
Between commodification and data protection: Regulatory models governing cross-border information transfers in regional trade agreements

Published online by Cambridge University Press:  20 October 2023

Magdalena Słok-Wódkowska*
Affiliation:
University of Warsaw, Faculty of Law and Administration, Wybrzeże Kościuszkowskie 47, 00-347 Warsaw, Poland
Joanna Mazur*
Affiliation:
University of Warsaw, Faculty of Management, Szturmowa 1/3, 02-678 Warsaw, Poland
Corresponding author: Magdalena Słok-Wódkowska; Emails: [email protected]; [email protected]

Abstract

The subject of this analysis is the role that regional trade agreements (RTAs) play in balancing between personal data commodification and protection of privacy and personal data, approached from the perspective of Karl Polanyi’s theory of double movement. We analyse provisions on cross-border information transfers and data protection in order to establish the models for balancing between the ideas of personal data commodification and social protection, understood as allowing for the use of measures that ensure privacy and personal data protection. Our analysis indicates that there are two general models concerning the liberalization of cross-border information transfers: one model restricts states’ ability to restrict data flows while the other is more open to such measures. Next, we identify three primary models governing how data protection is treated in the agreements that liberalize data flows: one that is based on the inclusion of substantive standards of protection in the content of the given agreement; one that uses international standards as a proxy for establishing a certain level of protection; and one that is based on national data protection laws. Combining identified models of liberalizing data flows with identified models of ensuring data protection allows us to show that the inclusion of seemingly similar provisions on cross-border data transfers in various RTAs has resulted in developing several different models for balancing between commodification of personal data and data protection.

Type
ORIGINAL ARTICLE
This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution and reproduction, provided the original article is properly cited.
Copyright
© The Author(s), 2023. Published by Cambridge University Press on behalf of The Foundation of the Leiden Journal of International Law in association with the Grotius Centre for International Law, Leiden University

1. Introduction

In 1944, the Hungarian economist, lawyer, and political scientist Karl Polanyi published his work The Great Transformation. Footnote 1 In this book, he showed how the commodification of labour, land, and money initiated the process of marketization, understood as an expansion of free market mechanisms to areas previously regulated by different logic. Footnote 2 He called these three types of assets – labour, land, and money – ‘fictitious commodities’, as they initially were not produced for the purpose of being sold. Footnote 3 According to Polanyi’s theory, the process of their marketization provoked a counter movement of social defence – one of social protection. The interplay between marketization and social protection Polanyi called ‘double movement’. Footnote 4 Nowadays, the fictitious commodities concept can include personal data Footnote 5 because with the development of the digital economy they have become subject to marketization, despite the fact that their initial character was not to be commodified and not to be a subject of market transactions. Footnote 6

Our analysis focuses on the role that international economic law, and in particular RTAs, Footnote 7 play in the process of personal data commodification. On the one hand, this law is the regulatory framework that is supposed to facilitate data flow in a reaction to the tendency of restricting such transfers. As this framework refers also to the transfers of personal data, it supports the process of including them as a fictitious commodity in international trade (marketization). On the other hand, it is also law that establishes certain conditions concerning protections of privacy and personal data (social protection). Thus, even if the purpose of RTAs is not data and privacy protection, they constitute an element of regulatory framework governing this issue in international law and the manner in which they approach balancing between marketization and social protection influences the way in which individuals’ rights can (or cannot) be protected by law. Footnote 8 Moreover, while some of the RTAs include provisions concerning specific types of data flows (e.g., government information), they do not address issues such as freedom of information. Thus, it is possible that tension arises between this freedom, included in international human rights treaties, and the RTAs provisions, which lay ground for conditions for data transfers. Footnote 9 However, the focus of this text is on the models of balancing between the protection of the issues directly addressed by RTAs provisions, namely, free flow of data and data and privacy protection.

The reason to focus on RTAs is the fact that they constitute a dynamically developing and complex regulatory framework that is unique in its attempts to capture both the regulation of free data flow and data and privacy protection. Detailed analysis of these provisions, along with answers to the questions to what extent this law enables including personal data in a commodified sphere of international trade and to what extent it provides tools for allowing the protection of data subjects, is vital in light of the plurilateral agreement on e-commerce currently negotiated within the World Trade Organization (WTO), through which regulation of both data protection and cross-border information transfers is expected. Footnote 10 Thus, establishing what is the normative content of the provisions on these topics in RTAs and establishing what are the ways of balancing between allowing for data flows and ensuring data protection is vital for a better understanding of the possible tensions during the negotiations and their outcome.

Our analysis focuses on the provisions concerning the cross-border transfer of information present in 34 RTAs. To understand the role that international economic law plays in the double movement of the commodification of personal data, we confront the content of these provisions on cross-border information transfers with those concerning personal data protection. We use the method of doctrinal legal analysis supported by the process of coding the analysed provisions Footnote 11 in order to distinguish various ways in which these agreements strike a balance between the two sides of double movement.

The article is structured as follows. In Section 2, we describe the theoretical framework. In Section 3, we present the methods and sources on which we base our analysis. In Section 4, we characterize how the RTAs regulate the issue of cross-border transfer of information. Section 5 presents the results of the confrontation between the content of the provisions on data flows and the content of the provisions on data protection. In Section 6, we go back to Polanyi’s theory in order to show how the analysed regulatory framework balances between commodification of data and social protection. The last section offers conclusions.

2. Commodification and social protection in regard to cross-border information transfers

In discussions about data, tension often appears between regulations concerning the free flow of data and data protection. The attempt to manage this tension is visible even in the title of the famous European Union (EU) legal act on data protection, the General Data Protection Regulation (GDPR), Footnote 12 which regulates ‘the processing of personal data and … the free movement of such data’, or in the document expressing international political consensus on this issue, namely, the G20 Osaka Leaders’ Declaration, which declares: ‘Cross-border flow of data, information, ideas and knowledge generates higher productivity, greater innovation, and improved sustainable development, while raising challenges related to privacy, data protection, intellectual property rights, and security.’ Footnote 13

These examples show that in light of the development of the digital economy there is an urge to combine these two impulses. Both require regulatory action. On the one hand, to facilitate cross-border information transfers, it is necessary to remove obstacles that may limit them (e.g., localization requirements Footnote 14 ) and, on the other hand, to ensure privacy and data protection, it is necessary to adopt regulatory standards in this area. In the Polanyian framework, facilitation of cross-border information transfers at the expense of privacy or data protection will be perceived as a step towards the commodification of personal data. Footnote 15 It enables using personal data as a commodity that can be easily moved around the globe and processed in places where such operations are most profitable from the perspective of economic gains, while making it more difficult for an individual to enforce his or her rights in the area of data protection law. The countermovement to facilitation of cross-border data transfers entails strengthening the substantive and procedural rights of an individual, the protection of whose personal data is to be given priority over ensuring free data flows (in Polanyian terms: social protection).

What is specific about the commodification of personal data is the fact that it concerns the most private spheres of the lives and behaviour of individuals and turns them into information used for gaining economic profits (e.g., through profiling of advertisement). This broadens the scope of assets subjected to commodification, analysed by Polanyi. Moreover, commodification of personal data on a global scale is technically easy, due to the use of digital infrastructures. This is why the countermovement based on regulating the limits for commodification by the regulatory framework is so important. In relation to data commodification, it happens both on the national and international level. However, while RTAs and more generally trade law intend to provide limits for the regulatory freedom of states, it is essential to find the right balance on this level before finding it on the national one.

As both commodification and social protection are general notions, what we attempt to do in our analysis is to identify specific regulatory solutions (e.g., the presence or absence of certain elements in the provisions) that support one side of the double movement. Table 1 presents examples of the types of provisions (or elements of provisions) that support personal data commodification or social protection, understood as measures adopted in order to implement certain safeguards protecting individuals’ rights in the process of personal data commodification. The purpose of this article is to fill the research gap concerning the mapping of various models of balancing between these two aspects of regulating data flows.

Table 1. Examples of the elements or the types of provisions that strengthen either commodification of personal data or their protection

What needs to be stressed is that we do not present the various models as better or worse. We rather want to show that seemingly similar solutions included in the RTAs offer different approaches to models of balancing between ensuring free data flows and protecting personal data.

3. Sources and methods

While the existing literature either provides a general overview of the existing regulatory solutions in this area Footnote 16 or focuses on selected examples of RTAs, Footnote 17 our work presents an in-depth analysis of adopted provisions. Such an approach is used as a measure to identify the means of balancing between the provisions facilitating data commodification and the provisions that support social protection based on such detailed analysis. The material selected for our research includes RTAs in which we identified the presence of provisions on cross-border information transfers Footnote 18 of a general character: they refer to the issue of movement of information or data in the digital environment. Therefore, we did not analyse agreements in which such provisions refer only to, e.g., financial services or only to personal data. Footnote 19 We were able to identify 34 such RTAs that entered into force before 2 January 2023. Footnote 20 To facilitate reading of this article, we collected all basic information, including links to the content of the agreements, in Table 2. In the text, we refer to the full title of the quoted agreement and then, if we cite a given agreement again, provide an abbreviation (in footnotes, we use only the abbreviation).

