Pacific Trade Pact Covers Data Transfer, Localization

By Donald Aplin

Nov. 5 — Provisions encouraging the free cross-border flow of personal information used for business and restricting the ability of countries to demand local storage of information are included in the text of the Trans-Pacific Partnership (TPP) trade agreement, made public for the first time Nov. 5.

The Electronic Commerce chapter of the text, to a great extent, shows a commitment by the signatory countries—Australia, Brunei Darussalam, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, the U.S. and Vietnam—to expand their cooperation on data transfer and data localization issues, but leaves hard decisions about any conflicts of data protection laws for later resolution.

“They have basically punted privacy down the road,” Jonathan T. Stoelm, a partner at Hogan Lovells LLP in Washington in the firm's International Trade and Investment and International Arbitration practices, told Bloomberg BNA.

Everyone agrees that privacy is important but that there needs to be a balance with the free flow of data in a digital economy, he said. The agreement doesn't effectively address how the balance should be set, Stoelm said.

On the positive side, no large scale trade agreements before this one have even tried to deal with cross-border data flows and interoperability, he said.

The TPP must still be ratified by the 12 Pacific Rim nations that negotiated the landmark deal. There has been some push-back in Congress to the agreement, which is strongly supported by the Obama administration. If finalized, the largest ever regional trade agreement will affect almost 40 percent of the global economy.

Data Transfers 

The Electronic Commerce chapter states that the party countries “shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business,” but also recognizes the economic and social benefits of protecting personal information and requires each signatory country to protect the personal information of consumers engaged in e-commerce.

Under the agreement, countries with their own data protection laws must provide consumers with information on mechanisms of redress regarding the use of their personal information and provide companies with information on what they need to do to comply with the laws.

The agreement obligates signatory countries to work together to find ways to allow cross-border data flows while respecting differences in how countries provide protections for personal information. A party country would be able to stay in compliance with the TPP so long as its data transfer law serves a “legitimate public policy objective.”

Stephen Ezell, vice president of global innovation policy at the Information Technology and Innovation Foundation in Washington, told Bloomberg BNA that the text is “underwhelming.”

The exemption doesn't provide a definition for a legitimate public policy objective, so any law a country declares as an important public policy could remain in place, he said. “You could drive a truck through that.”

Ezell said he doesn't believe this exemption will be widely used because many of the TPP partner countries won't want to appear as if they're sidestepping the agreement. “At the end of the day, I don't think the TPP will prevent anyone from making a policy they want, but I do think they're going to want to appear to be good partners,” Ezell said.

Hogan Lovells' Stoelm echoed those comments, saying that the TPP language doesn't define what the exemption means, so it “basically allows privacy laws to restrict cross-border flows without limitation.”

Data Localization

On the issue of data localization—countries requiring businesses to store information within their borders—the Electronic Commerce chapter of the TPP would prohibit requiring the use or location “of computing facilities in that Party’s territory as a condition for conducting business in that territory.” But the text also states that the signatories “recognise that each Party may have its own regulatory requirements regarding the use of computing facilities, including requirements that seek to ensure the security and confidentiality of communications.”

According to the International Trade Commission, five TPP member countries—Australia, Brunei, Canada, Malaysia and Vietnam—have some kind of data-localization law.

Vietnam requires local companies to use only Web search companies, data centers and cloud computing service providers located inside the country.

Australia requires that some types of health data be stored locally and Canada has laws that restrict the use of data centers outside the country to store personal data collected by the government.

Avoiding data localization and instead ensuring free flows of data across countries is important for a digital economy, Daniel Sepulveda, deputy assistant secretary of state and U.S. coordinator for international communications and information policy at the U.S. State Department, said at a Geneva press conference in response to a question from Bloomberg BNA.

The TPP countries' “clear rejection” of data localization, despite differences in approaches across the signatories, is significant, he said.

Jeremy Malcolm, senior global policy analyst for the Electronic Frontier Foundation, told Bloomberg BNA that “on the surface the provision on data localization seems balanced, since it does contain the flexibility of allowing a party to require localization to further a ‘legitimate public policy objective,’ which we would argue includes security and data protection reasons.” But “nothing in the TPP is as clear as it seems,” he said.

The newly released text of the TPP investment chapter “allows a company to sue a country if it believes that its rights have been infringed by domestic laws. Because the private ‘courts’ that determine these disputes are investor-friendly, this risks allowing investors to override democratically-passed laws that were made in the public interest,” Malcolm said. In addition, “the United States reserves the right to ‘certify’ that other countries have implemented the TPP in a manner that accords with the U.S. interpretation of their obligations.”

Those two things mean “that the apparent flexibility of the data localization provision isn't all that it seems. We might therefore find that provision being misused by foreign companies wishing to gain access to personal data of another country's citizens,” he said.

Spam 

The Electronic Commerce chapter would require signatories to adopt or maintain measures to prevent unsolicited marketing e-mails, or spam.

These measures would require: suppliers to facilitate a way for Internet users to stop receiving unsolicited messages; and recipient consent to receive such messages. Signatories would also have to provide recourse against suppliers who fail to comply with these measures.

Brunei is the only TPP signatory without an anti-spam law.

Trade Secrets, Hacking 

Bloomberg News notes that China isn't a signatory to the deal, but the pact focuses on a major point of friction between the world’s two biggest economies by requiring the participating countries to outlaw theft of trade secrets, explicitly including thefts through computer hacking.

After massive breaches of commercial and government databases in recent years, U.S. trade officials say they hope the rules won't only deter hacking from within the 12 TPP countries, but also set an international precedent that becomes a norm in agreements with other nations, eventually including China.

Whois

The Intellectual Property chapter of the agreement would obligate country-code top-level domain operators to maintain publicly available Whois registrant data. All of the signatories already have Whois processes in place. Because some are in the early stages of the effort, the inclusion in the TPP is seen as a way to ensure that no country backtracks from its commitment.

The TPP would obligate participating countries to require online public access to contact information about domain name registrants, subject to local privacy law and relevant administrative privacy policies.

Parties to the TPP also would have to ensure that copyright holders are able to get access from Internet service providers to the identity of alleged copyright infringers but only when “consistent with principles of due process and privacy.”

With assistance from Bryce Baschuk in Geneva; and Angela Greiling Keane, Mike Dorning, Joseph Wright, Alex Ruoff and Alexis Kramer in Washington

To contact the reporter on this story: Donald G. Aplin in Washington at daplin@bna.com

To contact the editor responsible for this story: Jimmy H. Koo at jkoo@bna.com