After the “Privacy shield” was adopted on 12 July 2016, the European Commission started internal discussions about whether or not to include “data flows” and “data localisation” clauses in Transatlantic Trade and Investment Partnership (TTIP) and in the Trade in Services Agreement (TiSA). It appears that the European Commission Directorate-General for Justice and Consumers (DG Justice) initially accepted the inclusion of clauses on forced, unjustified “data localisation”, but not on transfers of data. However, according to EurActiv, DG Justice has backed down and accepted a weakening of its position on data protection and privacy in order to placate industry, after a campaign based on dubious assertions and backed up by the US government.
Now, the European Commission President Jean-Claude Juncker and the Vice-President Frans Timmermans seem to be prepared to defend core principles of EU law and the rights of EU citizens. They are allegedly blocking the “compromise” to water down protections because “the deal might poke holes in the EU data protection rules that are set to go into effect in 2018”. Weakening privacy and data protection of European citizens through the inclusion of “data flows” in trade agreements has global corporate sponsorship. The EU should resist. There are three main reasons for this:
1. Data flows must not be part of trade agreements
Trade negotiations are not suitable for shaping rules affecting the fundamental rights to privacy and data protection. If the EU was unable to ensure protections of fundamental rights in the Privacy Shield (see here, here and here), on what basis could it think that trade agreements would achieve a better result? Is the apparently ideological rush to include “data flows” in trade agreements worth the risk of making a dubious compromise that would put the whole agreement in doubt?
Data transfers are and can be ensured in other legal fora. Personal data flows are ensured in the EU legal framework by several mechanisms, such as binding corporate rules, modal clauses, adequacy decisions or special arrangements, of which the EU-US Privacy Shield is an example, albeit not a stellar one. The General Data Protection Regulation (GDPR) even provides more alternatives to transfer data of EU citizens abroad, such as self-certification. In addition, the European Commission is expected to issue a “Free flow of data initiative”, apparently only for commercial data.
2. Including data flows in trade agreements like TTIP or TiSA would have huge implications
On 13 July 2016, the University of Amsterdam issued an independent study that EDRi, BEUC, TACD and CDD commissioned in order to ascertain whether fears with regard to both privacy and data protection in trade agreements were founded. The study concluded the risks are real, and a great deal of effort needs to be put into making trade agreements data protection- and privacy-proof. This is our take:
Unless parties want to change their legal framework to truly protect human rights online, trade agreements’ vague commitments to protect data protection and privacy will be meaningless in practice.
Exceptions and safeguards protecting personal data and privacy are being suggested as a means to address the concerns about fundamental rights. However, these clauses can only be activated if certain conditions are complied with, such as:
- that privacy and data protection measures cannot be inconsistent with other obligations of the agreement. Would the EU legal measures on data protection be inconsistent with the obligation to ensure “a free flow of data”? According to the lobby group CCIA, the response could well be “yes” (cf. “Europe might want to consider whether its 20th century localised data protection framework is well suited in the 21st century interconnected digital world”). To guard against such extreme positions, the European Parliament asked the Commission not to include such conditionality; or
- that privacy and data protection measures should take “international standards” into consideration. As the EU is a standard setter in privacy and data protection, this creates the risk of a race to the bottom and could prevent other countries from adopting measures which defend privacy and data protection as much as (or more than) the EU.
Even if trade agreements had strong exceptions and safeguards, they could be undermined by:
- trade dispute settlement mechanisms of trade agreements, as the Charter of Fundamental Rights will obviously not be considered; and by
- national security exceptions. Trade agreements contain exceptions on “essential security interests” that establish that nothing in the trade agreement shall prevent any Party to the agreement from adopting measures to protect “essential security interests”. This means that if a party to the agreement wanted to conduct mass surveillance, for example, the trade deal would not ensure the protection of the privacy and personal information of individuals. This is very worrisome, as the Snowden revelations and other scandals have shown. The European Parliament has warned the Commission that their consent to TTIP could be endangered if “US blanket mass surveillance activities are not completely abandoned”.
Conditions, suspensions or prohibitions of transfers of EU citizens’ personal data outside the EU must be possible if fundamental rights are violated or circumvented, as the European Parliament has proposed to the Commission. This position is absent from all of the clauses seen in current trade proposals. In fact, the EU is currently negotiating on trade agreements whose drafts include provisions on data protection that are fundamentally broken. The existence, application or enforcement of the laws adopted by the Parties to a trade agreement relating to their fundamental rights requirements must not be considered as a violation of any trade agreement.
3. Blackmail tactics of industry lobbyists
The hollow-sounding and specious arguments that the “global tech sector” use, such as that they take “the fundamental right to privacy very seriously”; and that without data flows (as if they would suddenly, mysteriously, stop), no trade agreements will be or can be concluded; or that the EU could be perceived as “data protectionist” are far from credible. Even some industry actors (e.g. eBay) had admitted to the Commission that the inclusion of data flows are not a priority for them because they rely on binding corporate rules to transfer data from EU citizens.
Having lobbied unsuccessfully against the General Data Protection Regulation (GDPR), having successfully lobbied for a flawed, inevitably temporary “Privacy Shield”, having incomprehensibly asked the Commission to repeal the e-Privacy Directive, it is understandable that industry lobbyists, backed by the US government want to:
- ensure there are legal means available to challenge privacy and data protection measures, with the weak excuse that fundamental rights are barriers to trade;
- prevent other countries to adopt high standards on data protection and privacy; and
- make sure whatever protections on privacy and personal data are contingent on a nebulous and unpredictable understanding of “necessity” and “proportionality” in trade agreements, whereby fundamental rights will always be deprioritised compared with trade concerns.
It is also understandable that after hearing that the Commission was opposing to include data flows, they increased their lobbying and resorted to “independent” “think tanks” like ECIPE to multiply their message.
The European Commission should do better. As Evgeny Morozof argues, when policy is dictated by corporations, the protection of your privacy starts being seen as a barrier to economic growth. By defending the protection of privacy and personal information of all, the EU will gain influence and credibility. Data protection and privacy are not barriers to trade. Quite the opposite, privacy is an asset of economic growth; it’s a business opportunity to regain trust. Making void assurances and general statements that are not reflected in the actual text of the agreements would not be enough. The European Parliament has strongly reiterated this approach and even asked the Commission to “immediately and formally oppose the US proposals on movement of information”.
This is exactly what the EU should do.