The cross-border data flow commitment in the Digital Trade chapter comes with a safeguard in article 12.5, Protection of personal data and privacy:
- Each Party recognises that the protection of personal data and privacy is a fundamental right and that high standards in this regard contribute to enhancing consumer confidence and trust in digital trade.
- Each Party may adopt or maintain measures it deems appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data. Nothing in this Agreement shall affect the protection of personal data and privacy afforded by the Parties’ respective measures.
The EU commission first presented this approach in 2018. This unconditional safeguard is a major improvement over earlier ones based on GATS article XIV, which contains conditions, among them a necessity test. The mention of data protection and privacy as a fundamental right in trade agreements is a positive development. NGOs welcomed the decision. For a broad discussion, see Svetlana Yakovleva and Kristina Irion (2020). I was somewhat more skeptical.
Compared with GATS article XIV like safeguards, which contain conditions, an exception without conditions is much stronger. Hence the positive reception. There are, however, some potential limitations and weaknesses.
First, is the exception compatible with GATS’s principle of non-discrimination?
Second, a zero-quota issue may arise. Say a dictator takes over a trading partner and the EU would like to suspend data flows. Trade arbitrators may see this as a not allowed zero-quota.
Third, chapter 10 with cross-border services commitments contains a most favoured nation clause. See below.
Fourth, if we compare the exception with the weak right to regulate clause, we see similarities. With the discussions on the right to regulate clause in investment chapters in mind, we could consider:
(a), recognising something that is already known (para 1) doesn’t create anything new;
(b), the formulation “Nothing in this Agreement shall affect” (para 2) does not preclude or limit compensation orders;
(c), the strength of the safeguard then comes down on the first sentence of para 2, which does not preclude or limit compensation orders either.
But, such an interpretation would be scandalous, not? A scenario in which disembedded supranational trade arbitrators would interpret exceptions to commitments as outrageously as disembedded supranational investment arbitrators, may not seem very likely, as there are differences between trade arbitration and investment arbitration. Will these differences be enough? Ideas and interpretations change over time. With the right to regulate clause and the exception in the same chapter, do they come contagiously close?
The strength of a safeguard may depend on the context. It seems prudent to only use these commitments and this exception to commitments in a safe situation and avoid asynchronous situations, in which the states party to the agreement have or may develop very different interests or ideas on fundamental rights, the public interest, and democracy.
If we really do not want disembedded supranational trade arbitrators to take fundamental rights unfriendly decisions it may not be enough to indicate that in the text. A stronger option is to not give them jurisdiction, nor jurisdiction to decide on jurisdiction. The EU could continue working with adequacy decisions and leave data flow commitments out of trade agreements. This has worked between the EU and New Zealand for a decade now.
If the EU would remove the data flow commitment from the Digital Trade chapter, it would still make sense to keep a strengthened exception, as cross-border services commitments imply cross-border data flows and we can expect the return of a commitment regarding financial data.
When the EU commission first presented these trade agreement based sweeping data flows commitments with the new exception it noted that the new plans are meant for countries which do not have an adequate protection of personal data. Reuters helpfully gave an example: Russia.
Sweeping cross-border data flow commitments with Russia, under this or whatever safeguard would seem imprudent by now. It will remain important to choose trade partners wisely, and even, ever more wisely.