'Cross-border data flows and privacy in global trade law: has trade trumped data protection?' by Mira Burri in (2023) 39(1) Oxford Review of Economic Policy 85–97 comments:
This article is set against the complex backdrop of the evolution of the data-driven economy and its regulation, and seeks to provide a better contextualization of the topic of data protection as a matter of trade law. It looks at the recent proliferation of rules on data flows, specifically addressed in free trade agreements (FTAs), at how data protection has been framed in these treaties, as well as at the available reconciliation mechanisms developed to interface trade and privacy. The article explores the most advanced models that have been developed in this regard so far, with a focus on some US-led and EU-led treaties. These analyses build the basis for testing the conjecture as to whether trade law has gone too fast and too deep, encroaching on domestic privacy law developments that unfold at a much slower pace.
Burri states:
Legal adaptation in the face of technological advances, including in the area of trade law, is not necessarily a new topic. This is true also for digital technologies as, on the one hand, the World Trade Organization (WTO) membership realized fairly early on with the 1998 Work Programme on Electronic Commerce that all areas of trade are deeply affected by the Internet and changes in the existing rules for trade in goods, trade in services, as well as those for the protection of intellectual property (IP) rights, may be needed. On the other hand, this acknowledgment has been accompanied by a host of studies that explored where such changes are most urgent and what they might look like, as well as considering their political feasibility. Yet, it is fair to note that this dual mobilization of policy and scholarship was based on a wave of technological changes that were still, so to speak, at level 2.0, where the Internet was seen as a mere platform enabling the online sale of services and goods, often framed under ‘e-commerce’, but failed to recognize the disruptive potential of the Internet as a general purpose technology (GPT) with far-reaching spillover effects. With the changing conditions of trade and the emergence of global value chains (GVCs), intensified convergence, and servicification, these effects did become palpable and were considered by a series of later studies. Yet, the centrality of data remained largely ignored, as their embeddedness in the economy and their profound societal effects were at an early stage. It is only recently, with the advent of the so-called ‘Fourth Industrial Revolution’, that the impact of data across all sectors of the economy and the disruptive character of digitization were fully acknowledged. 
And it is only in very recent times, with the shaping of Big Data and artificial intelligence (AI) as distinct new phenomena, that both policy and academic circles, not exclusively in the area of trade, recognized the need for a change in legal design that goes beyond plain adjustments.
These later stages exposed also in a new way the link between digital trade, or data-enabled/driven trade, and privacy protection, and their regulation became intensely contested. Previously privacy and trade law were rarely connected and nor has their interface been addressed in the legal frameworks. While there has been a robust scholarly and policy debate on the impact of the ‘hard’ rules of international economic law on non-economic interests, privacy has seldom been one of the major concerns. The new field of contestation was defined by the increased value of data and the affordances of Big Data and Big Data analytics. In this context, there is now broad agreement that data are so essential to economic processes that they are commonly said to be the ‘new oil’. Many studies have revealed the vast potential of data, and the dependence of new and emerging technologies, like AI, on data.
Yet, this increased dependence on data brought about a new set of concerns. The impact of data collection, use, and re-use upon privacy was particularly recognized by scholars and policy-makers. These challenges triggered a new preoccupation for law-makers and led to reform of data protection laws around the world, best exemplified by the EU General Data Protection Regulation (GDPR). The reform initiatives are, however, not coherent and are culturally and socially embedded, reflecting societies’ understandings of constitutional values, relationships between citizens and the state, and the role of the market, as illustrated later on by a reference to the US and EU’s approaches to data protection.
The tensions around data have also revived older questions about sovereignty and international cooperation in cyberspace. Data’s intangibility and pervasiveness pose particular difficulties for determining where data are located, as bits of data, even those associated with a single transaction or online activity, can be located anywhere. With the increased value of data and the associated risks and because of the contentious jurisdictional issues, governments have proactively sought new ways to assert control over them—in particular by prescribing diverse measures that ‘localize’ the data, their storage or suppliers, so as to keep them within the state’s sovereign space. Erecting barriers to data flows has, however, serious implications for trade and brings about a tension between data protectionism and data sovereignty and the inherent to trade agreements striving to liberalize trade, foster growth, and innovation.
Overall, with the amplified role of data in societies, the interfaces between trade and privacy protection have become multiple and intensified. They raise important questions as to adequate regulatory design that can reconcile economic and non-economic concerns, national and international interests. This article is set against this complex backdrop and seeks to provide a better understanding and contextualization of the topic of data protection as a matter of trade law. It looks at the recent proliferation of rules on data flows, specifically addressed in free trade agreements (FTAs), at how data protection has been framed in these treaties as well as at the available reconciliation (or escape) mechanisms developed to interface trade and privacy. The article explores the most advanced models that have been developed in this regard so far, with a focus on some US-led and EU-led treaties. These analyses build the basis for testing the conjecture as to whether trade law has gone too fast and too deep encroaching on domestic privacy law developments that unfold at a much slower pace.