
Personal Data Protection within WTO’s Trade Framework 


Academic year: 2021


Name: Zhen Zhang Student Number: 12306250

Abstract

Recent years have witnessed a rising awareness of data protection across the world. An increasing number of states have created legislative schemes to protect the fundamental right to data protection, which affect trade in services negatively in various ways. The World Trade Organization, as the most universal legal system in regulating trade, aims to liberalize trade and lower trade barriers. Member States of the WTO are obliged to comply with their commitments under GATS, including the Most-Favoured-Nation Clause, National Treatment and Market Access, etc. Although GATS provides clauses specifically designed for justification of data privacy protection measures, the justification mechanism under Article XIV(c)(ii) is still unclear and under ongoing discussion. This article focuses on the operation of data protection within the WTO Framework. More specifically, it asks whether a WTO Member could prohibit or restrict the transfer of personal data within and from its territory without running afoul of its trade commitments.


Table of Content

I. INTRODUCTION

II. AN OVERVIEW OF DATA PROTECTION LEGISLATIONS

1. The Right to Data Protection as Fundamental Human Right

2. EU’s Restriction on Cross-border Data Processing

III. POTENTIAL BREACH OF WTO COMMITMENTS

1. Digital Trade: Under GATT or GATS Regime?

2. Potential Breach of MFN Clause (Article II)

3. Potential Breach of Market Access Commitments (Article XVI)

VI. DOMESTIC REGULATION (Article VI)

1. Regulatory Autonomy

2. Harmonized standards

VII. GENERAL EXCEPTIONS (Article XIV)

1. Scope of Subparagraph (c) Article XIV

2. The “Necessity” test

3. Chapeau

(a) “arbitrary or unjustifiable discrimination”

(b) “Disguised Restriction on International Trade”

IV. INTERNATIONAL LAW AND DOMESTIC LAW


I. INTRODUCTION

Nowadays, digitally delivered data-processing and business services contribute largely to economic development around the world. These services, ranging from financial accounts to health transcriptions, require a great amount of international data flows. Personal data, labeled as the “currency” of the digital economy1, is being collected, stored, transferred and allocated across multiple jurisdictions every day. It refers to any information that relates to an identified or identifiable living individual. Different pieces of information which, collected together, can lead to the identification of a particular person also constitute personal data.2 While it drives the productivity, efficiency and growth of international trade and service business in many ways, the collection of such data raises concomitant and complex privacy concerns.3

Domestic data protection legislation is growing across the world. According to UNCTAD’s Data Protection and Privacy Legislation Worldwide4, 107 countries have put in place legislation to secure the protection of data and privacy, of which 66 were developing countries. 10% of countries are at the drafting stage at the moment. The remaining ones either have no legislation or have no data.

Among the countries or regions with data protection legislations, the EU and the United States are considered crucial players due to their dominance in digital trade.5 Within the EU legal system, the General Data Protection Regulation (GDPR), which has been in force since May 2018, replacing the EU Data Protection Directive, is expansive as to its scope of application. In particular, it restricts the transfer of data from its territory to another country or region with an “inadequate” data protection level. Meanwhile, the United States has promulgated various privacy regulations on a state-by-state and sector-by-sector basis. Among them, the California Consumer Privacy Act (CCPA), which is scheduled to become effective on January 1, 2020, is slated to become the most comprehensive data privacy law within the United States and is considered as a coming wave at the federal level. While it does not specifically restrict cross-border data transfer of personal data, the Act excluded such transfer in the context of a merger.6

1 Ben Rooney, Reding Details Sweeping Changes to EU Data Laws, Wall St. J. Tech Eur. Blog, <http://blogs.wsj.com/tech-europe/2012/01/23/reding-details-sweeping-changes-to-e-u-data-laws>, last visit 4th June 2019

2 European Commission, What is personal data, https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en, last visit 4th June 2019

3 DA MacDonald, Personal Data Privacy and the WTO (2014), Houston Journal of International Law, Vol. 36:3, p 627

4 UNCTAD, Data Protection and Privacy Legislation Worldwide, <https://unctad.org/en/Pages/DTL/STI_and_ICTs/ICT4D-Legislation/eCom-Data-Protection-Laws.aspx>, last visit: 14th May 2019

5 The term “data privacy” has been used on the assumption that only private information can be protected. By contrast, Europe refers to the broader term “data protection”, which may extend to information that is in the public domain.