Table 2. The list of analysed RTAs

To identify the RTAs relevant for our analysis, we combined two methods. First, we relied on the identification of the relevant agreements in the Trade Agreements Provisions on Electronic-commerce and Data (TAPED) database. Footnote 21 We selected agreements that the authors of the database coded as containing provisions on cross-border information transfers (or data transfers, or data flows) in their e-commerce chapter Footnote 22 and identified the agreements that, during the preparation of the analysis, were already legally binding. Second, we confronted the results of this search with the results of the application of automated text analysis conducted on the ToTA (Texts of Trade Agreements) database. Footnote 23 We defined the sequences of characters Footnote 24 that appear in the provisions on data flows and we searched treaties for occurrences. Next, manually, we compared the results of this search with the results based on the TAPED query, and, finally, identified a set of 32 agreements which were subjected to the analysis presented below. Combining these two approaches allowed us to improve the results that would have been achieved if we had based our research only on one of these two sources. We were able to verify the timeline of adoption of the provisions on data flows in the RTAs more precisely (see Section 4). And, since TAPED includes RTAs both in English and in Spanish, we were able to include RTAs that are solely available in Spanish (ToTA collects the texts of RTAs available in English). Next, we added the most recent agreements (Regional Comprehensive Economic Partnership – RCEP and Digital Economy Partnership Agreement – DEPA), reaching the final set of 34 RTAs.

The method of our analysis is based on an approach that reverses the processes used to create a database such as TAPED. While we selected material based on landscape mapping performed in order to create TAPED, we analysed it through the lens of a close reading of the relevant provisions. Our goal was to trace the various regulatory models present in the provisions, which even though they consider the same subject, quite often approach it in different ways. To achieve this aim we, again, used two different tools. First, we created a table in Excel that contained all the provisions relevant to our research as well as initial coding of the provisions. Second, we conducted the same process using Atlas.ti. This strategy allowed us to verify our approach to the initial coding by confronting it with the results achieved through the use of the Atlas.ti software. It should be stressed that the coding process served a different purpose than the coding in TAPED: instead of focusing on the similarities between the RTAs to check if they included a particular type of provision, we were looking for differences between these provisions to discover the various regulatory models present in the analysed RTAs.

4. Cross-border information transfers in international economic law

The analysed RTAs do not contain definitions of terms such as ‘data transfer’, ‘information transfer’, ‘data flow’, ‘data’, or ‘information’. The only definition that appears in the analysed agreements (23 of them) related to the matters discussed in this text is the definition of ‘personal data’ or ‘personal information’. In most of the agreements, this term is understood either as ‘any information about an identified or identifiable natural person’ (12 agreements Footnote 25 ) or as ‘any information, including data, about an identified or identifiable natural person’ (11 agreements Footnote 26 ). What is more telling is that the definitions repeated in various agreements are variations of these definitions. For example, Article 13.1 of the Indonesia-Australia Comprehensive Economic Partnership Agreement (IA-CEPA) defines personal information as ‘any information, including data or opinions, about an identified or identifiable natural person’, adding opinions to the catalogue of the elements understood as personal information, while Article 9.1(g) of the Free Trade Agreement between the Democratic Socialist Republic of Sri Lanka and the Republic of Singapore (LKA-SGP) defines personal data, not personal information, and therefore reverses the usual order of the elements of the definition (‘any data, including information’ instead of ‘any information, including data’).

These examples show us that the legal terminology describing the digital economy is still in the making. As we lack a definition of such terms as ‘information’ or ‘data’ itself, it is impossible to fully grasp the difference between their meanings. For the purposes of this analysis, it is enough to note that the provisions on cross-border transfers usually – and contrary to, e.g., EU law, which refers to data transfer or data flow – refer to ‘information’ (except for the agreements to which the EU is a party). In the case of definitions of ‘personal information’, data is presented solely as a particular type of information. Thus, it may be assumed that the purpose of using the term ‘information’ is to cover the broad spectrum of information transfers, out of which the transfer of personal information is only one type (and personal data is only a type of personal information). In this article, we mostly use terms such as ‘cross-border information transfer’, ‘cross-border data transfer’ or ‘flow’ interchangeably, but, if it is significant in light of the given provision, we underscore such terminological aspects.

In this section, we describe the regulatory models adopted in RTAs that refer to this issue: (i) a model based on declaration of importance and the need of co-operation on this issue; (ii) a model based on liberalization in its two main variants, as well as the outliers that liberalize cross-border information transfers in an atypical manner. Footnote 27

4.1 Importance of co-operation

The first agreement Footnote 28 in which the provision on cross-border transfer of information appeared was the Dominican Republic-Central America-United States Free Trade Agreement (CAFTA-DR), Footnote 29 signed in 2004. Footnote 30 The agreement, in Article 14.5 titled ‘Cooperation’, referred to the importance of ‘working to maintain cross-border flows of information as an essential element in fostering a vibrant environment for electronic commerce’ in the light of e-commerce development. Such a manner of addressing the issue of cross-border flows of information – either merely noticing the importance of this phenomenon or foreseeing the co-operation on this matter – dominated international economic law until 2014. Altogether, the provision that repeats the phrasing that first appears in CAFTA-DR is present in 15 agreements, Footnote 31 all of which were signed before 2016 (Table 3).

Table 3. Types of provisions on cross-border data transfers (own elaboration). The provisions which to a certain extent diverge from the dominant model are marked in italics

There are three agreements that mention the necessity of co-operation regarding data flows or stress their importance in a different way. First, the agreement between Hong Kong and New Zealand (HKG-NZL) signed in 2010 simply states that the parties agree to co-operate, among others, in respect to the maintenance of an open trading environment for the free flow of information and services. Footnote 32 Second, the Singapore-Australia Digital Economy Agreement (SADEA), signed in 2020, states that the parties shall endeavour to co-operate on capacity-building in the region on issues including mechanisms to facilitate the cross-border transfer of information. Footnote 33 The difference between these two agreements is that while in the case of HKG-NZL this provision is the only one that addressed the issue of information flows, SADEA contains a number of provisions dealing with this issue. Footnote 34 Thus, a vague statement underscoring the intention to co-operate in this area has different significance in the agreement signed in 2010, and in the one signed in 2020, which includes specific solutions on regulation of free flow of information. The third outlier is the agreement between Singapore and the EU (EU-SGP), which, as the only one out of the identified RTAs, refers in one Article to, on the one hand, the importance of the free flow of information and, on the other hand, the need to protect intellectual property rights (IPRs). Footnote 35

The common characteristic of this model is the lack of any obligation that would force the parties to undertake steps to ensure the free movement of information in a cross-border context. As they are phrased in purely aspirational language, they do not include any enforceable obligations. Footnote 36 While the inclusion of this provision indicates the direction in which the parties declare their intent to follow (data commodification), it does not specify how such cross-border transfer of information should be protected from states’ regulatory interventions.

The phrasing of the provision (‘maintain cross-border flows of information’) suggests that the flows are already taking place, and the parties should either facilitate such transfer of information or avoid regulatory intervention. This, firstly, shows that even though this model does not constitute enforceable obligations for the parties to liberalize cross-border information transfers, it enhances the process of personal data commodification and underscores its importance for the digital economy. Secondly, the provision can be interpreted as an example of the marketization part of the double movement: the flows are already taking place and this liberalization is to be maintained. To curb its scope, it is necessary for the social protection element of double movement to be applied and, therefore, only provisions on data protection would provide the framework within which data flows could take place.

4.2 Liberalization

In 2007, another way of referring to cross-border transfer of information appeared in the Free Trade Agreement between the United States of America and the Republic of Korea (KOR-US). It was based on the statement that the parties ‘shall endeavor to refrain from imposing or maintaining unnecessary barriers to electronic information flows across borders’. Footnote 37 As its phrasing is stronger than in the RTAs described above, it may be perceived as the beginning of the strengthened and more direct liberalization trend, Footnote 38 which resulted in 19 agreements containing the provisions that aim to remove the barriers for data flow, all of which were signed between 2014 and 2020. Due to small but significant differences between them, we describe them as belonging to two main groups: (i) one which establishes free flow of data as a rule and foresees narrow exceptions, and (ii) one that underscores the importance of the space for national regulation of cross-border information transfers. Additionally, (iii) there are certain outliers which also foresee the liberalization of data flows.

4.2.1 Free flow of data as a rule and narrow exceptions

A sub-model of the liberalization model which prioritizes the free flow of data and leaves little space for national regulation is present in three agreements: United States-Mexico-Canada Agreement (USMCA) Footnote 39 signed in 2018, Agreement between the United States of America and Japan Concerning Digital Trade (US-JAP) Footnote 40 signed in 2019, and Japan-UK Comprehensive Economic Partnership Agreement (UK-JAP) Footnote 41 signed in 2020. The provision is identical in the first two of these agreements and includes two elements: (i) a ban on prohibiting or restricting the cross-border transfer of information by electronic means, if this activity takes place as a part of conducting the business of a covered person (with a direct reference to transfers of personal information, as covered by this provision); (ii) the possibility of exceptions implemented in order to achieve a legitimate public policy objective, as long as they are not applied in a manner that would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade, and are proportionate. Article 8.84(3) of UK-JAP adds a paragraph that states that this Article does not apply to government procurement, or information held or processed by or on behalf of a Party, or measures by a Party related to that information, including measures related to its collection. Such a sub-model of liberalizing cross-border transfer of information results in establishing, as a rule, free flow of data (thus, their commodification), and limits the states’ possibilities to implement regulatory measures that would set the conditions for cross-border information transfers.

