Broken data protection in EU trade agreements

The study “Trade and Privacy: Complicated Bedfellows? How to achieve data protection-proof free trade agreements” is remarkable. On the one hand it shows, beyond doubt, that the EU fails to sufficiently protect personal data in its trade agreements. On the other hand, one of the safeguards it recommends could leave our personal data more vulnerable.

Monique Goyens, Director General of The European Consumer Organisation (BEUC), commented:

It’s unacceptable that the EU’s privacy and data protection rules could be challenged through trade policy. Trade deals should not undermine consumers’ fundamental rights and their very trust in the online economy. We’re pleased to see this study clearly echoing the European Parliament’s call to keep rules on privacy and data protection out of trade agreements.

The study is a crucial contribution to the debate in Europe (infographic). I’m grateful to the organisations which commissioned the study (BEUC, EDRi, CDD, TACD) and to the researchers: Kristina Irion, Svetlana Yakovleva, and Marija Bartl.

Nevertheless, this short note (pdf version) argues that the safeguards the study recommends would provide (much) less protection than suggested. (The note focuses on this issue. The study is much broader and comes with many valuable recommendations).

In trade agreements the EU commits itself to allow more and more cross-border flows of data. To protect personal data the EU has to regulate these flows; the EU needs a solid exception to its trade commitments. The first section of this note discusses article XIV of the General Agreement on Trade in Services (GATS, 1995), which is an exception to trade commitments. Unfortunately, the exception is limited by many conditions. In its trade agreements the EU uses a safeguard modelled after GATS article XIV. The European Parliament has stated a stronger exception is needed, an unconditional one.

Section two shows a completely different approach. The safeguard in the EU – South Korea trade agreement’s financial chapter provides a positive obligation to protect personal data. With this obligation resting on Korea, our financial data should be safe there. However, the safeguard seems hardly enforceable. After this introduction to two different approaches to safeguards, the note turns to the safeguards the study recommends.

Section three highlights a disagreement. It discusses a safeguard in the draft EU – Canada CETA trade agreement’s financial chapter. The study sees this safeguard as a strong exception to data flow commitments and recommends to give the safeguard a greater role in future trade agreements. It would be better than GATS article XIV, the exception discussed in the first section. However, this note argues to the contrary that the safeguard is not an exception. It is a positive obligation to protect personal data, like the EU – South Korea safeguard, discussed in the second section. Taking a step back, the section concludes that a new formulation in the EU – Canada CETA trade agreement can lead to opposing interpretations. Giving the safeguard a greater role in future trade agreements would be dangerous as its text leaves ample room for trade and investment tribunals to decide it is not an exception.

The fourth section discusses a second safeguard the study recommends, a safeguard in the 1994 Understanding on Commitments in Financial Services. It is an exception to data flow commitments; it may be stronger than GATS article XIV. But it is not unconditional; this creates uncertainty.

Finally, this note shows that investment protection rules can render unconditional exceptions to data flow commitments ineffective. Investment protection adds conditions. The section also points out systemic issues with supranational trade and investment adjudication. It argues that giving private parties access to supranational investment adjudication creates uncontrollable risks due to the specialised and supranational character.

This note concludes that proposed EU trade agreements, like EU – Canada CETA, would undermine data protection, democracy and the rule of law. If we don’t put our values first, deep integration agreements will compromise our values. The world faces major challenges. We need our values to guide us.

Study: K. Irion, S. Yakovleva and M. Bartl, “Trade and Privacy: Complicated Bedfellows? How to achieve data protection-proof free trade agreements“, independent study commissioned by BEUC et al., published 13 July 2016, Amsterdam, Institute for Information Law (IViR). (Hereinafter “Study”)

1 An exception from the past: GATS article XIV

The exception in article XIV of the General Agreement on Trade in Services allows parties to the agreement to take measures to protect privacy, personal data and other public interests. Despite the obligations in the GATS, states can take unilateral measures: “(…) nothing in this Agreement shall be construed to prevent the adoption or enforcement by any Member of measures: (…)”. Unfortunately, the exception comes with many conditions which World Trade Organization panels have enforced strictly.

