The FTC Joins the Global CBPR Party

Jan 29, 2024 by BBB National Programs' Global Privacy Division

This month, the Federal Trade Commission (FTC) announced participation in the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE), which supplements the global Cross Border Privacy Rules (CBPR) program, which itself will be expanding globally to become the CBPR Global Forum

In the statement the FTC clarified that their position is nonbinding and supports the necessary alignment between the agency and the work being completed on aligning privacy and data security issues focused on law enforcement, “without having to negotiate a separate memorandum of understanding with each participant.”

The FTC’s announcement signals the agency’s interest in keeping pace with the increasingly global nature of commerce and marks an important step forward for the global expansion of CBPRs. 

During workshops on the evolving CBPR system that took place last fall, it was clear that the CBPR system, which was once focused on only the Asian Pacific and Eastern economies, is indeed moving to a more global posture, adding countries with shared privacy values and regulatory frameworks from beyond the Eastern hemisphere. 

This movement reflects the need for more uniform global cooperation, sustainability, longevity, and interoperability in global data privacy. 

As it stands currently, more than 125 countries have their own unique data privacy laws, creating a fragmented ecosystem of data privacy laws and regulations worldwide. The CBPR framework offers a uniform solution to the existing patchwork, by bringing together the common requirements that are also most vital to safe and secure data processing and sharing across economies.

 

What do companies need to know? 

Companies proactively demonstrating compliance to the current CBPR framework will be seamlessly grandfathered in to the Global CBPR framework. 

Of note, the CBPR framework is very closely aligned (78%, to be exact) to other interoperable privacy programs like the EU-U.S. Data Privacy Framework (formerly Privacy Shield), which means that companies can feel a renewed confidence that they are not duplicating the work, but instead able to work toward uniform compliance across a series of data privacy regimes in the East and West. 

 

Which economies will participate? 

At this point it is not clear which countries will be added to the list of nine existing economies (United States, Mexico, Japan, Canada, Korea, Singapore, Australia, Philippines, and Chinese Taipei, with the UK as an associate).

However, we do know that some of the most interested countries may include: Sri Lanka, Nepal, Maldives, Peru, Colombia, Brazil, South Africa, Qatar, Ghana, and Saudi Arabia.

 

What new requirements could be added when CBPR goes global? 

It is yet to be determined whether new requirements will be added that go beyond the current CBPR framework. Topics such as risk assessments to appropriately assess harm, data breach requirements to signal robust data security safeguards, and data mapping and governance will remain as important additional, business compliance considerations when leveraging the CBPR framework. 

Learn more about BBB National Programs’ CBPR Program and Data Privacy Framework Services.

Suggested Articles

Blog

CFBAI and CCAI Publish the 2023 Annual Report on Participant Compliance and Program Progress

BBB National Programs has released the Children’s Food and Beverage Advertising Initiative (CFBAI) and Children’s Confection Advertising Initiative (CCAI) 2023 Annual Report. The report notes excellent compliance by the 22 CFBAI participants and the six CCAI participants in 2023.
Read more
Blog

The Case for Teaching Industry Self-Regulation in Law, Business, and Public Policy Schools

Law schools, business schools, and public policy programs have a unique opportunity to shape the future of corporate behavior by teaching students the importance of soft law and independent industry self-regulation.
Read more
Blog

5 Missteps to Avoid When Applying or Recertifying to the DPF Program

Each year, participants in the DPF Program need to recertify with the Department of Commerce. To help companies navigate it, our Global Privacy Division has outlined five key recommendations to keep in mind to avoid common missteps with the process.
Read more
Blog

Sharing Holiday Cheer (but Not a Child’s Personal Information)

Not surprisingly, cell phones, connected toys, and toys advertised on social media top wish lists of kids everywhere. To help ensure your holiday shopping experiences are as safe as possible, the team at CARU put together some holiday tips.
Read more