Episode Show Notes: The Past and Future of Privacy Accountability: Is CBPR a Model?



In this episode of the Accountability Studio, moderator Cobun Zweifel-Keegan, Deputy Director of Privacy Initiatives at BBB National Programs, led a conversation on the cross-border privacy rules system, or CBPR, which is a voluntary framework with a global impact. He was joined by Josh Harris, BBB National Programs Director of Global Privacy Initiatives, and Sam Schofield, International Trade Specialist, Global Data Privacy.

Their conversation took a deep dive into the Asia-Pacific Economic Cooperation (APEC), a regional economic forum with 21 member economies around the Pacific rim and the creator of CBPR.

 

At the start of the episode, Sam laid the groundwork for where the APEC-CBPR idea came from and the primary reason for a privacy model being connected to APEC. In his explanation, he detailed how the first step of APEC was to establish its privacy standards. He described them as:

  • A set of about nine to twelve different privacy principles based on other internationally recognized privacy principles in the Organisation for Economic Co-operation and Development (OECD) that date back to 1980, and revised in 2013. These OECD privacy principles influence a lot of the APEC privacy principles that 21 economies agreed on. 

Following the inception of these principles, there was a need to have a mechanism to implement them, which is how the APEC CBPR System came to fruition. There are 50 program requirements that nine economies within APEC recognize as baseline standards in this system, even though they do have different data privacy regulations.

The conversation continued with Josh, who spoke to how everything came together and what APEC was trying to accomplish when creating the CBPR system. Since different economies experience a range of challenges, he emphasized, “If you’re ever going to get any project launched in APEC, you have to demonstrate that it’s going to have a tangible economic impact across all 21 different economies.” 

Josh outlined four key components of the system in his explanation of why and how the CBPR system looks as it does. These were: 

  1. It’s economic-based.
  2. It’s working to resolve the needs of some of the least developed economies in the world.
  3. It’s working to resolve the needs of the most developed economies in the world.
  4. It has to be consensus-based.

The conversation then continued with Sam detailing how they view the CBPR system as having four layers of structure and accountability at the International Trade Administration. It is largely because of its multi-layered format that APEC functions the way that it does. One of the layers in this format which they discussed in more depth as the episode progressed, was the role of the accountability agents, which BBB National Programs is one of for the United States. 

In this episode, Josh and Sam discuss how APEC holds companies accountable to the standards they voluntarily accept through the CBPR system. Josh spoke to the role of the accountability agents, and how they are required by governments to demonstrate how they will enforce their program requirements. Sam then addressed how “in the event that there are repeated and willful violations of the CBPR program requirements,” a government enforcement agency is likely to step in and take further action.

Following their insights, Cobun noted that since there are increasingly growing baseline compliance standards worldwide, participating in the system provides an additional channel for companies to demonstrate how they are meeting requirements and expectations. 

Continuing the conversation, each privacy expert highlighted additional reasons why a company would want to join the CBPR system and receive the certification.

“It is a credential that companies have and a level of assurance that they provide to governments that they take privacy protections seriously,” said Sam. He continued to share how organizations show “they are instituting these baseline sort of standards around data and how they process it and ensuring that there are adequate protections given to all of their data processing, whether that is data at rest or data traveling across borders.”

As the system grows, Sam emphasized that so will the number of benefits companies receive from participating. Consequently, by joining the system now, companies will experience more long-term returns on their investment as more economies begin to recognize CBPRs. 

At the close of the episode, Cobun asked Josh and Sam for their insights on why interoperability, a term they both mentioned, is important in this global framework. Sam detailed,  “Interoperability is this intentional focus on creating common certifications, common frameworks, that both governments and the private sector agree on.” This set of standards can then be applied “to demonstrate your privacy posture and in compliance with different laws around the world.”

Listen to the full episode here