As countries rush to establish data protection laws and tighten the control of the cross-border data flows, it is suggested that transnational trade has been affected by legislations in various ways, ranging from the fairly simple ones on micro level to the more complex ones on macro level. Generally, the costs of trade in services are remarkably higher than those of the trade in goods. Services sectors with lower trade costs, themselves associated with lower barriers to services trade, tend to be more productive and to experience higher productivity growth than those with higher trade costs.7

Accordingly, barriers to entry in service sectors reduce the incentive of suppliers to invest in digital technologies. Such regulation inevitably sits in conflict with international trade rules, which have been focusing on the liberalization of trade and lowering trade barriers. The World Trade Organization (WTO), as a representation of the highest degree of institutionalizing economic globalization, is crucial in digital trade issues. It aims to lower trade barriers as well as to facilitate trade without discrimination, with which states’ restriction on data transfer, in the context of cross-border trade, is inevitably on a collision course. Although the WTO has “general exceptions” as in-built flexibilities for data privacy protection, it has been pointed out that it fails to provide a sufficient and comprehensive mechanism for the justification of such legislation regarding personal data trade.8 More specifically, the critical question of how the WTO would balance the importance of the right to data privacy and the interests of trade has remained unanswered.

This article will discuss how personal data protection, one of the fundamental rights, operates within the WTO’s trade framework. In particular, I will discuss whether a WTO Member could prohibit the transfer of personal data within and from its territory without running afoul of its trade commitments, circumventing the measures imposed by GDPR on cross-border data transfer. Section II of this article provides an overview of the right to data protection and data protection legislations across the world. Section III to Section V contains an introduction of the WTO framework, and an analysis of whether data protection measures might violate WTO obligations and whether they could be justified under general exceptions. In Section VI we conduct a case study on GDPR, which is the strongest regime in data protection at the moment.

6 Data Guidance, Comparing privacy laws: GDPR v CCPA, pp.12, <https://fpf.org/wp-content/uploads/2018/11/GDPR_CCPA_Comparison-Guide.pdf>, last visit 18 June 2019

7 Sébastien Miroudot, Ben Shepherd, Regional Trade Agreements and Trade Costs in Services (2015), Robert Schuman Centre for Advanced Studies Research Paper No. RSCAS 2015/85, p13

8 Krista Nadakavukaren Schefer (2011), Social Regulation in the WTO, Bern, Switzerland: Edward Elgar Publishing

II. AN OVERVIEW OF DATA PROTECTION LEGISLATIONS

1. The Right to Data Protection as Fundamental Human Right

The increasing concern over the right to data protection is closely related to its fundamental status, which is enshrined within various constitutional instruments either as a separate right or as an inner requirement of the right to privacy.

Originally, the right to privacy did not touch upon the issue of data protection due to historical context. The first recognition of the right to privacy dates back to an article published in the Harvard Law Review in 1890 by Samuel Warren and Louis Brandeis, where the authors defined it as “the right to be let alone” embodying protections for each individual’s “inviolate personality”9. In this period, the internet did not exist, let alone digital data of personal information. The scheme of the right to privacy thus did not include data protection at the time.

From the second part of the 20th century, several international and regional instruments began to acknowledge the right to privacy as a fundamental human right and gave it an official definition.10 Article 12 of the Universal Declaration of Human Rights (UDHR) laid down an individual’s right to protection of their private sphere against intrusion from others for the very first time in 1948. Soon after that, the European Convention on Human Rights (ECHR) also affirmed this right in Article 8, providing that everyone has the right to respect for his or her private and family life, home and correspondence.

