Data Privacy Certification: Establishment of Global Cross-Border Privacy Rules Forum and Resurrection of the Privacy Shield
On Thursday, April 21, 2022, US Commerce Secretary Gina M. Raimondo issued a statement on the establishment of the Global Cross-Border Privacy Rules (CBPR) Forum. The forum consists of Canada, Japan, the Republic of Korea, the Philippines, Singapore, Chinese Taipei, and the United States of America. The forum intends to establish the Global Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) Systems, which will be first-of-their-kind data privacy certifications that help companies demonstrate compliance with internationally recognized data privacy standards.
The new Forum will also facilitate trade and international data flows and promote global cooperation, building on the countries’ shared data privacy values while recognizing the differences in their domestic approaches to protecting data privacy. Privacy scholar Dr. Graham Greenleaf tweeted that the Global CBPRs is a worthless reheating of APEC CBPRs, which after 10 years has only 3 active economies with certified companies: USA (36); Japan (3); Singapore (4). Certification is to 1980 standards. Canada, Korea, the Philippines & Taiwan just pretend to be involved.
This announcement comes weeks after a political “agreement in principle” on a new EU-US data sharing system, announced on March 25, 2022, by European Commission President Ursula von der Leyen and US President Biden. That agreement followed 21 months of uncertainty surrounding transfers of personal data from Europe to the United States.
In July 2020, the Privacy Shield framework regulating data transfers from the European Union (‘EU’) to the US (successor of the previous ‘Safe Harbour’ mechanism) was declared invalid by the CJEU in the Schrems II Ruling (CJEU-C-311/18). This was essentially due to concerns around US surveillance laws, which allow US intelligence agencies unfettered access to EU data subjects’ personal data. Consequently, a high degree of legal uncertainty was created around the flow of data to the US.
Following this Ruling, the Standard Contractual Clauses (‘SCCs’) issued by the European Commission were widely relied upon for such data transfers. But the workability of the SCCs has also been called into question by subsequent decisions issued by national data protection supervisory authorities. In fact, decisions issued by the DSB and the CNIL have determined that European website operators relying on the SCCs for the transfer of data to US-based Google Analytics are in breach of the GDPR. As in the Schrems II ruling, the authorities concluded that the SCCs do not sufficiently prevent US intelligence authorities from gaining access to such data.
While the text for the new Privacy Shield has not yet been published, critics such as Maximilian Schrems have described the announcement as merely ‘lipstick on a pig’, referring to the introduction of solely superficial changes to the invalidated Privacy Shield, without actual amendments and solutions to the persistent problem of US surveillance on EU personal data.