The Commission's Proposed Horizontal Provisions for Cross-Border Data Flows and Personal Data Protection in EU Trade and Investment Agreements
On January 31, 2018, the European Commission (the “Commission”) endorsed horizontal clauses on cross-border data flows, data protection and privacy in trade and investment agreements (the "Proposal").1 These clauses, if agreed on by EU member states, will serve as the starting point for negotiations on provisions to be included in Free Trade Agreements ("FTAs") and Bilateral Investment Treaties ("BITs") between the European Union ("EU") and third countries.
This Proposal is important for international trade. The expansion of the digital economy involves a range of industries that increasingly rely on personal data to offer services and goods to their customers. In the digital economy, personal data are collected, stored and transferred across the globe. Personal data flows become a central factor of commercial exchanges. In this context, data protection and international trade are head and tail of the same coin for any cross-border activities.
The Proposal comes timely as a new EU privacy framework is entering into force in May 2018 and the EU is negotiating FTAs with various countries and groups, such as Indonesia, the Philippines and MERCOSUR, with negotiations being planned with Australia and New Zealand. A BIT is being negotiated between the EU and China. The Proposal suggests the inclusion of data provisions in those FTAs in order to ensure that EU companies can effectively operate in third-country markets without being subject to restrictions.
2. The Proposal
The Proposal prohibits restrictions imposed by governments on cross-border data flows resulting from:
- Requirements to use local computing facilities or networks;
- Data localization requirements;
- Prohibitions on storage of data in the territory of the other party to the FTA or BIT; and
- The conditioning of cross-border data flows on the use of local computing facilities or networks or through data localization requirements.2
At the same time, the Proposal contains a broad exemption for measures that each of the contracting parties deems "appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data." The Proposal further stipulates that "nothing […] shall affect the protection of personal data and privacy afforded by the Parties' respective safeguards." Thus, the Proposal foresees a self-judging exception from the obligations on the prohibition of data localization requirements. Finally, the proposed EU Investor Court System will not apply to these provisions; this means that investors cannot allege that their investment has been impaired as a result of newly imposed requirements or prohibitions in respect of data flows or localization requirements.
3. Reason for the Proposal: The Upcoming New EU Privacy Framework
The Proposal reflects core concepts of the EU General Data Protection Regulation ("GDPR"), which will enter into force in the EU on May 25, 2018. The GDPR aims to simplify the administrative process related to the protection of personal data in the EU and to enable cross-border data flows between EU member states while increasing the protection of EU data subjects.
The GDPR is a real game changer for e-commerce businesses and online stores. Those companies, by their nature, receive and process a vast amount of personal data and have cross-border activities. The GDPR expands the territorial reach of privacy rules, which will now apply to companies located outside of the EU when they handle EU personal data. In particular, the new regulation will apply to organizations established outside of the EU when they process personal data in connection with (a) the offering of goods or services to an individual in the EU and/or (b) the monitoring of the behavior of an individual in the EU.
The GDPR takes into account the global nature of the right to privacy and also ensures that, when EU personal data are transferred abroad, the protection travels with the data. On this basis, the EU regime on international data transfers provides a broad and varied toolkit to enable data flows while ensuring a high level of protection.
Under the GDPR, cross-border transfers outside the EU are, in principle, prohibited unless certain specific conditions are met. In this context, the Commission has the power to determine whether a third country ensures an adequate level of protection. For this purpose, the Commission assesses whether the third country's privacy regime is essentially equivalent to that of the EU. When assessing the adequacy of a third country's privacy regime, the Commission takes into account the third country's relevant data protection legislation, the existence and effective functioning of an independent supervisory authority with responsibility for enforcing compliance with the data protection rules, and the international commitments the third country has entered into in relation to the protection of personal data. The effect of such an "adequacy decision" is that personal data can flow from the EU to that third country without any further safeguard being necessary. In other words, transfers to the country in question will be assimilated to intra-EU transfers of data. As of today, the Commission has granted adequacy decisions to such countries as, inter alia, Andorra, Argentina, Canada, and the United States.
Taking into account the central role played by personal data in the global information society, increasingly the Commission negotiates trade agreements in parallel with considerations for granting adequacy decisions. This demonstrates that the Commission is not willing to give up on promoting a high level of data protection even though it recognizes that this goes hand in hand with the need to facilitate international trade.
4. Next Steps?
The horizontal clauses are framed by means of a letter. Therefore, there is uncertainty as to the exact legal status of the Proposal, including its legal basis. One could foresee that, if agreed upon by the EU member states, the Proposal could serve as a mandate for the Commission in FTA and BIT negotiations. Currently, the Proposal is the subject of discussions in the EU Council. It was last featured on the agenda of the March 7, 2018 meeting of the Working Party on Information Exchange and Data Protection.3
The response of the EU member states to the Proposal is as of yet unknown; however, initial industry reports indicate that EU IT services companies with operations in third countries consider that the broadly phrased exception could undermine the value of having such a prohibition on data localization requirements in the first place. Moreover, some believed that the prohibition is not worded strongly enough and should include such concepts and phrases as "non-discriminatory" and "not more trade restrictive than necessary."
In short, the content of the provisions in FTAs and BITs might still change from what is currently provided for in the Proposal.