A globalized CBPR framework: Peering into the future of data transfers

Last month, at the IAPP’s Privacy. Security. Risk. 2021 conference, an important moment occurred that may have been easy to miss. The moment took place during a panel discussion among current and former U.S. Department of Commerce staff titled “The Evolution of International Privacy Policymaking in the U.S. Government.”

Just as billed, the discussion ranged across data flow issues around the world, from the EU-U.S. Privacy Shield (“We’re almost done.”) to new privacy laws in Brazil and India. In general, the speakers highlighted the longstanding commitments within the DOC’s International Trade Administration to push back on data localization rules, while ensuring consistent and robust privacy standards based on principles that can work around the world. As Director of the Office of Digital Services Industries Krysten Jenci, CIPP/US, put it, “You can’t do trade unless data is flowing across borders.”

Though these remarks went far to illustrate the consistent message that has been core to the ITA’s engagement on the international stage, from the Organisation for Economic Co-operation and Development to the Asia Pacific Economic Cooperation to the European Union, this was not “the moment.”

The conversation then turned to a discussion about the impression among many U.S. privacy professionals that the U.S. finds itself on the defensive in international discussions on privacy, rather than leading the conversation. Michael Rose, an ITA alumnus now working in Google’s global policy team, turned to Christopher Hoff, CIPP/E, CIPP/US, CIPM, and asked, “What is the U.S.’s offensive strategy?”

Fittingly, it was Hoff, the most senior official on stage, appointed day one of the Biden administration to serve as Deputy Assistant Secretary for Services, who dropped the clearest signals about the future of ITA’s work.

In response to Rose’s question, Hoff listed three priorities of the U.S. administration:

1. Tracking and combating data localization, in any form.
2. Prioritizing direct bilateral negotiations with jurisdictions around the world.
3. Supporting the globalization and expansion of the Asia Pacific Economic Cooperation Cross-Border Privacy Rules system.

Notably highlighting this last point, Hoff said, “CBPR is going global.”

This moment was years in the making, an unexpectedly pithy expression of a policy priority that had sometimes seemed like nothing more than a rumor: the U.S. government along with other participating economies is supporting an expansion of the CBPR system to allow participation by economies anywhere in the world.

The idea of converting CBPR from a regional to a global framework is rooted in a simple theory, foundational to the CBPR system: Baseline data protection standards across jurisdictions can be interoperable without being equivalent. Not only is this philosophy the U.S.’s official position today, but it also has been on display as a consistent theme in the work of the ITA for over two decades. It shows a practical approach to data transfers rooted in balancing four interrelated goals: essential privacy protections, trusted global digital trade, achievable compliance mechanisms, and effective cross-border enforcement among participating jurisdictions.

The CBPR system and the related Privacy Recognition for Processors system is voluntary but enforceable frameworks. Such a system has an implicit and often overlooked power. Layers of accountability create a structure where trust is never assumed, from the internal procedures required for an organization to receive certification, to the practices of independent accountability agents that are reviewed and approved by all participating regulators, to regulatory recognition and enforcement within each participating jurisdiction, to empowering consumers to pursue actionable complaints.

In fact, this model sits as a direct counterpoint to the EU’s “adequacy” model. Rather than empowering a single jurisdiction to determine the adequacy of a country’s privacy protections, an independent multilateral body is given this authority. This distributive model protects against the risk of protectionist trade priorities creeping into data protection assessments.

In addition, rather than deeming an entire jurisdiction to have adequate protection regardless of the actual practices of any given organization within that jurisdiction, the CBPR model provides a framework for organizations to proactively demonstrate a commitment to uniform privacy standards. Like other multilayered governance frameworks (Privacy Shield is quite similar), participating businesses are publicly listed, independently reviewed, subject to consumer redress procedures, and subject to enforcement of their commitments by their home regulator. This system assists both consumers and other businesses in properly vetting an organization before doing business with it.

And rather than relying only on resource-limited regulators to review and approve privacy commitments (as seen in the multi-year backlog of binding corporate rules applications within some DPAs), the CBPR system provides a mechanism for regulators to empower independent “accountability agents,” but only after those agents have demonstrated their transparency, independence, and proactive procedures. This mechanism assists in making participation scalable and achievable, an important factor if we care about the success of small and medium-sized businesses in accessing cross-border markets while still embracing enforceable privacy standards.

The precise structure of a globalized CBPR system is not known, though it is likely to look very similar to the existing model. If so, countries that wish to join the system will submit an application to existing members. Accountability agents will apply to their local regulator and be reviewed and approved by the members. Local accountability agents will certify businesses. Certification will include recognition throughout the system, along with any localized compliance benefits.

Such a system not only will allow jurisdictions from Bermuda to Brazil and beyond to recognize CBPR as a robust framework for meeting local data transfer requirements, as the Office of the Privacy Commissioner for Bermuda did last year, but also will provide jurisdictions with a reciprocal and multilateral acknowledgment that their standards exceed a recognized uniform baseline.

The timeline for CBPR’s global expansion is by no means certain, though remarks on stage suggested we will see concrete progress in 2022. In the meantime, it is worth reflecting on the utility of this interoperable framework. A transparent and accountable system that encourages organizations to achieve global privacy best practices is a win-win for businesses and consumers alike.