The appearance of the internet since the 1990s has radically altered the traditional form of privacy protection. Digital files concerning a person’s health, finances, travel and consumption are not – and rarely can be – stored entirely within the physical home. Individuals are now voluntarily giving up personal information for Internet-based service.11 Others appropriate our identities, treating us as objects; by doing so, our standing as autonomous moral agents, controlling how we present ourselves to the world, is thus denied.12 The way in which our privacy is put at risk is accordingly different, and this leads to the challenge to the traditional scope of the right to privacy. Consequently, the scheme of the right to privacy has expanded and it now indicates that each individual has the complete control of information about his or her “private life, habits, acts and relations”.13

9 Dorothy J. Glancy, The invention of the right to Privacy (1979), Arizona Law Review, Vol. 21, pp. 2

As a response on the international level, the United Nations adopted a series of resolutions as to “the right to privacy in digital age”. The revised draft resolution on the right to privacy in the digital age14 explicitly states that “the increasing capabilities of business enterprises to collect, process and use personal data can pose a risk to the enjoyment of the right to privacy in the digital age”. It also notes that, as a corresponding obligation, states shall “take effective measure to prevent the unlawful retention, processing and use of personal data stored by public authorities and business enterprises”. Despite their non-binding status, UN resolutions are deemed as strong evidence of state practice and opinio juris.

2. EU’s Restriction on Cross-border Data Processing

In the context of increasing concern over data privacy, the EU took a step further and disconnected the right to personal data protection from the right to privacy. The Charter of Fundamental Rights of the EU recognizes the right to personal data protection as an independent human right and lays down the foundations of the EU data protection framework.15

In order to ensure that the increasing transfer of data outside of the EU/EEA does not circumvent the protection level within the EU, EU secondary law for data protection has imposed an expansive scope of application. Article 3(1) of GDPR provides that it applies to the processing of personal data if such processing is “in the context of the activities of an establishment” of a controller or a processor in the EU. The CJEU gave a broad interpretation to this notion and stated in Google Spain v AEPD that even processing of personal data abroad is carried out “in the context of an establishment” in the EU if the activities of such an establishment are inextricably linked to processing of personal data by a foreign controller.16 Furthermore, according to Article 3(2) of GDPR, the processing of personal data by a controller and processor established outside of the EU is also under regulation, so long as the processing activities are related to offering goods or service to EU individuals or to the monitoring of individuals’ behaviour within the EU. Therefore, cross-border data processing services conducted by data service providers originating from non-EU countries could also be covered by the scope of GDPR.

11 Ibid, pp. 202

12 Ibid, pp. 202

13 Dorothy J. Glancy, The Invention of the right to privacy (1979), Arizona Law Review, Vol 21, pp.2

14 UN, General Assembly, Revised draft resolution on the right to privacy in the digital age (2016), A/C.3/71/L.39/Rev.1, New York; UN, Human Rights Council, The right to privacy in the digital age (2017), A/HRC/34/L.7/Rev.1

15 European Union Agency For Fundamental Rights, Handbook on European data protection law (2018), <https://www.echr.coe.int/Documents/Handbook_data_protection_02ENG.pdf>, last visit: 15 July, 2019

Under Chapter 5 GDPR17, the destination of data processing has to have an adequate level of protection. “Adequate”, according to the CJEU, means “essentially equivalent” to the level of protection of fundamental rights and freedoms guaranteed by the Charter and the EU’s data protection law.18 According to Article 45 of GDPR, the Commission will have the power to determine whether certain countries, territories, specified sectors or international organizations offer an adequate level of protection for data transfers. The existing list of countries which have previously been approved by the Commission will remain in force, namely: Andorra, Argentina, Canada (where PIPEDA applies), Switzerland, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, Eastern Republic of Uruguay and New Zealand…19 The transfer of data between the EU and the eligible countries or regions shall not require any specific authorization. Furthermore, Article 45(2) provides a detailed and non-exhaustive list of criteria which should be taken into account by the Commission in its assessment.

Article 46 of GDPR contains a list of conditions which allows derogation of Article 45. Firstly, in the absence of a Commission’s decision, a controller or processor may only transfer data to a third country if appropriate safeguards have been provided. Secondly, a competent supervisory authority of a Member State could authorize a transfer of data subject to adequate safeguards. Article 47 provides binding corporate rules (BCRs), which supply a legal basis for international transfers of personal data within a multinational company with establishments in third countries.20

16 C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, ECLI:EU:C:2014:317, para 56

17 Kuner, Regulation of Transborder Data Flows (n 6) 28, Maximillian Schrems v Data Protection Commissioner (n 18) para 73.

