Two Peas in a Privacy Pod: Global CBPR and the EU-U.S. Data Privacy Framework
Dec 6, 2022 by Rebecca Knight, CIPP/E, CIPP/US, Counsel, Policy Privacy Initiatives, BBB National Programs
One of the unique benefits of the Global CBPR System is the substantial overlap with the EU-U.S. Data Privacy Framework (EU-U.S. DPF). The nearly 78% alignment in key requirement areas means that certifying through one system will help an organization comply with requirements of the other, saving time, money, and valuable resources while pursuing both certifications.
To clarify, this evaluation is made under the presumption that the commercial requirements of the Global CBPR System will be substantially like the commercial requirements currently found in the APEC CBPR System, as confirmed by the Global Forum. Similarly, it is presumed the commercial requirements of the EU-U.S. DPF will be substantially like the commercial requirements of Privacy Shield, as confirmed by Alex Greenstein, Director of Privacy Shield at the Department of Commerce. The Schrems II decision, which invalidated Privacy Shield, focused on the issue of U.S. government surveillance and not the commercial principles.
However, to date, the latest iteration of neither framework has been released.
In April 2021, the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP (CIPL) published a report mapping the APEC Cross-Border Privacy Rules Requirements and EU-U.S. Privacy Shield Requirements to the provisions of the UK General Data Protection Regulation (UK GDPR). The EU GDPR no longer applies to the United Kingdom due to Brexit. However, the provisions of the EU GDPR have been incorporated directly into UK law as the UK GDPR.
Through that mapping project, CIPL identified an overlap of 61% in relevant requirements between GDPR and the APEC CBPR System (soon to be the Global CBPR System), and an overlap of 67% between GDPR and Privacy Shield (soon to be the EU-U.S. DPF) requirements.
Notably, the U.S. was able to achieve adequacy under GDPR by meeting most of the requirements either directly or indirectly, which bodes well for the Global CBPR System being considered adequate in the EU as an interoperable framework.
Using CIPL’s analysis, I was able to match the outlined requirements to determine the overlap between the frameworks themselves: nearly 78%. Of the 161 GDPR requirements outlined, Privacy Shield and the APEC CBPR System are aligned on 125 requirements. In this context, alignment means both frameworks have an equivalent, similar, implied, or no requirement related to a specific GDPR article.
The significant overlap between the frameworks is not surprising. Both the GDPR and APEC Privacy Framework, which serve as the basis for Privacy Shield and the APEC CBPR System respectively, are the progeny of internationally accepted privacy principles established by the Organisation for Economic Co-Operation and Development (OECD). Key areas of alignment include:
- Processing of personal data (Article 5): Data processing must be conducted in a fair, lawful, and secure way. Additionally, the frameworks require accuracy of the data, purpose limitation, and data minimization.
- Lawfulness of processing (Article 6): Express consent is required to process data for a secondary use; processing out of contractual necessity and processing to comply with a legal obligation are permitted; and processing must be limited to the original purposes of collection.
- Conditions applicable to children’s consent (Article 8): Neither framework includes requirements specific to children’s personal data.
- Transparent information, communication, and modalities for exercising data subject rights (Article 12): Data subjects must be informed of their rights in a clear and accessible way. Additionally, the controller must have a mechanism in place that allows the data subject to access and correct their data.
- Information to be provided when personal data is collected from the data subject (Article 13): The controller is required to provide statements about its collection practices and policies, including what is collected, how, and the way it will be used.
- Right of access by the data subject (Article 15): Controllers are required to acknowledge whether they hold personal information and provide access.
- Right to rectification (Article 16): Data subjects have a right to request corrections or amendments to their personal information.
- Right to erasure (Article 17): Data subjects have a right to challenge the accuracy of their personal information and to request deletion.
- Right to data portability (Article 20): Neither framework includes a right to data portability.
- Controller responsibilities (Article 24): Controllers must be able to demonstrate compliance with the frameworks (i.e., accountability).
- Processors (Article 28): The APEC CBPR System does not apply to processors. Instead, the APEC Privacy Recognition for Processors Certification (PRP) System does. However, both frameworks have requirements related to processors. Specifically, controllers must use trustworthy processors who will follow the controller’s instructions and handle personal data in a secure manner. Additionally, the necessary agreements between the controller and processor must be in place.
Though both Privacy Shield and the APEC CBPR System have roots in the OECD privacy principles, the APEC CBPR System has remained true to its free-trade and economic growth roots, while Privacy Shield is on its third evolution and primarily focused on the preservation of fundamental rights afforded to EU citizens.
This evolution highlights three key differences.
- Privacy Shield, like the pending EU-U.S. DPF, is a limited transfer mechanism based on geography and an EU adequacy decision. The transfer mechanism only applies to transfers of EU personal information, and adequacy can be invalidated, which it has been twice before. Additionally, the framework only operates unilaterally between the EU and U.S. The APEC CBPR System, as it develops into the Global CBPR System, is not dependent on geography. Instead, it is a multilateral approach that extends to any geographical region in the world that has decided to participate. Further, none of the participants would have the right to invalidate the Global CBPR System, offering greater stability to the framework.
- Privacy Shield is underpinned by a legally binding regulatory framework with extraterritorial reach. The APEC CBPR System is not. The GDPR is an EU law with a comprehensive set of data protection regulations that apply globally, of which Privacy Shield is a component. By contrast, the APEC CBPR System is based on data protection principles and does not have one central legal foundation or reach outside of the region. Instead, the participating countries must demonstrate they can legally enforce the requirements against certified companies in their respective jurisdictions.
- Privacy Shield provides greater protection of sensitive data. Under the GDPR, the processing of sensitive data (i.e., race, religious belief, sexual orientation, etc.) is generally prohibited unless an exception exists. As such, Privacy Shield requires affirmative express consent before processing sensitive data. The APEC CBPR System takes a less strict approach. Instead of affirmative express consent, the APEC CBPR System allows the data controller to exercise due diligence and take reasonable steps as an alternative.
Get Caught Up!
This article, evaluating how the Global CBPR System and the EU-U.S. DPF will complement and differ from each other, is the third in a series helping to bring to light the big changes taking place this year in cross-border data transfers. In our last post, we covered the globalization of the APEC CBPR System, the unique benefits of the Global CBPR System, and industry support. You may also find our profile of the expansion of CBPR helpful.