U.S., EU Privacy Spat Might Shift to World Trade Organization

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Bryce Baschuk and Michael Scaturro

Jan. 28 — The World Trade Organization may become the next battleground in the debate over forced data localization rules and data flow restrictions, U.S. and European Union privacy analysts said during a Jan. 28 conference in Brussels.

In recent years U.S. companies have sought to include language in trade deals that permit the free flow of data across international borders and prohibit data localization requirements—which are national rules that force businesses to store consumer information within their borders.

Privacy-minded EU policy makers have resisted efforts to limit data localization, citing the revelations of expansive U.S. surveillance programs on European citizens as justification for imposing data transfer restrictions.

EU Parliament Member, Jan Philipp Albrecht said that Article 14 of the WTO's General Agreement on Trade in Services (GATS) is sufficient legal grounding to sanction data localization requirements and data transfer restrictions

“GATS 14 completely covers this exception for personal data — I would say that it is water tight, even,” Albrecht said at the Computers, Privacy and Data Protection conference in Brussels

Discriminatory Treatment

Article 14 of the GATS includes an exception that allows countries to impose regulations that protect “the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.”

U.S. privacy analysts counter that while GATS does provide an exemption for domestic privacy rules, the agreement does not permit trade-related data restrictions that unfairly discriminate against a particular nation.

Indeed, Article 14 specifically notes that privacy-related measures are exempt as long as they are not applied in a manner that would “constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade in services,” according to the text.

“GATS Article 14 allows for data protection, but the question is: Is the regulation discriminatory?” asked Cameron Kerry, a senior counsel at Sidley Austin LLP in Washington.

“Failing to apply the same standards to the United States—or failing to extend to the U.S. the same latitude to balance fundamental rights and safeguards—could violate national treatment,” said Kerry, the former general counsel and acting secretary of the U.S. Department of Commerce.

Impact on Cloud Computing

The debate comes amid heightened tensions between U.S. and EU policy makers who are negotiating an agreement to replace the invalidated U.S.-EU Safe Harbor framework that had previously guided the way U.S.-based companies—such as Google Inc., Facebook Inc. and Amazon.com Inc. —managed data generated by EU citizens.

In October 2015 the European Court of Justice struck down the U.S.-EU Safe Harbor program and found its provisions were not stringent enough to adequately protect the privacy of EU citizens in line with EU privacy standards.

Under the invalidated Safe Harbor program, U.S. companies were previously permitted to self-certify to the U.S. Department of Commerce their compliance with privacy principles similar to those found in the EU Data Protection Directive (95/46/EC).

The invalidation affected not only some 4,400 U.S. companies certified in the program but untold thousands of EU companies that relied on the certification to transfer personal data to those companies.

“GATS Article 14 is a being viewed as a nuclear option that is actually bringing people back to the bargaining table on privacy,” said Joseph Alhadeff, the vice president for global public policy and chief privacy officer at Oracle Corp.

“If you make us put a data center in every country, you can say goodbye to the cloud,” Alhadeff said.

Regional, Plurilateral Implications

The issue is expected to gain steam this year due to the proliferation of ambitious regional and plurilateral trade agreements that seek to include new rules to govern the explosion of digital commerce in the 21st century.

The recently concluded Trans-Pacific Partnership is considered a bellwether accord in the digital rights debate as it contains specific language to ensure cross-border data transfers and prohibit data localization laws among its 12 parties.

EU and U.S. negotiators involved with the Transatlantic Trade and Investment Partnership are weighing whether to include such provisions into their regional trade agreement.

The topic is also being considered among a subset of WTO members participating in the negotiations for a Trade in Services Agreement and could play into the discussion of any forthcoming plurilateral trade agreement on digital commerce.

To contact the reporter on this story: Bryce Baschuk in Geneva at correspondents@bna.com; Michael Scaturro in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Jerome Ashton at jashton@bna.com

Request Bloomberg Law Privacy and Data Security