18 Maximillian Schrems v Data Protection Commissioner (n 18) para 73.

Furthermore, the EU has concluded agreements with countries which it believes have the same level of protection. The European Union-US Privacy Shield serves as a framework for regulating transatlantic exchanges of personal data for commercial purposes between the EU and the United States. The transfer of data under the regime needs no further authorization of the European Commission.21

III. POTENTIAL BREACH OF WTO COMMITMENTS

1. Digital Trade: Under GATT or GATS Regime?

Before analysing how data protection legislation operates within the WTO framework, the question arises whether digital trade falls under the regime of GATT or GATS.

Although the 1998 WTO Work Program on Electronic Commerce has acknowledged the effect of digital technologies on all aspects of trade: in goods, services, or intellectual properties,22 the underlying problem is that neither the GATT nor the GATS contains clear guidelines. It is also hard to draw a line between the scope of GATT and GATS from decisions of the Panels or the Appellate Body. The Appellate Body in EC – Bananas III held that the GATT and the GATS may overlap in application to a particular measure and they are not mutually exclusive.23 Indeed, there are a number of overlapping cases and cases where no regime seems to be applicable. An example could be USB flash drives or similar devices for data processing.24 According to Decision 4.1, only carrier media is embraced by the GATT and it is not a service under the GATS.25 Nonetheless, according to the GATS Service Sectoral Classification List (W/120) and the UN Provisional Central Product Classification (CPC), which provide reference for identification of an activity as a good or a service, data processing activities are categorized as being in the computer-related services under “(iii) data processing services” of W/120.26

20 ‘Working Document Establishing a Model Checklist Application for Approval of Binding Corporate Rules’ (14 April 2005) <http://ec.europa.eu/justice/data-protection/article-29/documentation/opinionrecommendation/files/2005/wp108_en.pdf> accessed 6 June 2019.

21 Privacy Shield Program, <https://www.privacyshield.gov/article?id=General-FAQs>, last visit 4th June 2019

22 WTO, Work Programme on Electronic Commerce, <https://www.wto.org/english/tratop_e/ecom_e/wkprog_e.htm>, last visit 4th June 2019

23 Appellate Body Report, European Communities – Regime for the importation, sale and distribution of bananas, WT/DS27/AB/R, para 221 & 222

24 Rolf H Weber, Digital Trade in WTO-Law – Taking Stock and Looking Ahead (2010), 5 Asian J. WTO & Int’l Health L & Pol’y 1, 3, pp.1

25

Despite the situation explained above, much of the debate within and outside the scope of the WTO has focused on trade in services. This is because the WTO’s trade in goods only refers to tangible goods transactions, while intangible products which include support and maintenance will more readily fall under the category of trade in services. The newer generation of information technology products inherently include some sort of support, continuous maintenance, or new content, which transcend the purchase of the product and will more readily fall under the services category.27 Digital trade is therefore considered to be more frequently linked with transactions of non-tangible products. Therefore, I consider that data and the processing of data are within the GATS framework.

The EU, as an economic union and an original party to the WTO, is obliged to comply with all the GATS general obligations including the Most-Favoured-Nation clause, as well as the specific commitments it made under the GATS: data processing services, database services and other computer services (in the sector of computer and related business services), telecommunications, travel agencies and tour operators, computer reservations systems and financial services (primarily, insurance and banking). The above list covers the processing of personal data broadly. In other words, the EU has undertaken to provide full market access. Considering the restriction imposed by GDPR on cross-border data trade and the preferential treatment given to the US under the US-EU Privacy Shield, it is conceivable that there is a risk that EU rules could be challenged and found non-compliant with the EU’s commitments to the WTO.

2. Potential Breach of MFN Clause (Article II)

The “non-discrimination” mechanism is embodied in GATS by two so-called general principles, namely the Most Favoured Nation obligation and the transparency obligation. GDPR’s restriction on transfer of personal data to third countries is capable of violating the EU’s MFN obligation under GATS Article II. Pursuant to the MFN clause (Article II of GATS), each Member State is obliged to extend immediately and unconditionally to services and service suppliers of any other Member “treatment no less favourable than that it accords to like services and service suppliers of any other country.” An argument for bringing GDPR to the WTO Dispute Settlement Body is that data services and service suppliers from a Member State have suffered from less favorable treatment than like services and service suppliers from another state with an adequate data protection standard. Such an argument could in particular be grounded upon the unilateral agreements concluded between the US and the EU, as they believe they have the equivalent data protection level. This agreement has granted benefits to the cross-border data transactions between them.

