Two Peas in a Privacy Pod: Global CBPR and the EU-U.S. Data Privacy Framework

Dec 6, 2022 by Rebecca Knight, CIPP/E, CIPP/US, Counsel, Policy Privacy Initiatives, BBB National Programs

One of the unique benefits of the Global CBPR System is the substantial overlap with the EU-U.S. Data Privacy Framework (EU-U.S. DPF). The nearly 78% alignment in key requirement areas means that certifying through one system will help an organization comply with requirements of the other, saving time, money, and valuable resources while pursuing both certifications. 

To clarify, this evaluation is made under the presumption that the commercial requirements of the Global CBPR System will be substantially like the commercial requirements currently found in the APEC CBPR System, as confirmed by the Global Forum. Similarly, it is presumed the commercial requirements of the EU-U.S. DPF will be substantially like the commercial requirements of Privacy Shield, as confirmed by Alex Greenstein, Director of Privacy Shield at the Department of Commerce. The Schrems II decision, which invalidated Privacy Shield, focused on the issue of U.S. government surveillance and not the commercial principles.

However, to date, neither of the latest iterations of these frameworks has been released.

Interoperable Frameworks

In April 2021, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP (CIPL) published a report mapping the APEC Cross-Border Privacy Rules Requirements and EU-U.S. Privacy Shield Requirements to the provisions of the UK General Data Protection Regulation (UK GDPR). The EU GDPR no longer applies to the United Kingdom due to Brexit; however, the provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR.

Through that mapping project, CIPL identified an overlap of 61% in relevant requirements between GDPR and the APEC CBPR System (soon to be the Global CBPR System), and an overlap of 67% between GDPR and Privacy Shield (soon to be the EU-U.S. DPF) requirements. 

Notably, the U.S. was able to achieve adequacy under GDPR by meeting most of the requirements either directly or indirectly, which bodes well for how adequate the Global CBPR System could be considered in the EU as an interoperable framework. 

Using CIPL’s analysis, I was able to match the outlined requirements to determine the overlap between the frameworks themselves: nearly 78%. Of the 161 GDPR requirements outlined, Privacy Shield and the APEC CBPR System are aligned on 125 requirements. In this context, alignment means both frameworks have an equivalent, similar, implied, or no requirement related to a specific GDPR article.

Key Similarities 

The significant overlap between the frameworks is not surprising. Both the GDPR and the APEC Privacy Framework, which serve as the basis for Privacy Shield and the APEC CBPR System respectively, are the progeny of internationally accepted privacy principles established by the Organisation for Economic Co-operation and Development (OECD). Key areas of alignment include:

  • Processing of personal data (Article 5): Data processing must be conducted in a fair, lawful, and secure way. Additionally, the frameworks require accuracy of the data, purpose limitation, and data minimization. 
  • Lawfulness of processing (Article 6): Express consent is required to process data for a secondary use, processing out of contractual necessity and compliance with a legal obligation is permitted, and processing must be limited to the original purposes of collection.
  • Conditions applicable to children’s consent (Article 8): Neither framework includes requirements specific to children’s personal data.
  • Transparent information, communication, and modalities for exercising data subject rights (Article 12): Providing the data subject’s rights in a clear and accessible way is required. Additionally, the controller must have a mechanism in place that allows the data subject to access and correct their data.
  • Information to be provided when personal data is collected from the data subject (Article 13): The controller is required to provide statements about its collection practices and policies, including what is collected, how, and the way it will be used.
  • Right of access by the data subject (Article 15): Controllers are required to acknowledge whether they hold personal information and provide access.
  • Right to rectification (Article 16): Data subjects have a right to request corrections or amendments to their personal information.
  • Right to erasure (Article 17): Data subjects have a right to challenge the accuracy of their personal information and to request deletion.
  • Right to data portability (Article 20): Neither framework includes a right to data portability.
  • Controller responsibilities (Article 24): Controllers must be able to demonstrate compliance with the frameworks (i.e., accountability).
  • Processors (Article 28): The APEC CBPR System does not apply to processors. Instead, the APEC Privacy Recognition for Processors Certification (PRP) System does. However, both frameworks have requirements related to processors. Specifically, controllers must use trustworthy processors who will follow the controller’s instructions and handle personal data in a secure manner. Additionally, the necessary agreements between the controller and processor must be in place.

Key Differences 

Though both Privacy Shield and the APEC CBPR System have roots in the OECD privacy principles, the APEC CBPR System has remained true to its free-trade and economic growth roots, while Privacy Shield is on its third evolution and primarily focused on the preservation of fundamental rights afforded to EU citizens. 

This evolution highlights three key differences. 

  1. Privacy Shield and the pending EU-U.S. DPF are limited transfer mechanisms based on geography and an EU adequacy decision. The transfer mechanism only applies to transfers of EU personal information, and adequacy can be invalidated, which it has been twice before. Additionally, the framework only operates unilaterally between the EU and U.S. The APEC CBPR System, as it develops into the Global CBPR System, is not dependent on geography. Instead, it is a multilateral approach that extends to any geographical region in the world that has decided to participate. Further, none of the participants would have the right to invalidate the Global CBPR System, offering greater stability to the framework.
  2. Privacy Shield is underpinned by a legally binding regulatory framework with extraterritorial reach. The APEC CBPR System is not. The GDPR is an EU law with a comprehensive set of data protection regulations that apply globally, of which Privacy Shield is a component. By contrast, the APEC CBPR System is based on data protection principles and does not have one central legal foundation or reach outside of the region. Instead, the participating countries must demonstrate they can legally enforce the requirements against certified companies in their respective jurisdictions.
  3. Privacy Shield provides greater protection of sensitive data. Under the GDPR, the processing of sensitive data (i.e., race, religious belief, sexual orientation, etc.) is generally prohibited unless an exception exists. As such, Privacy Shield requires affirmative express consent before processing sensitive data. The APEC CBPR System takes a less strict approach. Instead of affirmative express consent, the APEC CBPR System allows the data controller to exercise due diligence and take reasonable steps as an alternative.

Get Caught Up!

This article, evaluating how the Global CBPR System and the EU-U.S. DPF will complement and differ from each other, is the third in a series helping to bring to light the big changes taking place this year in cross-border data transfers. In our last post, we covered the globalization of the APEC CBPR System, the unique benefits of the Global CBPR System, and industry support. You may also find our profile of the expansion of CBPR helpful.
