Today, the Software & Information Industry Association (SIIA) and DIGITALEUROPE hosted a panel for Trade in Services Agreement (TISA) negotiators. The discussion focused on: “Cross-Border Data Flows and Compliance with National Data Protection Laws.”
The Brookings Institution, International Trade Commission, and the European Center for International Political Economy, among others, have made compelling economic arguments for cross-border data flows. SIIA and DIGITALEUROPE share that view. This is why we advocate for provisions in trade agreements such as TISA that would establish a general obligation to permit cross-border data flows, prohibit data localization, and allow exceptions based on the exceptions contained in the General Agreement on Trade in Services (GATS) Article XIV. The recently concluded Trans-Pacific Partnership (TPP) reportedly includes provisions along these lines (the text has not been released yet).
Today’s event focused on how countries can adopt binding data flow obligations, yet at the same time maintain distinct national privacy regimes. For instance, the European Union will keep its fundamental rights based privacy system, and the United States will maintain its sectoral framework, driven largely by a harm-based approach.
How can this be done?
The key is to construct mechanisms that allow for cross-border data flows. Those mechanisms permit companies to transfer data from one country to another as long as they comply with the law in the country from which the data was collected. Panelists discussed the U.S.-EU Safe Harbor Framework, the Asia Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR), the EU-APEC “referential,” Binding Corporate Rules (BCRs), and Model Contracts. See this resource paper for more information.
The big elephant in the room (although that elephant was thoroughly discussed) was of course the European Court of Justice (ECJ) October 6, 2015 ruling in the Schrems case. The judgment invalidated the 2000 U.S.-EU Safe Harbor Framework. Nonetheless, the European Commission noted in its October 6, 2015 statement on the case that “transatlantic data flows between companies can continue using other mechanisms for international transfers of personal data available under EU data protection law.” Panelists discussed those other mechanisms and speculated on what a renegotiated Safe Harbor Framework might look like.
Malcolm Crompton, former Australian Privacy Commissioner, noted that data is not sufficiently recognized for what it is: a valuable asset. He suggested that accounting standards bodies should recognize this. Crompton emphasized the need for countries to have privacy regimes that inspire confidence in individuals so that those individuals do not care where their data is stored. One way to do that, he suggested, was to consider Australian Privacy Principle 8, which establishes that the entity that collects data is liable no matter where the data is sent. Crompton also referred to the study: “East Meets West: striving for interoperable systems.” This piece suggests that European and APEC privacy rules are similar and that for safe cross-border data transfers to occur, and thereby instill confidence in individuals that their data is being handled appropriately, four conditions need to be met. First, countries have to have baseline levels of privacy protection. Second, the protections need to be expressed in law and policy. Third, accessible enforcement and redress mechanisms are required. Fourth, the system needs to be “tested” periodically.
Peter Olson, Vice President and Head of the Ericsson European Affairs Office in Brussels, framed the discussion by referring to an increasingly “networked society,” enabled by broadband, the cloud, and mobility. Ericsson manages networks involving one billion subscribers so data privacy compliance in the 180 countries in which Ericsson operates is crucial. The company uses the U.S.-EU Safe Harbor Framework (so far), BCRs, and Model Contracts. The firm is still evaluating the impact of the Schrems judgment. Olson highlighted three aspects of the current debate. First is the public’s confusion regarding how the government handles privacy and how companies manage privacy. Second is the fact that the “transfer of data does not imply circumvention of national law.” Third, there is room for improving efficiency in data flows without impacting national standards, for instance in the privacy space.
Joseph H. Alhadeff, Vice President of Global Public Policy for Oracle, emphasized that the concept of “balance” is not always appropriate in discussing cross-border data flows and compliance with national data protection laws. Instead, countries should seek to “optimize” trade and privacy. He suggested that when nations seek to achieve a privacy goal, there could be different ways to reach the same objective with different trade results. It would be best to choose the option that is least trade distorting. Alhadeff noted that the ECJ in the Schrems case invalidated the Safe Harbor finding, although it did not actually rule on the substance of Safe Harbor. While the judgement continues to permit the Commission to issue adequacy findings, it also permits DPAs to investigate and question the sufficiency of adequacy findings. However, it reserves solely to the Court the ability to invalidate such findings. Alhadeff pointed to APEC’s Privacy Recognition for Processors (PRP) annex where countries had succeeded in finding an “optimal” outcome by raising privacy levels and trade. How? The PRP facilitates the ability of Processors to show how their data management frameworks work, thereby making it easier for companies to contract with Processors and engage in cross-border data flows.
It was clear both in the informal conversations before and after the event, and the questions that were asked during the panel, that the trade negotiators are thinking hard about how to insert an Article XIV-style exception to eventual data flows provisions in TISA. A delegate from the EU asked whether an Article XIV-style provision in TISA should contain a national security exception. Alhadeff responded, “Conceptually, yes.” He recognized that countries have historically been reluctant to invoke national security exceptions when justifying policies or laws impacting trade for fear that many other countries would soon do the same. In the trade context, this was akin to using “the nuclear option.” So, the challenge is to find language that would allow countries to invoke national security exceptions when a country is genuinely motivated by national security but to dissuade countries from measures that are in reality rooted in industrial policy.
This well-attended event was a success from SIIA’s perspective because the panelists were able to engage in sophisticated, back-and-forth discussions with TISA negotiators on the interplay between trade and privacy. Alhadeff and Olson made it clear that while industry is not asking trade negotiators to become privacy professionals, there are ways to promote trade and comply with national privacy laws. The panelists presented options that exist for ensuring cross-border data flow interoperability while at the same time complying with national laws, including but not limited to, privacy. Hopefully, this will help energize discussions in TISA on data flow provisions fit for the 21st century.