The Study shows that GATS article XIV and safeguards modelled after it are not data protection proof. 1 This is a major issue as upcoming trade agreements, for instance the EU – Canada CETA, open many cross-border markets, including related data flows, with only this broken safeguard. 2 The Study concludes that an unconditional exception is needed. 3

The European Parliament had reached the same conclusion. The Study “underscores the formula” of the European Parliament that new free trade agreements have to contain:

a comprehensive, unambiguous, horizontal, self-standing and legally binding provision based on GATS Article XIV which fully exempts the existing and future EU legal framework for the protection of personal data from the scope of this agreement, without any conditions that it must be consistent with other parts of the [agreement]. (page VI, emphasis added)

In the formula “exempts” and “based on GATS Article XIV” indicate that the Parliament wants an exception. As a whole the formula amounts to an unconditional exception.

We can now look at a different approach: additional safeguards which are not exceptions to data flow commitments, but positive obligations to protect personal data.

2 Positive obligations to protect personal data

The EU – South Korea trade agreement (EUKOR, 2011) has a general exception modelled after GATS article XIV. 4 In addition, EUKOR’s sub-section on financial services takes a different approach; the relevant part of article 7.43 Data processing reads:

(a) each Party shall permit a financial service supplier of the other Party established in its territory to transfer information in electronic or other form, into and out of its territory, for data processing where such processing is required in the ordinary course of business of such financial service supplier; and

(b) each Party, reaffirming its commitment (41) to protect fundamental rights and freedom of individuals, shall adopt adequate safeguards to the protection of privacy, in particular with regard to the transfer of personal data. (emphasis added)

The article contains two obligations, one to allow some data flows, the other to protect personal data. 5 The parties do not retain the right to take unilateral measures; the second paragraph is not an exception to data flow commitments. This was a new approach. Annegret Bendiek and Evita Schmieg noted:

As such, the South Korea FTA goes further than previous exceptions, regarding the proposed rules not as possible exemptions from free trade, but stressing the need to develop adequate safeguards in the first place.

The safeguard gives the responsibility to protect EU personal data transferred to Korea, to Korea. 6 This safeguard is a good addition, but on its own it is not sufficient. If the data protection in the other country turns out to be substandard, the safeguard seems hardly enforceable. 7

We see similar safeguards which are not exceptions to data flow commitments in three other trade agreements. 8 An essential difference between exceptions to data flow commitments and positive obligations to protect personal data is whether the parties to the agreement retain the right to unilaterally take measures despite the agreement’s obligations. We can now turn to the two safeguards the Study recommends.

3 Ceci n’est pas un carve-out

Trade agreements sometimes use the word “carve-out”. A carve-out is an exception. 9 As the Study uses “carve-out” for the safeguard discussed here, this section uses this word as well.

The Study concludes that the safeguard in the financial chapter of the draft EU – Canada CETA trade agreement is a strong carve-out and recommends to give it a greater role in future trade agreements. 10 11 This section tests whether the safeguard is a carve-out (exception).

Like in EUKOR’s sub-section on financial services, in CETA the parties allow some financial data flows. The related safeguard in CETA article 13.15 (2) reads:

Each Party shall maintain adequate safeguards to protect privacy, in particular with regard to the transfer of personal information. If the transfer of financial information involves personal information, such transfers should be in accordance with the legislation governing the protection of personal information of the territory of the Party where the transfer has originated. (emphasis added)

The safeguard has a similar construction as EUKOR article 7.43, but it has an additional element, the last sentence. The additional element is weak as it contains “should be”, not “shall”. A usual interpretation is that “should be” indicates interpretational guidance. The last sentence then gives guidance to the interpretation of “adequate safeguards”. Furthermore, article 13.15 (2) does not formulate a right to unilaterally take measures to protect personal data. It is not an exception to data flow commitments; it is a positive obligation to protect data.

This interpretation is in line with the interpretation of agreements with Korea, Singapore, Vietnam and Ukraine. 12 The new, weak element does not fundamentally change the interpretation, but it may strengthen the positive obligation to protect data. 13

Crucially, the safeguard does not allow unilateral measures. The Study reaches an opposite conclusion:

The second paragraph of this Article calls for “adequate safeguards to protect privacy”. The subsequent prudential carve-out for the protection of personal information reads:

“If the transfer of financial information involves personal information, such transfers should be in accordance with the legislation governing the protection of personal information of the territory of the Party where the transfer has originated.”

Read in the light of the previous commitment, “transfers” into and out of a party’s territory involving personal information is governed by the data protection law in the country of origin of the personal information. In other words, the EU can maintain its rules on the transfer of personal data to a third country in relation to financial services, and there is no dependency with a Commission decision attesting Canada an adequate level of protection in the meaning of Article 25.4 DPD. (emphasis added)

The interpretation leaves open various issues. First, the “subsequent prudential carve-out” is not formulated as a carve-out. Carve-outs are formulated differently. 14 Specifically, the paragraph does not formulate a retained right. The safeguard is not an explicit carve-out. At most it could be an implicit, constructed, carve-out.