26 I-Ching Chen, Government Internet Censorship Measures and International law (2018), LIT Verlag Münster, pp. 170

27 Mira Burri, The Governance of Data and Data Flows in Trade Agreements: The Pitfalls of Legal Adaptation, (2017), UC Davis Law Review, 51, pp. 76

As the MFN clause is fundamentally concerned with equality of competitive opportunities, a key notion for establishing violation of the MFN clause is “likeness”. Thus, the first step is to establish “likeness”. “Likeness” is constituted when the services and service suppliers are “essentially or generally the same in competitive terms”.28 In principle, there are four general criteria for determining “likeness”: (i) the properties, nature and quality of the products; (ii) the end-uses of the products; (iii) consumers’ tastes and habits or consumers’ perceptions and behavior in respect of the products; and (iv) the tariff classification of the products.29 Furthermore, the above criteria, although interrelated, shall be examined separately.

While a complex examination of the competitive relationship is usually conducted when establishing “likeness”, dispute settlement bodies adopted a so-called “presumption approach” which was developed under the GATT. It has been concluded that the likeness of such product can be presumed when a measure is based on the origin of the product exclusively, unless it is shown that such difference in treatment is based on other characteristics “relevant for an assessment of the competitive relationship of the services and service suppliers”.30 However, it should be noted that the scope of such presumption under the GATS would be more limited than under the GATT, and establishing “likeness” based on the presumption may often involve consideration of the service and the service supplier.31 An additional layer of complexity stems from the existence of different modes of supply and their implications for the determination of the origin of services and service suppliers.32

28 Panel Report, China – Electronic Payment Services (16 July 2012) WT/DS413/R, paras 7.701-7.702.

29 Appellate Body Report, EC – Asbestos (18 May 2011), WT/DS316/AB/R, para. 101.

30 Appellate Body Report, Argentina – Financial Services (14 April 2016), WT/DS453/AB/R, paras. 6.36.

31 ibid, paras. 6.38.

It is not difficult to observe that GDPR has given preferential treatment to countries with adequate data protection standards. Controllers and processors from third countries not affording adequate protection are treated “less favourably”. Such differentiation is based on the country of origin and thus the presumption of likeness shall be applied in this context. As analysed above, the presumption of “likeness” can be applied when a measure is solely based on the origin of the product, unless it is shown that such difference in treatment is based on other characteristics “relevant for an assessment of the competitive relationship of the services and service suppliers”. Therefore, only if the EU successfully convinces WTO dispute settlement bodies that consumer characteristics of the relevant services and services suppliers are affected by the high level of data protection, the different treatments between countries with an adequate data protection level and those with an inadequate data protection level will constitute de jure discrimination.

Additionally, the sectoral regime European Union-US Privacy Shield, which was incorporated in an adequacy decision, increases the vulnerability of the EU’s data protection regime. It has imposed a presumption of the adequacy of the data protection level in the United States and grants benefits to the transfer of data by controllers and processors between the United States and the EU.33 Article II of GATS requires that, if a Member grants any advantage to any product originating in the territory of any other country, such advantage must be accorded “immediately and unconditionally” to the like product originating in the territories of all other Member States. Although there is some controversy regarding the meaning of “unconditionally”, it is generally accepted that an advantage granted to the United States by the EU shall be accorded unconditionally to any third country regardless of its situation or conduct. It is also argued that “unconditionally” might mean “without any conditions”. Either way, the EU-US Privacy Shield is an easy target for a challenge of MFN violation.

3. Potential Breach of Market Access Commitments (Article XVI)

The WTO Member States also agreed upon a schedule of “specific commitments” regarding “market access” (Article XVI of GATS). In the context of data processing services, market access is an important provision. Unlike the “negative list” approach of GATT, GATS adopted a “positive list” approach, which has a lower liberalization effect because WTO Member States may voluntarily, rather than compulsorily, enter into commitment in respect of specific services sectors and sub-sectors.34 The commitment a Member makes is therefore a specific set of rules that is generally based on each Member’s own policy objectives.

