Privacy Lawls with Donata
Ep. 13 | Global, Cross-Border Privacy (Guest: Divya Sridhar Ph.D.)
What does it mean to transfer data across borders? How can this be a problem? Why are businesses shipping your information to other places to be ‘processed’?
We discuss all this and more with Dr. Divya Sridhar, Vice President of Global Data Privacy & Operations.
Transcript
Hello and welcome to episode 13 of Privacy Lawls, where I, Donata Stroink-Skillrud, speak with amazing privacy professionals and where we have some laughs along the way as well. This podcast is brought to you by Termageddon, an auto-updating Privacy Policies generator. Today I’ll be speaking with Dr. Sridhar about the Global Cross-Border Privacy Rules Forum. Divya is the Vice President of the Global Privacy Division and Privacy Initiatives Operations at BBB National Programs. Her portfolio encompasses the design, development and launch of multiple industry self-regulation programs, including the Digital Advertising Accountability Program, the Digital Health Privacy Program, and the Teenage Privacy Program. She’s a seasoned leader focused on data privacy, AI, and privacy-enhancing technology policies at the international, federal and state levels. In the past, Divya served in numerous capacities at think tanks, private companies and nonprofits, leading government affairs and policy work specializing across the health and education technology sectors. Divya recently spoke at the IAPP Global Summit and at the IAPP Privacy Security Risk conference, and she regularly speaks on data privacy and tech policy related issues at national events and conferences. She has written books and authored publications in the fields of tech, privacy and public policy. She holds a PhD and a master’s degree in public policy and a bachelor’s degree in finance. So, Divya, thank you so much for joining me on this chat today. Can you tell us a little bit about BBB National Programs, what its goals are, and what types of projects you work on?

Absolutely. Good morning and thanks so much for having me today. A little bit of history, I think, will go a long way here. So BBB National Programs is the sister entity of the Better Business Bureau. You all may be familiar with the BBB, or the Better Business Bureau, which was for many years, for close to 50 years, one entity up until about 2019.
And in 2019, BBB National Programs, a 501, which I now work at, and I’m on the management team for BBB National Programs, spun off from the BBB. And so you can think of us now as sister organizations. Our CEO, you know, sits on the board of the BBB and vice versa. And so we have a set of common goals and missions. First off, the BBB is the rating and the accreditation body, for those that are not familiar, so they handle complaints across local chapters. And BBB National Programs is, you know, a mission-driven organization. Our vision is to support industry with self-regulation and greater accountability in the marketplace through our privacy and advertising programs. So you’ll see that our missions are very much aligned, and we carry this very similar logo to the BBB, as well as a form of marketplace recognition. And so that’s just a bit about us.

Very cool. I think most of us think of BBB as a way to look up whether or not a company is shady or read customer reviews. So it’s really cool to see that you have this other industry-helping portion of this as well. So it’s not just about consumers, it’s helping businesses as well. And for you yourself, I mean, you’ve had a really distinguished career in public policy. Do you have any advice for people who want to work in public policy but are really just not sure how to get there?

Absolutely. So I’ll say, don’t feel that you need to take a cookie-cutter approach to public policy, and you don’t have to do that to succeed. I followed a really nontraditional path. So most folks who are in the public policy space and who are seasoned leaders, they land a congressional internship or a fellowship right on the Hill, right out of college, and then they go to law school. I think that’s great. I think it’s one route, and that’s an easy way to really make a mark in the policy space. I, on the other hand, my enthusiasm in policy really stemmed from my interest in policy research and writing and prose ever since high school.
And so when I graduated from high school and college, I wasn’t really in the economic situation to pursue law school right away or to take on an unpaid congressional internship. So instead I decided to pursue the academia route. And so I completed my PhD in public policy while concurrently working part time in the policy space. So what that helped with was, when I was completing my PhD, HIPAA, the health sectoral privacy law, was being drafted and passed. And so that was a really amazing opportunity for me to learn more about the field of health information privacy and health education, sorry, health technology, and women’s rights issues as well. And so, you know, needless to say, I think my best advice is don’t be afraid to dive in, to take risks and to approach the field of policy from a non-traditional manner or non-traditional route.

I feel like working in public policy would be so satisfying because you’re working on larger issues, right? Like, for us working in, at least for me, working in the private sector, a lot of times my days are just, you know, figure out what this law means and how it affects people and all this other stuff, but you get to shape all these things, which I think must be really satisfying. And what made you interested in this kind of work?