Second, the first sentence clearly designates agency (“Each Party shall”), the second doesn’t.

Third, “should be” is weaker than “is governed”. They have unequal strength.

Fourth, even if transfers from the EU would be governed by EU law, EU law could still be applied by Canada. Governing law does not set jurisdiction.

Fifth, “in accordance with” indicates following. One system follows the other; for instance, Canada should apply EU law. In other words, “in accordance with” suggests designating agency.

The first interpretation – the last sentence provides interpretational guidance – would seem more solid, but readers may have an opposite opinion. We can take a step back and conclude that the new formulation in the trade agreement can lead to opposing interpretations. The Study recommends to give the safeguard a greater role in future trade agreements. This would be dangerous as its text leaves ample room for trade and investment tribunals to decide it is not an exception.

4 An exception with a loophole

According to the Study the data protection safeguard in the 1994 Understanding on Commitments in Financial Services is strong. 15 To meet the Parliament’s and Study’s criteria it should be an unconditional exception. This section tests whether the exception is unconditional.

The safeguard (article B. 8) is an exception (“Nothing in this paragraph restricts the right of a member to protect …”), but with a condition (“as long as such right is not used to circumvent the provisions of the Agreement”). This condition conflicts with the condition in the European Parliament’s formula (which the Study underscores, as we saw above): “without any conditions that it must be consistent with other parts of the [agreement]”. The safeguard fails to meet the Parliament’s and Study’s criteria.

The condition may be intended to only prevent abuse. 16 This would make the safeguard stronger than GATS article XIV, and a step in the right direction. But some uncertainties remain. The US and companies are quick to label measures as draconian and protectionist. 17 Protectionist measures would be abuse. Consequently, a limitation to abuse could still leave some risk.

Worse would be an expansive interpretation of the condition. This would provide arbitrators with discretion to test protective measures against the whole agreement, creating various risks. 18

First, investment protection chapters contain tests on government behaviour, including the fair and equitable test, which give supranational investment arbitrators a wide discretion. Note discretions come together in the hands of supranational investment arbitrators; they can interpret both trade and investment rules.

Second, agreements often contain provisions like “The Parties shall comply with the following international agreements: …”, which expand the commitments. The EU TTIP investment proposal even contains “and other rules of international law applicable between the Parties”. 19

Third, as data flow commitments increase, the risks of most favoured nation treatment tests may increase. 20

Fourth, a trade agreement may contain a ceiling to data protection elsewhere in the agreement. Arguably, articles like EUKOR 7.43 and CETA 13.15 (discussed above) create ceilings as they provide data flow obligations with related (EU substandard) data protection safeguards. 13 7

Fifth, full suspension of data flows would amount to a zero quota violation of GATS and trade agreements. 21

The exception has a condition; this creates uncertainty. The Study notes the EU proposed the safeguard in the Trade in Services Agreement (limited scope). 22

5 Investment protection renders trade exceptions ineffective

The Study briefly discusses “Enforcement, in particular investment protection” (page 47). It notes investment protection poses a risk. Unfortunately, the Study doesn’t extend its unconditional exception criteria to investment rules and it doesn’t present a policy recommendation on investment protection. 23

Investment protection chapters come with their own set of obligations and with supranational investor-to-state dispute settlement (ISDS). Tellingly, investment protection rules can render unconditional trade exceptions ineffective. Investment protection rules add obligations: parties to an agreement may have an unconditional exception from trade rules to protect a public interest, but under the investment rules they have to act in a fair and equitable way (among other obligations). If they don’t, they have to pay damages. 24 This gives supranational investment arbitrators a wide discretion, creating uncertainty. The damages claims and awards could be prohibitively high and compromise the independence of EU authorities.

The European Commission added a “right to regulate” safeguard to investment chapters. Unfortunately, the safeguard is weak. 25 26 Interestingly, in the draft CETA text the commission made a strong exception for one issue it apparently cares about: decisions not to issue, renew or maintain a subsidy. 27 After removing conditions the safeguards in CETA article 8.9 paragraphs 3 and 4 could be a starting point for formulating an unconditional exception to exclude data protection from trade and investment rules. Still, an accusation of abuse, as mentioned in the previous section, seems always possible.

