Lexology | 15 July 2016
Financial services: the challenge of data flows
by Stephen D. Hibbard
The TPP contains broad provisions intended to preserve the open internet and ensure cross-border data flows that are essential for businesses to transfer information in and out of countries, while acknowledging that countries also need to balance privacy interests and cybersecurity risks (Electronic Commerce—Ch. 14). Such cross-border data flows are ensured in part by the TPP’s prohibition on data localization—i.e., requiring as a condition of a company’s conducting business in a country that a user’s data be stored within the user’s country of residence (Art. 14.13).
These provisions in the Electronic Commerce chapter do not apply, however, to financial institutions, which are instead subject to specific provisions in the Financial Services chapter (Ch. 11).
For the most part, financial institutions are treated similarly to other businesses with respect to the free transfer of data between countries necessary to carry out data analysis in the regular course of business, although seven of the signatory nations—Canada, Chile, Malaysia, Mexico, Peru, Singapore, and Vietnam—have added stipulations (Ch. 11, Annex B). For example, each of Chile, Mexico, Peru, Singapore, and Vietnam have stipulated that its privacy laws govern financial data flows. Another common stipulation, added by Chile, Mexico, Peru, Singapore, and Vietnam, subjects the cross-border transfer and processing of financial data to prior regulatory approval.
If the TPP’s provisions governing the free transfer of data by financial institutions are at least consistent with the TPP’s provisions that apply broadly to other industries, the same cannot be said as it relates to data localization. Financial institutions and other providers of cross-border financial services are excluded from the TPP’s prohibition on data localization (Art. 14.1). Critics of this approach note that data localization requirements could increase costs, increase data security risks, and deter firms seeking to enter new markets. Proponents of this approach, including government regulators, view data localization as necessary to regulate markets in times of severe financial crises (such as during 2008–09), as well as to maintain security and privacy.
In the United States, at least, not extending the prohibition on data localization to financial institutions has been described by business and congressional leaders as one of three issues needing to be resolved before Congress votes on legislation implementing the TPP. To respond to this concern, on May 25, 2016, U.S. Treasury Secretary Jack Lew announced a proposal to resolve this issue in future trade agreements, but not in the TPP. His proposal is nonetheless significant because, if adopted in future trade agreements, such as the possible Trade in Services Agreement, it would apply to all TPP signatories other than Brunei, Malaysia, Singapore, and Vietnam.
Mr. Lew’s proposal has four points:
- Data localization regulations are prohibited when financial regulators in other countries can access information stored in the host country.
- Restrictions on cross-border data flows are prohibited when the business activity falls within the scope of a country’s financial services license.
- Before adopting data localization regulations, regulators must provide companies an opportunity to comment and address regulatory concerns.
- The above obligations may be enforced through state-to-state dispute settlement procedures.