Digital Trade Agreements | EU GDPR and WTO Necessity Test
Since 2018, Gonghaojun has provided technical support for negotiations on digital trade agreements. I am glad to see that on September 16, China officially applied to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). At the same time, however, some CPTPP member states have questioned whether China’s rules on cross-border data transfers and data localization can meet the disciplines of the relevant CPTPP provisions. Answering this question is a systematic undertaking. Gonghaojun will share some research materials produced while providing technical support that were not used in the official report.
An important question for whether China can successfully join the CPTPP is whether the word “required” in Articles 14.11 and 14.13 of the CPTPP adopts the “necessity test” of WTO case law. It is well known that the threshold of the “necessity test” is particularly high, and in existing cases few domestic measures of State parties have been able to pass it.
If the “required” in the CPTPP is equivalent to the “necessity test”, it will not be easy for China. But at present, apart from the negotiating experts of CPTPP member states saying that the CPTPP intends to distance itself from the WTO, do we have any other assurance?
Therefore, this first article focuses on whether the EU’s GDPR could pass the WTO’s necessity test. Preliminary analysis shows that the EU itself does not believe the GDPR would pass the necessity test.
But why focus on the EU? The EU will not join the CPTPP, so how does studying the EU help China join? Because the United Kingdom is currently negotiating its accession to the CPTPP, and Japan is full of confidence in the UK’s participation (while expressing serious doubts about China). The UK has incorporated the GDPR into its domestic legislation and has received an adequacy determination from the European Commission. If the UK is eventually able to join the CPTPP, that will directly show that the word “required” in Articles 14.11 and 14.13 of the CPTPP does not apply the necessity test of WTO case law. Admittedly this research path is something of a detour, but there is no better option.
As far as cross-border data flows and the localization of computing facilities are concerned, the EU has never accepted texts similar to Articles 14.11 and 14.13 of the CPTPP in its bilateral or multilateral free trade agreements. The prevailing view is that the main reason is the EU’s concern over whether its own GDPR could pass the GATS general exception. This annex presents a thematic study of that subject.
1. Overview of the GDPR’s control mechanisms for cross-border data flows
1. Basic requirements
Article 44 of the GDPR sets out the basic principle for cross-border transfers of personal data from the EU: in the case of a cross-border transfer, the level of protection for personal data guaranteed by the GDPR must not be “undermined”. In other words, the level of protection afforded by the GDPR should travel with the personal data. According to the logic of the GDPR, the protection of personal data is a fundamental right. Therefore, the main purpose of protecting personal data in cross-border scenarios is to protect the legitimate rights and interests of individuals even after the data has left the EU. The Court of Justice of the European Union has developed this requirement in its case law into the principle of “essential equivalence”: the law of the receiving country need not be identical to the GDPR, but must provide an “essentially equivalent” level of protection.
2. Specific measures
From the GDPR’s perspective, three main things change when data leaves the EU compared with domestic data flows: first, the applicable laws and regulations are different once the data has left; third, the channels through which data subjects can defend their legitimate rights and interests become fewer and harder to use. Accordingly, the design of the GDPR’s cross-border transfer system is mainly aimed at solving these three problems. In terms of specific system design, Chapter 5 of the GDPR provides a rich set of cross-border transfer mechanisms. Since mechanisms such as certification and codes of conduct have not yet been formally put into operation, this section focuses on three mechanisms: standard contractual clauses, binding corporate rules and adequacy determinations.
Under the GDPR, standard contractual clauses (SCCs) are contract templates adopted by the European Commission or supervisory authorities for business-to-business transfers of EU residents’ personal data outside the EU. SCCs fix, by contract, the level of protection that applies to the data after it leaves the EU. At the same time, the SCCs introduce an accountability system: through the allocation of legal responsibility, the EU-based data exporter is clearly designated as the primary accountable party, which makes it convenient for EU supervisory authorities to enforce. The EU-based party can of course in turn pursue the overseas party under the contract. In addition, the SCCs grant data subjects certain specific rights under the contract.
Binding corporate rules (BCRs), mainly applicable to multinational companies and corporate groups, also address the same three aspects. A multinational company or group can formulate personal data protection rules that govern cross-border transfers between its member entities. If the EU recognizes the level of data protection provided by the BCRs, transfers within the group can be carried out without further authorization. The BCR safeguard works because, even if the country in which a branch of the group is located provides a relatively low level of protection, the branch must still comply with the BCRs and protect data according to the principles they lay down. Specifically, a company must designate a lead country when submitting its BCR application. Once the lead country is determined, the group entity in that country becomes the party bearing all legal responsibility for the data exports; that is, the supervisory authority and the data subject can pursue legal responsibility against the entity inside the EU.
The adequacy determination is the core cross-border transfer mechanism of the GDPR. Only where the country in which the data recipient is located provides a level of personal data protection essentially equivalent to the EU’s may data be transferred to it. Article 45 of the GDPR sets out the factors to be considered in assessing adequacy, including the rule of law and the protection of fundamental rights, and the existence of an independent and effectively functioning supervisory authority. An adequacy determination for a country or region means recognition of that country’s or region’s laws and regulations, recognition of its supervisory authority’s enforcement of data protection, and recognition of the ease with which individuals can exercise their rights. Adequacy determination is therefore a very careful process requiring comprehensive examination. Currently, the EU has confirmed that the UK, Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay provide an equivalent level of data protection.
In addition, Article 49 of the GDPR provides derogations for transfers made in the public interest, for the establishment, exercise or defence of legal claims, or for occasional transfers of small amounts of data, allowing data to flow across borders in the absence of the three mechanisms above. Seen from this perspective, an individual’s consent cannot “make up for” the three changes brought about by data leaving the EU, so the GDPR does not make individual consent a general precondition for transfer. In practice, consent is used as the basis for transfer mainly in scenarios that are occasional, one-off and small in volume, and where the other transfer mechanisms (adequacy determinations, standard contractual clauses, binding corporate rules, etc.) are not applicable.