Yeah, the way I think about it, because I’ve worked both in healthcare policy, education policy, and now more broadly in tech, data privacy and AI policy. And I’ve also worked across nonprofit and, you know, the for-profit sector. But the common thread has been this love for, like I said, writing, for policy research, and to explore a three-step process. I’ve really always tackled my work, my everyday, in these three steps. So first, identify the policy challenge or the problem that we’re seeing, whether it’s data privacy laws or regulations that need to make the mark in a specific state or in a specific jurisdiction. Kind of think through that in a concrete manner.
Second step, kind of question what’s worked so far in terms of policy compliance, either laws, regulations or solutions. And what isn’t working? What has created the status quo for consumers, businesses and regulators? And then finally, think through what potential future solutions could work. And that might mean amendments to a specific bill or to a law. It might mean soft-touch regulation in spaces like AI where maybe we don’t need a law right away, right. Maybe we don’t need to rush in to stifle innovation. Maybe it’s a soft-touch approach where organizations like our own, like BBB National Programs, can help with co-regulation with a government entity and then provide that industry expertise so that we’re not stifling companies and their potential, their ability to do well in the marketplace. So I think that three-step process has always worked for me when I’m thinking about every part of my career and how I’ve tackled projects in the past.

Yeah, it’s interesting that you say that, because this is a great segue into talking about step three, solutions, and the CBPR Forum, which is a solution for a really, really big problem that we’re facing right now in privacy. But before we kind of get into that particular portion, let’s just take a second to make sure that everybody’s on the same page. What does it mean to transfer data across borders?

Yeah, I love that question. I think a lot of times when we talk about policy issues, especially in the privacy space, we think everybody’s in the know, and there is a lot of education and awareness building that needs to happen, I think, in the marketplace, especially for consumers that are not on the same page. So let me take this 10,000-foot approach to answering this question. Many trillions of dollars, trillions of dollars in data flows transfer across borders in our digital economy. So this could mean everything from every retail purchase that a consumer makes.
The advertising you receive when you’re on a social media platform or other sites and you’re seeing this tailored advertising about a specific handbag or an outfit that would work for your personalized opinion. That’s data that’s being transferred and helping to tailor that advertising to you and to your personal profile. Or whether it’s something more common, such as leveraging health services, the apps that track your steps and your fitness goals, as well as financial services. So in the consumer finance space, this is particularly common, and it’s an unregulated sector. So all those activities really are data being transferred in an organic manner on the day to day. And so it doesn’t mean that you have to own your own business or to be in a position of power to actually be a part of a data transfer. Consumers in the day-to-day world are routinely a part of the business-to-business and business-to-consumer transactions.

Yeah, and a lot of this data transfers across borders as well. You know, a great example that we see every day is a small business owner has a virtual assistant in another country, so they would transfer data there, or maybe they’re using some kind of advertising service where that data is transferred to another country for processing. So it happens every single day. But why is this cross-border transfer problematic, especially for businesses?

Yeah, I think it’s really interesting. It’s a matter of this broader information asymmetry that’s part of the marketplace today. Consumers are typically aware of when the data is being transferred between them and the business that is offering an online product or service to them, right? So you’re usually aware of what data, your personal information, that you’re sharing with that business.
What a consumer may not be aware of is the way that that business is actually using that data in various contexts, including when the business is housing that data on a platform or other service that is potentially headquartered or located in a different country. That company that is offering you a product or service may have multiple subcontractors, vendors that it’s using in other countries that also leverage your data or have access to that data specifically as part of a contract with that business. And then there are other entities out there, like data brokers, like advertisers, that may or may not be using your data for other purposes that are not stipulated or not part of a contract with you as the consumer. So the consumer may or may not have consented to the use of that data that is then being leveraged in other ways or in other manners that can actually benefit the consumer. Like, you know, in instances like tailored advertising, I like getting ads that, you know, kind of focus on me as an individual and kind of my likes and dislikes when it comes to clothing or handbags or whatever it is. But there are other instances of that, that are kind of this gray market of data where a lot of times consumers are not aware. So, big picture here. The Federal Trade Commission and other regulatory bodies are cracking down now on the flow of this data and the fact that that data is being shared and sometimes sold without the consumer’s consent in this third-party context. And that’s where cross-border transfers, especially across borders where the laws in the US versus the laws in other countries, other regions, other territories may be different, and trying to align that can be challenging. So you don’t always know whether that vendor that’s located abroad has the same quality of privacy laws and regulations that it is meeting compared to the companies in the US. And also I have to remind us, we don’t have a federal privacy law in the US either.
So that’s another important kind of nuance here, is that we’re sharing data with other countries that may or may not have a higher standard of privacy laws. And this could create, of course, some challenges when it comes to protecting consumers’ data privacy and security when it’s shared across borders.