Under Article XVI of the GATS, “market access” addresses quantitative restrictions to trade in services. The underlying principle is technological neutrality35. That is, it applies not only to services provided in a traditional format, but also to those provided through electronic means. As held by the Panel in US-Gambling, “if a Member desires to exclude market access with respect to the supply of a service through one, several or all means of delivery included in mode 1, it should do so explicitly in its schedule.” Accordingly, a Member State which has made a specific commitment to the data processing service sector shall be bound regardless of whether the service is delivered by technological means.

The EU has made a full commitment and it shall grant market access in the data processing sector in accordance with its schedule. A full commitment of market access means a prohibition to maintain predominantly quantitative barriers included in the exhaustive list of Article XVI:2. Accordingly, non-quantitative limitations are in principle not included under the regime of Article XVI. At first glance, limitation on the transfer of personal data to third countries does not prohibit or limit the quota of service suppliers in a way that would conflict with the market access commitment.

Nevertheless, the problem would occur when a Member State restricts market access to a service supplier originating from another Member State with known inadequate standards. The issue is whether high data protection standards establish a per se quantitative limitation and thus are inconsistent with GATS, or whether such quotas constitute only a qualitative restriction.36

34 European Parliament, Comparing international trade policies: the EU, United States, EFTA and Japanese PTA strategies, <http://www.europarl.europa.eu/RegData/etudes/etudes/join/2013/433753/EXPO-INTA_ET%282013%29433753_EN.pdf>, last visit: 15th July, pp. 12

35 Third Party Written Submission by the European Communities, China - Measures Affecting Trading Rights and Distribution Services for Certain Publications and Audiovisual Entertainment Products, DS363, para 46

36 Shin-yi Peng, Digitalization of Services, the GATS and the Protection of Personal Data, in KOMMUNIKATION: FESTSCHRIFT FÜR ROLF H. WEBER ZUM 60 GEBURTSTAG (Rolf Sethe, 2011), pp. 759

Restriction on transfer of data by GDPR is arguably a “zero quota” requirement, which can constitute a violation of the EU’s market access commitment.37 The position taken by WTO dispute settlement bodies in US-Gambling can be applied here by analogy. In the US-Gambling case, the United States prohibited the remote supply of gambling and betting services, while the GDPR prohibits transfers of personal data to inadequate third countries. The Appellate Body ruled that an origin-neutral prohibition on remote gambling was “in effect” a “zero quota”. It constitutes a quantitative limitation imposed on a number of service suppliers, and such limitation violated Article XVI:2 of GATS. Accordingly, origin-neutral data protection law with very high standards could also lead to a “zero quota” of data processing services, because it could be impossible for some countries to fulfil the criteria due to their lack of technological infrastructure and resources.

Some literature, however, suggests that the above analysis overlooks the derogations provided by EU data protection law. As Article 46 of GDPR provides a number of legal conditions to transfer personal data lawfully to third countries which do not afford an adequate level of personal data protection, a finding of GATS-inconsistent “zero quota” market access barriers can hardly be made.38

VI. DOMESTIC REGULATION (Article VI)

Domestic regulation and the general exception clause are the two pillars for justification of WTO obligation violations by a Member State with high data protection standards. According to the fourth paragraph of the preamble of the GATS, the WTO recognizes “the right of Member States to regulate, and to introduce new regulations, on the supply of services within their territories in order to meet national policy objectives”, the application scope of which extends to all the measures in the sectors under specific commitments. However, a strict separation of Article VI and Article XVI of the GATS must apply. The dispute settlement bodies have held that the scopes of the two provisions are mutually exclusive39 and Article VI is restricted to measures of general application40. GDPR, as a measure of general application which has effect on trade in services, is subject to GATS Article VI:1 on domestic regulation in the sectors for which the EU has made specific commitments.