Moreover, the USMCA and US-JAP agreements include a direct reference to the relationship between cross-border data flows and data protection. In Article 19.8(3) USMCA, the following statement underscores that restrictions on data flows should be limited, even if they concern personal data: ‘The Parties also recognise the importance of ensuring compliance with measures to protect personal information and ensuring that any restrictions on cross-border flows of personal information are necessary and proportionate to the risks presented.’ The same statement was repeated in Article 15(4) of the US-JAP agreement. The presence of this provision indicates that ensuring freedom of cross-border data flows should be prioritized over developing data-protection regimes. Thus, when just the provisions on cross-border information transfers in the analysed RTAs are considered, these three agreements represent the sub-model that to the greatest extent favours personal data commodification. This sub-model restricts the states’ powers to regulate issues concerning data protection to what is ‘proportionate’ and (or) ‘necessary’, therefore limiting the possibilities of developing regulatory measures supporting the countermovement to data commodification.

4.2.2 Underscoring the importance of the space for national regulation of cross-border information transfers

Even though the most common type of provision liberalizing cross-border transfer of information was formed during the negotiations of Trans-Pacific Partnership, Footnote 42 the first signed agreement including this type of provision was PAAP 2015. Since then, it has been included in nine other agreements. Footnote 43 This sub-model of regulating cross-border information transfers begins with (i) the recognition ‘that each Party may have its own regulatory requirements concerning the transfer of information by electronic means’. What follows is (ii) allowing the cross-border transfer of information by electronic means when this activity is for the conduct of the business of a covered person (with a direct reference to transfers of personal information, as covered by this provision Footnote 44 ). The last paragraph (iii) foresees the possible exceptions implemented in order to achieve a legitimate public policy objective, Footnote 45 as long as they do not constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade Footnote 46 and are proportionate, Footnote 47 or are necessary for the protection of its essential security interests. Footnote 48

This sub-model of regulating the free flow of data raises certain doubts, due to its ambiguous structure. The provision starts with providing the states with the power to regulate cross-border data flow (thus, limiting commodification by being able to establish the conditions for cross-border transfers of information) but then goes on to establish the necessity of allowing the free flow of data, to which the exceptions not only should be interpreted narrowly but also should fulfil the conditions enumerated in the provision (thus, ensuring the broad scope of commodification as a rule, to which limits should be perceived as exceptions). Such a structure of the provisions undermines the significance of the first paragraph, which enables states to set the regulatory conditions for cross-border information transfers.

Let us examine the hypothetical example of a situation in which one of the parties decides to adopt a strict data protection regulation that would address the conditions on which cross-border information transfers can take place by, e.g., implementing the adequacy decision mechanism. Footnote 49 Although it seems to be in line with the content of the first paragraph, it may be scrutinized as a measure that hampers the free flow of data foreseen in the second paragraph, and therefore be subject to control as an exception based on the third paragraph. The necessity or the proportionality of such a solution is doubtful as it is possible to consider less intrusive (especially from the point of view of international trade) regulatory measures that would ensure the adequate level of data protection. Thus, despite the theoretical possibility of regulating conditions of information transfers in national legislation, such measures could be perceived as an infringement of the RTA’s provisions. As a result, this sub-model does not significantly differ from the previous one, also favouring personal data commodification.

4.2.3 Outliers

Next to the above-described KOR-US agreement, there are two other outliers that establish different ways of liberalizing cross-border information transfers. First, Tratado de Libre Comercio entre los Estados Unidos Mexicanos y la República de Panamá (MEX-PAN), signed in 2014 (thus, before all the typical liberalizing agreements), in Article 14.10 reads:

Each Party shall allow its persons and the persons of the other Party to transmit electronic information, from and to its territory, when required by said person, in accordance with the applicable legislation on the protection of personal data and taking into consideration international practices.

In terms of providing the space for national regulation, the provision foresees such a possibility regarding legislation on personal data. Considering the implementation of exceptions to the overall liberalization of data flows, the provision does not invoke them directly; however, it enables referring to the general exceptions on the basis of Article XIV of the General Agreement on Trade in Services (GATS). Thus, the possibility of invoking public policy goals, including measures that are ‘necessary to secure compliance with laws or regulations which are not inconsistent with the provisions of this Agreement including those relating to the protection of the privacy of individuals in relation to the processing and dissemination of personal data’, Footnote 50 exists.

The second outlier is the Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part (TCA), which uses the type of provision on cross-border data flows that the EU considers as a template for its currently negotiated agreements. Footnote 51 In comparison to the approach adopted in the above-described RTAs, the way that cross-border data flows are regulated in this agreement is limited, but also more concrete. It refers to the prohibition of restricting cross-border data flows by specific measures, namely, requiring the use of computing facilities or network elements in the party’s territory for processing or requiring the localization of data in the party’s territory for storage or processing. The content of this provision is therefore more similar to the provisions present in some of the RTAs, which are titled ‘Location of Computing Facilities’ Footnote 52 than to the provisions on cross-border information transfers. This type of provision may be read not only as a data flow facilitator but also as a link between the provisions on data flow and those prohibiting data localization. Footnote 53

The type of provision on cross-border data flows that is present in the TCA, which addresses particular barriers instead of the general ones, seems to be more focused on ensuring the possibility of social protection (understood as leaving the space for regulation on, e.g., data protection) than invoking general exceptions in typical liberalizing provisions on cross-border information transfer. It does not allow for general commodification, but rather sets the limits for it, by indicating only specific barriers that should be removed. It is also in line with the EU’s attempt to shape its RTAs in a manner that allows for more space for realizing its policy in regard to data protection. The liberalizing models described above could lead to undermining the EU’s rules on data transfers, based, among others, on adequacy decisions. The differences between the liberalizing approach and the approach of the EU, which is focused on addressing only particular barriers to data flows, are especially relevant in the light of the way in which the exceptions are interpreted in international economic law.

4.2.4 Regulatory models concerning cross-border transfer of information in RTAs in light of international economic law’s notions concerning the possibility to invoke exceptions

What is common to the provisions that establish the free flow of data as a rule and those that leave more space for national legislation is ensuring the free flow of cross-border transfer of information, including personal information. These two sub-models differ in what is stressed in their content. The first one focuses on the need to ensure the free flow of information (commodification), while the second one explicitly refers to the parties’ ability to set their own regulatory requirements concerning this issue. Thus, the second sub-model leaves more space for national regulation concerning the conditions on which cross-border information transfers can take place. This potentially supports social protection, especially in the case that no substantive standards of protection are foreseen in the given agreement.

In both these models, the social protection part of the double movement depends heavily on the interpretation of the exceptions related to public policy objectives. In terms of exceptions to free data flow, which may be foreseen by the states, the approach in both liberalizing sub-models seems to be the same: they should be interpreted strictly and may not lead to arbitrary or unjustifiable discrimination. However, the level of leniency in assessment of compliance of national measures with data flow requirements used by potential adjudicators remains unclear, as there is no consistent interpretation in the so far delivered case law. Footnote 54

Both sub-models refer to notions well-established in international economic law: firstly, the legitimate public policy objective. Even though this notion has not been a part of the General Agreement on Tariffs and Trade (GATT) or GATS, it is well-established in international economic law. Footnote 55 The concept of legitimate public policy creates a broader scope for exceptions compared to the catalogues included in Article XX of GATT, Footnote 56 and Article XIV of GATS, which is usually considered as able to encompass goals such as consumer protection or cybersecurity. Footnote 57 At the same time, it means that the party invoking an exception is obliged to prove that a measure is non-protectionist and non-discriminatory. Potential adjudicators would also have to assess which public policy objectives are sufficiently important to justify restrictions on data flow. Footnote 58 On the one hand it gives potential adjudicators some space for assessment, as there is no closed catalogue of the public policy objectives that can be achieved, as in GATT and GATS. Footnote 59 On the other hand, in order to be invoked such a public policy aim needs to be ‘ascertainable’, which is understood as being objectively assessed and non-protectionist. Footnote 60 It forces them to explicitly assess which of these goals is more important. Footnote 61

Secondly, both models refer to measures that are ‘necessary’. It is one of the most important conditions for invoking exceptions in economic law. Necessity tests, which were developed by numerous judgments of the WTO panels and Appellate Body, Footnote 62 require assessment of whether there is a common interest for protected goals, which includes the assessment of the extent to which the measure contributes to the realization of the objective, and the extent to which the measure is restrictive. Footnote 63 One can assume that the interpretation of the necessity in provisions related to data flows would be similar to the test used in the WTO law. It means that assessment of compliance of regulations on data protection requires, as WTO’s Appellate Body stated, ‘“weighing and balancing” a series of factors, including the importance of the objective, the contribution of the measure to that objective, and the trade-restrictiveness of the measure’, Footnote 64 which does not provide a clear answer on whether data protection may supersede data flow. Whereas there might be space for friendly and lenient interpretation that would enable invoking exceptions related to ‘public policy objectives’ which may be interpreted as encompassing various aims, there are also some concerns that the notion is too vague and leaves space for questioning specific measures.