Yeah, and especially in the US. I mean, a lot of us have been dealing with or heard about the whole issue with data transfer to the US because US national security authorities may access this data and it’s not being provided with the same level of protection. And privacy laws are different across different countries and, in the US, across different states as well. And that’s what makes compliance so hard, is because there is no one universal standard that you can use to transfer this data back and forth, until this came out. So the Global CBPR Forum. What is it, like what countries was it established by and why was it established?

Absolutely. So I want to make sure that we’re clear on terminology, and you’re correct, I think the Global CBPR Forum, this is not a new, it’s relatively new, but this is not the announcement that was made this week. To be clear, the Global CBPR Forum was established very recently. So about two years ago, in 2022. It is an organization of a number of countries that have come forward. They’ve stepped forward to establish a CBPR and PRP privacy recognition certification system. And so the announcement made this week, I’m sorry, was it last week?

Last week, I believe.

Yeah. The announcement made last week focused on the US Department of Commerce and other participating regulators of the Global CBPR Forum that was established two years ago. They came forward and they said this system is going to go live. And they are designating accountability agents like BBB National Programs to help with actually certifying companies to these new requirements that are part of this universal framework.
So just to be clear, the Global CBPR Forum is a group of countries that are all backing this potential framework, or this now finalized framework. And the framework itself is being certified against by accountability agents that are acting on behalf of the privacy enforcement regulators. Also, I think a little bit of history may be helpful just to kind of give a little bit more context about how the Global CBPR certification systems came live and how this whole process has come together, because it happened fairly quickly. So that folks are aware, back in 2005, the APEC economies all came together with a common mission to promote free trade through the Pacific region, and they built the original APEC CBPR framework. Fast forward to June 2012. That’s about seven years later. The US joined that APEC CBPR forum, or that forum of economies. And we’ve seen a number of additional economies that have jumped on as well. And then that’s when, in 2022, the Global CBPR Forum was born. And it basically took a lot of the requirements from the APEC CBPR forum and from that framework and established a much more broad and global system that will allow for more economies to participate outside of just the APAC region. So that’s kind of putting the pieces together, from forum to framework to now a certification system that really has gone live and can give businesses the accountability and kind of empower them to do the right thing.

So I know each country has slight differences, like psychological understandings about privacy. They have different legal frameworks. How does the Forum bridge these differences to come up with one framework?

Yeah. The beauty is that all the countries believe in a free flow of data through the OECD principles and through this joint trust in data free flows.
And it’s a shared democratic vision that can kind of overcome the differences in the cultural and legal frameworks that are part of each of the individual countries that are participating. So we’ve worked to understand how the CBPR compares to other multilateral data flow arrangements across borders, because I think a lot of companies are probably wondering how the CBPR framework, as a baseline, would compare to the EU GDPR, which many companies have had to comply with in the last five years. It focuses on the European region. Or compared to the EU-US data flow mechanism, which is the Data Privacy Framework, and so on and so forth. So, just to give you a sense, when it comes to the requirements in the CBPR framework, the Global CBPR framework, we have noted that the alignment between the GDPR and the CBPR framework is close to about 60% alignment. So a lot of the requirements, more than half of the requirements, are the same. There’s a 70% alignment between the DPF and the GDPR, and an 80% alignment between the DPF and the CBPR process. So that DPF includes EU-US as well as an extension for the UK and Switzerland, and the CBPRs, which are now global. So, as you can see, while there are differences across cultural and legal frameworks, there’s a way to bridge the gap by having alignment in the requirements across a lot of these data free flow with trust based frameworks.

That must have taken a really long time and a lot of effort to map those similarities. I’m sure that was very time consuming.

