Like so many of the countless weeks we weary wonks have wandered, this was a busy one for data flows discourse. As the European Union moves closer to casting doubt on the use of other transfer mechanisms, and the EU-U.S. Data Privacy Framework reportedly adds months to its expected implementation timeline, U.S. organizations brace for continued uncertainty about how to effectuate lawful data transfers from the EU.
But even as data bridges crumble, new blueprints are drawn up.
The United Kingdom hosted a multilateral meeting of the Global Cross-Border Privacy Rules Forum, marking the one-year anniversary of the forum’s birth — like Athena from the head of Zeus — out of its Asia-Pacific Economic Cooperation progenitor. Always the courteous host, the U.K. marked the occasion by becoming the first non-APEC economy to apply to join the Global CBPR Forum. At the same time, the forum released the next foundational documents as it formalizes its structure and scope, including the Global CBPR Framework and Terms of Reference.
The framework is clearly modeled after the APEC Privacy Framework, first published in 2005 and updated in 2015. The principles appear to have received only ministerial updates in their translation to the Global CBPR Forum. More impactfully, the Terms of Reference explain the organizational structure of the forum, requirements for membership, and operations of the policy-making body of the coordinated effort, now called the Global Forum Assembly.
As I’ve written before, these moves are in furtherance of a simple idea, which has been core to the CBPR ethos since its origination: Baseline data protection standards across jurisdictions can be interoperable without being equivalent. The CBPR system and the related Privacy Recognition for Processors system are designed to be voluntary but enforceable frameworks. Such a system has an implicit and often overlooked power. Layers of accountability create a structure where trust is never assumed, from the internal procedures required for an organization to receive certification, to the practices of independent accountability agents that are reviewed and approved by all participating regulators, to regulatory recognition and enforcement within each participating jurisdiction, to empowering consumers to pursue actionable complaints.
There is much work to do as stakeholders work to finish establishing the updated CBPR structures. Since the framework is meant to be applied flexibly by its members, it is difficult to say precisely what the U.K.'s membership would mean. The U.K. regime is certainly compatible with the baseline CBPR requirements. Though this is due for an update, the Centre for Information Policy Leadership previously mapped the CBPR Program Requirements against the U.K. GDPR.
That said, no doubt top-of-mind for many in the ongoing CBPR efforts is the potential for organizational certification within CBPR to serve as a recognized transfer mechanism, from the U.K. and other jurisdictions. There are some hints this could be possible now under the U.K.’s proposed Data Protection and Digital Information (No. 2) Bill.
Specifically, the new Section 47A would empower the secretary of state to recognize new mechanisms that demonstrate "appropriate safeguards" as a valid transfer mechanism, beyond those specified under GDPR. The new power can only be exercised if the secretary of state considers that the "further safeguards are capable of securing that the data protection test set out in Article 46 is met in relation to transfers of personal data generally or in relation to a type of transfer specified in the regulations." In theory, this could afford the U.K. more flexibility to recognize frameworks, like CBPR, that might not neatly sit within the scope of one of the existing transfer mechanisms.
Other jurisdictions seem to be on a similar path to embracing the CBPR model. Last December, the United Arab Emirates Ministry of Artificial Intelligence and the U.S. Department of Commerce issued a joint statement regarding the considerations underpinning "the economic and social benefits of ensuring robust data protections, and enforcement of those protections, while promoting interoperable mechanisms that facilitate cross-border data transfers across economies with different regulatory regimes." The veiled reference to the CBPR system underscores the existing recognition in the Dubai International Financial Centre of the CBPR and PRP frameworks as adequate transfer mechanisms, similar to Bermuda’s recognition. Incidentally, the DIFC is one of the first jurisdictions to partner with the U.K. to build a data bridge, "a framework which will facilitate the free and secure flow of personal data following an assessment of the laws and practices that protect data to high standards."
As would seem prudent, the U.K. appears to be working on multiple fronts to establish secure and trustworthy data transfer mechanisms with the U.S., including by negotiating a U.K. Extension to the EU-U.S. Data Privacy Framework, first mentioned in a recent public notice from the Department of Commerce.
There will be plenty to track on both sides of the Atlantic — and around the world — as these and other parallel conversations continue. When it comes to data flows and digital bridges, "infrastructure week" may never end.
Here's what else I’m thinking about:
- All three sitting commissioners of the U.S. Federal Trade Commission testified before the House Energy and Commerce Committee. Under sometimes withering questioning, the leaders defended the agency's track record and request for an increased budget. Statements from the commissioners about their intention to target artificial intelligence systems that are deceptive or biased also received media attention.
- In a separate E&C hearing, hosted by the oversight subcommittee, three experts on the data broker industry testified about concerns over the widespread collection and sale of consumer personal data. Laura Moy, faculty director, Center on Privacy and Technology at the Georgetown Law Center, was joined by Justin Sherman, senior fellow and research lead of the Data Brokerage Project at the Duke University Sanford School of Public Policy, and Marshall Erwin, vice president and chief security officer of Mozilla Corporation. Members of Congress from both parties were engaged and well-versed in the issues. This allowed the witnesses to explain a wide spectrum of harms, from "suckers lists" to reidentification, and impacts on vulnerable groups, from gamblers to older Americans to military service members.
- U.S. Reps. Anna Eshoo, D-Calif., and Zoe Lofgren, D-Calif., re-introduced their Online Privacy Act for the third time. The comprehensive bill that would create a Digital Privacy Agency is untouched from the 2021 version except for adding language that would preserve any state privacy laws with "stronger" protections, which the representatives refer to as a "federal floor," and directing the National Institute of Standards and Technology to establish a privacy risk management framework and carry out research on mitigating privacy risk. Representative Eshoo serves on the Energy and Commerce Committee.
- On 27 April at 2 p.m. EDT, the House Energy and Commerce Committee, Subcommittee on Innovation, Data, and Commerce hosts a hearing titled "Addressing America's Data Privacy Shortfalls: How a National Standard Fills Gaps to Protect Americans' Personal Information" (hybrid).
Please send feedback, updates and your favorite Greek myth to email@example.com.