At this point, note two wake up calls. First, the EU commission protected one issue it cares about and left other public interests, including data protection, to the discretion of supranational investment arbitrators. Second, the fact that the EU commission took extreme precautions to protect the one issue it cares about should alert us: every formulation is exploitable. It comes down to: can we trust the system?

Two systemic issues plague any supranational trade and investment adjudication. First, supranational adjudication is always specialised adjudication. Specialist courts and tribunals “tend to become over-enthusiastic about vindicating the purposes for which they were set up”. 28 Note that the supranational level does not have a supreme court to step in. As trade agreements achieve deeper and deeper integration more legal issues come under the jurisdiction of specialised adjudication.

Second, local systems have a legislative feedback loop; parliaments can update laws if they dislike the interpretation by courts. In other words, they can influence the development of law. This is not possible at the supranational level. As we can not expect the EU to withdraw from trade agreements, the addition of adjudication to trade agreements creates a lock in to development of law outside democratic scrutiny – with a high chance on expansive interpretation of trade and investment rights due to the specialised character.

It is possible to game untrustworthy systems. Their existence provokes predatory rent-seeking. Giving private parties access to supranational investment adjudication creates risks which are uncontrollable due to the specialised and supranational character. 29

6 Conclusion

We have ample reasons to abolish and avoid investor-to-state dispute settlement, in whatever form – be it a proposed court. 30 31

The European Parliament and the Study concluded that unconditional exceptions are necessary to exempt EU data protection rules from cross-border data flow commitments. The two safeguards the study recommends do not meet these criteria. Stronger exceptions are possible, but any formulation may turn out to be exploitable. 32 Trade and privacy are indeed difficult bedfellows. It is an open question whether data protection-proof free trade agreements are possible. 33

More generally, as trade agreements have deeper and deeper effects, state-state dispute settlement becomes more and more problematic. We have to fundamentally rethink trade rules and enforcement. 34

Proposed trade agreements, like EU – Canada CETA, would undermine data protection, democracy and the rule of law. If we don’t put our values first, deep integration agreements will compromise our values. The world faces major challenges. We need our values to guide us.

Footnotes:

1 Pages VI, VII (point 8) 34 and 55.

2 Study, Introduction, page 1: “Going beyond the GATS, the CETA, TTIP and TiSA agreements are very comprehensive and cover cross-border trade in services, which inevitably involves the processing and transferring of personal data in connection with the conduct of a service supplier’s business.”

3 The Study uses the words “unconditional exception” (text box page 45) and “unconditional carve-out” (page 57).

4 Article 7.50; note that the EU commission did not take an adequacy decision regarding data transfers to South Korea. The data transfers are based on the trade agreement.

5 20 of the then 27 EU member states committed themselves; William H. Cooper, EU-South Korea Free Trade Agreement and Its Implications for the United States, page 17.

6 The European Commission explains: “all financial firms will gain substantial market access to Korea and will be able to transfer data freely from their branches and affiliates to their headquarters.” How does this work in practice? After ratification Korea removed its ban on the transfer of financial data outside South Korea; it now permits transfer without customer consent. The EU strongly promotes its offensive interests; it expressed concerns that Korea did not go far enough in liberating data transfer.

7 The EU could start state-state arbitration. It is unclear whether that would be successful. The safeguard in EUKOR’s sub-section on financial services has two problems. First, “adequate” in EUKOR does not necessarily have the same meaning as within the EU, as supranational arbitrators do not have to read it in the light of the EU Charter of fundamental rights. Compare CJEU Safe Harbour judgment paragraph 74. Second, in the EU trust is based on the EU legal order including the Charter of fundamental rights and the EU Court of Justice. EUKOR does not have these. A trustworthy enforcement instrument is lacking to ensure that South Korea provides adequate protection.

8 The EU trade agreements with Singapore (draft, article 8.54), Vietnam (draft, page 84) and Ukraine (provisionally applied, not ratified by NL, article 129)

9 Trade agreements use the words “exception” and “carve-out”; there is no clear distinction. Compare CETA articles 28.3 (2) and 13.16. The WTO secretariat uses both words for the same article, see paragraph 28 with footnote 21.

10 Page VIII, point 2 (“exception”); page 42 main text and text box (“exceptions” and “prudential carve-outs”).

11 CETA also has a general safeguard in article 28.3 (2), which is modelled after the GATS article XIV exception.

12 See EU – Korea discussed above with reference to other trade agreements.

13 In an earlier blog I argued that the “adequate safeguards” in article 13.15 do not have to be “essentially equivalent to that guaranteed within the European Union”.

