On April 21, the establishment of the Global Cross-Border Privacy Rules (CBPR) Forum (“the Forum”) was announced by the US secretary of commerce, Gina Raimondo. Canada, Japan, the Republic of Korea, the Philippines, Singapore, Taiwan and the United States are its founding members. Raimondo called it “a historic moment for international cooperation in the digital sector.”
How does the Forum fit in the “noodle bowl” of international digital trade governance? Is it just one more noodle in an already thick regulatory soup, or is it, finally, the awaited recipe for a clear broth, in the form of a “single data area” that would make moving data across borders both simpler and cheaper for businesses whose operations depend on it?
According to the official statement released by Commerce Secretary Raimondo, the Forum is meant to achieve the latter: “The establishment of the Global CBPR Forum reflects the beginning of a new era of multilateral cooperation in promoting trusted global data flows that are critically important to our modern economy.”
To achieve this aim, the Forum will promote the Asia-Pacific Economic Cooperation (APEC) CBPR System, from which firms will be able to obtain data privacy certifications that demonstrate their compliance with the CBPR. Under the APEC CBPR System, accountability agents — recognized, but independent, public or private sector entities — are responsible for certifying firms that comply with the CBPR. At the time of writing, 49 companies were listed as being compliant (or certified) under the CBPR System.
If the Forum is just going to promote the APEC CBPR System and its certification process, it begs the question: What’s the point? There is nothing “historic” here.
However, according to its declaration, the Forum is also expected to “disseminate best practices for data protection and privacy and interoperability” and “pursue interoperability with other data protection and privacy frameworks.” And this is to be done through “consultation and exchange of views among representatives of members” and “active multistakeholder participation.”
Presumably, this means that the Forum wants to build on the APEC CBPR System but outside the APEC, which has been unable to update its privacy framework since 2005. Being outside the APEC’s aegis also allows non-APEC countries to join. On May 3, several non-APEC country representatives participated in a stakeholder meeting organized by the United States to discuss the Forum. Finally, taking the CBPR System away from the APEC is another way for the United States to weaken China’s economic orbit and its influence on international standards affecting the digital trade.
To make sense of the Forum, it is necessary to see its creation in the context of the Indo-Pacific Strategy of the United States. Addressing the various challenges posed by China is at the core of the strategy: “Our objective is not to change the PRC [People’s Republic of China] but to shape the strategic environment in which it operates, building a balance of influence in the world that is maximally favorable to the United States, our allies and partners, and the interests and values we share.” A “new digital-economy framework” to govern digital economies and cross-border data flows “according to open principles” is one of the ways that the United States has identified to shape China’s strategic environment and deliver prosperity in the region. The fact that the Forum’s other founding members, except for Canada, are from Asia supports the notion that the Forum’s original raison d’être is to be found in the United States’ Indo-Pacific Strategy.
To deliver on its Indo-Pacific Strategy’s proposed digital-economy framework, the United States could have instead chosen to rejoin the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and build on the agreement’s e-commerce chapter. Alternatively, or in addition, it could join the Digital Economy Partnership Agreement (DEPA) created by Chile, New Zealand and Singapore (with Canada and the Republic of Korea intent on joining). Why build yet another framework for international cooperation in governing digital trade?
Although the Forum is an important piece of the US Indo-Pacific Strategy, it also allows the United States to offer an alternative to the European Union’s General Data Protection Regulation (GDPR), and, therefore, to prevent the European Union from setting personal data-protection standards for the world.
The answer is two-fold. First, bashing the then Trans-Pacific Partnership (TPP) helped with Donald Trump’s election to the presidency in 2016, which is why he pulled America out of the TPP upon his arrival at the White House. President Joe Biden’s administration and the Democrats in Congress, therefore, want to avoid giving extra ammunition to the Republicans in the November mid-term elections. Second, China has applied to join both the CPTPP and the DEPA. Although it is highly unlikely that China’s applications will be approved anytime soon, it would put existing CPTPP and DEPA member states in an awkward position if they were to fast-track negotiations with the United States while stalling China’s. They would likely face retaliation from China, which they would rather avoid as China remains a key trade partner.
So, the best solution for the United States and its Indo-Pacific partners is to pursue a new framework to govern digital trade.
The Forum also doesn’t jeopardize the CPTPP, the DEPA or the Digital Economy Agreement (DEA) between Australia and Singapore. Because the DEPA and the DEA are much broader in scope than the Forum, which focuses only on protecting personal information for the time being, they are not in direct competition with the Forum. By being members of the Forum, DEPA and DEA members could actually achieve some of those agreements’ objectives. This would explain why Singapore, as a member to both the DEPA and the DEA, did not see any contraindication in also being one of the Forum’s founding members.
The Forum is also complementary to the CPTPP’s chapter on electronic commerce. This is because the CPTPP requires its members to adopt laws and regulations that protect personal information, which “should take into account principles and guidelines of relevant international bodies.” The Forum’s rules already satisfy the CPTPP’s requirement, since the APEC CBPR System is specifically mentioned in the digital trade chapter of the Canada-United States-Mexico Agreement, which is itself modelled on the CPTPP’s e-commerce chapter.
Although the Forum is an important piece of the US Indo-Pacific Strategy, it also allows the United States to offer an alternative to the European Union’s General Data Protection Regulation (GDPR), and, therefore, to prevent the European Union from setting personal data-protection standards for the world. Until now, the GDPR has been seen as the world’s best practices for protecting personal information. The European Union has also been able to use its market size to push its trade partners to adopt laws and regulations aligned with the GDPR (through the European Commission’s adequacy decisions) for businesses in these countries to access (i.e., import) personal data from the European Union.
Although the Forum calls for interoperability with other systems, it is not clear whether this will be possible with the GDPR. For the time being, the European Union does not consider parts of the APEC CBPR System as adequate (as made clear in the European Commission’s adequacy decision for Japan). So, Forum member states that want to allow their firms to access personal data from the European Union would still need to have their laws and regulations aligned with the GDPR. The same would apply to companies certified under the CBPR System. They would not qualify to flow data freely from Europe; they would need to obtain firm-specific permissions allowed under the GDPR.
It is also questionable whether the United States can provide leadership in updating the CBPR System through the Forum to offer global best practices. Without a federal privacy or data-protection framework in place, Washington has little to offer in terms of rules to promote.
This is potentially the weakest part of the US plan with the Global CBPR Forum. To make the latter effective, the United States needs to begin by adopting a national personal information protection framework at home (only some US states have such frameworks now). Otherwise, the Forum will end up being just another governance noodle in the digital trade soup and countries will continue looking to the European Union for best data-protection practices.
To conclude, it remains that the ideal situation for international digital trade is not rivalry between the Forum and the GDPR, but integration: the formation of a single data area where data can flow freely between the member states because they share similar, high-quality standards that will enable their consumers, businesses and governments to trust that their data is safe wherever it is found in the area. Ideally, the United States, the European Union and their economic partners should work together to develop an International Data Standards Board or a Digital Stability Board responsible for creating and enforcing an international single data/digital area between member states.
