Europe is trying to work out a way to have its data protection cake, without it being gobbled up in trade agreements.
After more than a year, trying to work out how to guarantee international data flows in compliance with the GDPR (General Data Protection Regulation), at the end of January the European Commission put out an astonishingly brief text endorsing “horizontal provisions for cross-border data flows and personal data protection in trade negotiations,” it lists four conditions.
“Cross-border data flows shall not be restricted between the Parties by:
(i) requiring the use of computing facilities or network elements in the Party’s territory for processing, including by imposing the use of computing facilities or network elements that are certified or approved in the territory of a Party;
(ii) requiring the localisation of data in the Party’s territory for storage or processing;
(iii) prohibiting storage or processing in the territory of the other Party;
(iv) making the cross-border transfer of data contingent upon use of computing facilities or network elements in the Parties’ territory or upon localisation requirements in the Parties’ territory.”
“It seems to me that the emphasis here is on eliminating any instances of data localization requirements, which is of course the right thing to do if you are trying to facilitate global trade in today’s digital economy,” explained Eduardo Ustaran, Partner at Hogan Lovells, adding, “the fact that the opening shot of the data protection provisions is its recognition as a fundamental right raises the standards to a very high level indeed.”
Because protection of personal data is a fundamental right in the EU, it is not up for negotiation in trade deals. However, the Commission believes that “data flows between the EU and third countries can be ensured using the mechanisms provided under the EU data protection legislation.” Speaking off the record, data protection experts told CPO that it seems the Commission is intent on contradicting itself on data protection at every turn.
The normal method for so-called “third country” data flows to be approved by the EU are “adequacy decisions” – a recognition that the other country has an equivalent level of data protection to the EU. Currently, just 11 countries are deemed to have adequate levels of data protection – Switzerland, Andorra, the Faroe Islands, Guernsey, Jersey, the Isle of Man, Argentina, Canada, Israel, New Zealand and Uruguay – plus the U.S., under the controversial Privacy Shield scheme.
However with new trade deals on the horizon, notably with Mexico, the Commission is keen to emphasize that “dialogues on data protection and trade negotiations with third countries can complement each other, but must follow separate tracks – like with Japan and South Korea.”
The Commission has been especially concerned with cases where an adequacy decision “cannot be realistically reached in parallel to ongoing trade negotiations.” It believes its four rules set out in the text would safeguard the protection of personal data, while at the same time allowing the EU to tackle protectionist practices with trading partners.
MEP and former Justice Commissioner, Viviane Reding, praised the text, tweeting “Hallelujah, a silver bullet” has been found. However, others in the European Parliament’s trade committee were less impressed. MEP Marietje Schaake described it as “a fraught compromise,” and referred to the letter sent by MEPs to the Commission last December in which the Parliament made clear that “rules on data flows cannot – and should not – undermine our fundamental rights to data protection and privacy.”
That letter also called on the Commission to “strictly prohibit unjustified data localization requirements in free trade agreements; considers that the removal of such requirements should be a top priority, and emphasizes that the relevant data protection legislation should be adhered to; regrets attempts to use such requirements as a form of non-tariff barrier to trade and as a form of digital protectionism; considers that such protectionism seriously hampers opportunities for European businesses in third country markets and undermines the efficiency benefits of digital trade.”
“Frankly, 21st century trade rules cannot be meaningful without taking data flows into account. If we want to be a rule maker as opposed to be a rule taker, the EU needs to be in the driving seat, and come up with a joint position that enables our economies to grow and rules to be strengthened, while preserving our fundamental rights,” said Schaake.
However, the Commission text includes a potential “get out of jail free card.” According to the text, “a Party may at any time propose to the other Party to review the list of restrictions listed in the preceding paragraph. Such request shall be accorded sympathetic consideration.”
It is easy to guess at scenarios where a country might want the restrictions “reviewed” – national security provisions, local telecoms law, or interception law may require equipment and or data to be processed in the member state. A “sympathetic” view could open the door to all these, potentially in violation of EU data protection laws.
The has been put to the other European institutions, as well as the European Data Protection Supervisor and the Article 29 Working Group of data protection authorities. The last two may well want to see that loophole closed.