This article was published in "The Privacy Advisor", a monthly member newsletter of the International Association of Privacy Professionals (IAPP). The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, support and improve the privacy profession globally.
International data flows are a centerpiece of today’s globalized world economy. With supply chains and business operations relying on the movement of data globally, one key takeaway for privacy regulators is the need for effective cross-border transfer mechanisms. As different data protection rules are developed and implemented throughout various countries and continents, such as the EU General Data Protection Regulation or the Lei Geral de Proteção de Dados in Brazil, the interoperability between different privacy schemes needs to be accounted for to support and establish global data flows.
This article explores different mechanisms for international transfers of personal data, discusses their key benefits and major challenges, and evaluates the importance of aligning privacy regimes effectively to create global cross-border transfer mechanisms, ensuring interoperability and mutual recognition between different privacy laws.
Approved codes of conduct are one of the mechanisms the GDPR introduced for transferring personal data to third countries (Article 46(2)(e)). Industry bodies can draft such codes themselves, but a code must meet the legal requirements of Chapter V of the regulation: it has to provide appropriate safeguards, enforceable data subject rights and effective legal remedies for data subjects, and the third-country recipients have to make binding and enforceable commitments to apply it. Once drafted, the code must be approved by the competent supervisory authority, with an opinion of the European Data Protection Board where it covers processing in several member states, and can then be declared generally valid within the EU by the European Commission. Adherence to an approved code then serves as facilitated proof of GDPR compliance for transfers outside the EU. The EDPB is set to publish dedicated guidelines on certification and codes of conduct as tools for transfers later this year.
One key advantage of codes of conduct is their rigorous oversight. Beyond the general supervision by data protection authorities, compliance with a code must be monitored by an independent monitoring body accredited by the competent supervisory authority. To be accredited, a monitoring body must demonstrate its independence and expertise and have complaint-handling procedures and structures in place. So, like the codes themselves, monitoring bodies operate only with the official endorsement of the competent DPA.
Brazil’s new privacy regime, the LGPD, took a page out of the GDPR’s playbook and also introduced codes of conduct as cross-border transfer mechanisms. While the exact implementation of codes under the Brazilian law is still being discussed, it is worth striving for alignment between European third-country transfer codes and their Brazilian counterparts. Ideally, mutual recognition schemes could help organizations streamline compliance with multiple cross-border transfer frameworks, not only between Europe and Brazil but globally. This depends, of course, on the actual requirements of the respective privacy laws: the more similar the obligations for data transfers, the more directly cross-border interoperability can be achieved.
This approval and oversight structure is broadly the same approach taken under the APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) systems, which are used by data controllers and processors, respectively. While these programs are certifications rather than codes of conduct, there are broad parallels. Specifically, a participating company must adhere to the program requirements, and its compliance is verified by a third party. In the case of the CBPR and PRP systems, this third party is an accountability agent that must itself be approved by the Asia-Pacific Economic Cooperation member economies before it can perform such oversight.
And there is precedent for a comparative analysis of different transfer instruments in the 2014 BCR-CBPR Referential, which sought to identify commonalities between the two approaches. The aim of that project was not to fully harmonize the two instruments but to establish a clear path for companies seeking streamlined participation in both. That goal is an appropriate and achievable one that could guide future discussions between interested governments and companies. Several CBPR/PRP-certified companies have been involved in developing the EU Cloud Code of Conduct, which is a valuable resource in this regard: it particularizes Article 28 of the GDPR by focusing on requirements for processors and thereby serves as a sufficient guarantee pursuant to Article 28(5). Once approved, this code could readily be extended to also serve as a transfer tool for third countries. In that context, aligning with existing initiatives, such as the CBPR and PRP systems or the concepts for processor-to-processor standard data protection clauses, will be key to ensuring alignment across borders.
All of this presents an opportunity to reengage in interoperability initiatives so that companies can more readily incorporate both kinds of transfer instrument into their global privacy policies and practices. In fact, companies themselves are well positioned to take a leading role in demonstrating how these efficiencies can be put to use in their global approaches to data protection, as Merck did in using its CBPR certification as the basis for its binding corporate rules approval.
As modern economies rely on robust international transfer mechanisms, it is crucial to ensure interoperability when privacy laws are introduced, adopted and implemented. Tools like approved codes of conduct and the CBPR and PRP systems are examples of how to ensure alignment and how to create an innovation-friendly environment for companies.