Beyond Brexit: where might trade policy lead UK data protection?
Global trade models and internationally connected organisations are established ways of doing business and an important part of growth and prosperity. It is therefore vital that data protection laws do not inadvertently act as a barrier to globalised operations.
It is widely considered that minimising barriers to trade flows must be a priority for policy makers in the international trade context, and with the shift to a digital economy, the regulation of personal data transfers will play a more central role. To date, there is no broad consensus on cross-border data protection.1 The UK is leaving the European Union ("EU") and seeking both a deep and comprehensive future trading arrangement with the EU and enhanced trading relationships around the world (especially in services). Together with global developments like the e-commerce chapter of the Trans Pacific Partnership, the balance between privacy regulation, EU adequacy and trade liberalisation could be challenged in the coming years, for the EU and its trading partners. This article explores some of the tensions.
The EU Model
The EU currently has one of the most robust and mature data protection regimes in the world and, with its extraterritorial reach, it sets out the standard required if organisations want to offer goods and services within the European Economic Area.
At the heart of data protection legislation are concepts of transparency (clear customer understanding of how personal data is used), consumer control (affording a customer the right to control how their personal data is used) and security (implementing standards to ensure that personal data is held in appropriately secure technologies). If implemented and managed correctly these concepts build trust in technologies and businesses, which is essential for a vibrant digital economy. However, increasingly there is a tension at play between access to innovative and competitive products and services with a seamless, user friendly interface, and data protection legislation affording control to the consumer. Regulators have struggled to keep up with the rapidly developing innovative technologies and new business models developed around the use of data.
Transfers of Personal Data outside the European Economic Area
Under the new EU General Data Protection Regulation ("GDPR"), there is a general prohibition on transferring personal data outside the European Economic Area unless the recipient country ensures an "adequate" level of data protection, as determined by the European Commission. If the recipient country is not deemed adequate, the other options for a compliant transfer include binding corporate rules, model clauses approved by the European Commission and industry approved codes of conduct or certifications.
What happens to the UK data protection regime after Brexit
The European Commission has made it clear that, in the absence of an adequacy decision as part of the transitional arrangement, when the UK leaves the EU (on 30 March 2019, which is expected to be followed by a transition period effectively on ‘standstill’ terms until 31 December 2020),2 the UK will be treated as a third country.3 An adequacy decision will therefore be crucial to maintaining stability and current EU trade patterns without substantial disruption or additional costs of compliance for UK based organisations.
The warning from the Commission comes despite the UK authorities committing to implementing laws equivalent to the GDPR with the aim of obtaining an adequacy decision from the European Commission. The UK Government has stated that on leaving the EU, current trade flows from the UK should also be able to continue between the UK and third countries with an existing adequacy decision on the same basis.4
Looking ahead however, the UK could find itself in a compromising position. If, in pursuit of trade liberalisation the UK's post-Brexit approach to international transfers is more relaxed than that of the EU, the European Commission might refuse or revoke an adequacy decision for the UK's post-Brexit data protection regime, resulting in pressure for data localisation business models in the EU (see below).
Being bound to the European data protection framework is not without uncertainty
Existing frameworks for European data transfers are also under constant pressure. The continuation of a complaint brought against Facebook Ireland that queries the validity of the transfer mechanism of standard contractual clauses, which if successful could see model clauses being invalidated (the so-called “Schrems 2.0” case), has been referred to the CJEU,5 and adequacy decisions are revocable and open to challenge (the invalidation of the Safe Harbour regime and review of the US Privacy Shield are examples of this).
Organisations relying on model clauses are watching with great anticipation for the outcome of the CJEU consideration of Schrems 2.0. A decision invalidating the model clauses would mean organisations would need to work out a new mechanism for transferring data outside of the European Economic Area to any of the vast majority of countries that are not adequate for the purposes of EU law. A decision is expected in 12-18 months.
In parallel, there is an increasing perception that an individual's data is not safe overseas, potentially fostered by continuing and high profile media coverage of snooping revelations (for example the WikiLeaks revelations in 2017 regarding the CIA and MI5) as well as data security breaches affecting millions. The combined effect of such challenges and the growing view that personal data is safer within the EU, is to dissuade some market participants from exporting data. This puts some exporters under increasing pressure to maintain separate data centres in Europe (for example, Microsoft and Amazon) with the impact being increased costs to consumers or reducing the products and services sold in Europe, or both.
