Continuing our summer tour of the European Commission’s Berlaymont building this week, let me walk you to the Trade office. Why trade? The EU doesn’t negotiate data protection after all. Indeed, but if you like solving Rubik’s cubes, here is one for you.
In 2018 the EU member states endorsed negotiating provisions for data flows and protection in future EU trade agreements. They spell out that the EU is “committed to ensuring cross-border data flows to facilitate trade in the digital economy,” and it does not negotiate the fundamental rights of personal data and privacy protection. Further, they add that “each Party may adopt and maintain the safeguards it deems appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data.”
Since then, this position has been promoted in several bilateral and multilateral negotiations, for instance, with Australia, New Zealand and the U.K., and in the ongoing Joint Statement Initiative on ecommerce negotiations at the World Trade Organization, convening over 80 economies.
Over the past two years, though, the EU position has been challenged, including by half of its member states, for being too rigid and not allowing the EU to negotiate optimal conditions for the digital economy to thrive. The needle moved slightly in the post-Brexit EU-U.K. Trade and Cooperation Agreement that now governs the relationship between the bloc and its former member state.
While the TCA largely reflects the EU provisions, a few notable changes show they are not immutable, to the chagrin of the European Data Protection Supervisor. Until then, it wasn’t certain that flexibility was an option, given that in 2018 promoting the newly adopted EU General Data Protection Regulation had a significant impact on drafting these trade provisions. Among other changes, the TCA requires the parties to provide “for instruments enabling transfers under conditions of general application for the protection of the data transferred.” To date, no other EU trade agreement contains such requirements.
Another interesting set of EU provisions from a data protection perspective pertains to restrictions on cross-border data flows. The EU position prevents requiring the use of computing facilities, network elements or localization of data in a trading partner’s territory for storage or processing. Within the European Commission, the Directorates-General for Trade and Justice, which oversee data protection matters, have made it abundantly clear they support cross-border data flows and oppose the unjustified use of data localization and similar restrictions, and they have said so formally to third countries such as India.
That said, the digital corners of the commission are promoting technical instruments, particularly cybersecurity certification, that would require that certain maintenance operations and data processed by cloud service providers be located in the EU and require specific domestic company ownership conditions.
The key question here, setting aside the merits of such an approach from a data protection and cybersecurity perspective, is whether cybersecurity certification requirements would fall under the finite list of restrictions to cross-border data flows that the EU itself is promoting, putting it at odds with its own World Trade Organization commitments and aforementioned trade objectives.