A globalized CBPR framework: Peering into the future of data transfers

Nov 30, 2021 by Cobun Zweifel-Keegan, Deputy Director, Privacy Initiatives, BBB National Programs

Last month, at the IAPP’s Privacy. Security. Risk. 2021 conference, an important moment occurred that may have been easy to miss. The moment took place during a panel discussion among current and former U.S. Department of Commerce staff titled “The Evolution of International Privacy Policymaking in the U.S. Government.”

Just as billed, the discussion ranged across data flow issues around the world, from the EU-U.S. Privacy Shield (“We’re almost done.”) to new privacy laws in Brazil and India. In general, the speakers highlighted the longstanding commitments within the DOC’s International Trade Administration to push back on data localization rules, while ensuring consistent and robust privacy standards based on principles that can work around the world. As Director of the Office of Digital Services Industries Krysten Jenci, CIPP/US, put it, “You can’t do trade unless data is flowing across borders.”

Though these remarks went far to illustrate the consistent message that has been core to the ITA’s engagement on the international stage, from the Organisation for Economic Co-operation and Development to the Asia Pacific Economic Cooperation to the European Union, this was not “the moment.”

The conversation then turned to a discussion about the impression among many U.S. privacy professionals that the U.S. finds itself on the defensive in international discussions on privacy, rather than leading the conversation. Michael Rose, an ITA alumnus now working in Google’s global policy team, turned to Christopher Hoff, CIPP/E, CIPP/US, CIPM, and asked, “What is the U.S.’s offensive strategy?”

Fittingly, it was Hoff, the most senior official on stage, appointed on day one of the Biden administration to serve as Deputy Assistant Secretary for Services, who dropped the clearest signals about the future of ITA’s work.

In response to Rose’s question, Hoff listed three priorities of the U.S. administration:

  1. Tracking and combating data localization, in any form.
  2. Prioritizing direct bilateral negotiations with jurisdictions around the world.
  3. Supporting the globalization and expansion of the Asia Pacific Economic Cooperation Cross-Border Privacy Rules system.

Notably highlighting this last point, Hoff said, “CBPR is going global.”

This moment was years in the making, an unexpectedly pithy expression of a policy priority that had sometimes seemed like nothing more than a rumor: the U.S. government along with other participating economies is supporting an expansion of the CBPR system to allow participation by economies anywhere in the world.

The idea of converting CBPR from a regional to a global framework is rooted in a simple theory, foundational to the CBPR system: Baseline data protection standards across jurisdictions can be interoperable without being equivalent. Not only is this philosophy the U.S.’s official position today, but it also has been on display as a consistent theme in the work of the ITA for over two decades. It shows a practical approach to data transfers rooted in balancing four interrelated goals: essential privacy protections, trusted global digital trade, achievable compliance mechanisms, and effective cross-border enforcement among participating jurisdictions.

The CBPR system and the related Privacy Recognition for Processors system are voluntary but enforceable frameworks. Such a system has an implicit and often overlooked power. Layers of accountability create a structure where trust is never assumed, from the internal procedures required for an organization to receive certification, to the practices of independent accountability agents that are reviewed and approved by all participating regulators, to regulatory recognition and enforcement within each participating jurisdiction, to empowering consumers to pursue actionable complaints.

In fact, this model sits as a direct counterpoint to the EU’s “adequacy” model. Rather than empowering a single jurisdiction to determine the adequacy of a country’s privacy protections, an independent multilateral body is given this authority. This distributive model protects against the risk of protectionist trade priorities creeping into data protection assessments.

In addition, rather than deeming an entire jurisdiction to have adequate protection regardless of the actual practices of any given organization within that jurisdiction, the CBPR model provides a framework for organizations to proactively demonstrate a commitment to uniform privacy standards. Like other multilayered governance frameworks (Privacy Shield is quite similar), participating businesses are publicly listed, independently reviewed, subject to consumer redress procedures, and subject to enforcement of their commitments by their home regulator. This system assists both consumers and other businesses in properly vetting an organization before doing business with it.

And rather than relying only on resource-limited regulators to review and approve privacy commitments (as seen in the multi-year backlog of binding corporate rules applications within some DPAs), the CBPR system provides a mechanism for regulators to empower independent “accountability agents,” but only after those agents have demonstrated their transparency, independence, and proactive procedures. This mechanism assists in making participation scalable and achievable, an important factor if we care about the success of small and medium-sized businesses in accessing cross-border markets while still embracing enforceable privacy standards.

The precise structure of a globalized CBPR system is not known, though it is likely to look very similar to the existing model. If so, countries that wish to join the system will submit an application to existing members. Accountability agents will apply to their local regulator and be reviewed and approved by the members. Local accountability agents will certify businesses. Certification will include recognition throughout the system, along with any localized compliance benefits.

Such a system not only will allow jurisdictions from Bermuda to Brazil and beyond to recognize CBPR as a robust framework for meeting local data transfer requirements, as the Office of the Privacy Commissioner for Bermuda did last year, but also will provide jurisdictions with a reciprocal and multilateral acknowledgment that their standards exceed a recognized uniform baseline.

The timeline for CBPR’s global expansion is by no means certain, though remarks on stage suggested we will see concrete progress in 2022. In the meantime, it is worth reflecting on the utility of this interoperable framework. A transparent and accountable system that encourages organizations to achieve global privacy best practices is a win-win for businesses and consumers alike.

Originally published in IAPP's The Privacy Advisor
