Unlocking Global Data Privacy Interoperability with CBPRs

May 2, 2024 by Divya Sridhar, Vice President, Global Privacy Division and Privacy Initiatives Operations, BBB National Programs.

In our digitally connected world, we can agree that safeguarding personal data is essential. The question is, how can government and business collaborate to achieve this critical goal?

At present, 137 countries have privacy laws or regulations in place, covering more than three-quarters of the world's population, and each law carries its own expectations about how consumer data should be handled. Furthermore, at least 85 jurisdictions worldwide have a regulator or government authority that sets a data adequacy standard that must be met before data can be transferred. These data protection laws and standards, both within the U.S. and across borders, underscore the need for a uniform baseline of privacy requirements so that data transfers can be streamlined and privacy compliance is achievable.

Given this diversity of approaches to data privacy, the new Global Cross Border Privacy Rules (CBPRs) and Privacy Recognition for Processors (PRP) System, launched this week by the Global CBPR Forum, offers a much-needed framework for a new era of international data protection: one that promotes trust and accountability while moving toward a future in which consumer privacy is honored and data can be transferred responsibly across borders by both data controllers and data processors.


What Are Global CBPRs? 

The Global CBPR Forum economies support the free flow of data and are working to bridge differing regulatory approaches by establishing an interoperable global standard for cross-border data protection: the Global CBPR and PRP framework. The new framework is an expansion of the existing APEC CBPR System and will allow more economies from around the world to participate.

In its release, the U.S. Department of Commerce, together with the other members of the Global Forum, noted that, in addition to the original nine member economies (Australia, Canada, Japan, Mexico, the Republic of Korea, the Philippines, Singapore, Chinese Taipei, and the U.S.), three new participants have joined the Global Cooperation Arrangement for Privacy Enforcement (CAPE).

The Global CAPE is a complementary framework on cross-border data flows: a multilateral arrangement among privacy enforcement authorities to facilitate cross-border data flows. The three new participants in the Global CAPE are the U.K., the territory of Bermuda, and the privacy regulator of the Dubai International Finance Centre. Their participation appears aimed at securing more widespread application of the CBPR and PRP system across these regions.


Certification to the CBPR or PRP System

Two certifications are available: 

  • CBPR, focused on certifying data controllers 
  • PRP, designed for data processors and vendors


As businesses compare CBPRs to similar transatlantic and cross-jurisdiction data privacy frameworks, they will find significant overlap.

  • A 2021 report by the Centre for Information Policy Leadership (CIPL) mapped CBPR system requirements to the General Data Protection Regulation (GDPR) and found that more than half (61%) of the relevant requirements are shared between the two frameworks.
  • BBB National Programs' own analysis comparing the CBPR system to the EU-US Data Privacy Framework (DPF) (formerly Privacy Shield) indicates that the DPF and CBPR share 125 interoperable requirements, or nearly 80% overlap.


Notable areas of overlap include controller-processor due diligence, data subject access and control rights, transparent privacy disclosures, and security safeguards. This overlap has practical value: CBPR- and PRP-certified participants have reported that their CBPR certification helped them in the approval process for their Binding Corporate Rules (BCRs) by European institutions.

The Global Forum relies on Accountability Agents, key partners that assess and certify the data protection and privacy practices of businesses. CBPR and PRP certifications are issued only by Accountability Agents registered with the participating privacy enforcement authority of the issuing member economy. For example, BBB National Programs is the only nonprofit Accountability Agent recognized by the U.S. Department of Commerce to provide CBPR and PRP certifications.

New participants will be able to obtain certification starting in the summer of 2024. Participants previously certified under the APEC system will be grandfathered into the new system through the end of their current APEC certification term, because the overall requirements have not changed with the expansion to the Global framework.


Uniform Requirements

The new Global CBPR system assesses the governance of personal data by requiring:  

  • Enforceable standards: Participating economies must demonstrate that CBPR program requirements will be legally enforceable against certified companies.  
  • Accountability: A company must demonstrate to an Accountability Agent that they meet the CBPR requirements and are subject to ongoing monitoring and enforcement. 
  • Risk-based protections: Companies must implement security safeguards for personal data that are proportional to the probability and severity of harm, the confidential nature of the information, and the context in which it is held. 
  • Complaint handling and dispute resolution: Accountability Agents investigate complaints and resolve disputes between consumers and certified companies concerning non-compliance.
  • Consumer empowerment: Companies must give consumers the opportunity to access and correct their data, along with insight into the privacy practices of the businesses they choose to deal with.
  • Consistent protection: Participants agree to abide by the 50 CBPR program requirements, implementing the same baseline protections across different legal regimes. 
  • Cross-border enforcement cooperation: The CBPR system provides a mechanism for regulatory authorities to cooperate on the enforcement of baseline program requirements.


The Value Proposition for Businesses: Leveraging a Uniform Global Baseline

Because the CBPR framework is global, certification aligns a business's practices with those of multiple economies and can expand its international reach and business opportunities.

  • Lowering the Barriers to Entry: CBPR certification not only provides participants with a competitive edge but also can reduce barriers to establishing offices and starting data processing in various jurisdictions. 
  • Heightened Interoperability: Participation allows companies to know they are meeting a minimum bar of privacy compliance across jurisdictions, including in Canada, Japan, and Singapore, known for particularly stringent data protection rules.
  • Brand Recognition: Companies entrusted with personal data must demonstrate that they take data privacy and compliance with established global standards seriously; those completing the certification receive public recognition on the Department of Commerce's global compliance directory.
  • Efficient Vendor Due Diligence Tool: Vendor due diligence can be a full-time job. The PRP certification for third-party vendors includes additional requirements for implemented security safeguards and accountability, enhancing protections along the entire data value chain.
  • Steps Towards ISO Certification: For larger organizations and those processing a high volume of data, CBPR/PRP certification can be a first step toward implementing further controls for certification to other privacy standards and frameworks, such as ISO 27701. For small and medium-sized organizations that operate globally, CBPR and PRP certification is a more practical and cost-efficient option that signals a commitment to industry best practices and compliance with a rigorous baseline of security standards.


The CBPR System benefits consumers and businesses by ensuring that privacy compliance and regulatory differences across jurisdictions do not block a business’s ability to deliver innovative products and services across the world. 



First published in IAPP.
