Like so many of the countless weeks us weary wonks have wandered, this was a busy one for data flows discourse. As the European Union moves closer to casting doubt on the use of other transfer mechanisms, and the EU-U.S. Data Privacy Framework reportedly adds months to its expected implementation timeline, U.S. organizations brace for continued uncertainty about how to effectuate legal data transfers from the EU.

But even as data bridges crumble, new blueprints are drawn up.

The United Kingdom hosted a multilateral meeting of the Global Cross-Border Privacy Rules Forum, marking the one-year anniversary of the forum’s birth — like Athena from the head of Zeus — out of its Asia-Pacific Economic Cooperation progenitor. Always the courteous host, the U.K. marked the occasion by becoming the first non-APEC economy to foundational documents as it formalizes its structure and scope, including the Global CBPR Framework and Terms of Reference.

The framework is clearly modeled after the APEC Privacy Framework, first published in 2005 and updated in 2015. The principles appear to have received only ministerial updates in their translation to the Global CBPR Forum. More impactfully, the Terms of Reference explain the organizational structure of the forum, requirements for membership, and operations of the policy-making body of the coordinated effort, now called the Global Forum Assembly.

As I’ve written mapped the CBPR Program Requirements against the U.K. GDPR.

That said, no doubt top-of-mind for many in the ongoing CBPR efforts is the potential for organizational certification within CBPR to serve as a recognized transfer mechanism, from the U.K. and other jurisdictions. There are some hints this could be possible now under the U.K.’s proposed Data Protection and Digital Information (No. 2) Bill.

Specifically, the new Section 47A would empower the secretary of state to recognize new mechanisms that demonstrate "appropriate safeguards" as a valid transfer mechanism, beyond those specified under GDPR. The new power can only be exercised if the secretary of state considers that the "further safeguards are capable of securing that the data protection test set out in Article 46 is met in relation to transfers of personal data generally or in relation to a type of transfer specified in the regulations." In theory, this could afford the U.K. more flexibility to recognize frameworks, like CBPR, that might not neatly sit within the scope of one of the existing transfer mechanisms.

Other jurisdictions seem to be on a similar path to embracing the CBPR model. Last December, the United Arab Emirates Ministry of Artificial Intelligence and the U.S. Department of Commerce issued a joint statement regarding the considerations underpinning "the economic and social benefits of ensuring robust data protections, and enforcement of those protections, while promoting interoperable mechanisms that facilitate cross-border data transfers across economies with different regulatory regimes." The veiled reference to the CBPR system underscores the existing recognition in the Dubai International Financial Centre of the CBPR and PRP frameworks as adequate transfer mechanisms, similar to Bermuda’s recognition. Incidentally, the DIFC is one of the first jurisdictions to partner with the U.K. to build a

As would seem prudent, the U.K. appears to be working on multiple fronts to establish secure and trustworthy data transfer mechanisms with the U.S., including by negotiating a U.K. Extension to the EU-U.S. Data Privacy Framework, first mentioned in a recent public notice from the Department of Commerce.

There will be plenty to track on both sides of the Atlantic — and

Here's what else I’m thinking about:

  • All three sitting commissioners of the U.S. Federal Trade Commission testified before the House Energy and Commerce Committee. Under sometimes withering questioning, the leaders defended the agency's track record and request for an increased budget. Statements from the commissioners about their intention to target artificial intelligence systems that are deceptive or biased also received media attention.
  • In a separate E&C hearing, hosted by the oversight subcommittee, three experts on the data broker industry testified about concerns over the widespread collection and sale of consumer personal data. Laura Moy, faculty director, Center on Privacy and Technology at the Georgetown Law Center, was joined by Justin Sherman, senior fellow and research lead of the Data Brokerage Project at the Duke University Sanford School of Public Policy, and Marshall Erwin, vice president and chief security officer of Mozilla Corporation. Members of Congress from both parties were engaged and went deep on the issues. This allowed the witnesses to explain a wide spectrum of harms, from "suckers lists" to reidentification, and impacts to vulnerable groups, from gamblers to older Americans to military service members.
  • U.S. Reps. Anna Eshoo, D-Calif., and Zoe Lofgren, D-Calif., re-introduced their Online Privacy Act for the third time. The comprehensive bill that would create a Digital Privacy Agency is untouched from the 2021 version except for adding language that would preserve any state privacy laws with "stronger" protections, which the representatives refer to as a "federal floor," and directing the National Institute of Standards and Technology to establish a privacy risk management framework and carry out research on mitigating privacy risk. Representative Eshoo serves on the Energy and Commerce Committee.

Upcoming happenings

  • 27 April at 2 p.m. EDT, the House Energy and Commerce Committee, Subcommittee on Innovation, Data, and Commerce hosts a hearing titled "Addressing America's Data Privacy Shortfalls: How a National Standard Fills Gaps to Protect Americans' Personal Information" (hybrid).

Please send feedback, updates and your favorite Greek myth to cobun@iapp.org.