37 Reyes, supra note 36, pp. 141; RH Weber, Regulatory Autonomy and Privacy Standards under the GATS (2012), Asian Journal of WTO & International Health Law & Policy 25. pp.353

38 Svetlana Yakovleva, Kristina Irion, supra note 22, p20

39 Panel Report, US-Gambling (10 November 2004), WT/DS285/R para 6.338 & 6.355.

40 Markus Krajewski, Services Liberalization in Regional Trade Agreements: Lessons for GATS “Unfinished

While it is desirable to protect specific interests of consumers and prevent discrimination in a regional market in order to achieve socially necessary levels of availability and continuity of a service41, domestic regulation has a potential effect on cross-border trade in services. Thus Article VI stipulates the specific requirements for qualified measures. Article VI:4 and VI:5 address the substantive issues, whereas Article VI:1-3 and Article VI:6 concern procedural issues. Article VI:4 of the GATS applies a so-called necessity test to the trade barriers created by domestic regulations. More specifically, regulatory measures should not “constitute unnecessary barriers to trade in services” and not be “more burdensome than necessary to ensure the quality of the service”. Article VI:2 requires procedural guarantees for review of administrative decisions affecting trade in services, whereas Article VI:3 sets forth requirements for authorisation procedures, technical standards and licensing requirements. Article VI:6 concerns procedural guarantees for competence verification of professional services providers.

1. Regulatory Autonomy

Data protection legislation needs to survive the test of Article VI to fall under a state’s regulatory autonomy. According to Article VI:1, for GDPR, which has affected trade in services, to fall within the EU’s power to regulate and thus to be justified, it should be administered in a “reasonable, impartial and objective” manner.42 This provision embodies the fundamental standard of domestic regulation. However, Article VI is ambiguous regarding the substantive meaning of “reasonable, impartial and objective”. In the absence of any such guidance that the WTO could utilize, the literature suggests two competing standards imported from other WTO provisions.

Under the first standard, Article VI:1 imposes a substantive proportionality requirement through the concept of “reasonableness”.43 A proportionality requirement under Article VI:1 is thought to mean that the requirements imposed by the measure cannot be disproportionate to the objective pursued. Such test requires a balancing exercise between the trade restrictiveness

41 Reyes, supra note 36, pp. 22

43 Joel P Trachtman, Lessons for the GATS from Existing WTO Rules on Domestic Regulation, Domestic (2003), Regulation and Service Trade Liberalization, Oxford University Press, p66


of a measure and the policy objective to protect personal data privacy.44 Therefore, the regulation on transfer of data imposed by GDPR cannot be disproportionate to the policy objective, which is to protect fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.45 GDPR is vulnerable under this assessment since there is obviously a less restrictive means available, i.e. the EU-US Privacy Shield.

Under the second suggested standard, Article VI:1 only applies to the administration of data protection law. Accordingly, a country-by-country administrative approach without formal assessment criteria to govern data transfer is easily challenged.46 Under this interpretation, the administration of GDPR is likely to be found biased because the adequacy determinations are administered on a country-by-country basis rather than transfer-by-transfer. The EU will also face problems in explaining why the Isle of Man and Jersey underwent an adequacy determination while larger technological countries like Japan, South Korea and India have not.

2. Harmonized standards

The harmonization of data protection standards could overcome many problems of differently designed domestic regulations. Article VI:4 contains a negotiating mandate for the Council for Trade in Services with the objective of getting more positive commitments from the WTO Member States. The Council for Trade in Services established the Working Party on Professional Services (WPPS) on 1 March 1995 "to examine and report on the disciplines necessary to ensure that measures relating to qualification requirements and procedures, technical standards and licensing requirements in the field of professional services do not constitute unnecessary barriers to trade".47 On 26 April 1999, the Council for Trade in Services adopted a Decision on Domestic Regulation (S/L/70), which established the Working Party on Domestic Regulation (WPDR) and terminated the existence of the WPPS.48 Currently, a separate set of “horizontal” disciplines on domestic regulation is under negotiation. The core feature of these “horizontal”

44 Carla L. Reyes, WTO-Compliant Protection of Fundamental Rights: Lessons from the EU Privacy Directive, Melbourne Journal of International Law, pp. 19

45 Article 1(2) GDPR

46 Ibid, pp. 19

47 Council for Trade in Services, WTO, Article VI:4 of the GATS: Disciplines on Domestic Regulation Applicable to All Services, S/C/W/96, para 2


disciplines is that they are not sector-specific and will apply to all measures affecting trade in services within the scope of GATS.49

Nevertheless, the disciplines for data protection are still left undefined. This is because the implementation of privacy principles touches upon fundamental governmental and sovereignty questions,50 and there is no international organization, let alone the WTO, with universal jurisdiction over such issues. The issue of how to curtail protectionism without infringing the recognized right of countries to regulate the supply of services in their territories still constitutes a formidable challenge for WTO Member States.51

To sum up, the present interpretation of Article VI GATS on domestic regulation does not leave wide discretion to Member States.52 High-level data protection legislation like GDPR, which constitutes a restriction on transnational trade in services, is vulnerable to challenge in dispute resolution procedures. However, there are also no universal standards for data protection law, and thus the assessment by WTO jurisprudence is still unpredictable and uncertain.