Thirdly, there also are other well established requirements concerning exceptions in trade agreements (‘means of arbitrary or unjustifiable discrimination or a disguised restriction on trade’), which are, on the one hand, typical for trade agreements’ provisions on transfers of goods or services, but, on the other hand, their interpretation still raises a lot of controversies. In the case of goods, it is easier to compare the regulatory requirements that refer to the national and to foreign products. In the case of the requirements regarding data flows, such comparisons are more difficult. Therefore, the reference to notions well-established in international economic law in relation to the free flow of data can lead to even more controversies and doubts.

In light of these concerns, what has been suggested in the literature is that:

… clarifying the scope of ‘legitimate public policy objective’ with an illustrative list will be helpful. For example, the list should specify that cybersecurity, privacy, online consumer protection and protecting public order qualify as “legitimate public policy objectives”. Further, the exceptions available under Article XIV and Article XIVbis GATS should clearly remain applicable for examination of data restrictive measures. For example, a WTO member should remain free to restrict data flows or require data localisation if it is necessary for achieving compliance with domestic laws, for protecting public morals or maintaining public order, or to protect essential security interests. Footnote 65

While laws and regulations relating to ‘the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts’ are explicitly allowed under Article XIV(c)(iii) of GATS, they are also subjected to the above-described condition of necessity. Due to the narrow interpretation of the exceptions available under GATS in international economic law, their significance for the states’ ability to implement restrictions concerning cross-border information transfers may be limited.

Therefore, it is justified to shift from the question of the potential impact of the general exceptions in international economic law – which are subjected to the condition of necessity – to the question of whether the adopted agreements support the view of accepting data protection as a public policy objective. In order to examine this issue, it is necessary to scrutinize how these RTAs define the relation between the states’ right to regulate personal data protection and their obligation to ensure the free flow of data.

Interesting limitations to this interpretation are foreseen in RCEP. Its footnote 14 to Article 12.15(3)(a) foresees the competence for the parties to decide what is a necessary, legitimate public policy objective that can justify implementing exceptions to cross-border data flows: ‘For the purposes of this subparagraph, the Parties affirm that the necessity behind the implementation of such legitimate public policy shall be decided by the implementing Party.’ This shows a possibility of including instructions concerning an interpretation of an agreement that goes against the narrow reading of exceptions in the content of the agreement itself. However, the example of RCEP simultaneously illustrates that leaving space for national regulation may not unequivocally serve the purpose of protecting rights of individuals. Article 12.15(3)(b) foresees the possibility for the states to adopt or maintain ‘any measure that it considers necessary for the protection of its essential security interests. Such measures shall not be disputed by other Parties’. Footnote 66 Thus, it is possible to implement measures, e.g., limiting rights of data subjects, based on the national security exception, which cannot be disputed by other parties of the agreement. The example of RCEP, thus, shows the ambivalence of granting the states more freedom in regard to the implementation of the national regulation.

5. Cross-border data flows vs. data protection in international economic law

For the analysis of the ways in which RTAs address the question of balancing between ensuring cross-border data flows and data protection, we selected a set of agreements that contain provisions introducing a certain level of liberalization of cross-border information transfers. This choice is motivated by the fact that the first type of provisions on cross-border information transfers (discussed in Section 4.1) merely mentions the importance of this issue and, due to its aspirational phrasing, is not enforceable. Thus, our initial set for analysis in this section included 19 agreements. Out of this set, KOR-US does not contain any specific provisions on personal information, except for a brief remark in Article 15.8 on cross-border information flows, that the parties ‘acknowledg[e] the importance of protecting personal information’. We include both the South Asian Free Trade Area (SAFTA) and the Singapore-Australia Digital Economy Agreement (SADEA) in order to show the evolution that took place due to the adoption of the more recent agreement. Thus, our final set for the analysis includes 18 RTAs. Footnote 67

We identified ten elements of provisions on data protection that appear in the analysed agreements (Table 4). Two types of these provisions concern the issue of sharing (or exchanging) and publishing information on data protection laws. While these types of obligations may prove useful from the perspective of data subjects and the companies that look for the relevant information, they do not bring anything to the issue of balancing between data protection and cross-border information transfers. Similarly, the recognition of benefits that data protection laws bring to customers in the digital environment as well as the provisions on promotion of compatibility of regulatory solutions implemented by the parties do not directly address the issue of balancing between the facilitation of cross-border data flows and ensuring data protection. Based on the remaining six types of identified provisions, we identified three main models of regulating the interplay between data protection and cross-border information flows, which we discuss below.

Table 4. Types of provisions on data protection in RTAs which contain provisions on liberalisation of cross-border information transfers (own elaboration). Italics in the column ‘Relation to data flow…’ mark the RTAs provisions that were discussed in section 4

5.1 Substantive standards of protection as a threshold for balancing between data protection and cross-border transfer of information

The first model of balancing between ensuring cross-border transfers of information and data protection is based on the inclusion of substantive standards or principles concerning data protection in the content of the agreement. Such a solution is present in six RTAs. In CHL-URY and ARG-CHL, it takes the form of a footnote that enumerates the principles that should be followed in the data protection laws of the parties: the principle of prior consent, legitimacy, purpose, proportionality, quality, security, responsibility and information. Footnote 68 Moreover, these two agreements include a provision that obliges the parties to encourage the use of security or encryption mechanisms for processing of personal data. Footnote 69 While this provision does not create any concrete obligations for the parties, it indicates a certain direction that the parties aim to follow.

The USMCA, in Article 19.8(3), and Digital Economy Partnership Agreement (DEPA), in Article 4.2, refer to the following catalogue of principles: limitation on collection, choice, data quality, purpose specification, use limitation, security safeguards, transparency, individual participation, and accountability, while SADEA, also in Article 19.8(3), mentions all these principles, except for choice. Thus, the parties to these agreements should base their national regulations on data protection on these principles. Moreover, SADEA and USMCA directly indicate mechanisms that the parties should recognize as providing a sufficient level of protection in regard to data transfers. SADEA’s Article 17(8) and USMCA’s Article 19.8(6) read that the parties recognize that the APEC Cross-Border Privacy Rules system ‘is a valid mechanism to facilitate cross-border information transfers while protecting personal information’. Footnote 70

An interesting solution was included in DEPA, which in Article 4.2(8) refers to the obligation of the parties to encourage adoption of data protection trustmarks by businesses that would help verify conformance to personal data protection standards and best practices. In regard to such data trustmarks, the parties shall endeavour to mutually recognize them as ‘a valid mechanism to facilitate cross-border information transfers while protecting personal information’. Footnote 71 While none of the elements of these provisions is obligatory, they provide grounds for further development of more flexible mechanisms that would – as directly invoked in the agreement – facilitate cross-border information transfers (commodification of personal data) while protecting personal information (social protection). This, linked with the fact that DEPA directly enumerates principles underpinning a robust legal framework for the protection of personal information, provides more legal certainty in regard to the standards that should be followed when developing personal data protection regulatory frameworks. Both cross-border information transfers and standards concerning data protection are included in a substantially developed manner, which constitutes a more comprehensive and complex approach to the question of balancing between these two, included in the agreement itself.

An agreement that diverges from this model is Article 202 of TCA, which simply states that ‘individuals have a right to the protection of personal data and privacy’ and does not include more details on what such a right to the protection of personal data and privacy should entail. This article foresees the obligation for the parties to unilaterally adopt law concerning data protection that ‘provides for instruments enabling transfers under conditions of general application for the protection of the data transferred’.

5.2 Reference to international standards of protection as a proxy for substantive standards of protection

The second regulatory model refers to international standards that should be followed by the parties in their data-protection laws. Such a provision is present in 14 out of the 18 analysed agreements. Footnote 72 All these agreements also contain a provision that states that the parties ‘shall adopt or maintain a legal framework that provides for the protection of the personal information of persons who conduct or engage in electronic transactions’ (category ‘adopting/ maintaining national regulation’ in Table 4). Thus, international standards should be considered as a basis for such a national legal framework, and therefore, indirectly create substantive standards that should be obeyed by the states. Such an interpretation can be confirmed by Article 8.7(2) of the CHL-URY agreement, which, by reference to international standards, indicates the principles listed above as substantive standards of protection. Moreover, as the domestic regulations on data protection can be questioned as non-compliant with data-flow requirements by the other parties of a given agreement, there might be the need to invoke exceptions to justify them. In such cases, international standards may be much easier to defend as meeting a necessity test.

While some of the agreements do not specify what shall be understood under the obligation that ‘each Party should take into account principles and guidelines of relevant international bodies’, two of the agreements refer in more detail to this issue. USMCA Footnote 73 and SADEA Footnote 74 provide examples of the APEC Privacy Framework (SADEA specifies APEC Cross-Border Privacy Rules – CBPR) and the OECD Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (USMCA specifies that it refers to the 2013 version). These references to guidelines and documents that do not have legally binding force prove that they are nonetheless important for forming substantive standards of protection.

Simultaneously, six agreements contain a footnote that provides details on how the party can comply with the obligation of adopting or maintaining national regulation concerning privacy:

For greater certainty, a Party may comply with the obligation in this paragraph by adopting or maintaining measures such as a comprehensive privacy, personal information or personal data protection laws, sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy. Footnote 75

The inclusion of ‘laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy’ may to a certain extent undermine the significance of these regulatory models of privacy protection, as it leaves the adoption of substantive standards of protection to the enterprises.

