Editor's Note: This article has been updated to correctly state the new participants of the Global Cooperation Arrangement for Privacy Enforcement.
In our digitally connected world, safeguarding personal data is essential. The question is, how can government and business collaborate to achieve this critical goal?
At present, 137 countries have privacy laws and regulations in place — covering more than three-quarters of the world population — with each law incorporating differing expectations about the existing consumer privacy landscape. Furthermore, at least 85 jurisdictions worldwide have some form of a regulator or government authority that designates a data adequacy standard that must be met before data can be transferred. These data protection laws and standards both within the U.S. and across borders emphasize the need for a uniform model of baseline privacy considerations to help ensure data transfers are streamlined and privacy compliance is achievable.
Given such a diverse approach to data privacy, the new Global Cross-Border Privacy Rules and Privacy Recognition for Processors System, launched this week by the Global CBPR Forum, offers a much-needed framework for a new era of international data protection, one that promotes trust and accountability while moving into a future where consumer privacy is honored and data can be transferred responsibly across borders, by data controllers and processors.
What are global CBPRs?
The Global CBPR Forum economies support the free flow of data and are working to bridge different regulatory approaches by establishing an interoperable global standard for cross-border data protection, the Global CBPR and PRP framework. The new framework is an expansion of the existing APEC CBPR System and will allow more economies from around the world to participate.
In its release, the U.S. Department of Commerce and other members of the Global Forum noted that, in addition to the original nine member economies — Australia, Canada, Japan, Mexico, the Republic of Korea, the Philippines, Singapore, Chinese Taipei, and the U.S. — three new economies have stepped forward to facilitate the Global Cooperation Arrangement for Privacy Enforcement. The Global CAPE is a separate, complementary framework on cross-border data flows under which privacy enforcement authorities participate in a multilateral arrangement to facilitate cross-border data flows. The three new participants of the Global CAPE are the U.K., the territory of Bermuda, and the privacy regulator of the Dubai International Finance Centre. These economies appear to be working to secure more widespread application of the CBPR and PRP system across their regions.
Certification to the CBPR or PRP system
Two certifications are available: CBPR, focused on certifying data controllers, and PRP, designed for data processors and vendors.
As businesses compare CBPRs to similar trans-Atlantic and cross-jurisdiction data privacy frameworks, they will find significant overlap. A 2021 report by the Centre for Information Policy Leadership mapped CBPR system requirements to the EU General Data Protection Regulation and identified more than half, 61%, of relevant requirements as shared between the two frameworks. BBB National Programs' own analysis comparing the CBPR system to the EU-US Data Privacy Framework, formerly Privacy Shield, indicates that DPF and CBPR share 125 interoperable requirements, or nearly 80% overlap.
Notable areas of overlap include controller-processor due diligence, data subject access and control rights, transparent privacy disclosures and security safeguards. For example, CBPR- and PRP-certified participants have reported that their CBPR certification helped them in the approval process for their binding corporate rules — BCRs — by European institutions.
The Global Forum utilizes accountability agents, key partners that certify the data protection and privacy policies of businesses. CBPR and PRP certifications are only issued by accountability agents registered with the participating privacy enforcement authority of the issuing member economy. For example, BBB National Programs is the only nonprofit accountability agent recognized to provide the CBPR and PRP certifications by the U.S. Department of Commerce.
New participants will have the option to obtain the certification starting in the summer of 2024. Participants who were previously certified under the APEC system will be grandfathered into the new system through the end of their current APEC certification term, because the overall requirements have not changed with the expansion to the global framework.
Uniform requirements
The new Global CBPR system assesses the governance of personal data by requiring:
- Enforceable standards. Participating economies must demonstrate that CBPR program requirements will be legally enforceable against certified companies.
- Accountability. A company must demonstrate to an accountability agent that they meet the CBPR requirements and are subject to ongoing monitoring and enforcement.
- Risk-based protections. Companies must implement security safeguards for personal data that are proportional to the probability and severity of harm, the confidential nature of the information, and the context in which it is held.
- Complaint handling and dispute resolution. Accountability agents investigate complaints and resolve disputes between consumers and certified companies concerning non-compliance.
- Consumer empowerment. Companies must provide consumers with the opportunity to access and correct their data, giving consumers insight into the privacy practices of the businesses with which they choose to do business.
- Consistent protection. Participants agree to abide by the 50 CBPR program requirements, implementing the same baseline protections across different legal regimes.
- Cross-border enforcement cooperation. The CBPR system provides a mechanism for regulatory authorities to cooperate on the enforcement of baseline program requirements.
The value proposition for businesses: Leveraging a uniform global baseline
The CBPR framework's global nature significantly extends its reach, aligning practices with multiple economies and potentially expanding a business' reach and its international business opportunities.
- Lowering the barriers to entry. CBPR certification not only provides participants with a competitive edge but also can reduce barriers to establishing offices and starting data processing in various jurisdictions.
- Heightened interoperability. Participation allows companies to know they are meeting a minimum bar of privacy compliance across jurisdictions, including in Canada, Japan and Singapore, known for particularly stringent data protection rules.
- Brand recognition. Companies charged with protecting personal data must demonstrate that they take data privacy and compliance with established global standards seriously, and those completing the certification receive public recognition in the Department of Commerce's global compliance directory.
- Efficient vendor due diligence tool. Vendor due diligence can be a full-time job. The PRP certification for third-party vendors includes additional requirements for implemented security safeguards and accountability to enhance protections for the entire data value chain.
- Steps toward ISO certification. For larger organizations and organizations processing a high volume of data, CBPR/PRP certification can be a first step toward implementing further controls for certification to other privacy standards and frameworks, such as ISO 27701. For small and medium-sized organizations that operate globally, CBPR and PRP certification signals a commitment to upholding industry best practices and compliance with rigorous baseline security standards, and offers a more practical and cost-efficient solution.
The CBPR System benefits consumers and businesses by ensuring that privacy compliance and regulatory differences across jurisdictions do not block a business' ability to deliver innovative products and services across the world.