by David Scholte*
Practical solutions to a theoretical conundrum
After the implementation of the General Data Protection Regulation (GDPR) in 2018, the European Union (EU) has been striving to keep up the high standards of protection of personal data transfers of EU citizens throughout the world. In order to secure these standards, it has two powerful different tools at its disposal.
Tool number one is the ´adequacy decision´. The EU commission will ´determine […] whether a country outside of the EU offers an adequate level of data protection´.(European Commission, Adequacy Decisions) Adequate means comparable to the protection offered by the EU. If so determined, the cross-border data flow between the EU and the third country can take place unimpeded and without any further safeguards. Tool number two are data protection provisions in the trade agreements between the EU and third countries. (See art. 28.3(2)(ii) CETA, art. 8.3 JEFTA and art. 8.62(e)(ii) EU-Singapore FTA)
The EU is a prominent advocate of liberalising (digital) trade but will always vehemently protect its data protection standards; this is made explicit in the statement that ´the EU data protection rules cannot be subject to negotiations in a free trade agreement´. (COM(2017) 7 final)
Data protection clauses in previous trade agreements used to be sectorial provisions modelled after art. XIV from the multilateral ´General Agreement on Trade in Services (GATS). However, with the changeability of digital trade and with the implementation of the broad scoped GDPR, the EU´s view was that new provisions were needed.
´These horizontal provisions rule out unjustified restrictions, such as forced data localisation requirements, whilst preserving the regulatory autonomy of the parties to protect the fundamental right to data protection´. (COM(2020) 264 final)
In 2018 the Commission published horizontal draft provisions that it intended to include in future trade agreements. It is noted that the provisions modeled after the GATS article have always included the requirement of ´necessity’ and stated that any measure taken with regard to the protection of personal data must not be a ´means of arbitrary or unjustifiable discrimination [or] a disguised restriction´. However, the new provisions would be applicable throughout the agreement and, most importantly, do away with the conditions and limitations found in the old type of provisions.
There are no longer requirements that must be fulfilled before a measure with regard to personal data can be taken. The Draft provisions regarding data protection are as following:
- Each party ecognizes that the protection of personal data and privacy is a fundamental right […]
- Each party may adopt and maintain the safeguards it deems appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data. Nothing in this agreement shall affect the protection of personal data and privacy afforded by the Parties´ respective safeguards.
- Each party shall inform the other Party about any safeguard it adopts or maintains according to paragraph 2.
- For the purposes of this agreement, ´personal data´ means any information relating to an identified or identifiable natural person.
- For greater certainty, the Investment Court System does not apply to the provisions in Articles 1 and 2.
Although the EU had proposed this provision in trade negotiations with Australia and New Zealand. the first agreement where this new type of rules has been fully implemented is the EU-UK Trade and Cooperation Agreement (TCA), albeit in a slightly different form.
- Each Party recognises that individuals have a right to the protection of personal data and privacy and that high standards in this regard contribute to trust in the digital economy and to the development of trade.
- Nothing in this Agreement shall prevent a Party from adopting or maintaining measures on the protection of personal data and privacy, including with respect to cross-border data transfers, provided that the law of the Party provides for instruments enabling transfers under conditions of general application for the protection of the data transferred.
- Each Party shall inform the other Party about any measure referred to in paragraph 2 that it adopts or maintains.
The compromise between the position of the parties reflects the difficulties in translating drafted horizontal provision into real negotiations. What is clear is that the all-encompassing, condition-less provision that the Commission had envisioned did not come to fruition. In the first paragraph data protection is no longer a fundamental right, something that is striking among purists and puts the protection of data legally on a lower pedestal than if it would have remained a fundamental right.
Moreover, in the draft provision, paragraph two gives both parties full authority over the adoption of safeguards, with no conditions attached. In contrast, the adopted TCA’s provision is worded quite differently: ´nothing in this agreement shall prevent […] provided that´ instead of ´Each party may adopt´. This gives the paragraph a negative wording with again some conditions attached. It bears a resemblance to the GATS article meaning that it would not be without conflict and possible dispute. (WTO Analytical Index, GATS – Article XIV (Jurisprudence))
Because of the transition period, under the agreement data flows are still unrestricted as long as the UK continue to apply the data protection rules, based on EU law (EU-UK Agreement part seven, Article FINPROV. 10A(4)). Moreover, with a pending adequacy decision, a large differentiation between the UK and EU data protection is not likely to arise. When the data protection in the UK is deemed to be adequate the article will become moot.
However, this quite substantial modification from the original proposal by the EU does show that the EU might be flexible on the wording of such rules. In the TCA case, the EU position is explained by the special and interconnected relationship with the UK, a European country and a former Member State. Nonetheless, it is interesting that the EU Commission did accept different draft provisions, although it had defiantly stated that those provisions would not be subject to negotiations.
In the future the EU will strive to include such horizontal provision in all future trade deals. Indeed, in the trade negotiations with Australia and New Zealand the provisions proposed are again mirroring the draft provisions. With New Zealand already having received an adequacy decision from the Commission, the question remains if a horizontal provision is a priority for both parties. Considering New Zealand’s ´culture of compliance´ (Henning, 2020) data protection will not be a major hurdle and one can expect the horizontal provision to be included in the upcoming EU-New Zealand trade deal without significant amendments.
For countries without this close connection to the EU data rules, such as Australia, the inclusion of such broad horizontal provision could be problematic. Third countries have the reasonable worry that such blanket exception could be used for ´otherwise unjustifiable IT and data localization requirements´. (Yakovleva & Irion, 2020, 219)
The provisions in the Australia and New Zealand deals will give a clearer idea on what these new horizontal provisions mean for EU trade negotiations and deals. It seems however that the Commission’s position on the matter is far more practical and reliant on adequacy decisions, thus unilateral, than it presents to be at first glance. The full regulatory autonomy that the EU strives for has not been achieved in the TCA and will thus most likely not be achieved in future trade deals. A missed opportunity.
*David Scholte is a Junior Lecturer in EU Law at Utrecht University, the Netherlands. He is also currently pursuing a Master in International Relations at Leiden University.