Absolutely. I think, and I can’t say that we’ve done it all in house. We’ve leaned on a number of well-recognized think tanks like CIPL. They have done a great job of kind of doing some of the groundwork on understanding the alignment. And then our in-house alignment was that data point around 80% between the DPF and the CBPRs.

So what are some of the privacy principles used here?
Yeah. So the APEC, the original principles, which now have carried forward into the Global CBPR, include nine key areas. First, preventing harm. Second, notice, which is basically a function of transparency to the consumer. Limiting the collection of data to a purpose that’s necessary and proportionate to the service or the product that is being provided. Uses of personal information, so making sure that we’re clear as to, like I mentioned before, you know, whether you’re using that personal information for providing the product, or maybe it’s for advertising or for other things, that needs to be clear. Or if the business is sharing that data with other contractors, that needs to be clear. Choice to consumers, integrity of personal information, security safeguards, access and correction of the consumer data, so consumers have the right to make amends where necessary to their own personal data, and then accountability. So ensuring that you’re using other organizations to check your homework and make sure that, you know, you’re meeting those requirements.

Yeah, I can definitely see a lot of parallels between this and other privacy laws, which is really cool because, you know, it saves companies time when it comes to compliance. So BBB National Programs is the only nonprofit accountability agent providing CBPR and Privacy Recognition for Processors certification, which is huge. So what was the process of being chosen as an accountability agent like?

Yeah, I think that’s a great question. I think there’s a lot of misconceptions out there on the process of becoming an AA. First off, we have a really rich history. We have, like I mentioned, we’re a legacy organization that has this reputation for the work we do and for our mission. And in addition to that, we’ve got strong relationships with international governments and with regulators. We also run a domestic program known as the COPPA Safe Harbor program. And that program is a safe harbor.
It aligns businesses to the FTC’s, the Federal Trade Commission’s, Children’s Online Privacy rule. And so that’s really important. Some of these programs that have been established have really helped differentiate us as having the seasoned experience as well as the relationships with regulators to be able to do the right thing and have an understanding of aligning businesses to the laws and the regulations that are out there. With all that being said, you know, in terms of the actual process to apply, it took a fairly robust bandwidth of our internal teams. We did have to submit quite a few requirements, demonstrate the documentation about our questionnaire and what companies have to go through, the rigor that they have to establish to meet all the requirements that are part of the Global Forum’s framework. And yes, we are the only nonprofit in the space to conduct this work in the US. And so I think that’s very telling as to the kind of bar that’s been set with regard to the Global CBPR.

Absolutely. And I think it’s a very important position with a lot of different responsibilities that have to be taken very seriously. So obviously this shows that you do that. But what are some of the responsibilities of accountability agents?

Yeah, absolutely. Well, I think you were first asking, you know, what do accountability agents look like? Can I say tall, dark and handsome, and essentially my husband? I’m kidding there. But as an accountability agent, you know, we get certified with the US Department of Commerce every two years. And so the Department of Commerce has to verify our application. The DOC is actually the regulator that participates in the Global CBPR Forum. And there are other regulators that are on the joint oversight committee, that are part of that committee. All of this application that we submit has to be reviewed by that entire board, including the US, but also other international regulators.
So there is kind of almost a multi-step process. And it’s not just, there’s no buffer just because it’s a US regulator. And so that process undergoes quite a bit of verification of our application and ensuring that we’re, like I said, meeting the requirements that are part of the Global CBPR framework. We work with businesses of all sizes to help them get certified in the participating jurisdiction of the privacy regulator that has been recognized to participate in the Global CBPR PRP framework. You know, we are allowed to work with the US Department of Commerce as long as the company is headquartered in the US. So that’s an important differentiation I want to make. There might be AAs in other countries that are co-regulatory bodies. They may be non-NGOs, but within the US there is no designation like we have to be an NGO or we have to be either for-profit or nonprofit. Our process is, you know, kind of unique to the US and kind of their requirements for us.

Got it. So let’s say a business does want to obtain a certification. What does that process look like?

