The FTC Joins the Global CBPR Party

Jan 29, 2024 by BBB National Programs' Global Privacy Division

This month, the Federal Trade Commission (FTC) announced participation in the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE), which supplements the global Cross Border Privacy Rules (CBPR) program, which itself will be expanding globally to become the CBPR Global Forum

In the statement the FTC clarified that their position is nonbinding and supports the necessary alignment between the agency and the work being completed on aligning privacy and data security issues focused on law enforcement, “without having to negotiate a separate memorandum of understanding with each participant.”

The FTC’s announcement signals the agency’s interest in keeping pace with the increasingly global nature of commerce and marks an important step forward for the global expansion of CBPRs. 

During workshops on the evolving CBPR system that took place last fall, it was clear that the CBPR system, which was once focused on only the Asian Pacific and Eastern economies, is indeed moving to a more global posture, adding countries with shared privacy values and regulatory frameworks from beyond the Eastern hemisphere. 

This movement reflects the need for more uniform global cooperation, sustainability, longevity, and interoperability in global data privacy. 

As it stands currently, more than 125 countries have their own unique data privacy laws, creating a fragmented ecosystem of data privacy laws and regulations worldwide. The CBPR framework offers a uniform solution to the existing patchwork, by bringing together the common requirements that are also most vital to safe and secure data processing and sharing across economies.

 

What do companies need to know? 

Companies proactively demonstrating compliance to the current CBPR framework will be seamlessly grandfathered in to the Global CBPR framework. 

Of note, the CBPR framework is very closely aligned (78%, to be exact) to other interoperable privacy programs like the EU-U.S. Data Privacy Framework (formerly Privacy Shield), which means that companies can feel a renewed confidence that they are not duplicating the work, but instead able to work toward uniform compliance across a series of data privacy regimes in the East and West. 

 

Which economies will participate? 

At this point it is not clear which countries will be added to the list of nine existing economies (United States, Mexico, Japan, Canada, Korea, Singapore, Australia, Philippines, and Chinese Taipei, with the UK as an associate).

However, we do know that some of the most interested countries may include: Sri Lanka, Nepal, Maldives, Peru, Colombia, Brazil, South Africa, Qatar, Ghana, and Saudi Arabia.

 

What new requirements could be added when CBPR goes global? 

It is yet to be determined whether new requirements will be added that go beyond the current CBPR framework. Topics such as risk assessments to appropriately assess harm, data breach requirements to signal robust data security safeguards, and data mapping and governance will remain as important additional, business compliance considerations when leveraging the CBPR framework. 

Learn more about BBB National Programs’ CBPR Program and Data Privacy Framework Services.

Suggested Articles

Blog

Old MacDonald Had an Engagement Farm: Lessons Learned from FTC v. NGL

Capturing user engagement is the foundation of internet commerce. And while the incentives to prompt greater engagement are certainly understandable, the recent NGL Labs case from the FTC raises important questions about the ethical and legal ramifications when companies try to artificially generate engagement among their userbase.
Read more
Blog

Independence Day Edition: CBPR Framework Offers “Checks & Balances”

Going, Going, Gone Global, a webinar on the CBPR Global Forum, delved into how privacy impacts businesses’ brand reputation and builds trust with key stakeholders, discussed the purpose of the Global CBPR, and its value to Global Forum members.
Read more
Blog

Industry Self-Regulation: Part of the Solution for Governing Generative AI

The spotlight on generative AI remains bright. The benefits and risks continue to be ever-present in the minds of business and political leaders. No matter the timing or the setting, the creation of transparency, accountability, and collaboration among stakeholders is key to successful industry self-regulation as is the importance of setting standards and best practices.
Read more
Blog

The Demise of “Chevron Deference”: Who Will Fill the Regulatory Gaps?

The Supreme Court's 1984 ruling in Chevron v. NRDC held that courts should defer to federal agencies’ interpretations of ambiguous federal laws so long as those interpretations are reasonable. So given the court’s decision to overturn it, where does that leave companies that want a level playing field and perhaps even to raise the bar, instead of racing to the bottom?
Read more