What is important to underscore is that ten out of the agreements that are based on this kind of regulatory model include a provision on non-discriminatory practices that the parties shall adopt in protecting persons who conduct or engage in electronic transactions from personal information protection violations occurring within its jurisdiction (category ‘non-discrimination’ in Table 4). In the case of these agreements, it seems to be an obligation of the parties to ensure that the level of protection guaranteed to the nationals of this state would be equal to the one that would protect the foreigners from the other party.

5.3 Relying merely on national regulation

Two of the agreements analysed in this section, LKA-SGP Footnote 76 and US-JAP, Footnote 77 include a provision that merely obliges the parties to adopt a domestic legal framework for the protection of the personal data of users of electronic commerce. As they do not contain any reference to international standards, they provide the parties with a certain level of liberty concerning adopting law that the parties consider ‘adequate’ (LKA-SGP) for this purpose. Moreover, US-JAP includes a provision that obliges the parties to ensure ‘that any restrictions on cross-border flows of personal information are necessary and proportionate to the risks presented’, which, in light of the interpretation of the terms such as ‘necessary’ and ‘proportionate’ in international economic law, may be perceived as a limitation for the development of personal data-protection framework, which should be adjusted to the needs of ensuring cross-border information transfers.

An outlier in this group is the BRA-CHL agreement. On the one hand, it does not include any substantive standards or references to international standards concerning data protection. On the other hand, it is more developed than the LKA-SGP and US-JAP provisions, as it refers to, e.g., non-discrimination and the need to develop security measures for data protection. Despite these references, it eventually relies on the national regulations and, therefore, belongs to this model.

6. Between commodification and social protection of personal data and privacy

The balance between commodification and social protection in the analysed RTAs is shaped as a result of the cross between two axes. One describes the way in which the given RTA presents data flows: as subjected to data protection rules (TCA); as subjected to national regulations which have to follow the conditions enumerated in the given RTA (e.g., CHL-URY, CPTPP, AUS-PER); or as a priority (USMCA, UK-JAP, US-JAP). The second axis shows how RTAs approach the issue of data and privacy protection: whether they include references to substantive standards concerning data protection; refer to international standards in this regard; rely on national regulation; or foresee limitations concerning national regulations. What is evident from our study is that there is more than one model of approaching this balance and that even the agreements focused strictly on the regulation of digital economy provide examples of various perspectives on this issue (e.g., DEPA significantly differs in this regard from US-JAP, even though both of these RTAs are digital trade agreements).

Table 5 shows that almost all of the RTAs which include the general provisions on data flows (except for the TCA, which represents a different model of provisions on this topic) are built on a contradiction. On the one hand, they leave some space for national regulation to ensure data and privacy protection. On the other hand, they treat this regulation either as an exception to the general liberalization of data flows (USMCA, UK-JAP, US-JAP), or invoke conditions concerning the way in which national regulations should be formed (conditions which will limit the states’ possibilities in regard to ensuring privacy and data protection – as explained in Section 4.2.4). In light of this paradox the references to substantive standards concerning data protection and privacy may be interpreted as a limitation which does not establish a minimum standard of protection but rather constitutes the highest level of protection which would be considered as allowed under these RTAs.

Table 5. Various models of balancing between ensuring data protection and facilitating data flows. Thick black rectangle marks the RTAs which include limitations concerning the possibility to invoke exceptions. Dotted line marks the RTAs which include mechanisms for data transfers. SAFTA is in grey, as it was replaced with SADEA. TCA is bolded, as it includes an alternative approach to the regulation of data flows

An example of this strategy is the balance formed by the provisions in the USMCA. On the one hand, it foresees certain substantive standards of protection and directly indicates mechanisms that can be used for personal data transfers. On the other hand, the USMCA contains a provision that allows only necessary and proportionate restrictions concerning cross-border data flows. Thus, any attempt at adopting regulatory requirements regarding personal data transfers that would diverge from the standards described in USMCA could be challenged as not proportional and not necessary. As a result, the USMCA leaves more space for personal data commodification and next to none for the development of social protection mechanisms.

A similar problem can be indicated in regard to the model which refers to the international standards while providing certain space for national regulation. On the one hand, as it does not explain what should be understood under international standards, the model seems to allow for a substantial personal data commodification. On the other hand, it is possible to argue that the developments of international standards in this regard Footnote 78 can be used by the states to justify the implementation of stronger safeguards for data and privacy protection. It remains to be seen what kind of standards will be considered as justifiable under this model of balancing between data flow and data and privacy protection.

7. Conclusions

The strategy present in some of the RTAs to generally liberalize the flow of data without providing specific safeguards concerning personal data protection is problematic in light of a human-rights based approach to data and privacy protection. As Kristina Irion notes in the context of the above-mentioned G20 Osaka Leaders’ Declaration on the free flow of data:

The endorsement of “Data Free Flow with Trust” perfectly encapsulates the influential narrative of innovation, growth and development associated with cross-border data flow while leaving the intricacies of protecting human rights and societal values to domestic institutions that are themselves increasingly contested in an interdependent world. Footnote 79

Recently, the debate on the role of RTAs in setting the regulatory framework for data protection has received renewed attention. Footnote 80 While Anupam Chander and Paul Schwartz argue for a treaty concerning data and privacy protection under WTO, Footnote 81 Kristina Irion, Margot Kaminski, and Svetlana Yakovleva show the threats of subjecting privacy and data protection to the trade law regime and argue that trade law is not the right forum to regulate cross-border personal data flows. Footnote 82

Our work shows that the threats indicated by these authors are not limited to the RTAs which liberalize data flows to the greatest extent (mostly the ones to which the US, the UK, and Japan are parties, e.g., US-JAP, UK-JAP). The dominant model of the provisions on cross-border data transfers supports commodification of data at the expense of ensuring the protection of the rights of data subjects. This movement goes strongly in the direction of personal data commodification and might undermine the existing and future data protection regulations by treating them as exceptions to the general rule of liberalization. As most of the analysed RTAs refer to the regulation of data flows as an exception to the general rule liberalizing cross-border information transfers, and therefore limit the possibilities of the states to develop high standards of personal data protection in this regard, it seems vital to adopt regulatory solutions that would shift the balance in the direction of protecting – not commodifying – personal data.

One option would be to acknowledge the unique character of personal data by clearly prioritizing the possibility of implementing measures which serve their protection. RTAs nowadays are entangled in the conundrum of, on the one hand, underscoring the need to ensure data protection, and, on the other hand, subjecting it to control in accordance with data protection rules with the obligation to ensure the free flow of data. This mechanism makes it difficult to unequivocally state that the current system would allow for strong data and privacy protection (as we show in Section 4.2.4). Thus, clear prioritization of data and privacy protection may be perceived as one of the available solutions to this problem.

Another option is creating a regulatory framework governing data flow in international law that would be based on the removal of particular types of barriers (like the EU’s approach) or on the liberalization of flows of particular types of data. Footnote 83 The development of substantive provisions concerning a particular type of data is not only a theoretical concept. The RTAs already include regulations concerning specific types of data, e.g., government information, the flow of which is regulated separately in some of RTAs, namely, USMCA, US-JAP, DEPA, SADEA, TCA, UK-JAP. Such an approach could be perceived as historically justified (e.g., inspired by the division of goods into various categories in terms of tariffs imposed on them). Additionally, the implementation of various levels of protection depending on the type of data considered may combat the unwillingness of certain states to adopt regulatory measures concerning the free flow of data.

The currently dominating explicit inclusion of personal data in the categories of information that should be allowed to move freely across borders is yet another dimension of commodification in the Polanyian sense. With regulation that enhances such an approach to personal data being adopted in RTAs, it is difficult for citizens, non-governmental organizations, and other actors representing society to effectively demand the adoption of measures that would constitute a countermovement to commodification and allow for the social protection of data subjects. However, as the multilateral regulatory framework governing personal data commodification in international economic law is currently negotiated, it is the right time to underscore that the countermovement to personal data commodification – the protection of privacy, personal data, ensuring the rights of data subjects – either has to be included in the adopted provisions, or personal data and privacy should be left out of the scope of adopted solutions. The first option could take the form of prioritization of data and privacy protection by, e.g., allowing unequivocally the adoption of national regulations, which would not be subjected to strict interpretation as the exceptions to the general rule of free flow of data. The second option could be developed in the form of an approach that focuses on removing particular obstacles to cross-border information transfers or liberalizing particular types of data, not on the general liberalization of commodified personal data flows.

Footnotes

*

This research was funded by the National Science Centre, Poland (project number 2019/35/B/HS5/02107). Joanna Mazur is also supported by the Foundation for Polish Science (FNP).

We would like to thank the members of the Research Group on Law, Science, Technology & Society (LSTS) of the Vrije Universiteit Brussel who participated in the WRG session during which we presented this article for their insightful comments and questions, and prof. dr. Gloria González Fuster for providing us with the opportunity to present this work. We would also like to thank prof. dr. Renata Włoch for her comments and Łukasz Nawaro for his support in the process of identifying the relevant RTAs, namely, conducting the automated search in the database.

