Trade and privacy: complicated bedfellows?

JPEG - 93.2 kb

Institute for Information Law (University of Amsterdam) | 13 June 2016

Trade and privacy: complicated bedfellows?

by Kristina Irion, Svetlana Yakovleva, Marija Bartl

Summary

This independent study assesses how EU standards on privacy and data protection are safeguarded from liberalisation by existing free trade agreements (the General Agreement of Trade in Services (GATS) and the Comprehensive Economic and Trade Agreement (CETA)) and those that are currently under negotiation (the Trans-atlantic Trade and Investment Partnership (TTIP) and the Trade in Services Agreement (TiSA)). It was jointly commissioned by the European Consumer Organisation (BEUC), the Center for Digital Democracy (CDD), the Transatlantic Consumer Dialogue (TACD) and European Digital Rights (EDRi), and executed by the Institute for Information Law (IViR) at the University of Amsterdam.

Based on the premise that the EU does not negotiate its privacy and data protection standards, the study clarifies safeguards and risks in respectively the EU legal order and international trade law. In the context of the highly-charged discourse surrounding the new generation free trade agreements under negotiation, this study applies legal methods in order to derive nuanced conclusions about the preservation of the EU’s right to regulate
privacy and the protection of personal data.

The EU legal order itself carries robust safeguards that protect EU privacy and data protection standards from (involuntary) liberalisation via the international trade agreements to which the EU is party. Not only are the fundamental rights to privacy and the protection of personal data well entrenched in EU primary law, but the principle of “autonomy of the EU legal order” and the lack of “direct effect” in conjunction with international trade law moreover preclude EU law from being automatically changed. International trade agreements to which the EU is or will become a party should be consistent with all aspects of EU legislation on data protection, which vests, by international standards, the highest level of protection. Even when it cannot overturn EU legislation, international trade law should not become a venue for challenging the EU approach to the protection of personal data. The EU’s global policy model and its legitimacy vis-à-vis its trade partners must not be undermined.

The contemporary ubiquity of the processing of personal data in cross-border trade in services renders data protection measures especially susceptible to being probed for their compliance with the EU’s commitments in international trade agreements. The potential for trade disputes is not just an issue of the EU entering into further commitments on data flows, but a current risk with existing commitments in core disciplines in international trade agreements.

The EU’s right to regulate, as recognised in international trade agreements, is subject to certain trade-conforming limitations and conditions. Under the GATS, for example, a party may adopt measures that are not inconsistent with the obligations and commitments assumed under this agreement. In the case that measures are found to be GATS-inconsistent, the general exceptions are the central bulwark for defending a party’s right to regulate, and the only context within which regulatory objectives and concerns can be deliberated.

As a concrete example, the EU rules on transfers of personal data to third countries (Chapter IV of the Data Protection Directive), which aim to protect the remainder of EU data protection law from circumvention, have been exposed to a finding of GATS inconsistency.

This means that the requirements of the general exceptions must be met in order
to defend this EU measure. Entering into additional commitments on free data flows without a prudential carve-out for a party’s privacy and data protection laws would only raise the bar for justification, and compound pressure on the general exceptions.

The GATS carries an explicit exception on privacy that is subject to a series of tests, leaving a certain margin for interpretation that cannot be fully anticipated from a solely EU-centric perspective. There is an entire spectrum of opinions as to whether or not some measures of EU data protection law would meet the general exceptions. In addition, EU policy and practice could fall short of the required level of consistency, for example in how the Commission administers adequacy decisions.

Not only is there a need to update trade rules for the digital economy and cross-border data flows but, from an EU perspective, it is also necessary to upgrade the exception for privacy and data protection. Entrusting the EU’s right to regulate in new generation free trade agreements to the general exceptions, which are modelled after the GATS, would perpetuate a residual legal risk. Note in this respect that EU negotiators injected an additional safeguard for EU rules on the transfer of personal data to third countries in CETA’s Financial Services Chapter.

This study underscores the formula of the European Parliament that new free trade agreements should contain “a comprehensive, unambiguous, horizontal, self-standing and legally binding provision based on GATS Article XIV which fully exempts the existing and future EU legal framework for the protection of personal data from the scope of this agreement, without any conditions that it must be consistent with other parts of the [agreement].”

As long as this is not granted, the EU should not enter into additional commitments concerning free data flows in new and enhanced disciplines that lack any reference to the party’s privacy and data protection laws. In relation to new provisions that each party shall adopt or maintain a privacy and data protection legal framework, they should not be linked to any qualitative conditions (e.g. “adequate”, “non-discriminary”), nor to principles and guidelines of international bodies if these would introduce a ceiling for the acceptable level of protection.

Click here for the full report (pdf - 881KB)