On December 9, 2021, Ann LaFrance, SPB Senior Partner and Vice President of the International Institute of Communications (“IIC”), moderated a panel discussion involving U.S. and international stakeholders’ perspectives on privacy and data protection trends and the value of interoperability in cross-border data transfers at the IIC’s (virtual) annual Telecommunications & Media Forum (“TMF”) in Washington DC.
The panelists discussed a wide range of topics, including the prospects for interoperability between and among national data privacy and protection regimes, data localization, emerging international frameworks, enforcement challenges and consumer trust. A summary of the major themes covered by the panelists is provided below.
Stakeholders in the U.S. and abroad recognize the importance of facilitating cross-border transfers of personal data, and are advocating for interoperable privacy laws, including agreement on a new framework to replace the EU-US Privacy Shield (“Privacy Shield”), which the European Court of Justice concluded was invalid from an EU law perspective in 2020.
One emerging framework to facilitate the free flow of personal data is the Asia-Pacific Economic Cooperation (“APEC”) Cross-Border Privacy Rules (“CBPR”) System, which currently has nine participating countries, including the United States and Mexico. The panelists discussed the conditions for an effective cross-border interoperability regime, including the following principles:
- Be transparent so that it is not difficult to comprehend what companies are doing with an individual’s data;
- Empower individuals by giving them rights over their own data;
- Promote corporate responsibility among companies that collect personal information;
- Have a strong enforcement mechanism to ensure that if consumers are granted rights they also have adequate remedies;
- Respect national sovereignty but limit data localization where necessary for national governments to protect legitimate state interests; and
- Be sufficiently flexible to allow for the evolution of technology and evolving regulatory requirements.
Although there is a consensus on the value of interoperable privacy regimes, there is also a recognition that there are different perspectives on what the critical elements of “interoperability” should be, how they should be implemented and what enforcement mechanisms should apply.
Data localization laws place restrictions on where personal information may be stored and processed. The panelists discussed the impact of data localization laws, including:
- The obstacles data localization laws create for businesses seeking to serve customers both globally and locally (e.g., significant operational costs), which affect cross-border commerce;
- Governments’ national security and law enforcement interests; and
- The need to balance the benefits of enabling data to flow freely across borders with the legitimate interests of governments to protect their citizens.
Emerging International Frameworks
Two models of interoperability were the focus of discussion: the APEC CBPR System, and the EU “adequacy” test established under the EU General Data Protection Regulation (the “GDPR”). The panelists discussed the benefits and challenges of both models and observed that, although the GDPR is generally considered a more stringent regime, the two models are not incompatible and there are countries that participate in both (e.g., Japan, Canada).
The panelists agreed that establishing a global privacy standard is challenging because privacy is culturally rooted, and each country may have a different understanding of human rights and civil liberties. Thus, what may be considered “private” in one country may not be so in another, which could affect the enforcement mechanisms included in each country’s privacy regime. The panelists also identified additional challenges in privacy enforcement, including the:
- Importance of allocating sufficient resources and enforcement powers to data protection authorities so they can promote accountability and secure redress for consumers;
- Privacy considerations in the public and private sectors, which may sometimes be divergent; and
- Importance of developing legally enforceable mechanisms that evolve alongside changing technology.
From the consumer perspective, ensuring trust in online transactions is an imperative that will require laws designed to protect consumer privacy by default, including strong data minimization requirements, as well as effective opt-out mechanisms, such as global privacy controls that can be activated through browser settings.
There was a general consensus that we are now approaching an inflection point, with new and divergent privacy laws coming into force around the world, such as the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD), China’s Personal Information Protection Law (“PIPL”), California’s CCPA/CPRA and a number of other privacy laws at the state level in the U.S. The panelists agreed that the next five years will be critical to the development of a global consensus on the minimum interoperability requirements to legitimize cross-border data flows in a world that is ever more reliant on the global internet.