Two Peas in a Privacy Pod: Global CBPR and the EU-U.S. Data Privacy Framework

Dec 6, 2022 by Rebecca Knight, CIPP/E, CIPP/US, Counsel, Policy Privacy Initiatives, BBB National Programs

One of the unique benefits of the Global CBPR System is the substantial overlap with the EU-U.S. Data Privacy Framework (EU-U.S. DPF). The nearly 78% alignment in key requirement areas means that certifying through one system will help an organization comply with requirements of the other, saving time, money, and valuable resources while pursuing both certifications. 

To clarify, this evaluation is made under the presumption that the commercial requirements of the Global CBPR System will be substantially like the commercial requirements currently found in the APEC CBPR System, as confirmed by the Global Forum. Similarly, it is presumed the commercial requirements of the EU-U.S. DPF will be substantially like the commercial requirements of Privacy Shield, as confirmed by Alex Greenstein, Director of Privacy Shield at the Department of Commerce. The Schrems II decision, which invalidated Privacy Shield, focused on the issue of U.S. government surveillance and not the commercial principles.

However, to date, neither of the latest iterations of these frameworks have been released. 

 

Interoperable Frameworks

In April 2021, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP (CIPL) published a report mapping the APEC Cross-Border Privacy Rules Requirements and EU-U.S. Privacy Shield Requirements to the provisions of the UK General Data Protection Regulation (UK GDPR). The EU GDPR no longer applies to the United Kingdom due to Brexit. However, the provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR

Through that mapping project, CIPL identified an overlap of 61% in relevant requirements between GDPR and the APEC CBPR System (soon to be the Global CBPR System), and an overlap of 67% between GDPR and Privacy Shield (soon to be the EU-U.S. DPF) requirements. 

Notably, the U.S. was able to achieve adequacy under GDPR by meeting most of the requirements either directly or indirectly, which bodes well for how adequate the Global CBPR System could be considered in the EU as an interoperable framework. 

Using CIPL’s analysis, I was able to match the outlined requirements to determine the overlap between the frameworks themselves: nearly 78%. Of the 161 GDPR requirements outlined, Privacy Shield and the APEC CBPR System are aligned on 125 requirements. In this context, alignment means both frameworks have an equivalent, similar, implied, or no requirement related to a specific GDPR article. 

 

Key Similarities 

The significant overlap between the frameworks is not surprising. Both the GDPR and APEC Privacy Framework, which serve as the basis for Privacy Shield and the APEC CBPR System respectively, are the progeny of internationally accepted privacy principles established by the Organisation for Economic Co-Operation and Development (OECD).  Key areas of alignment include:

  • Processing of personal data (Article 5): Data processing must be conducted in a fair, lawful, and secure way. Additionally, the frameworks require accuracy of the data, purpose limitation, and data minimization. 
  • Lawfulness of processing (Article 6): Express consent is required to process data for a secondary use, processing out of contractual necessity and compliance with a legal obligation is permitted, and processing must be limited to the original purposes of collection.
  • Conditions applicable to children’s consent (Article 8): Neither framework includes requirements specific to children’s personal data.
  • Transparent information, communication, and modalities for exercising data subject rights (Article 12): Providing the data subject’s rights in a clear and accessible way is required. Additionally, the controller must have a mechanism in place that allows the data subject to access and correct their data.
  • Information to be provided when personal data is collected from the data subject (Article 13): The controller is required to provide statements about its collection practices and policies, including what is collected, how, and the way it will be used.
  • Right of access by the data subject (Article 15): Controllers are required to acknowledge whether they hold personal information and provide access.
  • Right to rectification (Article 16): Data subjects have a right to request corrections or amendments to their personal information.
  • Right to erasure (Article 17): Data subjects have a right to challenge the accuracy of their personal information and to request deletion.
  • Right to data portability (Article 20): Neither framework includes a right to data portability.
  • Controller responsibilities (Article 24):  Controllers must be able to demonstrate compliance with the frameworks (i.e., accountability).
  • Processors (Article 28): The APEC CBPR System does not apply to processors. Instead, the APEC Privacy Recognition for Processors Certification (PRP) System does. However, both frameworks have requirements related to processors. Specifically, controllers must use trustworthy processors who will follow the controller’s instructions and handle personal data in a secure manner. Additionally, the necessary agreements between the controller and processor must be in place. 

