Data Privacy: The BSA’s Statement of Global Priorities
by
April 2, 2026
The Business Software Alliance’s position paper on Global Privacy Priorities for 2026 says that privacy laws should focus on (1) creating rights for consumers over their personal data, (2) imposing obligations on businesses to handle that data responsibly, (3) creating a clear and centralized enforcement mechanism, and (4) supporting an interoperable approach to privacy protections. As this excerpt from the position paper indicates, the BSA believes that laws should impose significant responsibilities on businesses for safeguarding consumers’ data:
Laws should put obligations on companies to handle consumers’ personal data responsibly. Laws should:
» Recognize the different roles of controllers and processors. Controllers are the companies that decide why and how to collect consumers’ personal data. In contrast, processors handle data on behalf of other companies. The distinction between controllers and processors is fundamental to privacy laws worldwide and should be reflected in any privacy law.
» Focus on personal data, by creating protections for information that relates to an identified or identifiable consumer. Data that is de-identified through robust technical and organizational measures to reduce the risk of re-identification should not be covered as personal data.
» Adopt heightened protections for sensitive data, such as requiring consumers to consent to processing of their sensitive personal data.
» Recognize a range of grounds for processing, to ensure companies can process personal data for valid reasons, including legitimate interests that are consistent with the reasonable expectations of a consumer. Laws should also support processing personal data for purposes including to perform a contract; in the public interest; in the vital interest of a consumer; necessary to comply with a legal obligation; and based on the consumer’s consent.
The BSA also says data protection laws should take an interoperable approach to privacy, so that those laws work in harmony to protect privacy, and should also facilitate the cross-border transfer of personal data, subject to appropriate safeguards.