14 Carve-outs and exceptions are formulated for instance like “This Agreement does not prevent a Party from …”, or “Without prejudice to its law governing (…) the processing of personal data, each Party shall provide …”, or “a Party may derogate from Articles …”.

15 Table page VII, point 9; text box page 42; the Study briefly discusses the safeguard on page 42.

16 There has been a debate on an exception in an other Annex (article 2 (a)), which uses the word “avoiding”. The exception also contains “measures for prudential reasons”.

17 USTR, 2014, Section 1377 Review, On Compliance with Telecommunications Trade Agreements, page 5.

18 The condition goes beyond the “not inconsistent” condition in GATS article XIV, as it includes measures taken, not only the invoked laws and regulations. Compare Study, page 38, bottom.

19 Section 3 article 13(2), page 22

20 The Study discusses MFN at page 28. It concludes that “the legal fallout from a GATS inconsistent refusal to grant a Commission adequacy decision would appear rather confined”.

21 Study, page 31, Market access. Admittedly, the Study does not expect a full suspension of data flows (page 32). Nevertheless, the option of full suspension should be available in cases of prolonged mass surveillance (note the statement of the Article 29 Working Party quoted at Study, page 9).

22 Page 42; see Wikileaks, article X.11; Greenpeace, 20 September 2016 leak; and analysis by EDRi.

23 The Study makes a distinction between the existing system and the new approach with an “Investors Court”. While discussing the existing system the Study refers to a Statement of Concern regarding the EU Commission’s 2014 ISDS consultation text, an early CETA text. While discussing the new approach (“One of the first legal assessments of the new approach to investment protection concluded that it can preserve the right to regulate, for example in data protection.”) it refers to a text (September 2014) also on an early CETA text. The commission presented its new approach in 2015 and the new CETA text in 2016. The 2014 study the Study refers to does not discuss the new (2015) approach with an “Investors Court”.

24 The safeguards modelled after GATS article XIV used in proposed EU trade agreements like EU – Canada CETA use “prevent”; the 1994 Understanding we saw above uses “restricts”; if the carve-outs were made unconditional, they would still not be safe in investment cases. Compare Van Harten, page 7.

25 Van Harten (page 4), S2B, FFII. The Study quotes CETA’s right to regulate clause (page 48). Note that “reaffirm their right” does not create a right.

26 More generally, Judges, academics and NGOs were critical about the latest (2015) proposals.

27 CETA, article 8.9 paragraphs 3 and 4. Part of the exception reads: “For greater certainty, a Party’s decision not to … does not constitute a breach of the provisions of this Section.” The next paragraph contains “For greater certainty, nothing in this Section shall be construed as … requiring that Party to compensate the investor therefor.”

28 Justice Heydon quoted at MRLegal blog; see also Brian Kahin: “The Federal Circuit quickly became a champion of its specialty, making patents more powerful, easier to get, harder to attack, and available for a nearly unlimited range of subject matter.”; and Josef Drexl on the Unified Patent Court, quoted at FFII; other examples are ISDS’s “widespread expansive interpretations of nearly every provision found in investment treaties” and WTO, see Public Citizen.

29 Private parties have less restraint than states regarding policy space. See for instance Michael Geist on the U.S. State Department submission in the Eli Lilly ISDS case.

30 State-state dispute settlement using investment protection rules like fair and equitable treatment would be invasive and should be avoided as well.

31 The right approach is to improve weak aspects of domestic legal systems. Domestic legal systems can combine equal access to the law with democratic scrutiny of the development of law. Investors are not obliged to invest in countries with weak legal systems. This may create an incentive for states to improve their legal system. In addition investors can take out political risk insurance. Also note the related “there is no obvious reason why the incorporation in TTIP of a simple norm of non discriminatory legal protection and equal access to domestic courts could not address the problem perfectly adequately”. (Statement of Concern)

32 See the previous section on CETA article 8.9 paragraphs 3 and 4.

33 Margot Kaminski argued trade is not the place for the EU to negotiate privacy. Kaminski mentions the issue of bundling. Bundling also makes it a more consequential decision to invalidate an agreement, which could ultimately be necessary to protect the independence of EU data protection authorities. Alternative approaches which could be explored are leaving data flow commitments out of trade agreements, or not applying supranational dispute settlement to them.

34 See for instance Dani Rodrik on his trilemma and on a democracy-enhancing rather than globalization-enhancing model of global governance.