The EU and Japan have announced the conclusion of the final discussions on a trade agreement, the EU-Japan Economic Partnership Agreement (EPA).
Regarding cross-border data flows and data protection, the European Commission’s press release states that recent reforms of their respective privacy legislation offer new opportunities to facilitate data exchanges, including through a simultaneous finding of an adequate level of protection by both sides.
But this is not the full story. Besides the possibility to adopt adequacy decisions, the EPA contains explicit data flow commitments in the financial section, implicit data flow commitments in the services chapter, and a review clause. Especially the implicit data flow commitments do not seem compatible with the fundamental right to the protection of personal data.
In addition, a form of investor-to-state dispute settlement (ISDS/ICS) may be added later. All published trade agreement texts are subject to legal scrubbing (adjustment by legal services).
Allowing cross-border data flows through an adequacy decision is, in principle, the correct way to approach this issue. Such decisions are EU decisions (from the EU point of view). If data protection in Japan deteriorates, or if the EU rejects mass surveillance in Japan, the EU can revoke the adequacy status – in principle.
The approach may not work out in practice. It remains to be seen whether the European Commission would really revoke the adequacy status. But should the EU award Japan adequacy status? Graham Greenleaf argues that Japan has serious issues to overcome: a weak personal information definition; a carve-out for “anonymously processed information”; a cross-border privacy rules back-door for onward transfers to the US; no record of enforcement; trivial or missing remedies; carve-outs for big data; carve out for de-identification. (Update: article)
Will the EU take an independent adequacy decision? Take this formulation in the press release:
“This offers new opportunities to facilitate data exchanges, including through a simultaneous finding of an adequate level of protection by both sides.”
The formulation “simultaneous finding of an adequate level” suggests a negotiated compromise where fundamental rights are traded against economic rights.
Implicit cross-border data flow commitments
Many people overlook implicit data flow commitments. Chapter 8 Section C Cross-Border Trade in Services, contains National treatment and Most-favoured-nation treatment clauses.
Cross-border services imply cross-border data flows. (1) We find a safeguard in Section G Exceptions, Article X1 General exceptions, paragraph 2. It is a GATS article XIV kind of exception with many conditions. Such safeguards are insufficient, see Kristina Irion, Svetlana Yakovleva, and Marija Bartl.
The implicit cross-border data flow commitments do not have sufficient safeguards. This is not compatible with the EU Fundamental rights framework.
Explicit data flow commitment
Chapter 8 Section E Sub-section 5 Financial Services, article 6, Transfers of Information and Processing of Information, contains a cross-border data transfer commitment regarding financial data. Paragraph 2 contains a safeguard:
“2. Nothing in paragraph 1 restricts the right of a Party to protect personal data, personal privacy and the confidentiality of individual records and accounts so long as such right is not used to circumvent the provisions of this Article.”
The strength of the exception is limited by a condition (“so long as …”). (2) The safeguard seems stronger than the one used in the financial sections in the agreements with Korea, Singapore, Vietnam and Ukraine. It is also stronger than the general exception in Section G Exceptions, mentioned above. The safeguard is based on the 1994 Understanding on Commitments in Financial Services (article B. 8).
“The formulation used in CETA is likely more prudent compared to the language proposed in the Agreement with Japan. From the outset, it lays down a better division of labor between trade law and domestic data protection law. Given that the EU trade negotiators tend to work on blueprints of their earlier agreements reverting to the language of the 1994 Understanding on Financial Services and the text of the earlier EU – Singapore Free Trade Agreement 16 would mean a regressive development for the safeguards on data privacy.” (3)
It would seem that it is open to debate which one is stronger, as the formulation in the EU-Canada CETA has weaknesses as well. More importantly, neither safeguards respects the European Parliament demands for TTIP and TiSA. (4)
The draft EPA contains a review clause. Chapter 8 Section F Electronic Commerce Article 12 Free Flow of Data reads:
“The Parties shall reassess the need for inclusion of an article on the free flow of data within three years of the entry into force of this Agreement.”
There is a lot of discussion on free flow of data commitments – while the draft EPA already contains (often overlooked) implicit data flow commitments. The review clause may act as a distraction.
The Commission’s press release notes that negotiations continue on investment protection standards and investment protection dispute resolution. Adding ISDS/ICS or an investment court could have a negative impact on data protection. See here and here.
After writing the first version of this blog, someone alerted me to this analysis, from October 2017: Marija Bartl and Kristina Irion, The Japan EU Economic Partnership Agreement: Flows of Personal Data to the Land of the Rising Sun. Recommended reading.
This article was originally published at https://blog.ffii.org/eu-japan-trade-agreement-not-compatible-with-eu-data-protection/
(Contribution by Ante Wessels, EDRi member Vrijschrift, the Netherlands)
(1) See page 1 (after the Roman numerals) Kristina Irion, Svetlana Yakovleva, and Marija Bartl.
(2) See, in general, without, for now, the part on ISDS, here.
(3) Note there is an important difference between the 1994 Understanding and the EU-Singapore FTA texts. Singapore, 8.54 (2): “Each Party shall, adopt or maintain appropriate safeguards to protect privacy and personal data, including individual records and accounts, as long as these safeguards is not used to circumvent the provisions of this Agreement.” 1994 Understanding, article B.8: “(…) Nothing in this paragraph restricts the right of a Member to protect personal data, personal privacy and the confidentiality of individual records and accounts so long as such right is not used to circumvent the provisions of the Agreement.” The first is a commitment, the second an exception to a commitment.
(4) TTIP 2 (b) (xii); TiSA 1 (c) (iii) reads: “(…) to incorporate a comprehensive, unambiguous, horizontal, self-standing and legally binding provision based on GATS Article XIV which fully exempts the existing and future EU legal framework for the protection of personal data from the scope of this agreement, without any conditions that it must be consistent with other parts of the TiSA; (…)” The articles in the agreements are not unambiguous, and do not fully exempt (…) from the scope of the agreement.