From Regional to Global: The CBPR System Goes Global

Oct 25, 2022 by Rebecca Knight, CIPP/E, CIPP/US, Counsel, Policy Privacy Initiatives, BBB National Programs

Last month, we covered the objectives of the Global Forum, APEC, the APEC Framework, and the APEC CBPR System. This month, we will discuss the transition from the APEC CBPR System to the Global CBPR System under the Global Forum. 

At IAPP’s Privacy. Security. Risk. 2021 conference, Christopher Hoff, then Deputy Assistant Secretary for Services at the U.S. Department of Commerce, listed three privacy policy priorities: (1) combating data localization (paywall), (2) prioritizing bilateral negotiations with jurisdictions globally, and (3) supporting the globalization and expansion of the APEC CBPR System. Emphasizing the third priority, Hoff declared in a rather pithy statement that “CBPR is going global.” Six months later, the Global Forum was announced, paving the way for a “first-of-[its]-kind data privacy certification” that permits cross-border data transfers regardless of geographic borders under the Global CBPR System.  

 

The Global CBPR System  

The Global Forum was founded to “promote interoperability and help bridge different regulatory approaches to data protection and privacy.” As an international cooperative, the Global Forum’s primary objective is the global expansion of the CBPR system to promote the free flow of data while maintaining robust data protections for consumers regardless of jurisdiction. Through this globalized system, the Global Forum will be able to promote consumer trust in the digital economy, drive economic growth, and increase competitiveness for participating businesses and countries.  

The Global CBPR System will be based on the APEC CBPR System. However, the Global CBPR System will be independently administered and separate from the APEC CBPR System. The founders of the Global Forum will work with Accountability Agents and certified businesses in the APEC System to seamlessly transition operations from APEC to the Global Forum with at least 30 days’ notice. At this time, the date of transition has not been established, but significant forward movement is expected soon. Government officials, regulators, and other privacy experts will be meeting in South Korea at the start of November to discuss their shared vision for the Global Forum.  

 

Unique Benefits 

Participation in the Global CBPR System presents unique benefits to participants that include:  

  1. Consumer Trust: In a recent study, Cisco found that 90% of respondents in its global survey would not purchase from an organization that doesn’t properly protect its data. Additionally, 91% of respondents indicated that external privacy certifications are important when considering which organizations to purchase from. As such, demonstrating compliance with internationally recognized privacy standards through an independent certification system is key to fostering consumer trust. 
  2. Multilateral Approach: Like the invalidated Privacy Shield Framework (unilateral approach), the Global CBPR System will create a legal basis for cross-border data transfers. However, unlike the Privacy Shield Framework (soon to be the EU-U.S. Data Privacy Framework), the Global CBPR System is multilateral. This means certified businesses will be able to transfer data from Point A to Point B, then continue transferring the data to Points C, D, and E, if necessary, while still maintaining robust data privacy standards and protections. As such, participants in the Global CBPR System will benefit from cross-border transfers to countries such as Australia, Brunei Darussalam, Canada, Indonesia, Japan, Korea, Malaysia, New Zealand, the Philippines, Singapore, Thailand, and the United States. And more jurisdictions, such as the United Kingdom, have expressed interest in joining the Global Forum. As membership expands, so will the data transfer capabilities. Additionally, this multilateral approach ensures that the Global CBPR System cannot be invalidated by one jurisdiction’s government because it’s an international cooperative that is accountability-based and voluntary by design. As such, no one jurisdiction can invalidate the system.
  3. Cost Effectiveness: The privacy regulatory landscape is becoming increasingly fragmented with many jurisdictions adopting their own nuanced privacy laws. This fractured environment is costly for businesses as they try to navigate these systems, which both overlap and conflict. Through the Global CBPR System, businesses will be able to certify to one common set of privacy standards that permit cross-border transfers around the globe. This will be a cost-effective mechanism that will lead to greater accessibility and participation by businesses of all sizes. 
  4. Complementary to GDPR: As stated by Shannon Coe, Global Data Policy Director for the U.S. International Trade Administration at the Department of Commerce, “Companies that took part in the now-defunct EU-US Privacy Shield data-transfer mechanism already meet most requirements of a soon-to-be-expanded multilateral pact originating in the Asia-Pacific region…There is substantial overlap with APEC's Cross-Border Privacy Rules, or CBPR.” This substantial overlap will be discussed, in depth, in the next installment of this series.  

 

Industry Support for the Global Forum  

On July 18, 2022, Keith Enright, Chief Privacy Officer for Google, announced in a public policy blog that Google is “commit[ed] to certifying under the future Global Forum system.” Consistent with the Global Forum, Google believes the Global CBPR System is a viable solution to the increasingly fragmented privacy regulatory landscape. As such, Google, along with its partners and fellow industry leaders, will be providing input on the practical realities faced by companies of all sizes in the hopes of building a system that is scalable and accessible around the world. 

UP NEXT . . . we’ll be detailing how the Global CBPR System will complement the EU – U.S. Data Privacy Framework (Privacy Shield 2.0). Stay tuned.  

Suggested Articles

Blog

Old MacDonald Had an Engagement Farm: Lessons Learned from FTC v. NGL

Capturing user engagement is the foundation of internet commerce. And while the incentives to prompt greater engagement are certainly understandable, the recent NGL Labs case from the FTC raises important questions about the ethical and legal ramifications when companies try to artificially generate engagement among their userbase.
Read more
Blog

Independence Day Edition: CBPR Framework Offers “Checks & Balances”

Going, Going, Gone Global, a webinar on the CBPR Global Forum, delved into how privacy impacts businesses’ brand reputation and builds trust with key stakeholders, discussed the purpose of the Global CBPR, and its value to Global Forum members.
Read more
Blog

Industry Self-Regulation: Part of the Solution for Governing Generative AI

The spotlight on generative AI remains bright. The benefits and risks continue to be ever-present in the minds of business and political leaders. No matter the timing or the setting, the creation of transparency, accountability, and collaboration among stakeholders is key to successful industry self-regulation as is the importance of setting standards and best practices.
Read more
Blog

The Demise of “Chevron Deference”: Who Will Fill the Regulatory Gaps?

The Supreme Court's 1984 ruling in Chevron v. NRDC held that courts should defer to federal agencies’ interpretations of ambiguous federal laws so long as those interpretations are reasonable. So given the court’s decision to overturn it, where does that leave companies that want a level playing field and perhaps even to raise the bar, instead of racing to the bottom?
Read more