Absolutely. So I’m glad you asked. It’s a very simple four-step process, but just know that this can take, you know, months. And so it’s a fairly robust process, but the initial intake is fairly quick. Step one, businesses, as I mentioned, you don’t have to be a very large company, a lot of the smaller companies have really benefited from participating in this. Step one, they submit the online application. Step two, sign the contract. As soon as the company has signed the contract and they’re ready to move forward, we provide a number of materials to help onboard the companies and give them, you know, a little bit of a primer on what they need to have ready to go in order to submit the appropriate documentation. We do this because we know, even though the CBPR requirements for obtaining the certification are all public, we know that companies need the hand holding.
It really benefits them to have us sit down and say, okay, by this requirement, this actually means you need this specific documentation in your privacy policy. Or by this requirement, this means that we need to be able to see how your security standards match to what is mentioned in the requirements. So we do a lot of hand holding when it comes to providing the materials companies need to get up to speed and get ready to go. Step three is completing the certification questionnaire. That really aligns very, very closely to the CBPR framework itself, because those questions need to be almost nearly identical. But we provide, again, additional guides to help with answering the questions, and that guide will help companies feel comfortable and feel like, even if they’re answering a yes or no question, that they’re meeting the necessary level of commitment that they need to, to be able to say yes, because this is a formal, robust accountability process. And then step four, get your seal. So this can take anywhere from, I would say, two to three months for the smaller companies, maybe a little bit longer for the larger companies, but it really depends on whether the company has all their ducks in a row or not, and whether they’re ready to go.

Very cool. I like the way that you kind of interpret the requirements and explain them to the business. You know, part of my job, I read a lot of privacy policies, which I’m, like, the only person who does that. You know, I see a lot of “we comply with GDPR because we process data under these legal bases,” and it lists out all the legal bases, including, like, the public authority legal basis, and they’re not a public authority at all. So we see so much of just regurgitating the exact text of the law and people calling that compliance. So I really like that you do that. That’s really nice.
Yeah, I mean, I know that wasn’t really a question, but just to add to that, I think I see us kind of as a translator sometimes, you know? And that’s why having that relationship with the government is helpful, because sometimes there’s a question even on the business’s behalf, and they might have spent millions of dollars on outside counsel to support them, but they don’t have a direct line to the government body who’s asking the question. And that’s where we can come in and we can have the question be phrased confidentially, not bringing in the name of the company, not referencing the company directly, but ask the question as to whether or not the company’s complying with that specific provision and get an answer. And so that’s helpful to companies, to be able to have that direct line of insight.

Yeah, that’s extremely helpful. So, lastly, do you have any tips for businesses that are considering the certification?

Yeah, I would just say, you know, we’re putting together a cheat sheet for businesses. And that’s, again, something I think is one of the things that sets us apart from other organizations or other AAs, all the hand holding that we do, and we really want to see companies succeed. We’re coming at this from, again, a nonprofit lens, and that mission that drives us. While this is going to be a rigorous process, my tip is, you know, it’s definitely worth it. You don’t necessarily want to go with just the lowest-price player or maybe a free service. As you mentioned, Donata, I think the challenge here is being able to interpret some of the questions and really have a good understanding of what’s being asked. And so you want to seek out that expertise and feel confident that when you have completed this questionnaire, that you have really met all the requirements and you’ve had strong legal expertise as well as, you know, technologists take a look under the hood.
And so while I wouldn’t say we provide legal guidance, we do have a number of attorneys in house. We have academics, you know, we have researchers who really have an understanding of privacy law. And the other thing I’ll mention is, you know, with regard to tips for businesses, you may not be thinking about dispute resolution as an important kind of vehicle to arm you. But that’s another area where we do provide, as part of our certification, DR services, dispute resolution services, in house. And that’s an area where we have a really rich history of providing support. So when consumers complain about a privacy issue, as long as it’s directly related to one of those requirements in the Global CBPRs, we’re there to help companies with those complaints and kind of hash it out before it were to go to a regulator. So that additional level of service, I think, also really helps companies. And of course, I will say, I’ll leave it to you, you know, you have to do what’s right to fit your brand, your work ethic, and, you know, help you achieve the compliance success you need to be branded as a good actor. So keep all that in mind when you’re thinking through the CBPR global certification.

Absolutely. I mean, I think so much of the certification could move into the remainder of the privacy compliance program, since there are so many overlaps. And this is something that’s not really a matter for joking, because there are fines involved and investigations and all those other things. So you definitely want to go with somebody who has that level of expertise and guidance and resources and connections. So that’s really great. So, Divya, thank you so much for taking the time to talk to me today about this. For everyone listening, please make sure to subscribe so you don’t miss our next episode.

Thank you for having me. Have a good day. Bye.