The Commission’s work on data localisation has focussed on measures within the EU,6 and commentators have raised concerns that the GDPR itself could cause businesses and users in the EU to be cut off from innovative and competitive data solutions being developed across the rest of the world.7
The GDPR entails restrictions on use of data that don’t just impact traditional international organisations but will affect any UK operators using cloud type solutions, including SMEs who have been able to enter markets benefiting from low cost infrastructure, and incumbent providers who have been able to improve their offerings and innovate using outsourced platforms and products. Businesses may struggle to leverage data to progress industry and technology innovations, for example in areas like big data analytics, healthcare and AI.
The debate in the EU
Against this backdrop of the domestic regulatory position, EU policymakers have recently turned their attention to data flows in an international trade context. In a letter to the European Commission in May 2017, 13 member state governments called on the Commission to “urgently present a concrete and ambitious text proposal for an EU position on data flows” for the free trade agreement with Japan that was being negotiated. “Ambitious rules on data flows and data localisation should be part of all future EU trade agreements,” they said. “Regulations limiting citizens and entrepreneurs to use, transfer, download and upload their data across the globe gives the wrong signal: stay at home. While the message should be: be welcome feel at home and spur innovation”. This was to no avail. The Japan EU Economic Partnership Agreement (JEEPA), as finalised in December 2017, did not achieve any progress in the area of data, just a line to say the parties would return to the issue in a few years.8
The European Commission has reportedly approved draft legal text that effectively prioritises privacy over trade gains.9 The provisions seek to eliminate restrictions on cross-border data flows that require the localization of data in a party’s territory for storage or processing, but this will be subject to “full compliance with and without prejudice to the EU’s data protection and data privacy rules.” The text is described by the Commission as having been “drafted in the understanding that, as the protection of personal data is non-negotiable, future trade and investment agreements addressing these issues shall not deviate from these horizontal provisions”.
The EU position has been driven by the campaigns for, respectively, liberalisation in the interests of free trade, and caution against trade agreements that might undermine privacy protections.10 These recent developments indicate that the privacy lobby is winning. But who are they really protecting? The EU’s approach will make liberalisation of data flows conditional on the EU being satisfied of the data protection and privacy rules of the other party, essentially cementing its existing unilateral practice of adequacy recognition. Given the EU is an outlier in this area, this is likely to make the process in its trade agreements somewhat asymmetrical. It may also leave some countries needing to balance their own objectives between liberalising measures within and compliance with their other trade agreements (such as the TPP, discussed below), and liberalising data flows from maintaining adequacy with the EU. This would include Canada and New Zealand, who already have adequacy, Japan which is looking to achieve it, and Mexico, which is in the process of updating its FTA with the EU. It could potentially, over time, include the UK, if the balance of its interests were to shift – for example if its trade in services (almost two thirds of which is already with non-EU countries11) orients still further away from the EU, and domestic interests react against the GDPR.
The WTO Rules
Provisions in trade agreements tend to affirm, and sometimes build on, default commitments by WTO members in the General Agreement on Trade in Services ("GATS"). The GATS includes a general obligation to apply regulation in a non-discriminatory way and specific commitments on market access and national treatment, in sectors expressly agreed by member countries. There is a general exception in Article XIV allowing non-compliant measures for “the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts”. This is subject to the requirement that such measures are not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade in services. There is also a specific treatment (similarly caveated) of data flows in financial services in the Understanding on Financial Services.12 In terms of free trade agreements, the Comprehensive Economic and Trade Agreement between the EU and Canada ("CETA") specifically refers to privacy and data protection in the chapters on financial services, telecommunications and e-commerce, and provisions on cross border services and domestic regulation are relevant but do not directly refer to data or privacy. There is no specific prohibition on data localisation or requirement to allow data transfers, except in respect of financial services, where transfers are required to be in accordance with the legislation governing the protection of personal information in the territory where the data originated. CETA also includes a general exception for measures to protect personal data in near identical terms to the GATS exception described above.
While no case challenging a country’s privacy or data protection regulation has yet been brought in the WTO, concerns have been raised that, under both the GATS and CETA, there is a risk that, for example, the rules on transfer to third countries, or Commission determinations on adequacy could be challenged.13 It would seem that this school of thought has given rise to the reported position of the Commission for future trade agreements, under which privacy rules are intended to be beyond challenge, even on the limited grounds that would be available under the GATS and CETA.
