Digital: Protecting policy space in data flow rules - some ideas
At the end of my previous post, I suggested that after three years it would have been nice to see some concrete proposals from the United States Trade Representative on what the US government wants on digital trade rules, instead of just the pullback from the data flows, data localisation and source code rules that we saw last year.
That pullback was driven by a desire to protect “policy space”, so I thought in this post I’d sketch out some ideas (not all of them mine!) on how US policy sensitivities could have been addressed instead of abandoning the rules altogether. I’ll focus on just the data rules to keep this relatively brief.
Existing “policy space” protections in the data rules
Before thinking about new proposals, it’s important to note that the existing data rules already contain exceptions and carve-outs to safeguard regulatory interests.
Contrary to what Senator Warren said in the recent USTR Finance Committee hearing, these rules do not provide “blanket protections” to data flows, nor do they require “free data flows in all situations”.1
Instead, usually these rules are subject to some or all of:
Scope carve-outs: including of government procurement and government information (see e.g. the US-Japan DTA, Art 2; USMCA, Art 19.2; CPTPP, Art 14.2), and in the European Union’s agreements also of the gambling, broadcasting, and audio-visual sectors (see e.g. EU-Japan Digital Trade Protocol, Art 8.70(5); EU-New Zealand FTA, Art 12.1(2)(a));
Public policy exceptions: for measures necessary to achieve a “legitimate public policy objective”, subject to tests for arbitrary or unjustifiable discrimination and disguised restrictions on trade (see e.g. the US-Japan DTA, Art 11(2), USMCA; Art 19.11(2); CPTPP, Art 14.11(3));
The WTO General Exceptions: for measures necessary to protect public morals or maintain public order; protect human, animal or plant life or health; and secure compliance with laws and regulations (see e.g. the US-Japan DTA, Art 3; USMCA, Art 32.1(2); CPTPP, Art 29.1);
Security exceptions: including of the broad, “self-judging” nature (see e.g. the US-Japan DTA, Art 4; USMCA, Art 32.2; CPTPP, Art 29.2); and
Exceptions for certain scheduled measures that do not conform with specific Services or Investment Chapter obligations (see e.g. CPTPP, Art 14.2(6); RCEP, Art 12.3(4)).
It may be that the right mix of the above protections could be enough to protect the policy space the US is worried about. Indeed the EU has found a way to agree to versions of the data rules and still keep its GDPR regime, suggesting there is a way to make the rules work with strong privacy protections at least.
What more could be done?
No rule is perfect of course2 and greater certainty and clarity is always a good thing. Depending on precisely what policy space issues the US is most concerned about, here are a few options that could help accommodate them.
The scope of the data flow obligation
First - as Lori Wallach (from Rethink Trade) has flagged, perhaps the concern is with the breadth of the data flow rule, as it applies to data transfers to any country in the world (by ‘covered persons’), not just to data flows between the parties to the relevant agreement. USMCA’s Article 19.11 reads:
1. No Party shall prohibit or restrict the cross-border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business of a covered person.
“Cross-border transfer of information” isn’t typically defined, unlike terms such as “cross-border trade in services” (which is defined as just covering supplies of services between the parties to the agreement). Given that a covered person’s business could involve data centers or facilities in non-parties, the argument would be that therefore this rule would also apply to transfers to those non-parties.
This wouldn’t give the non-party any right to enforce or complain about a breach of this rule (only the party to the agreement could do that). So perhaps this is not a substantive risk or concern in reality.
However, to the extent it is, the EU-New Zealand approach has a straightforward fix. It explicitly limits the rule to transfers that take place between the Parties:
2. To that end, a Party shall not restrict cross-border data flows taking place between the Parties in the context of an activity that is within the scope of this Chapter, by: […]
Shell companies and circumvention
Second (and relatedly) - the current rules generally don’t have any explicit denial of benefits provisions of the kind found in Services and Investment Chapters (e.g. GATS, Art XXVII; CPTPP, Art 9.15). These provisions provide additional comfort that where an entity is just a shell company or is making use of a protection to circumvent measures that restrict trade with a non-party, the parties to the agreement are not required to apply the protection for that entity.
