed, the discussion ranged across data flow issues around the world, from the EU-U.S. Privacy Shield (“We’re almost done.”) to new privacy laws in Brazil and India. In general, the speakers highlighted the longstanding commitments within the DOC’s International Trade Administration to push back on data localization rules, while ensuring consistent and robust privacy standards based on principles that can work around the world. As Director of the Office of Digital Services Industries Krysten Jenci, CIPP/US, put it, “You can’t do trade unless data is flowing across borders.”

Though these remarks went far to illustrate the consistent message that has been core to the ITA’s engagement on the international stage, from the Organisation for Economic Co-operation and Development to the Asia Pacific Economic Cooperation to the European Union, this was not “the moment.”

The conversation then turned to a discussion about the impression among many U.S. privacy professionals that the U.S. finds itself on the defensive in international discussions on privacy, rather than leading the conversation. Michael Rose, an ITA alumnus now working in Google’s global policy team, turned to Christopher Hoff, CIPP/E, CIPP/US, CIPM, and asked, “What is the U.S.’s offensive strategy?”

Fittingly, it was Hoff, the most senior official on stage, appointed day one of the Biden administration to serve as Deputy Assistant Secretary for Services, who dropped the clearest signals about the future of ITA’s work.

In response to Rose’s question, Hoff listed three priorities of the U.S. administration:

  1. Tracking and combating data localization, in any form.
  2. Prioritizing direct bilateral negotiations with jurisdictions around the world.
  3. Supporting the globalization and expansion of the Asia Pacific Economic Cooperation Cross-Border Privacy Rules system.


Notably highlighting this last point, Hoff said, “CBPR is going global.”

This moment was years in the making, an unexpectedly pithy expression of a policy priority that had sometimes seemed like nothing more than a rumor: the U.S. government along with other participating economies is supporting an expansion of the CBPR system to allow participation by economies anywhere in the world.

The idea of converting CBPR from a regional to a global framework is rooted in a simple theory, foundational to the CBPR system: Baseline data protection standards across jurisdictions can be interoperable without being equivalent. Not only is this philosophy the U.S.’s official position today, but it also has been on display as a consistent theme in the work of the ITA for over two decades. It shows a practical approach to data transfers rooted in balancing four interrelated goals: essential privacy protections, trusted global digital trade, achievable compliance mechanisms, and effective cross-border enforcement among participating jurisdictions.

The CBPR system and the related Privacy Recognition for Processors system is voluntary but enforceable frameworks. Such a system has an implicit and often overlooked power. Layers of accountability create a structure where trust is never assumed, from the internal procedures required for an organization to receive certification, to the practices of independent accountability agents that are reviewed and approved by all participating regulators, to regulatory recognition and enforcement within each participating jurisdiction, to empowering consumers to pursue actionable complaints.

In fact, this model sits as a direct counterpoint to the EU’s “adequacy” model. Rather than empowering a single jurisdiction to determine the adequacy of a country’s privacy protections, an independent multilateral body is given this authority. This distributive model protects against the risk of protectionist trade priorities creeping into data protection assessments.

In addition, rather than deeming an entire jurisdiction to have adequate protection regardless of the actual practices of any given organization within that jurisdiction, the CBPR model provides a framework for organizations to proactively demonstrate a commitment to uniform privacy standards. Like other multilayered governance frameworks (Privacy Shield is quite similar), participating businesses are publicly listed, independently reviewed, subject to consumer redress procedures, and subject to enforcement of their commitments by their home regulator. This system assists both consumers and other businesses in properly vetting an organization before doing business with it.

And rather than relying only on resource-limited regulators to review and approve privacy commitments (as seen in the multi-year backlog of binding corporate rules applications within some DPAs), the CBPR system provides a mechanism for regulators to empower independent “accountability agents,” but only after those agents have demonstrated their transparency, independence, and proactive procedures. This mechanism assists in making participation scalable and achievable, an important factor if we care about the success of small and medium-sized businesses in accessing cross-border markets while still embracing enforceable privacy standards.

The precise structure of a globalized CBPR system is not known, though it is likely to look very similar to the existing model. If so, countries that wish to join the system will submit an application to existing members. Accountability agents will apply to their local regulator and be reviewed and approved by the members. Local accountability agents will certify businesses. Certification will include recognition throughout the system, along with any localized compliance benefits.

Such a system not only will allow jurisdictions from Bermuda to Brazil and beyond to recognize CBPR as a robust framework for meeting local data transfer requirements, as the Office of the Privacy Commissioner for Bermuda did last year, but also will provide jurisdictions with a reciprocal and multilateral acknowledgment that their standards exceed a recognized uniform baseline.

The timeline for CBPR’s global expansion is by no means certain, though remarks on stage suggested we will see concrete progress in 2022. In the meantime, it is worth reflecting on the utility of this interoperable framework. A transparent and accountable system that encourages organizations to achieve global privacy best practices is a win-win for businesses and consumers alike.

Originally published in IAPP's The Privacy Advisor

Suggested Articles


KOSA (and Children’s Privacy) on the Move

The Kids Online Safety Act (KOSA) is gaining traction in the U.S. Senate after the most recent round of revisions released this month by Senators Richard Blumenthal and Marsha Blackburn, following on the heels of proposed changes to the COPPA Rule. Here are CARU's high-level takeaways from the KOSA revisions with some insight into each revision.
Read more

Location Not Found: Mitigating Precise Geolocation Consent Flow Risk

Privacy-minded Federal Trade Commission (FTC) watchers have seen two bombshell enforcement actions related to alleged mishandling of consumer geolocation data. The Privacy Initiative team delves into those cases, the breadth of the penalties the FTC has included in the proposed orders, and best practices to avoid the crosshairs.
Read more

The ABCs of DPF and GDPR

Easing data flows across the Atlantic, the EU-U.S. DPF satisfies requirements outlined under the General Data Protection Regulation (GDPR), helping companies avoid steep fines.
Read more

The FTC Joins the Global CBPR Party

This month the Federal Trade Commission (FTC) announced participation in the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE), signaling the agency’s interest in keeping pace with the increasingly global nature of commerce and marks an important step forward for the global expansion of CBPRs.
Read more