Outside the U.S., and particularly in Europe, there are numerous data protection authorities with varying agendas and enforcement powers — there are 46 authorities in the European Economic Area, with 16 in Germany alone.

Neither the U.S. government nor any state had established a European-style data protection authority until 2020, when the California Privacy Rights Act, which amends and adds to the California Consumer Privacy Act, required the creation of a new California Privacy Protection Agency.

The CPPA was the first, and is still the only, U.S. state agency dedicated to privacy law rulemaking and enforcement. Over the past year, the agency has increased its cooperation with data protection authorities and bodies around the world, which may ultimately influence rulemaking and enforcement by the CPPA as well as its international partners.

CPPA's international cooperation

The CPPA's overall mandate for international cooperation is not expressly regulated within the act.

However, the CCPA provides that the funds available from enforcement fines may be used to fund cooperative programs with international law enforcement organizations to combat fraudulent activities with respect to consumer data breaches.

And it is clear that the CPPA is actively seeking international cooperation. It is a member of or cooperating with an increasing number of authorities and bodies, including the Global Privacy Enforcement Network and the Global Privacy Assembly, an international body of more than 130 data protection and privacy authorities. The CPPA was voted into the Asia Pacific Privacy Authorities forum in 2023, joining the U.S. Federal Trade Commission as the second U.S. organization to become a member of the Asia Pacific body.

Most recently, the CPPA and France's data protection authority, the Commission Nationale de l'Informatique et des Libertés, signed a declaration of cooperation to facilitate joint research, share information and convene meetings.

European DPAs' cooperation within the EU, internationally

At the EU level, local data protection authorities are members of and cooperate within the European Data Protection Board, an independent EU body established according to EU General Data Protection Regulation Articles 68-76. The EDPB participates in drawing up recommendations for the purposes of interpreting and applying the GDPR and helps to ensure the consistency of practices and sanctions emanating from the various European data protection authorities.

The European data protection authorities also cooperate in the context of the "one-stop-shop" mechanism, which applies under the GDPR's Article 56 for "cross-border processing." In principle, each authority is responsible for fulfilling the tasks under the GDPR on the territory of its own member state pursuant to Article 55.

However, the authorities of all member states in which the cross-border processing takes place are not simultaneously responsible — rather, the authority of the main establishment or the only establishment of the controller is generally responsible for monitoring such processing activities. This "lead authority" is committed under Article 60 to cooperate with the other authorities and endeavor to reach a consensus.

At the local level, data protection laws or applicable guidelines and policies further define how the local data protection authorities will cooperate. In France, the CNIL explains that the one-stop-shop mechanism involves, in particular, the transmission of information to the relevant data protection authorities, the possibility to lodge objections to a draft decision by the lead authority, and the possibility of attending meetings of the "restricted panel," which is the committee that can impose sanctions on noncompliant organizations.

In parallel, EU bodies also cooperate with non-EU authorities, but only at the speed of, and based on the priorities of, the applicable political agenda. When such cooperation does not take place in the framework of bilateral agreements, such as the one between the CNIL and the CPPA, it takes place in the context of international forums like the G7 Summit or meetings of the GPA. The latest resolutions adopted by the GPA unsurprisingly relate to artificial intelligence, based on the results of surveys carried out among GPA members.

Since there are no dedicated data protection authorities or agencies in U.S. states other than California, and no U.S. authority with powers similar to the EDPB, cooperation between different U.S. states is unlikely to mirror the intra-European model in the short term.

But U.S. state regulators have stated they are increasingly engaging with each other and sharing information, seemingly to promote similar interpretations of provisions within different U.S. state laws.

The CPPA may also, following the European model, continue to exchange information with and cooperate with authorities around the world. For now, the international cooperation sought by the CPPA appears more limited than, for example, the cooperation between the CNIL and the Personal Information Protection Commission of South Korea.

Outlook

Multinationals operating across borders need to take a growing body of rules into consideration when operationalizing privacy law compliance programs.

Given the unique provisions of the CCPA and its regulations, the CPPA is likely to continue to forge its own path. But its increased cooperation with other U.S. state regulators and authorities around the world may lead to a deeper understanding of technologies impacting personal information and possibly rulemaking or enforcement that is more aligned with approaches taken in other jurisdictions.

That should be good news for companies trying to operationalize compliance with a growing number of laws in a streamlined way.

Magalie Dansac Le Clerc, CIPP/E, and Helena Engfeldt, CIPP/E, CIPP/US, are partners at Baker McKenzie.