For example, CPTPP’s investment Denial of Benefits Article reads:
Article 9.15: Denial of Benefits
1. A Party may deny the benefits of this Chapter to an investor of another Party that is an enterprise of that other Party and to investments of that investor if the enterprise:
(a) is owned or controlled by a person of a non-Party or of the denying Party; and
(b) has no substantial business activities in the territory of any Party other than the denying Party.
2. A Party may deny the benefits of this Chapter to an investor of another Party that is an enterprise of that other Party and to investments of that investor if persons of a non-Party own or control the enterprise and the denying Party adopts or maintains measures with respect to the non-Party or a person of the non-Party that prohibit transactions with the enterprise or that would be violated or circumvented if the benefits of this Chapter were accorded to the enterprise or to its investments.
In the case of data rules, perhaps much of these concerns would be covered by the public policy exceptions. However, with some amendments, similar language to the above could be used to provide extra and more explicit comfort at least in relation to (a) shell companies controlled by a non-party entity; and (b) transfers that would result in a breach of other measures restricting data flows to a non-party.
Better public policy exceptions
Third - USTR Tai has said that the current exceptions to the data rules make USTR “extremely nervous” when considering how to defend certain measures being considered by Congress.
Simon Lester has offered some useful proposals on how the legitimate public policy objective exception could be improved - by loosening the requirements for its use (by dropping the necessity test) and clarifying what it covers (by providing a non-exhaustive list of examples of legitimate public policy objectives):
Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with the obligations above to achieve a legitimate public policy objective (including the protection of personal data or privacy, public security, public morals, human, animal or plant life or health, the maintenance of public order, or other similar objectives of public interest), provided that the measure is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail.
This seems like a sensible place to start. If there are more specific policy issues of concern, specific exceptions on those areas can be added (such as the one for privacy in Article 12.5 of the EU-New Zealand Digital Trade Chapter), or indeed additional carve-outs from the Scope of the Chapter or the data rules.
Rethinking enforcement
Finally - if there is heightened sensitivity around the data rules and the potential for technological changes to require new regulations that might breach these rules, then taking a different approach to dispute settlement and enforcement might provide some comfort.
Some options include:
Disapplying dispute settlement for a transitional period to allow the parties time to understand and implement their obligations (see e.g. RCEP, Art 12.17) (this is something Simon also suggested).
Putting in place a consultation or mediation process, such as a process involving the agreement’s committee structure and/or potentially a mediator, to help resolve issues in implementation (including potentially with the power to suggest amendments to the rules).
Perhaps considering a streamlined ‘advisory opinion’ system to enable parties to arrange for independent adjudication of differences in their reading and implementation of rules.
More radically, an emergency safeguard mechanism that forces a discussion/negotiation regarding the rules where a party identifies that unforeseen technological developments make the rules no longer fit for purpose.
I’d suggest that to maximise the value of any transitional period without dispute settlement this should be accompanied by fulsome notification requirements (i.e. so the parties are aware of what regulations are being put in place and better understand potential issues with the data rules). A specific review of the rules prior to dispute settlement beginning to apply would also be useful to enable any lessons from the transition period to be implemented through amendments to the rules.
I’m not suggesting that all of the above are great ideas in themselves or are even necessary to ‘fix’ the data rules. However, they show that there are proposals and ideas out there that USTR could have been drawing on and working with over the last three years to set out a more positive vision for digital trade. This would have been far preferable than its ‘pullback’, which will only serve to set back efforts to find appropriate forms of these rules and encourage increased data protectionism.
Senator Warren’s comments included the following: “Now Big Tech is running this play and one of the demands is blanket protections for the quote “free flow of data”, which they want to guarantee big tech companies' right to sell Americans personal information anywhere in the world. In other words, Big Tech wants to keep auctioning off your data to the highest bidder even when that means that your data makes it to the Chinese or Russian government. … So now Big Tech is making the same claim that if we will just let Big Tech sell off our data wherever they want, China will become a more open democratic country. You know, President Biden has not been fooled by this. In February, he issued an executive order to prevent Big Tech companies from transferring huge swaths of Americans' financial, health, and other data to China and other countries of concern. Ambassador Tai, how would the President's Data Security Executive Order square with Big Tech demand for free data flows in all situations? And let me just ask, is this why you rejected Big Tech demands so that the US government can take actions like the President's order to protect Americans' data from adversaries?”
Simon Lester has previously had some valid critiques of existing drafting of digital trade rules.