References

1 For the purposes of this article, we use the third edition of K. Polanyi, The Great Transformation. The Political and Economic Origins of Our Times (2001). For examples of general works on Polanyi’s theory see F. Block and K. Polanyi, ‘Karl Polanyi and the Writing of “The Great Transformation”’, (2003) 32 Theory and Society 275; F. L. Block and M. R. Somers, The Power of Market Fundamentalism: Karl Polanyi’s Critique (2014); J. Beckert, ‘The Great Transformation of Embeddedness: Karl Polanyi and the New Economic Sociology’, in C. Hann and K. Hart (eds.), Market and Society: The Great Transformation Today (2009), 38; A. Buğra and K. Ağartan (eds.), Reading Karl Polanyi for the Twenty-First Century: Market Economy as a Political Project (2007); J. R. Stanfield, ‘The Institutional Economics of Karl Polanyi’, (1980) 14 Journal of Economic Issues 593.

2 ‘Broadly, the proposition holds that all economic systems known to us up to the end of feudalism in Western Europe were organised either on the principle of reciprocity or redistribution, or householding, or some combination of the three.’ See Polanyi, ibid., at 57.

3 Ibid., at 71–80.

4 ‘For a century the dynamics of modern society was governed by a double movement: the market expanded continuously but this movement was met by a countermovement checking the expansion in definite directions. Vital though such a countermovement was for the protection of society, in the last analysis it was incompatible with the self-regulation of the market, and thus with the market system itself.’ Ibid., at 136.

5 See G. Grabher and J. König, ‘Disruption, Embedded. A Polanyian Framing of the Platform Economy’, (2020) 14 Sociologica 95; M. Bottis and G. Bouchagiar, ‘Personal Data v. Big Data: Challenges of Commodification of Personal Data’, (2018) 8 Open Journal of Philosophy 206; A. Athique, ‘Integrated Commodities in the Digital Economy’, (2020) 42 Media, Culture & Society 554.

6 The famous description of this issue, not in Polanyian terms, is Shoshana Zuboff’s category of data exhaust, commodified by big tech: see S. Zuboff, The Age of Surveillance Capitalism: The Fight for a Human Future at the New Frontier of Power (2019). For the work on this issue, with reference to the Polanyian framework, see J. E. Cohen, Between Truth and Power: The Legal Constructions of Informational Capitalism (2019).

7 RTAs are only one of the instruments used in the regulation of cross-border data transfers in international law; for others, see J. López-González, F. Casalini and T. Nemoto, ‘Mapping Approaches to Cross-Border Data Flows’, in I. Borchert and L. A. Winters (eds.), Addressing Impediments to Digital Trade (2021), 45.

8 There is a growing need for a shift in the role international law plays, as it is expected to provide a fairer regulatory framework that takes into account values other than economic gains. See, for example, J. Chaisse, H. Gao and Ch. Lo, ‘Introduction: Trade Policies in the Post-TPP Era’, in J. Chaisse, H. Gao and Ch. Lo (eds.), Paradigm Shift in International Economic Law Rule-Making TPP as a New Model for Trade Agreements? (2017), 1, at 8.

9 On this issue see J. Mazur and M. Słok-Wódkowska, ‘Access to Information and Data in International Law’, (2022) 91(2) Nordic Journal of International Law 310.

10 Which is confirmed by the leaked file of the text of the e-commerce plurilateral agreement negotiated under the WTO, see World Trade Organization, ‘Electronic Commerce Negotiations: Consolidated Negotiating Text’ (leaked), available at www.bilaterals.org/IMG/pdf/wto_plurilateral_ecommerce_draft_consolidated_text.pdf. On the literature suggesting the possible developments in this area see A. D. Mitchell and N. Mishra, ‘Regulating Cross-Border Data Flows in a Data-Driven World: How WTO Law Can Contribute’, (2019) 22 Journal of International Economic Law 389; A. D. Mitchell and N. Mishra, ‘WTO Law and Cross-Border Data Flows: An Unfinished Agenda’, in M. Burri (ed.), Big Data and Global Trade Law (2021), 83. For news on the recent developments see the WTO’s website, available at www.wto.org/english/tratop_e/ecom_e/joint_statement_e.htm.

11 For an explanation of the methods and source see Section 3, infra.

12 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.

13 G20, ‘G20 Osaka Leaders’ Declaration’, available at www.consilium.europa.eu/media/40124/final_g20_osaka_leaders_declaration.pdf.

14 See D. Svantesson, ‘Data Localisation Trends and Challenges: Considerations for the Review of the Privacy Guidelines’, (2020) OECD Digital Economy Papers, No. 301, OECD Publishing, Paris.

15 Another term to describe this phenomenon is ‘appropriation’ of privacy or personal data. See A. Strowel, ‘Big Data and Data Appropriation in the EU’, in T. Aplin (ed.), Research Handbook on Intellectual Property and Digital Technologies (2020), 107; T. H. Engström, ‘Corporate Appropriation of Privacy: The Transformation of the Personal and Public Spheres’, (1997) 7 Ethics & Behavior 239.

16 E.g., Borchert and Winters, supra note 7; M. Wu, ‘Digital Trade-Related Provisions in Regional Trade Agreements: Existing Models and Lessons for the Multilateral Trade System’, (2017) RTA Exchange: International Centre for Trade and Sustainable Development (ICTSD) and the Inter-American Development Bank (IDB), at 22–3, available at https://www.zbw.eu/econis-archiv/bitstream/11159/1643/1/rta_exchange-digital_trade-mark_wu-final-1.pdf; M. Irfan, ‘Data Flows, Data Localisation, Source Code: Issues, Regulations and Trade Agreements’, (2019) CUTS International, available at www.cuts-geneva.org/pdf/WTOSSEA2018-Study-Data_Flows_Localisation_Source_Code.pdf; M. Elsig and S. Klotz, ‘Data Flow-Related Provisions in Preferential Trade Agreements: Trends and Patterns of Diffusion’, in M. Burri (ed.), Big Data and Global Trade Law (2021), 42; T. Naef, Data Protection without Data Protectionism: The Right to Protection of Personal Data and Data Transfers in EU Law and International Trade Law (2023), 369.

17 E.g., M. Burri, ‘The Governance of Data and Data Flows in Trade Agreements: The Pitfalls of Legal Adaptation’, (2017) 51 University of California Davis Law Review 65; M. Burri, ‘The Regulation of Data Flows Through Trade Agreements’, (2017) 48 Georgetown Journal of International Law 407; S. A. Aaronson and P. Leblond, ‘Another Digital Divide: The Rise of Data Realms and Its Implications for the WTO’, (2018) 21 Journal of International Economic Law 245; X. Wang, ‘Online Personal Data Protection and Data Flows Under the RCEP: A Nostalgic New Start?’, (2022) 56(4) Journal of World Trade 657.

18 The articles containing regulation of data flow have various titles, e.g., ‘Cross-Border Transfer of Information by Electronic Means’, ‘Cross-Border Information Flows’, ‘Free Flow of Data’, ‘Movement of Information’, ‘Cross-Border Data Flows’. For our terminological approach see Section 4, infra.

19 Therefore, we excluded agreements which – like the EU-Algeria Association Agreement – refer directly to data flow, but only in relation to the free movement of personal data (Art. 45).

20 The set of RTAs selected for the analysis includes one pair of agreements that was concluded between the same parties (SAFTA in 2016 and SADEA in 2020) and out of which both contained provisions on data flows (the latter substantially developed the regulatory framework concerning this issue). We include both of them as separate agreements in order to show how the approach to certain issues evolved. We also do not count PAAP 2015 as an agreement separate to PAAP, as it is the additional protocol to PAAP. However, it also substantially developed the solutions concerning data flows, thus, we include it as a separate document in our analysis.

21 M. Burri and M. Elsig, ‘A New Dataset on Data-Related Trade Provisions (TAPED)’, available at www.unilu.ch/en/faculties/faculty-of-law/professorships/managing-director-internationalisation/research/taped/.

22 Code: ‘1.28.1 [ecommerce_cross_border_information_transfer] Does the e-commerce chapter include provisions on data flows?’. We considered inclusion of RTAs which include code: ‘2.1 [data_flow_free_movement] Does the agreement include a provision on the free movement of data?’, however, the character of their provisions is not compatible with the topic of our research and, therefore, we did not include four RTAs which include code 2.1 and do not include code 1.28.1. M. Burri and M. Elsig, ‘Codebook (2020/06/08)’, available at www.unilu.ch/en/faculties/faculty-of-law/professorships/managing-director-internationalisation/research/taped/.

23 W. Alschner, J. Seiermann and D. Skougarevskiy, ‘ToTA: Texts of Trade Agreements’, available at mappinginvestmenttreaties.com/rta/.

24 The sequences of characters included: free flows of(…)info; crossborder flows of(…)info; transborder flows of(…)info; free flow of(…)info; crossborder flow of(…)info; transborder flow of(…)info; free flows of(…)data; crossborder flows of(…)data; transborder flows of(…)data; free flow of(…)data; crossborder flow of(…)data; transborder flow of(…)data; free (…)data flow; crossborder (…)data flow; transborder (…)data flow; free transfer of(…)info; crossborder transfer of(…)info; transborder transfer of(…)info; free transfer of(…)data; crossborder transfer of(…)data; transborder transfer of(…)data. ‘(…)’ means that between the given words any 20 characters could appear (e.g., ‘crossborder (…)data flow’ would include ‘crossborder personal data flow’).