The Global Challenge
The Trans Pacific Partnership (TPP)14 is widely considered the most liberalising and forward looking trade agreement achieved to date with respect to services generally, and e-commerce and data in particular. It requires parties to allow the cross-border transfer of information by electronic means, including personal information, where required for the conduct of business covered by the agreement. There is also a prohibition on any party requiring businesses covered by the agreement to “use or locate computing facilities in that party’s territory as a condition for conducting business in that territory”. As with the GATS and CETA, there is an exception for measures to achieve a public policy objective, as long as such measures are not a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade, and do not impose a restriction on transfers of information greater than required to achieve the objective. The latter condition of proportionality is an additional test that is not included in CETA or the GATS, and underlines the liberalising intent of the TPP parties. Both Canada and New Zealand are parties to the TPP, and have adequacy recognition from the Commission though they may need to update their laws to retain recognition post-GDPR as the Commission reviews adequacy determinations. It remains to be seen whether it will be possible to maintain adequacy and meet the tests for application of the policy exception under the TPP if it entails blocking transfers of data to other TPP members, or other barriers. UK policy makers will no doubt be looking on with interest.
Looking Ahead
While economic stability and regulatory certainty remain the priority for the UK government, businesses should be paying close attention to the direction of the EU in this area. Is data protection to be non-negotiable, in the words of the Commission letter, or is a more flexible approach to support innovation and competition called for, and might it be available to UK policy makers in the longer term?
It will remain important that individuals’ personal data and privacy rights are respected, and that they have appropriate remedies available where such rights are violated. However, as Elizabeth Denham of the ICO said in her evidence on Artificial Intelligence to the House of Lords "[i]t's innovation and privacy, not innovation or privacy". The challenge is to facilitate the trade in data that gives rise to such innovation, whilst also protecting data in a stable, clear and proportionate manner.
There is little evidence to show that data localisation results in fewer security breaches. To build consumer confidence and trust, it may therefore be that an increased focus on cyber security practices and standards (as the UK intends following its Cyber Security Regulations and Incentives Review) could provide the customer comfort being sought without further restrictions on data movement. Whether this will be a priority for UK government and businesses if its adequacy is under threat remains to be seen.
With special thanks to Associate Gita Shivarattan and Victoria Hewson - Counsel to the Special Trade Commission Legatum Institute.
2. http://www.consilium.europa.eu/en/press/press-releases/2018/01/29/brexit-council-article-50-adopts-negotiating-directives-on-the-transition-period/
3. Notice to Stakeholders, "Withdrawal of the United Kingdom from the Union and EU Rules in the field of data protection" European Commission, 09 January 2018
4. The exchange and protection of personal data - a future partnership paper, HM Government 24 August 2017
5. Data Protection Commissioner v Facebook Ireland limited and Maximillian Schrems
6. See for example the summary at https://ec.europa.eu/digital-single-market/en/policies/building-european-data-economy
7. See for example Bauer, Lee-Makiyama, van der Marel and Verschelde The Costs of Data Localisation: A Friendly Fire on Economic Recovery ECIPE 2014
8. JEEPA Chapter 8 Section F Article 12
9. EU to demand tough data-protection rules with future trade deals, Financial Times, 9 February 2018
10. See for example K. Irion, S. Yakovleva and M. Bartl, “Trade and Privacy: Complicated Bedfellows? How to achieve data protection-proof free trade agreements”, independent study commissioned by BEUC et al., published 13 July 2016, Amsterdam, Institute for Information Law (IViR).
11. ONS data for 2016, see https://visual.ons.gov.uk/uk-trade-partners/
12. “No Member shall take measures that prevent transfers of information or the processing of financial information, including transfers of data by electronic means, or that, subject to importation rules consistent with international agreements, prevent transfers of equipment, where such transfers of information, processing of financial information or transfers of equipment are necessary for the conduct of the ordinary business of a financial service supplier. Nothing in this paragraph restricts the right of a Member to protect personal data, personal privacy and the confidentiality of individual records and accounts so long as such right is not used to circumvent the provisions of the Agreement.”
13. K. Irion, S. Yakovleva and M. Bartl ibid
14. After the USA terminated its involvement in the TPP the remaining 11 parties agreed in January 2018 to proceed in their absence with a slightly amended agreement the Comprehensive and Progressive Agreement for Transpacific Partnership, or CPTPP. The data related provisions were not affected by the revisions.