Series
Blogs
Series
Blogs
International transfers of personal data may be living on borrowed time. The US Safe Harbor scheme was struck down by Schrems I (C‑362/14) and the latest iteration of that litigation, Schrems III, now imperils both its successor, the EU-U.S. Privacy Shield and the Standard Contractual Clauses.
The loss of these transfer mechanisms would create significant barriers to the transfer of personal data to the US and other third countries. We consider if these barriers are compatible with the EU’s WTO commitments and whether they could be challenged as a disguised restriction on trade in services.
International transfers of personal data
The General Data Protection Regulation contains a restriction on transferring personal data to third countries that do not provide an adequate level of protection. These provisions are similar to those under the earlier Data Protection Directive and are, in part, an anti-avoidance mechanism. They prevent strict European data protection laws from being circumvented by simply transferring that personal data to a third country.
These restrictions are not absolute. The European Commission can find a jurisdiction has “adequate” data protection laws. To date, only a handful of adequacy findings have been made and the European Commission will need to use its discretion when selecting future candidate countries carefully if it is to minimise the risk of the EU breaching its Most Favoured Nation obligations.
Transfers are also permitted if a transfer mechanism has been implemented or a derogation applies (such as where the relevant individual has consented to the transfer or the transfer is needed to perform a contract). The problem is that the derogations only apply narrowly, and the transfer mechanisms are under attack.
In Schrems I (C‑362/14), the Court of Justice struck down the US Safe Harbor. This has been followed by the pending Schrems III case in which the Irish Court has referred further questions to the CJEU. Those questions relate not just to the validity of the Standard Contractual Clauses but also the EU-U.S. Privacy Shield (see questions 9 & 10). The reference to the CJEU has also been made in the context of a very critical judgment by the Irish High Court on the privacy rights available to EU citizens under US law.
The loss of Standard Contractual Clauses and the EU-U.S. Privacy Shield would create very significant practical barriers to international transfers of personal data.
The impact of trade law
This starts to raise the question of the interaction between privacy and trade law. Any measure regulating the cross-border flow of personal data could have an effect on trade in services, for the simple reason that the transfer of personal data is an important element for the provision of many services, particularly cross-border services (“Mode 1”) and services supplied via consumption abroad (“Mode 2”).
A restriction on the cross-border transfer of personal data would, in many situations, violate national treatment commitments by providing less favourable treatment for foreign service suppliers. A prohibition would also violate market access commitments in respect of any service that necessarily depends on the data transfer, such that prohibiting data transfers is tantamount to a prohibition on supplying the service (following the reasoning of the panel on “integrated services” in China – Electronic Payment Systems (WT/DS413/R)).
As the EU has made unlimited national treatment commitments for Modes 1 and 2 for a number of relevant services – including data base services and data processing services – there is a prima facie question whether the General Data Protection Regulation is inconsistent with the EU’s legal obligations to other WTO Members.
Is data protection exempt from trade law considerations?
Of course, within the EU the protection of personal data is a fundamental right under Article 8 of the EU Charter of Fundamental Rights and the EU could argue that General Data Protection Regulation falls squarely within the privacy exception in Article XIV(c) GATS, which permits measures:
“necessary to secure compliance with laws or regulations… relating to the protection of the privacy of individuals in relation to the processing and dissemination of personal data.”
However, there may be greater room for debate over whether the General Data Protection Regulation would meet the two-pronged chapeau test:
1. Does it objectively constitute arbitrary or unjustifiable discrimination between countries where like conditions prevail?
2. Might it be a disguised restriction on trade in services?
These two tests raise all kinds of interesting issues. One example concerns government surveillance. Under the General Data Protection Regulation, transfers of personal data across national borders within the EEA are permitted, regardless of whether and how the government in the recipient state can access that data in the name of national security (although those national security measures may not escape EU law entirely, see Privacy International (IPT_15_110_CH)). In contrast, the General Data Protection Regulation expressly requires the European Commission to take government surveillance into account when deciding whether to make an adequacy determination for a third country.
This is de jure discrimination, and it could be difficult to justify, especially given that other mechanisms under the General Data Protection Regulation for transferring personal data to third countries (such as using Standard Contractual Clauses) also do not address concerns about government surveillance.
As data becomes more important to the global economy, and Schrems III raises the stakes for international data transfers, a collision between privacy and trade law becomes ever more likely.
Written by Samuel Coldicutt and Nivedita Sen, PhD candidate at the Graduate Institute of International and Development Studies in Geneva.