Today, the EU and Japan announced political agreement in principle on an Economic Partnership Agreement. Overall, this should be a positive development for EU and Japanese workers, consumers, and businesses. But, it does fall short in one crucial regard. There is no binding data flow obligation yet. SIIA put out a statement on this gap today. Instead of a binding data flow commitment now, the two sides agreed to conclude an accord on data flows in early 2018.
Given the widely recognized current and future economic importance of data flows for goods and services trade, it is not logical to exclude data flows. To mention just one widely cited study, McKinsey estimated that data flows in 2014 increased global GDP by $2.8 trillion. Yes methodologies in studies can always be questioned, but there is an overwhelming consensus on the economic importance of cross-border data flows.
Prime Minister Shinzo Abe and European Commission President Claude Juncker declared that the EU’s General Data Protection Regulation (GDPR) and Japan’s Act on the Protection of Personal Information (APPI) “have further increased the convergence between their two systems, which rest notably on an overarching privacy law, a core set of individual rights and enforcement by independent supervisory authorities.” Given this stated legal convergence, the EU and Japan seek to facilitate data exchanges, including possibly through a “simultaneous finding of an adequate level of protection by both sides.”
The suggestion that cross-border data flows should somehow be conditioned upon countries adopting “overarching privacy law” is misplaced because not all countries will adopt such laws. This does not necessarily mean that those countries do not protect personal information. The analysis of a country’s respect for personal information should be based on the totality of law affecting personal information in that country, not just on whether there is an “overarching privacy law.” And, there should be a recognition of actual enforcement, not just potential enforcement, afforded by the law.
SIIA’s view is obviously informed by the fact that while the United States does not have an overarching privacy law, important personal data such as health, financial, children, student, and other data are protected in the United States. The U.S. Federal Trade Commission uses its authority to protect consumers from unfair and deceptive acts and practices to enforce baseline privacy rules. Moreover, there is robust enforcement of privacy law in the United States with numerous cases and fines.
This is why SIIA is an advocate of interoperability mechanisms such as the EU-U.S. Privacy Shield, model contracts, binding corporate rules, the APEC Cross-Border Privacy Rules system, etc. Such mechanisms allow data to flow from one country to another while at the same time respecting national privacy laws. The EU-Japan Economic Partnership Agreement could include an immediate binding cross-border data flow commitment that allows for such interoperability mechanisms, while at the same time safeguarding the EU’s data protection rules.
So, the EU-Japan Economic Partnership Agreement is a disappointment from a cross-border data flows perspective. The EU and Japan could have come to an agreement now on this important subject.
Going forward, it will be important for the two sides to agree on a data flow obligation that includes exceptions based on standard trade exceptions rules found in provisions such as the General Agreement on Trade in Services (GATS) Article 14. Exceptions based on an EU “concept paper” leaked this spring would reduce the obligation’s effect. SIIA encourages the parties to reach a robust data flow agreement in the time frame set out in its new economic partnership agreement.