A globalized CBPR framework: Peering into the future of data transfers

Nov 30, 2021 by Cobun Zweifel-Keegan, Deputy Director, Privacy Initiatives, BBB National Programs

Last month, at the IAPP’s Privacy. Security. Risk. 2021 conference, an important moment occurred that may have been easy to miss. The moment took place during a panel discussion among current and former U.S. Department of Commerce staff titled “The Evolution of International Privacy Policymaking in the U.S. Government.”

Just as billed, the discussion ranged across data flow issues around the world, from the EU-U.S. Privacy Shield (“We’re almost done.”) to new privacy laws in Brazil and India. In general, the speakers highlighted the longstanding commitments within the DOC’s International Trade Administration to push back on data localization rules, while ensuring consistent and robust privacy standards based on principles that can work around the world. As Director of the Office of Digital Services Industries Krysten Jenci, CIPP/US, put it, “You can’t do trade unless data is flowing across borders.”

Though these remarks went far to illustrate the consistent message that has been core to the ITA’s engagement on the international stage, from the Organisation for Economic Co-operation and Development to the Asia Pacific Economic Cooperation to the European Union, this was not “the moment.”

The conversation then turned to a discussion about the impression among many U.S. privacy professionals that the U.S. finds itself on the defensive in international discussions on privacy, rather than leading the conversation. Michael Rose, an ITA alumnus now working in Google’s global policy team, turned to Christopher Hoff, CIPP/E, CIPP/US, CIPM, and asked, “What is the U.S.’s offensive strategy?”

Fittingly, it was Hoff, the most senior official on stage, appointed day one of the Biden administration to serve as Deputy Assistant Secretary for Services, who dropped the clearest signals about the future of ITA’s work.

In response to Rose’s question, Hoff listed three priorities of the U.S. administration:

  1. Tracking and combating data localization, in any form.
  2. Prioritizing direct bilateral negotiations with jurisdictions around the world.
  3. Supporting the globalization and expansion of the Asia Pacific Economic Cooperation Cross-Border Privacy Rules system.


Notably highlighting this last point, Hoff said, “CBPR is going global.”

This moment was years in the making, an unexpectedly pithy expression of a policy priority that had sometimes seemed like nothing more than a rumor: the U.S. government along with other participating economies is supporting an expansion of the CBPR system to allow participation by economies anywhere in the world.

The idea of converting CBPR from a regional to a global framework is rooted in a simple theory, foundational to the CBPR system: Baseline data protection standards across jurisdictions can be interoperable without being equivalent. Not only is this philosophy the U.S.’s official position today, but it also has been on display as a consistent theme in the work of the ITA for over two decades. It shows a practical approach to data transfers rooted in balancing four interrelated goals: essential privacy protections, trusted global digital trade, achievable compliance mechanisms, and effective cross-border enforcement among participating jurisdictions.

The CBPR system and the related Privacy Recognition for Processors system are voluntary but enforceable frameworks. Such a system has an implicit and often overlooked power. Layers of accountability create a structure where trust is never assumed: from the internal procedures required for an organization to receive certification, to the practices of independent accountability agents that are reviewed and approved by all participating regulators, to regulatory recognition and enforcement within each participating jurisdiction, to empowering consumers to pursue actionable complaints.

In fact, this model sits as a direct counterpoint to the EU’s “adequacy” model. Rather than empowering a single jurisdiction to determine the adequacy of a country’s privacy protections, an independent multilateral body is given this authority. This distributive model protects against the risk of protectionist trade priorities creeping into data protection assessments.

In addition, rather than deeming an entire jurisdiction to have adequate protection regardless of the actual practices of any given organization within that jurisdiction, the CBPR model provides a framework for organizations to proactively demonstrate a commitment to uniform privacy standards. Like other multilayered governance frameworks (Privacy Shield is quite similar), participating businesses are publicly listed, independently reviewed, subject to consumer redress procedures, and subject to enforcement of their commitments by their home regulator. This system assists both consumers and other businesses in properly vetting an organization before doing business with it.

And rather than relying only on resource-limited regulators to review and approve privacy commitments (as seen in the multi-year backlog of binding corporate rules applications within some DPAs), the CBPR system provides a mechanism for regulators to empower independent “accountability agents,” but only after those agents have demonstrated their transparency, independence, and proactive procedures. This mechanism assists in making participation scalable and achievable, an important factor if we care about the success of small and medium-sized businesses in accessing cross-border markets while still embracing enforceable privacy standards.

The precise structure of a globalized CBPR system is not known, though it is likely to look very similar to the existing model. If so, countries that wish to join the system will submit an application to existing members. Accountability agents will apply to their local regulator and be reviewed and approved by the members. Local accountability agents will certify businesses. Certification will include recognition throughout the system, along with any localized compliance benefits.

Such a system not only will allow jurisdictions from Bermuda to Brazil and beyond to recognize CBPR as a robust framework for meeting local data transfer requirements, as the Office of the Privacy Commissioner for Bermuda did last year, but also will provide jurisdictions with a reciprocal and multilateral acknowledgment that their standards exceed a recognized uniform baseline.

The timeline for CBPR’s global expansion is by no means certain, though remarks on stage suggested we will see concrete progress in 2022. In the meantime, it is worth reflecting on the utility of this interoperable framework. A transparent and accountable system that encourages organizations to achieve global privacy best practices is a win-win for businesses and consumers alike.

Originally published in IAPP's The Privacy Advisor
