Policy Issue Summary
A single, binding global data privacy standard does not yet exist. Instead, governments and companies operate under regional systems with different priorities. The European Union’s General Data Protection Regulation (GDPR) focuses on privacy as a legal right and limits how organizations collect, use, and keep personal data. The Global Cross-Border Privacy Rules (CBPR) system takes a different approach: it uses a certification model to help companies transfer data across borders more easily. In practice, a company is reviewed against shared privacy requirements, and if it qualifies, it can display a certification mark showing that it met the program’s baseline standards. That approach can support trade, but it does not create one uniform level of privacy protection. As a result, people receive different protections depending on where they live, and companies face a patchwork of obligations.
The most important policy gaps are practical. Many companies still collect more data than they need, combine it across services, and share it with outside firms. Some use personal data to create detailed profiles for targeted advertising or to sort people into categories based on income, health interests, religion, or location. Others collect biometric information, such as facial images, fingerprints, or voiceprints, without strong safeguards. Data brokers deepen the problem by buying, combining, and reselling information such as location history, consumer purchases, and demographic traits, often without a direct relationship with the people affected.
A stronger international approach would not require every country to adopt identical rules, but it should establish a shared floor. At minimum, that floor should limit unnecessary data collection, require extra protections for high-risk data such as biometric and precise location information, restrict opaque profiling and micro-targeted advertising, and give people meaningful ways to challenge misuse. It should also strengthen enforcement by allowing collective complaints, raising penalties for repeat violations, and giving workers more say over workplace monitoring tools such as productivity tracking software, keystroke logging, and AI-based performance scoring.
Analysis
The best-known privacy model today is the GDPR. It matters globally because it applies not only to organizations based in the European Union, but also to many organizations outside the EU that offer goods or services to people in the EU or monitor their behavior there. The GDPR also sets out clear principles that are easy to explain in everyday language. Data minimization means collecting only the personal data that is actually needed for a stated purpose. Purpose limitation means using data only for the specific reason it was collected unless there is a lawful basis to do more. These ideas have influenced privacy laws in other countries, but enforcement remains uneven, especially against very large firms operating across borders.
The Global CBPR system reflects a different policy goal. It is run through the Global CBPR Forum and is designed to build trust in cross-border data flows through a common certification process. Under that process, a company applies for review through an approved third-party assessor, is checked against the program’s requirements, and, if approved, may display a certification mark. In practical terms, that can reduce friction by lowering the need for companies to navigate a separate certification or review process in each participating market. The trade-off is that interoperability and data movement are central aims of the system, so it is not the same thing as a single, rights-centered global privacy law.
It is therefore misleading to describe privacy governance as a simple dual system. GDPR and Global CBPR are important frameworks, but they do not divide the whole world neatly into two camps. Many countries have their own national laws, some countries participate in CBPR-related arrangements, and multinational companies often have to satisfy several overlapping systems at once. The real problem is not that two systems exist; it is that there is no single binding baseline that combines strong privacy rights with workable rules for cross-border data transfers. Until that gap is addressed, the world will continue to rely on a patchwork rather than a true global standard.
Engagement Resources
- Privacy International (https://privacyinternational.org/): A global organization campaigning against the exploitation of data by corporations and states, fighting for the right to privacy as a foundation for human dignity and systemic justice.
- Noyb – European Center for Digital Rights (https://noyb.eu/): A non-profit organization utilizing strategic litigation to enforce privacy laws across Europe, specifically targeting tech monopolies and holding them accountable for regulatory violations.
- Electronic Frontier Foundation (https://www.eff.org/): A leading nonprofit defending civil liberties in the digital world, providing extensive research and legal advocacy against invasive surveillance and corporate data overreach.
- Access Now (https://www.accessnow.org/): An international human rights organization dedicated to defending and extending the digital rights of users at risk, with a strong focus on algorithmic accountability and data protection.
- Algorithmic Justice League (https://www.ajl.org/): An organization that combines art and research to illuminate the social implications and harms of artificial intelligence, advocating for equitable and accountable data practices.
- Internet Governance Forum (https://intgovforum.org/en/about): A United Nations-convened multistakeholder forum on digital public policy that brings together companies, technical experts, and civil society to discuss issues such as data privacy, AI, and internet governance.

