The FTC Joins the Global CBPR Party

Jan 29, 2024 by BBB National Programs' Global Privacy Division

This month, the Federal Trade Commission (FTC) announced participation in the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE), which supplements the global Cross Border Privacy Rules (CBPR) program, which itself will be expanding globally to become the CBPR Global Forum

In the statement the FTC clarified that their position is nonbinding and supports the necessary alignment between the agency and the work being completed on aligning privacy and data security issues focused on law enforcement, “without having to negotiate a separate memorandum of understanding with each participant.”

The FTC’s announcement signals the agency’s interest in keeping pace with the increasingly global nature of commerce and marks an important step forward for the global expansion of CBPRs. 

During workshops on the evolving CBPR system that took place last fall, it was clear that the CBPR system, which was once focused on only the Asian Pacific and Eastern economies, is indeed moving to a more global posture, adding countries with shared privacy values and regulatory frameworks from beyond the Eastern hemisphere. 

This movement reflects the need for more uniform global cooperation, sustainability, longevity, and interoperability in global data privacy. 

As it stands currently, more than 125 countries have their own unique data privacy laws, creating a fragmented ecosystem of data privacy laws and regulations worldwide. The CBPR framework offers a uniform solution to the existing patchwork, by bringing together the common requirements that are also most vital to safe and secure data processing and sharing across economies.

 

What do companies need to know? 

Companies proactively demonstrating compliance to the current CBPR framework will be seamlessly grandfathered in to the Global CBPR framework. 

Of note, the CBPR framework is very closely aligned (78%, to be exact) to other interoperable privacy programs like the EU-U.S. Data Privacy Framework (formerly Privacy Shield), which means that companies can feel a renewed confidence that they are not duplicating the work, but instead able to work toward uniform compliance across a series of data privacy regimes in the East and West. 

 

Which economies will participate? 

At this point it is not clear which countries will be added to the list of nine existing economies (United States, Mexico, Japan, Canada, Korea, Singapore, Australia, Philippines, and Chinese Taipei, with the UK as an associate).

However, we do know that some of the most interested countries may include: Sri Lanka, Nepal, Maldives, Peru, Colombia, Brazil, South Africa, Qatar, Ghana, and Saudi Arabia.

 

What new requirements could be added when CBPR goes global? 

It is yet to be determined whether new requirements will be added that go beyond the current CBPR framework. Topics such as risk assessments to appropriately assess harm, data breach requirements to signal robust data security safeguards, and data mapping and governance will remain as important additional, business compliance considerations when leveraging the CBPR framework. 

Learn more about BBB National Programs’ CBPR Program and Data Privacy Framework Services.

Suggested Articles

Blog

KOSA (and Children’s Privacy) on the Move

The Kids Online Safety Act (KOSA) is gaining traction in the U.S. Senate after the most recent round of revisions released this month by Senators Richard Blumenthal and Marsha Blackburn, following on the heels of proposed changes to the COPPA Rule. Here are CARU's high-level takeaways from the KOSA revisions with some insight into each revision.
Read more
Blog

Location Not Found: Mitigating Precise Geolocation Consent Flow Risk

Privacy-minded Federal Trade Commission (FTC) watchers have seen two bombshell enforcement actions related to alleged mishandling of consumer geolocation data. The Privacy Initiative team delves into those cases, the breadth of the penalties the FTC has included in the proposed orders, and best practices to avoid the crosshairs.
Read more
Blog

The ABCs of DPF and GDPR

Easing data flows across the Atlantic, the EU-U.S. DPF satisfies requirements outlined under the General Data Protection Regulation (GDPR), helping companies avoid steep fines.
Read more
Blog

The FTC Joins the Global CBPR Party

This month the Federal Trade Commission (FTC) announced participation in the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE), signaling the agency’s interest in keeping pace with the increasingly global nature of commerce and marks an important step forward for the global expansion of CBPRs.
Read more