2. The GDPR seen through the GATS general exception
First, the specific impact of the GDPR on international trade in services may affect the “weighing and balancing” required by the “necessity test”. For example, on July 16, 2020, the Court of Justice of the European Union ruled in the closely watched Schrems II case that, because the level of data protection in the United States did not meet EU standards, the EU-US Privacy Shield, the cross-border transfer mechanism agreed between the EU and the United States in 2016, was invalid. At the same time, the Court upheld the continued use of the EU Standard Contractual Clauses (“SCCs”), but both the data exporter and the recipient are obliged to assess “on a case-by-case basis” whether the third country provides an adequate level of protection for the transferred data, and to add supplementary safeguards where necessary. Once the recipient finds that it cannot comply with the SCCs (for example, because a third-country law enforcement request does not allow the recipient to disclose it to the exporter), the recipient must immediately notify the exporter that it cannot comply, and the exporter should suspend or terminate the transfer; if the exporter decides to continue the transfer, it must notify its data protection supervisory authority. Unless the European Commission has made an adequacy determination for the third country, a supervisory authority that considers that the SCCs cannot be complied with in that country, and that an equivalent level of protection cannot otherwise be provided, must suspend or prohibit the transfer of data to that third country. The EU and its member states must implement the Court’s new interpretation of the GDPR provisions.
Because assessing and implementing such supplementary safeguards is extremely difficult and highly uncertain, the GDPR’s specific restrictions on trade in services will affect the outcome of the necessity test.
Second, if the complainant points to “less restrictive alternatives” capable of securing compliance with data protection law, the “necessity” of the measures adopted to secure compliance is ultimately called into question. The GDPR, recognized internationally as providing the highest level of protection for personal data, prevents these protections from being circumvented through its rules on cross-border data flows. Measured against data protection frameworks in other countries, notably APEC’s CBPR system, which the United States vigorously promotes, WTO adjudicating bodies may consider that less restrictive alternative measures exist for securing compliance with EU data protection law. Specifically, the purpose of the CBPRs is to realize the nine principles of the APEC Privacy Framework in member economies through concrete mechanisms, to provide guiding principles and standards for the protection of personal information privacy in the Asia-Pacific region, and ultimately to enable personal information to flow without barriers within the region on the basis of protection, promoting the development of cross-border e-commerce in the Asia-Pacific. In essence, the basic logic by which the CBPRs promote cross-border flows of personal data is that if companies in different countries make a uniform commitment to follow the nine data protection principles of the APEC Privacy Framework, personal data should flow between those companies unhindered. Accordingly, since these companies protect personal data using the same set of principles, countries participating in the CBPRs can no longer invoke the protection of personal data as a reason to obstruct its cross-border flow.
Third, even if the GDPR’s rules on cross-border data flows are deemed necessary, there is a view that potentially inconsistent implementation of those provisions would not withstand the test of the chapeau of GATS Article XIV. For example, the two judgments of the Court of Justice of the European Union in the Schrems cases have in effect highlighted the “adequacy determination” and “binding corporate rules” as the most reliable and stable tools for cross-border data flows. The former requires a comprehensive and detailed assessment of the receiving country by the European Commission, and the latter a comprehensive and detailed assessment of the submitted corporate rules by the data protection authorities of EU member states; both rely on the EU’s unilateral discretion. As regards the adequacy determination in particular, the European Commission stated in a formal communication that the main considerations in deciding whether to open an “adequacy determination” process for a given country include the extent of its commercial and trade relations with the EU and the resulting data flows, whether the country is a leader in privacy and data protection in its region, and the country’s political relationship with the EU, in particular whether it shares common values and goals.
3. The text proposed by the EU on the cross-border flow of data and the localization of computing facilities
Judging from the consolidated WTO negotiating text, the EU’s provisions on cross-border data flows and the localization of computing facilities are divided into two paragraphs, which this annex refers to as Article A and Article B. Article A mainly regulates cross-border data flows (all types of data, personal data included), while Article B makes special provision for personal data on top of Article A.
Consider Article A first. It requires that governments not restrict the cross-border flow of data, in four specific respects: (1) not to require the use of computing facilities or network elements within a party’s territory for data processing, including requiring the use of certified or approved computing facilities or network elements; (2) not to require data to be stored or processed locally in a party’s territory; (3) not to prohibit data storage or processing in another party’s territory; (4) not to make the use of computing facilities or network elements in a party’s territory, or the prior satisfaction of localization requirements in a party’s territory, a precondition for the cross-border flow of data. Article A therefore functions mainly as a prohibition on data localization.
Now consider Article B. It is concerned primarily with personal data, so it essentially carves out an exception for personal data from Article A in order to accommodate the GDPR. Article B provides: (1) the parties recognize that the protection of personal data and privacy is a fundamental right, and that high standards in this regard contribute to trust in the digital economy and to the development of trade; (2) each party may adopt and maintain the safeguards it deems appropriate to ensure the protection of personal data and privacy, including the adoption and application of rules for the cross-border transfer of personal data, and nothing in the agreement affects the protection of personal data and privacy afforded by a party’s safeguards.
The effect of Article B is that the EU (and any other signatory that accepts the Article) can adopt whatever policies, legislation and measures it deems appropriate to protect personal data and privacy, including specific regulation of cross-border transfers of personal data. Such regulatory measures can include data (and facility) localization requirements.
In other words, the EU does not accept that its GDPR should be subjected to a necessity test; instead it proposes a new text written from scratch. (End)