Transborder data flows are among the most significant and complex issues in the privacy profession at the moment. As the U.S. and EU work to finalize the highly anticipated Trans-Atlantic Data Privacy Framework, an announcement involving the other side of the North American continent aims to help mitigate some global complexity and promote data flows with privacy protections.
Calling it "a historic moment for international cooperation in the digital sector," U.S. Department of Commerce Secretary Gina Raimondo announced Thursday the creation of the Global Cross-Border Privacy Rules Forum along with Canada, Japan, the Republic of Korea, the Philippines, Singapore and Chinese Taipei.
“The establishment of the Global CBPR Forum reflects the beginning of a new era of multilateral cooperation in promoting trusted global data flows that are critically important to our modern economy," Raimondo said in a press release. "The Global CBPR Forum intends to establish the Global Cross Border Privacy Rules and Privacy Recognition for Processors Systems, first-of-their-kind data privacy certifications that help companies demonstrate compliance with internationally recognized data privacy standards. At the same time, the new Forum will facilitate trade and international data flows and promote global cooperation, building on our shared data privacy values while recognizing the differences in our domestic approaches to protecting data privacy."
Tangential to Raimondo's announcement is the CBPR Declaration, which lays out the principles undergirding the agreement, as well as its scope of activity, mode of operation, participation and organization.
The declaration establishes a forum "to promote interoperability" and to "bridge different regulatory approaches to data protection and privacy," the release states. Objectives include a certification system based on the Asia-Pacific Economic Cooperation CBPR and PRP Systems, a periodic review of members' data protection and privacy standards, and promotion of interoperability with other data protection and privacy frameworks.
Under its operational objectives, the forum's members will consult and exchange views, and share research, analysis and policy ideas. Participation "is intended to be open, in principle, to those jurisdictions" that accept the forum's objectives, and member consensus will determine future participation, the declaration states.
Commerce also released a set of frequently asked questions, which explains that the new Global CBPR Forum "intends to establish an international certification system based" on the Asia-Pacific Economic Cooperation CBPR and PRP Systems. It notes that the forum "will be independently administered and separate from the APEC Systems." The founding members of the forum will consult with accountability agents and certified companies in APEC "to formally transition operations from APEC to the Global CBPR Forum" and will offer 30 days' notice to the accountability agents.
The FAQs also address those organizations that are currently certified or considering certification in the APEC CBPR and PRP Systems, stating that certifications "will continue ... until further notice." There are plans to transition operations to the new forum, the FAQs state, and all approved accountability agents and certified companies "will automatically be recognized in the new" forum.
Commerce urges certified companies to contact their agents for more information about the transition.
One such Accountability Agent is the BBB National Programs. Josh Harris, its global privacy initiatives director, applauded Thursday's announcement, saying the work of the forum "has been in development for several years."
Harris said, "The launch of a Global CBPR Forum is a key development in international cooperation on cross-border data flows. This Forum continues and expands the U.S. approach to data flows and paves the way for new entrants into this system — particularly those countries that have developed or are developing a national data privacy certification. Additionally, this Forum provides a mechanism for such certifications to be cross recognized in a first-of-its-kind international exchange, helping to bridge different regulatory approaches to data protection and privacy."
Indeed, the prioritization by the Commerce Department to support the expansion of the APEC CBPR system was mentioned last October, during the IAPP Privacy. Risk. Security. conference in San Diego. This was detailed in an article for The Privacy Advisor, by IAPP Managing Director for Washington, D.C., Cobun Zweifel-Keegan, CIPP/US, CIPM, who, at the time worked for BBB National Programs. During a breakout session comprising current and former members of Commerce, Deputy Assistant Secretary for Services Christopher Hoff, CIPP/E, CIPP/US, CIPM, said, "CBPR is going global."
At the time, Zweifel-Keegan wrote, "The idea of converting CBPR from a regional to a global framework is rooted in a simple theory, foundational to the CBPR system: Baseline data protection standards across jurisdictions can be interoperable without being equivalent."
He added, "Such a system not only will allow jurisdictions from Bermuda to Brazil and beyond to recognize CBPR as a robust framework for meeting local data transfer requirements, as the Office of the Privacy Commissioner for Bermuda did last year, but also will provide jurisdictions with a reciprocal and multilateral acknowledgment that their standards exceed a recognized uniform baseline."
In her statement Thursday, Commerce Secretary Raimondo sounded an optimistic note for what the forum can bring to global data transfers. "With this unique approach founded on creating practical compliance tools and based on cooperation," she said, "we can make the digital economy work for consumers and businesses of all sizes alike.”
Photo by Ian Hutchinson on Unsplash