25 In alphabetical order: Art. 11.1 ARG-CHL; Art. 10.1 BRA-CHL; Art. 1509 CAN-COL; Art. 13.9 CAN-KOR; Art. 15.10 CAN-PER; Art. 16.9 COL-CRI; Art. 6.1(d) TCA (instead of identified or identifiable individual: data subject); Understanding 3, Art. 1(d) EU-SGP; Art. 14.1 MEX-PAN (personal data, not personal information); Art. 14.10 KOR-PER; Art. 13.1 PAAP; and Art. 13.1 PAAP 2015.

26 In alphabetical order: Art. 11.14 A-HKFTA; Art. 13.1 AUS-PER; Art. 8.1 CHL-URY; Art. 14.1 CPTPP; Art. 1.3 DEPA; Art. 13.1 IA-CEPA (data or opinions); Art. 9.1(g) LKA-SGP (any data, including information); Art. 14.1(w) SADEA; Art. 14.1(2)(l) SAFTA; Art. 1(dd) US-JAP; Art. 19.1 USMCA.

27 Out of the analysed RTAs, three include provisions that foresee the need to consider regulation of cross-border information transfers in the future: (i) Art. 13.11 of PAAP, which was amended in 2015 with a protocol that changed the manner of regulation of this issue in this agreement; (ii) TCA, which includes substantive regulatory solutions concerning this issue (see Section 4.2.3, infra), and, next to them, Art. 201(2), which concerns an assessment of the functioning of the adopted solutions; and (iii) Art. 8.81 of the JEEPA, which is the only agreement that, except for establishing the need to discuss this matter in the future, does not contain any other substantive provision on this matter. Thus, we exclude this agreement from our analysis.

28 As there may be a significant difference between the date of signing the agreement and its entering into force, we decided to base the chronological order of the agreements on the date of their signing.

29 The Central American countries that are parties to this agreement are Costa Rica, El Salvador, Guatemala, Honduras, and Nicaragua.

30 Mira Burri notes that the ‘first agreement having such a provision is the 2006 Taiwan–Nicaragua FTA, where as part of the cooperation activities, the parties affirmed the importance of working “to maintain cross-border flows of information as an essential element to promote a dynamic environment for electronic commerce”’. – M. Burri, ‘Data Flows and Global Trade Law’, in M. Burri (ed.), Big Data and Global Trade Law (2021), 11 at 26. Our research indicates that the same provision was present already in CAFTA-DR signed in 2004, and Panama-Singapore FTA (PNM-SGP), signed more than three months before the Taiwan-Nicaragua FTA (TWN-NIC). For an explanation of how we made this finding, see Section 3, supra. Also, it is worth noting that the first agreement in which the relevant provisions are enforceable was signed after the publication of the major work on transborder data flows and privacy by C. Kuner, Transborder Data Flows and Data Privacy Law (2013), which shows the dynamic character of the development of international economic law in this regard.

31 The relevant articles: Art. 14.5(c) CAFTA-DR; Art. 13.4(c) PNM-SGP; Art. 14.05(c) TWN-NIC; Art. 14.5(c) PNM-US; Art. 1508 CAN-PER; Art. 1507(1)(c) CAN-COL; Art. 14.9(c) KOR-PER; Art. 15.5(d) CEN AM-MEX; Art. 16.7(1)(c) COL-CRI; Art. 16.5(c) CAN-HND; Art. 13.12(c) PAAP; Art. 14.11(c) MEX-PAN; Art. 13.7(c) CAN-KOR; Art. 13.12(c) PAAP 2015; Art. 9.12(5) JPN-MNG.

32 Ch. 10, Art. 2 HKG-NZL.

33 Art. 37 SADEA.

34 The main solution belonging to a liberalizing regulatory model is discussed below. However, SADEA also implements a novelty in regard to cross-border information-transfer regulation in the RTAs, namely, the provision entitled ‘Data innovation’, which states, among others, that: ‘[t]he Parties shall endeavour to support data innovation through: (a) collaborating on data-sharing projects, including projects involving researchers, academics and industry, using regulatory sandboxes as required to demonstrate the benefits of the cross-border transfer of information by electronic means’ – Art. 26(2) SADEA.

35 Art. 8.57(3) EU-SGP. We have not identified such a direct reference to IPRs in any other agreement.

36 Enforceability is understood as creating a clear legal obligation, which is not aspirational and can be legally enforced, which means that it has not been excluded from the dispute settlement system within a given RTA. For information about which of the analysed provisions are enforceable (phrased in a plain way and covered by the dispute-settlement procedure foreseen in a given RTA), see the last column in Table 2. For a further explanation of the general concept of enforceability, see H. Horn, P. C. Mavroidis and A. Sapir, ‘Beyond the WTO? An Anatomy of EU and US Preferential Trade Agreements’, (2010) 33 The World Economy 1565.

37 Art. 15.8 KOR-US.

38 See Burri, supra note 30, at 27.

39 Art. 19.11 USMCA.

40 Art. 11 US-JAP.

41 Art. 8.84 UK-JAP.

42 For the importance of TPP see, e.g., N. Mishra, ‘The Role of the Trans-Pacific Partnership Agreement in the Internet Ecosystem: Uneasy Liaison or Synergistic Alliance?’, (2017) 20 Journal of International Economic Law 31 and T. Streinz, ‘Digital Megaregulation Uncontested? TPP’s Model for the Global Digital Economy’, in B. Kingsbury et al. (eds.), Megaregulation Contested: Global Economic Ordering After TPP (2019), 312.

43 In chronological order: Art. 13.11 PAAP 2015; Art. 8.10 CHL-URY; Art. 13 SAFTA; Art. 11.6 ARG-CHL; Art. 9.9 LKA-SGP; Art. 13.11 AUS-PER; Art. 14.11 CPTPP; Art. 10.12 BRA-CHL; Art. 13.11 IA CEPA; Art. 11.7 A-HKFTA; Art. 4.3 DEPA; Art. 12.15 RCEP; Art. 23 SADEA (which replaced SAFTA). This model has also been used in the not-yet-in-force Digital Economy Agreement between the United Kingdom of Great Britain and Northern Ireland and the Republic of Singapore (Art. 8.61-F), available at assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1060050/CS_Singapore_1.2002_UK_Singapore_Digital_Economy_Agreement.pdf, as well as in the UK-Ukraine Digital Trade Agreement (agreement explainer available at www.gov.uk/government/publications/uk-ukraine-digital-trade-agreement-agreement-explainer/uk-ukraine-dta-agreement-explainer#data-flows).

44 Except for CHL-ARG, BRA-CHL, and RCEP which do not contain such an element.

45 Except for CHL-URY, which contains the same elements, however, in reversed order, with the reference to the national legislation at the end.

46 PAAP 2015; CHL-URY; SAFTA; ARG-CHL; LKA-SGP; AUS-PER; CPTPP; BRA-CHL; IA CEPA; A-HKFTA; DEPA; RCEP; SADEA.

47 SAFTA; CPTPP; IA CEPA; DEPA; SADEA.

48 IA CEPA; RCEP.

49 For a detailed analysis of the compliance of the adequacy decision with Japanese trade obligations, including Art. 14.11 CPTPP and DEPA, see S. Yakovleva, ‘Testing Restrictions on Onward Transfers of EU Personal Data Against Free Data Flow Obligations in the CPTPP and US-Japan Digital Trade Agreement’, (2023) Amsterdam Law School Research Paper No. 2023-20, Institute for Information Law Research Paper No. 2023-05, available at dx.doi.org/10.2139/ssrn.4423959.

50 1994 General Agreement on Trade in Services (Marrakesh Agreement Establishing the World Trade Organization, Annex IB), 1869 UNTS 183, Art. XIV.

51 Art. 201 TCA. See European Commission, ‘Horizontal Provisions for Cross-Border Data Flows and for Personal Data Protection in EU Trade and Investment Agreements’, available at www.politico.eu/wp-content/uploads/2018/02/Data-flow-provisions-POLITICO.pdf; European Commission, ‘EU Proposal for Provisions on Cross-Border Data Flows and Protection of Personal Data and Privacy’, available at web.archive.org/web/20221001183315/https://trade.ec.europa.eu/doclib/docs/2018/july/tradoc_157130.pdf. An almost identical provision has been included in the already-negotiated new EU-Chile Advanced Framework Agreement, Art. 19.4, available at policy.trade.ec.europa.eu/eu-trade-relationships-country-and-region/countries-and-regions/chile/eu-chile-agreement/text-agreement_en. A similar model, but with significant differences, has been used in the newly negotiated EU-New Zealand Free Trade Agreement, which was signed on 9 July 2023 but has not yet entered into force (policy.trade.ec.europa.eu/eu-trade-relationships-country-and-region/countries-and-regions/new-zealand/eu-new-zealand-agreement/text-agreement_en), as well as in the text proposed by the EU of the EU-Australia agreement (policy.trade.ec.europa.eu/eu-trade-relationships-country-and-region/countries-and-regions/australia/eu-australia-agreement/documents_en in Digital Trade chapter, Art. 5), and EU-Tunisia agreement (policy.trade.ec.europa.eu/eu-trade-relationships-country-and-region/countries-and-regions/tunisia/eu-tunisia-dcfta-documents_en in Digital Trade chapter, Art. 5), which are under negotiation. For an in-depth study of the roots of differences in the EU’s approach in comparison to the USA’s see S. Yakovleva, ‘Privacy Protection(ism): The Latest Wave of Trade Constraints on Regulatory Autonomy’, (2020) 74 University of Miami Law Review 416 (see also her PhD thesis, S. Yakovleva, Governing cross-border data flows (2021), available at dare.uva.nl/search?identifier=cf54d2a9-cd41-42c2-94f1-24c81f8a3abd).