 

Key Differences 

Though both Privacy Shield and the APEC CBPR System have roots in the OECD privacy principles, the APEC CBPR System has remained true to its free-trade and economic growth roots, while Privacy Shield is on its third evolution and primarily focused on the preservation of fundamental rights afforded to EU citizens. 

This evolution highlights three key differences. 

  1. Privacy Shield and the pending EU-U.S. DPF is a limited transfer mechanism based on geography and an EU adequacy decision. The transfer mechanism only applies to transfers of EU personal information and adequacy can be invalidated, which it has been twice before. Additionally, the framework only operates unilaterally between the EU and U.S. The APEC CBPR System, as it develops into the Global CBPR System, is not dependent on geography. Instead, it is a multilateral approach that extends to any geographical region in the world that has decided to participate. Further, none of the participants would have the right to invalidate the Global CBPR System, offering greater stability to the framework. 
  2. Privacy Shield is underpinned by a legally binding regulatory framework with extraterritorial reach. The APEC CBPR System is not. The GDPR is an EU law with a comprehensive set of data protection regulations that apply globally, of which Privacy Shield is a component. Contrarily, the APEC CBPR System is based on data protection principles and does not have one central legal foundation or reach outside of the region. Instead, the participating countries must demonstrate they can legally enforce the requirements against certified companies in their respective jurisdictions.
  3. Privacy Shield provides greater protection of sensitive data. Under the GDPR, the processing of sensitive data (i.e., race, religious belief, sexual orientation, etc.) is generally prohibited unless an exception exists. As such, Privacy Shield requires affirmative express consent before processing sensitive data. The APEC CBPR System takes a less strict approach. Instead of affirmative express consent, the APEC CBPR System allows the data controller to exercise due diligence and take reasonable steps as an alternative. 

 

Get Caught Up!

This article, evaluating how the Global CBPR System and the EU-U.S. DPF will complement and differ from each other, is the third in a series helping to bring to light the big changes taking place this year in cross-border data transfers. In our last post, we covered the globalization of the APEC CBPR System, the unique benefits of the Global CBPR System, and industry support. You may also find our profiling of the expansion of CBPR helpful as well. 

Suggested Articles

Blog

Old MacDonald Had an Engagement Farm: Lessons Learned from FTC v. NGL

Capturing user engagement is the foundation of internet commerce. And while the incentives to prompt greater engagement are certainly understandable, the recent NGL Labs case from the FTC raises important questions about the ethical and legal ramifications when companies try to artificially generate engagement among their userbase.
Read more
Blog

Independence Day Edition: CBPR Framework Offers “Checks & Balances”

Going, Going, Gone Global, a webinar on the CBPR Global Forum, delved into how privacy impacts businesses’ brand reputation and builds trust with key stakeholders, discussed the purpose of the Global CBPR, and its value to Global Forum members.
Read more
Blog

Industry Self-Regulation: Part of the Solution for Governing Generative AI

The spotlight on generative AI remains bright. The benefits and risks continue to be ever-present in the minds of business and political leaders. No matter the timing or the setting, the creation of transparency, accountability, and collaboration among stakeholders is key to successful industry self-regulation as is the importance of setting standards and best practices.
Read more
Blog

The Demise of “Chevron Deference”: Who Will Fill the Regulatory Gaps?

The Supreme Court's 1984 ruling in Chevron v. NRDC held that courts should defer to federal agencies’ interpretations of ambiguous federal laws so long as those interpretations are reasonable. So given the court’s decision to overturn it, where does that leave companies that want a level playing field and perhaps even to raise the bar, instead of racing to the bottom?
Read more