Is the New US-Led Data Privacy Forum Just Another Noodle in the Regulatory Soup?
On April 21, the establishment of the Global Cross-Border Privacy Rules (CBPR) Forum (“the Forum”) was announced by the US secretary of commerce, Gina Raimondo. Canada, Japan, the Republic of Korea, the Philippines, Singapore, Taiwan and the United States are its founding members. Raimondo called it “a historic moment for international cooperation in the digital sector.”
How does the Forum fit in the “noodle bowl” of international digital trade governance? Is it just one more noodle in an already thick regulatory soup, or is it, finally, the awaited recipe for a clear broth, in the form of a “single data area” that would make moving data across borders both simpler and cheaper for businesses whose operations depend on it?
According to the official statement released by Commerce Secretary Raimondo, the Forum is meant to achieve the latter: “The establishment of the Global CBPR Forum reflects the beginning of a new era of multilateral cooperation in promoting trusted global data flows that are critically important to our modern economy.”
To achieve this aim, the Forum will promote the Asia-Pacific Economic Cooperation (APEC) CBPR System, from which firms will be able to obtain data privacy certifications that demonstrate their compliance with the CBPR. Under the APEC CBPR System, accountability agents — recognized, but independent, public or private sector entities — are responsible for certifying firms that comply with the CBPR. At the time of writing, 49 companies were listed as being compliant (or certified) under the CBPR System.
To make sense of the Forum, it is necessary to see its creation in the context of the Indo-Pacific Strategy of the United States. Addressing the various challenges posed by China is at the core of the strategy: “Our objective is not to change the PRC [People’s Republic of China] but to shape the strategic environment in which it operates, building a balance of influence in the world that is maximally favorable to the United States, our allies and partners, and the interests and values we share.” A “new digital-economy framework” to govern digital economies and cross-border data flows “according to open principles” is one of the ways that the United States has identified to shape China’s strategic environment and deliver prosperity in the region. The fact that the Forum’s other founding members, except for Canada, are from Asia supports the notion that the Forum’s original raison d’être is to be found in the United States’ Indo-Pacific Strategy.
If the Forum is just going to promote the APEC CBPR System and its certification process, it begs the question: What’s the point? There is nothing “historic” here.
However, according to its declaration, the Forum is also expected to “disseminate best practices for data protection and privacy and interoperability” and “pursue interoperability with other data protection and privacy frameworks.” And this is to be done through “consultation and exchange of views among representatives of members” and “active multistakeholder participation.”
Presumably, this means that the Forum wants to build on the APEC CBPR System but outside the APEC, which has been unable to update its privacy framework since 2005. Being outside the APEC’s aegis also allows non-APEC countries to join. On May 3, several non-APEC country representatives participated in a stakeholder meeting organized by the United States to discuss the Forum. Finally, taking the CBPR System away from the APEC is another way for the United States to weaken China’s economic orbit and its influence on international standards affecting the digital trade.
To deliver on its Indo-Pacific Strategy’s proposed digital-economy framework, the United States could have instead chosen to rejoin the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) and build on the agreement’s e-commerce chapter. Alternatively, or in addition, it could join the Digital Economy Partnership Agreement (DEPA) created by Chile, New Zealand and Singapore (with Canada and the Republic of Korea intent on joining). Why build yet another framework for international cooperation in governing digital trade?
The answer is two-fold. First, bashing the then Trans-Pacific Partnership (TPP) helped with Donald Trump’s election to the presidency in 2016, which is why he pulled America out of the TPP upon his arrival at the White House. President Joe Biden’s administration and the Democrats in Congress, therefore, want to avoid giving extra ammunition to the Republicans in the November mid-term elections. Second, China has applied to join both the CPTPP and the DEPA. Although it is highly unlikely that China’s applications will be approved anytime soon, it would put existing CPTPP and DEPA member states in an awkward position if they were to fast-track negotiations with the United States while stalling China’s. They would likely face retaliation from China, which they would rather avoid as China remains a key trade partner.
To conclude, it remains that the ideal situation for international digital trade is not a new noodle in the regulatory soup and direct rivalry with the European Union’s General Data Protection Regulation (GDPR), but integration: i.e., the formation of a single data area where data can flow freely between the member states because they share similar, high-quality standards that will enable their consumers, businesses and governments to trust that their data is safe wherever it is found in the area. Ideally, the United States, the European Union and their economic partners should work together to develop an International Data Standards Board or a Digital Stability Board responsible for creating and enforcing an international single data/digital area between member states.
Click here to read Patrick Leblond’s original blog post published by the Centre for International Governance Innovation.