52 For examples see Art. 14.3 CPTPP; Art. 13.12 AUS-PER; Art. 13.12 IA CEPA; Art. 11.8 A-HKFTA; Art. 12 US-JAP; Art. 19.12 USMCA.

53 As data localization requirements are often seen as one of the most important barriers to digital trade and economy, see N. Mishra, ‘Privacy, Cybersecurity, and GATS Article XIV: A New Frontier for Trade and Internet Regulation?’, (2020) 19 World Trade Review 341; Svantesson, supra note 14.

54 Although traditionally in cases such as US-Shrimps (Appellate Body report United States – Import Prohibition of Certain Shrimp and Shrimp Products, adopted 6 November 1998, WT/DS58/AB/R, para. 187) the notion of ‘arbitrary or unjustifiable discrimination’ is understood quite broadly, some authors argued that there is a change in international adjudication especially in relation to services: P. Delimatsis and L. Gargne, ‘General Exceptions under the GATS – A Legal Commentary on Article XIV GATS’, (2020) TILEC Discussion Paper No. DP2020-027, available at dx.doi.org/10.2139/ssrn.3757464.

55 See D. A. Desierto, ‘Balancing National Public Policy and Free Trade’, (2015) 27(2) Pace International Law Review 549; D. A. Desierto, ‘Public Policy in International Investment and Trade Law: Community Expectations and Functional Decision-Making’, (2014) 26 Florida Journal of International Law 51.

56 1947 General Agreement on Tariffs and Trade, 55 UNTS 187, Art. XX.

57 See Mitchell and Mishra (2019), supra note 10, at 400.

58 See N. F. Diebold, ‘Standards of Non-Discrimination in International Economic Law’, (2011) 60 International and Comparative Law Quarterly 831; A. D. Mitchell and J. Hepburn, ‘Don’t Fence Me In: Reforming Trade and Investment Law to Better Facilitate Cross-Border Data Transfer’, (2017) 19 Yale Journal of Law & Technology 182.

59 See, for example, M. Burri, ‘Interfacing Privacy and Trade’, (2021) 53 Case Western Reserve Journal of International Law 35, at 71.

60 For such interpretation see A. Mitchell, D. Heaton and C. Henckels, Non-discrimination and the Role of Regulatory Purpose in International Trade and Investment Law (2016), at 15–18.

61 In the WTO case law the outcome of the assessment is dependent on perception of the importance of the value that is protected: F. Fontanelli, ‘Necessity Killed the GATT – Art XX GATT and the Misleading Rhetoric about “Weighing and Balancing”’, (2012) 5(2) European Journal of Legal Studies 36, at 65–6.

62 See Appellate Body report European Communities – Measures Prohibiting the Importation and Marketing of Seal Products, adopted 22 May 2014, B-2014-1 – AB-2014-2, WT/DS400/AB/R, WT/DS401/AB/R, at 5.169 and other reports invoked there. See also G. Muller, ‘The Necessity Test and Trade in Services: Unfinished Business?’, (2015) 49 Journal of World Trade 951, 958–65; for some comments on data flow and necessity test see Mitchell and Hepburn, supra note 58, at 204.

63 See G. Verhoosel, National Treatment and WTO Dispute Settlement: Adjudicating the Boundaries of Regulatory Autonomy (2002), at 36.

64 Appellate Body report European Communities – Measures Prohibiting the Importation and Marketing of Seal Products, adopted 22 May 2014, B-2014-1 – AB-2014-2, WT/DS400/AB/R, WT/DS401/AB/R, at 5.169.

65 See Mitchell and Mishra (2021), supra note 10, at 102.

66 For the analysis of this issue see G. Zheng, ‘Trilemma and Tripartition: The Regulatory Paradigms of Cross-Border Personal Data Transfer in the EU, the U.S. and China’, (2021) 43 Computer Law & Security Review 1 (article number: 105610), at 14; F. Casalini, J. López González and T. Nemoto, ‘Mapping commonalities in regulatory approaches to cross-border data transfers’ (2021) OECD Trade Policy Papers, No. 248, OECD Publishing, Paris, at 24, 27.

67 Art. 14.8 and Art. 14.11 MEX-PAN; Art. 13.8 and Art. 13.12 PAAP 2015; Arts. 8.6-8.7 and 8.13 CHL-URY; Art. 9 SAFTA; Art. 11.5 and Art. 11.9 ARG-CHL; Art. 9.7 and Art. 9.12 LKA-SGP; Art. 13.8 and Art. 13.14 AUS-PER; Art. 14.8 and Art. 14.15 CPTPP; Art. 10.8 BRA-CHL; Art. 19.8 and Art. 19.14 USMCA; Art. 13.3 and Art. 13.7 IA CEPA; Art. 11.9 and Art. 11.13 A-HKFTA; Art. 15 US-JAP; Art. 12.8 RCEP; Art. 4.2 DEPA; Art. 17, Art. 33, and Art. 3 SADEA; Art. 8.80 and Art. 8.83 UK-JAP; Art. 202 TCA.

68 Art. 8.2(5)(f) CHL-URY; Art. 11.2(5)(f) ARG-CHL.

69 ‘The Parties will promote the use of security mechanisms for the personal information of users, and their dissociation, in cases where said data is provided to third parties, in accordance with their legal system.’ Art. 8.7(4) CHL-URY and Art. 11.5(6) ARG-CHL. Such a provision is also present in Art. 10.8(6) BRA-CHL, however, BRA-CHL does not include a reference to any substantive standards of protection.

70 SAFTA did not include these two elements of the provision on cross-border information transfer.

71 Art. 4.2(10) DEPA.

72 Interestingly, except for PAAP 2015 and DEPA, all RTAs of this type have Australia among the parties.

73 Art. 19.8(2) USMCA.

74 Art. 17.2 SADEA.

75 Art. 8.80(2) UK-JAP; Art. 14.8(2) CPTPP; Art. 19.8(2) USMCA; Art. 9(2) SAFTA, which was replaced by Art. 17 SADEA; Art. 4.2(3) DEPA. Interestingly, SADEA adds to the term ‘privacy’ used in this type of footnote, the term ‘data protection’: ‘… sector-specific laws covering data protection or privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to data protection or privacy’.

76 Art. 9.7(2) LKA-SGP.

77 Art. 15(1) US-JAP.

78 Such as the Council of Europe Convention 108+ (Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, CETS No. 223).

79 K. Irion, ‘Panta Rhei: A European Perspective on Ensuring a High Level of Protection of Human Rights in a World in Which Everything Flows’, in M. Burri (ed.), Big Data and Global Trade Law (2021), 231, at 234.

80 Which is a continuation of an ongoing debate. See, for early work in this area, J. R. Reidenberg, ‘Resolving Conflicting International Data Privacy Rules in Cyberspace’, (1999–2000) 52 Stanford Law Review 1315 or, for the return of the scholarship to this issue, S. Aaronson, ‘Why Trade Agreements are not Setting Information Free: The Lost History and Reinvigorated Debate over Cross-Border Data Flows, Human Rights, and National Security’, (2015) 14(4) World Trade Review 671.

81 A. Chander and P. M. Schwartz, ‘Privacy and/or Trade’, (2023) 90(1) University of Chicago Law Review 49.

82 K. Irion, M. E. Kaminski and S. Yakovleva, ‘Privacy Peg, Trade Hole: Why We (Still) Shouldn’t Put Data Privacy in Trade Law’, (2023) University of Chicago Law Review Online, available at lawreviewblog.uchicago.edu/2023/03/27/irion-kaminski-yakovleva/.

83 For such an approach see N. Sen, ‘Understanding the Role of the WTO in International Data Flows: Taking the Liberalization or the Regulatory Autonomy Path?’, (2018) 21 Journal of International Economic Law 323.

Table 1. Examples of the elements or the types of provisions that strengthen either commodification of personal data or their protection

Table 2. The list of analysed RTAs

Table 3. Types of provisions on cross-border data transfers (own elaboration). The provisions which to a certain extent diverge from the dominating model are marked in italics

Table 4. Types of provisions on data protection in RTAs which contain provisions on liberalisation of cross-border information transfers (own elaboration). Italics in the column ‘Relation to data flow…’ mark the RTAs provisions that were discussed in section 4

Table 5. Various models of balancing between ensuring data protection and facilitating data flows. Thick black rectangle marks the RTAs which include limitations concerning the possibility to invoke exceptions. Dotted line marks the RTAs which include mechanisms for data transfers. SAFTA is in grey, as it was replaced with SADEA. TCA is bolded, as it includes an alternative approach to the regulation of data flows