25 June 2018

FTAs and EU Data Protection

Trade and privacy: complicated bedfellows? How to achieve data protection-proof free trade agreements (Institute for Information Law, 2018) by Kristina Irion, Svetlana Yakovleva, and Marija Bartl for BEUC, CDD, TACD and EDRi assesses
how EU standards on privacy and data protection are safeguarded from liberalisation by existing free trade agreements (the General Agreement of Trade in Services (GATS) and the Comprehensive Economic and Trade Agreement (CETA)) and those that are currently under negotiation (the Trans-atlantic Trade and Investment Partnership (TTIP) and the Trade in Services Agreement (TiSA)).
The report
was jointly commissioned by the European Consumer Organisation (BEUC), the Center for Digital Democracy (CDD), the Transatlantic Consumer Dialogue (TACD) and European Digital Rights (EDRi), and executed by the Institute for Information Law (IViR) at the University of Amsterdam. Based on the premise that the EU does not negotiate its privacy and data protection standards, the study clarifies safeguards and risks in respectively the EU legal order and international trade law. 
In the context of the highly-charged discourse surrounding the new generation free trade agreements under negotiation, this study applies legal methods in order to derive nuanced conclusions about the preservation of the EU’s right to regulate privacy and the protection of personal data. The EU legal order itself carries robust safeguards that protect EU privacy and data protection standards from (involuntary) liberalisation via the international trade agreements to which the EU is party. Not only are the fundamental rights to privacy and the protection of personal data well entrenched in EU primary law, but the principle of “autonomy of the EU legal order” and the lack of “direct effect” in conjunction with international trade law moreover preclude EU law from being automatically changed. International trade agreements to which the EU is or will become a party should be consistent with all aspects of EU legislation on data protection, which vests, by international standards, the highest level of protection. Even when it cannot overturn EU legislation, international trade law should not become a venue for challenging the EU approach to the protection of personal data. The EU’s global policy model and its legitimacy vis-à-vis its trade partners must not be undermined. The contemporary ubiquity of the processing of personal data in cross-border trade in services renders data protection measures especially susceptible to being probed for their compliance with the EU’s commitments in international trade agreements. The potential for trade disputes is not just an issue of the EU entering into further commitments on data flows, but a current risk with existing commitments in core disciplines in international trade agreements. The EU’s right to regulate, as recognised in international trade agreements, is subject to certain trade-conforming limitations and conditions. Under the GATS, for example, a party may adopt measures that are not inconsistent with the obligations and commitments assumed under this agreement. In the case that measures are found to be GATS-inconsistent, the general exceptions are the central bulwark for defending a party’s right to regulate, and the only context within which regulatory objectives and concerns can be deliberated. As a concrete example, the EU rules on transfers of personal data to third countries (Chapter IV of the Data Protection Directive), which aim to protect the remainder of EU data protection law from circumvention, have been exposed to a finding of GATS inconsistency. This means that the requirements of the general exceptions must be met in order to defend this EU measure. Entering into additional commitments on free data flows without a prudential carve-out for a party’s privacy and data protection laws would only raise the bar for justification, and compound pressure on the general exceptions. 
The GATS carries an explicit exception on privacy that is subject to a series of tests, leaving a certain margin for interpretation that cannot be fully anticipated from a solely EU-centric perspective. There is an entire spectrum of opinions as to whether or not some measures of EU data protection law would meet the general exceptions. In addition, EU policy and practice could fall short of the required level of consistency, for example in how the Commission administers adequacy decisions. Not only is there a need to update trade rules for the digital economy and cross-border data flows but, from an EU perspective, it is also necessary to upgrade the exception for privacy and data protection. Entrusting the EU’s right to regulate in new generation free trade agreements to the general exceptions, which are modelled after the GATS, would perpetuate a residual legal risk. Note in this respect that EU negotiators injected an additional safeguard for EU rules on the transfer of personal data to third countries in CETA’s Financial Services Chapter. 
This study underscores the formula of the European Parliament that new free trade agreements should contain “a comprehensive, unambiguous, horizontal, self-standing and legally binding provision based on GATS Article XIV which fully exempts the existing and future EU legal framework for the protection of personal data from the scope of this agreement, without any conditions that it must be consistent with other parts of the [agreement].” As long as this is not granted, the EU should not enter into additional commitments concerning free data flows in new and enhanced disciplines that lack any reference to the party’s privacy and data protection laws. In relation to new provisions that each party shall adopt or maintain a privacy and data protection legal framework, they should not be linked to any qualitative conditions (e.g. “adequate”, “non-discriminary”), nor to principles and guidelines of international bodies if these would introduce a ceiling for the acceptable level of protection. The table below [not copied in this blogpost] lists all of the safeguards and risks identified in the study. The recommendations that follow are addressed to EU decision makers and trade negotiators respectively, and list practical steps for how to strengthen and modify existing safeguards on privacy and data protection in order to make them fit for purpose in next generation free trade agreements.
The report offers the following recommendations for EU decision makers and trade negotiators as 'practical steps for how to strengthen and modify existing safeguards on privacy and data protection in order to make them fit for purpose in next generation free trade agreements'.
1. Underscoring the formula of the European Parliament that new free trade agreements better entrust their right to regulate in the field of privacy and data protection to ... a comprehensive, unambiguous, horizontal, self-standing and legally binding provision based on GATS Article XIV which fully exempts the existing and future EU legal framework for the protection of personal data from the scope of this agreement, without any conditions that it must be consistent with other parts of the [agreement]. 
2. Underscoring the European Parliament’s position that additional commitments concerning free data flows in new and enhanced disciplines should not be disconnected from any reference to the party’s privacy and data protection laws. CETA’s Chapter on Financial Services, for example, introduces an exception for regulating the cross-border transfer of personal data.
3. In relation to new positive obligations that each party shall adopt or maintain a privacy and data protection legal framework, these should not be linked to any qualitative conditions (e.g. “necessary”), nor to the principles and guidelines of international bodies if these would introduce a ceiling for the acceptable level of protection. 
4. Pursuant to the EU’s current practice, insert “no direct effect” clauses in free trade agreements and Council decisions approving these free trade agreements. In order to forego any finding of “direct effect”, avoid reference in EU legal acts to specific provisions in free trade agreements.
5. With a view to protecting EU privacy and data protection standards, it should be incumbent on the European Data Protection Supervisor (EDPS) to issue opinions on the texts of free trade agreements that the EU plans to adopt. 
6. When there is reason to believe that a new free trade agreement to which the EU will become a party negatively affects EU privacy and data protection standards, a Member State, the European Parliament, the Council or the Commission should initiate an advisory opinion procedure at the Court of Justice as provided for in Article 218(11) of the TFEU. 
7. Adequacy assessments and decisions by the Commission must not grant differential treatment to some third countries and not to others. The Commission should adopt procedural rules for the administration of the assessment of adequate levels of protection for third countries, thereby facilitating “consistency of enforcement”.
8. The Commission should publish impact assessments on preserving the EU’s right to regulate in areas of public interest and legal reasoning based on which it concludes, with sufficient certainty, that EU data protection law in all aspects satisfies the requirements of the general exceptions modelled after GATS Article XIV(c)(ii).
9. EU institutions should commission a study into enterprise customers’ preferences in the outsourcing and provisioning of computer services involving the personal data processing in order to build an evidence base supporting the fact that EU data protection law is a differentiating factor in the competitive relationship between services and service suppliers.