Global CBPR and the Long Dance towards Interoperability

By Steve Wood

In mid-May I joined colleagues from around the globe for the recent Global CBPR Forum in Tokyo. The event was well attended with over 100 participants – 30 different countries were represented and 28 different DPAs were there as well. The interest in the CBPR is clearly growing with Africa, the Middle East and South America all represented alongside delegates from APEC and across Asia. Representatives from the UK Government, ICO and the German Federal DPA attended as well.

The switch from APEC to a Global Forum has generated a new interest and there was a lot of discussion about how the CBPR now needs to scale and create momentum – with government, regulators and companies. While we know that work is underway to consider reforms to the CBPR Framework, there was no detail revealed on the plans to make it more interoperable with other DP laws internationally. There should hopefully be more news on this at the next Forum later in 2024. The reform issue is the key pivot in getting greater involvement from countries, companies and regulators. Aside from the UK’s Associate Membership there were no announcements about new members. Therefore, the CBPR still has the feel of a dancefloor with a few participants, many sat on the chairs around the side deciding whether to move on to the floor or join the disco.

Multi-stakeholder discussion

As part of the Forum, I led a panel on Global CBPR Interoperability with IAF Board Chair Scott Taylor (CPO, J&J), Jacobo Esquenazi (WW Data Protection Officer and Privacy Strategy Director, HP Inc), Stefano Fratta (Global Advocacy and Privacy Policy, Meta), Miguel Bernal-Castillerro from the Canadian Privacy Commissioner’s Office and Evelyn Goh from the Singapore Government.

The panel discussed the benefits of CBPR as a global accountability mechanism, what the current barriers are, and what different stakeholders need to do to address them and create incentives to join the system. The aim of the panel was to ensure a multi-stakeholder discussion. Key points covered on the panel included:

  • the role of CBPR in creating trust, and how it can work as part of a wider toolkit to support data transfers and accountability
  • the value of CBPR as a corporate demonstration and verification of standards applied – mistakes may happen but the certification demonstrates to regulators that due diligence was in place
  • the importance of there being regulatory certainty in how CBPR operates – including statutory recognition of the system in data protection laws and promotion by regulators, including how they consider it during enforcement and investigations
  • the challenge of convincing vendors to certify, even if the procuring company offered to pay – as the wider benefits were not clear enough to the vendor.

The panelists agreed there is a need to demystify CBPR.

Throughout the event there were positive references to the multi-lateral nature of the CBPR, that it generates collaboration between stakeholders and the global dimension now creates an inclusive approach. Discussion also covered the issue of trust and how the structure, process and reliability of CBPR can all contribute to realising it in practice. Despite the lack of detailed plans for reforming CBPR to enhance interoperability with other data protection laws internationally, the conference highlighted the importance of such reforms as a pivotal factor in encouraging countries to join the initiative.

AI and CBPR

There was also considerable discussion about the role CBPR can play in AI governance and demonstration of accountability across borders. The panel discussing AI and CBPR suggested the CBPR principle on preventing harm could play a significant role in AI governance. There were mixed views on how far CBPR should go to cover AI as this could make the certification more complex and daunting for new companies. The discussion suggested that there could be a CBPR plus AI as one solution.

There was also interest in how CBPR certification was often put in place alongside ISO certifications such as 27001 (less so for 27701). The future is likely to require companies to undertake data governance plus compliance plus ethics – CBPR could help link these elements.

The Dance of Participation

The Global CBPR System is now up and running and accountability agents can start issuing new certifications from this summer. However, with the APEC certification grandfathered over, and the framework and country membership still the same, this is not much of a step forward towards the dance floor.

There were some interesting sessions that looked at the practical mapping of CBPR to other DP laws. Bojana Bellamy from CIPL presented a mapping of Brazil’s law to CBPR, highlighting that the level of commonality was strong and how gaps could be bridged, including use of regulatory guidance. The mapping also looked at the picture in reverse and whether the CBPR meets the Brazilian law – highlighting gaps on areas such as automated decision making and breach notification.

Building Trust through Collaboration

As part of the international data flows initiative in the G7 Group of Data Protection Authorities, the German DPA presented a mapping of the GDPR certification system and CBPR, with a particular focus on enforceability of data subject rights and differences between the regimes. Some attendees responded by highlighting the relevance of consumer law in countries such as the US, which could hold companies accountable for public assurances they provide, including certification statements, indicating that the gap may not be as great as some assume. There was also some discussion as to whether the GDPR certification approach was a fair comparison to CBPR as the GDPR approach requires conformity assessment – discussion then took place as to whether GDPR codes of conduct were a fairer match to CBPR, while noting that GDPR codes are intended to have a sector-based scope.

Sebastian Ziegler (Director General of Mandat International, with special consultative status to the UN) presented a proposal to bridge between the Europrise Privacy Seal under Article 42 and CBPR – this was an interesting proposal but some saw challenges because of the EU system’s focus on certifying processing activities not privacy management and accountability programmes – companies are likely to be more interested in the latter.

The UK also presented a plan to introduce CBPR in their jurisdiction by using a special SCC to bridge gaps with UK GDPR (this was quite light on detail and more will be coming later this year).

These technical discussions illustrated the importance of the CBPR system being reformed first, as this then makes some of the questions around bridging less complex.

The collaborative focus of these discussions is a welcome and positive feature of the Forum.

The Road Ahead for CBPR

Forum participants recognized that a patchwork of approaches will not serve anyone well – there is hope for global interoperability and to recognise data subjects as global citizens. Throughout the event there were positive references to the multi-lateral nature of the CBPR, that it generates collaboration between stakeholders and the global dimension now creates an inclusive approach. The IAF is enthusiastic about the increasing momentum towards greater interoperability and expansion through the Global CBPR Forum.
