The status of EU-U.S. data flows and the political agreement on the Trans-Atlantic Data Privacy Framework dominated the privacy and data protection discussions at the IAPP Global Privacy Summit 2022 in Washington, D.C. Addressing the trickledown effects of the EU-U.S. situation on various facets of privacy pros' work was simply unavoidable with the topic being top of mind for so many.
But trans-Atlantic data flows are just one piece to the wider conversation around data transfers at a global level. While some transfer regimes may involve the EU, the U.S. or both, other countries or regions have their own complexities that require consideration and general awareness.
GPS22 brought a slew of updates and insights into solving cross-border transfers in other parts of the world.
Teeing up the Global Cross-Border Privacy Rules Forum
The announcement by the U.S. Department of Commerce regarding the launch of the Global Cross-Border Privacy Rules Forum and its objective to create Global Cross Border Privacy Rules and Privacy Recognition for Processors Systems came after GPS22, but the DOC all but rolled out the concept for the unprecedented move during the IAPP Privacy. Security. Risk. 2021 conference last November. Panelists participating in one GPS breakout session contemplating solutions to global data flows spoke unprovoked and positively on the globalized CBPRs and PRP Systems.
The DOC's Global CBPR declaration outlines the forum's objectives "to promote interoperability" and to "bridge different regulatory approaches to data protection and privacy." Those goals are a recognition of the differences not only plaguing flows between nations from different regions of the world, but transfers between neighboring countries as well.
Singapore Personal Data Protection Commission Deputy Commissioner Yeong Zee Kin alluded to a "diversity of countries" and "different levels of data protection maturity" as the hurdles standing between any type of multilateral agreement on the free flow of data between APAC nations. Similarly, Restaurant Brands International Vice President & Chief Privacy Officer Laura Juanes Micas, CIPP/E, CIPP/US, said Latin American countries share a "cultural origin" in data protection laws, but there is "really no such thing as a standard" nor is there any uniformity among regulatory schemes across the region.
Kin has a wealth of experience with the Asia-Pacific Economic Cooperation's CBPRs and PRP Systems, which will ultimately transition its certification system to a global format in the DOC's outline. He said early participation in APEC CBPRs "wasn't at the forefront of people's consciousness" for so long because current and potential participants had "no concept personal data would need some type of transfer mechanism before it could flow." Kin added that certification systems like CBPRs "require a little more work" than contracts, but there can be confidence moving forward with "accountability as the foundation."
According to Micas, getting out of the "vicious circle" that comes from relying on contracts and more "paper solutions" will require contributions and progressive thinking from all concentrations in the privacy space. Global CBPRs may represent a step forward in the outside-the-box thinking that will help produce "more flexible mechanisms" countries can turn to.
"I do think there is a path to bridging the paperwork with embedding effective accountability, processes and governance," Micas said. "That all can be the vehicle to building trust and making the experience much more pleasant for practitioners while allowing us to focus on the things that really matter."
OECD trust initiatives
While there have been many snags in EU-U.S. adequacy talks, a consistent issue has been national security checks by U.S. government intelligence agencies. Government access to data through such checks isn't a dilemma exclusive to EU-U.S. negotiations, but something most data protection regimes around the world are taking into consideration more and more as far as compliance and fostering consumer trust go.
In the face of this growing dilemma on law enforcement and national security needs, the Organization of Economic Co-operation and Development has undertaken an effort to develop principles that describe how democracies protect data privacy when accessing data held by companies for law enforcement and national security. The goal of OECD's work would be to reconcile the protection of privacy with agencies' national security requirements while also tending to the perception of disparate data protection safeguards.
"This is an effort focused on identifying the shared common practices that the OECD members have, as democracies," said Lauren Bernick, CIPP/US, the principal deputy chief of the Office of Civil Liberties, Privacy, and Transparency for the Office of the U.S. Director of National Intelligence. She was joined by other OECD participants for a panel discussion at GPS22 on the group's initiative.
Bernick stressed that having perspectives from law enforcement and national security experts is not only important, but "the way to building the trust." She noted that the data protection dialogue has been "sophisticated" and ongoing "for years" while national security has only just begun to append itself to the discussion. The OECD effort simply provides a "unique opportunity," according to Bernick, to install expert opinions that otherwise haven't been looped in to "erode and get rid of the misunderstandings, perceptions and suspicions" about government access to data.
As important as it is for OECD partners to arrive at a consensus, organizations also view the trust initiative as crucial to their data flows and business models. Microsoft General Manager and Associate General Counsel Norman Barbosa works with Business at OECD, which is a network of international businesses that is invited in for limited interventions on OECD matters. He noted how the BIAC group and industry in general see the OECD's trust-building effort as an answer to "the lack of certainty and trust that is having an economic impact."
"We've hit a point in the development of technology where it is not simply a toy used for consumer reasons and gaming," Barbosa said. "Digital technology is critical to the advancement of major industry and is increasingly used by public-sector entities around the world. ... We believe shining some light and transparency on what the rules around national security and law enforcement collection are will help bring certainty and support further digital transformation and greater trust."
UK continues blazing its own path
One of the most intriguing data transfer conundrums belongs to the U.K., which is largely in control of its own future following Brexit and the subsequent decision to reform its overall data protection regime, including its approach to data flows. In March at the IAPP Data Protection Intensive: U.K., Department of Digital, Culture, Media and Sport Director James Snook told folks the adequacy decisions that transfers hinge on will come following finalized reforms to the U.K. General Data Protection Regulation and will not necessarily fall in line with the adequacy decisions the EU arrives at.
DCMS Deputy Director of International Data Transfers Joe Jones echoed Snook's sentiments at GPS22, noting the U.K. is in the midst of "walking and chewing gum" as it tries to execute adequacy decisions and regulatory reforms all at once. With adequacy, Jones said the U.K. is "in very active and very progressive discussions with international partners around the world," noting specific positive talks with Brazil, Colombia and Singapore.
Those talks will only materialize into official adequacy decisions once any amendments to the U.K. GDPR are settled upon. Jones said the U.K. government has taken into consideration the "thousands" of submissions to the public consultation on the reforms and plans to lay out its "informed" position "hopefully in the next few weeks or couple months." He added that any final reforms will focus on global developments and how "the world has moved on" from what the U.K. GDPR was originally drafted to protect against.
"With our experience of revisiting the U.K. GDPR and asking ourselves what works or what could be improved, we've learned, borrowed and copied from countries around the world," Jones said. "You have to be humble and not just assume you're going to solve these issues by yourself within the contours and constraints of your jurisdiction. When we say convergence, what we actually mean is finding commonality and not just asking people to come to our standards."
The near-term solution for data flows to and from the U.K. is the updated clauses for international data transfer agreements that took force in March.