VII. GENERAL EXCEPTIONS (Article XIV)

WTO law has some in-built flexibilities53 provided by the “general exceptions” listed in GATT Article XX and GATS Article XIV. These general exceptions are set to allow Member States to adopt measures, which may otherwise violate a Member State’s general and specific commitments, to protect non-trade interests including public morals, public order and other essential social interests, so long as those measures are not disguised restrictions on trade in services.54 Parallel to Article XX GATT, GATS provides a mechanism for justification. The general exceptions are listed in Article XIV of the GATS, which can be invoked by the Member States to justify their breaches of obligations. More specifically, three categories of general

49 WTO, WTO negotiations on domestic regulation disciplines, https://www.wto.org/english/tratop_e/serv_e/dom_reg_negs_e.htm, last visit 4th June 2019

50 Shin-yi Peng, supra note 31, pp 765.

51 Luis Abugattas Maijluf, UNCTAD, Domestic Regulation and the GATS: Challenges for Developing Countries (2018), Policy Paper on Trade in Services and Sustainable Development: Domestic Regulation

52 Rolf H Weber, supra note 14, pp. 36

53 Krista Nadakavukaren Schefer, Social Regulation in the WTO (2011), Bern, Switzerland: Edward Elgar Publishing, pp.3

54 “a responding party must make a prima facie case that its challenged measure is ‘necessary.’” Appellate Body Report, United States – Measures Affecting the Cross-Border Supply of Gambling and Betting Services (7 April, 2005), WT/DS285/AB/R, para 323


exceptions are listed: measures necessary to protect public morals or to maintain public order; restrictions necessary to protect human, animal or plant life or health; restrictions necessary to secure compliance with laws or regulations which are not inconsistent with the provisions of the GATS.

Although there are textual differences between Article XX and Article XIV, the mechanisms of application of the two Articles are similar. While the assessment is on a case-by-case basis, WTO jurisprudence has developed a relatively comprehensive mechanism for interpreting GATT Article XX which has been applied to GATS Article XIV by analogy.55

After being found in breach of WTO obligations, the EU may invoke Article XIV(c)(ii) as justification. The issue here is whether the prima facie violations could be justified by the general exception of GATS, which provides that a Member may adopt a measure:

“necessary to secure compliance with laws or regulations which are not inconsistent with the provisions of this Agreement including those relating to:

the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts;”

A well-known two-tier test is applied if a Member State invokes the above general exception provision.56 The Appellate Body in Brazil – Retreaded Tyres provides a comprehensive mechanism for analyzing whether a measure can be justified by WTO general exceptions. Accordingly, it first considers whether the measure falls within the scope of Article XIV(c)(ii). Secondly, a Member may not apply the measure in an arbitrary and discriminatory manner contrary to the requirement of the chapeau.

1. Scope of Subparagraph (c) Article XIV

55 DA MacDonald, supra note 3, pp. 639

56 Appellate Body Report, Brazil – Measures Affecting Imports of Retreaded Tyres (3 December, 2007), WT/DS332/AB/R, para 119–124


Similar to Article XX(d) GATT, subparagraph (c) of Article XIV GATS only covers those measures designed to secure compliance with other laws and regulations, rather than measures that pursue a particular policy objective directly. A two-part test for determining whether a measure falls under the scope of Article XX(d) GATT was established by the Appellate Body in Korea – Various Measures on Beef:

First, the measure must be one designed to “secure compliance” with laws or regulations that are not themselves inconsistent with some provision of the GATT 1994. Second, the measure must be necessary to secure such compliance. 57

In Canada – Wheat Exports and Grain Imports, the Panel went further and explained that the measure for which justification is claimed must firstly secure compliance with other laws or regulations, and that those other laws or regulations must not be inconsistent with the provisions of the GATT 1994.58

Additionally, in Mexico – Taxes on Soft Drinks, the Appellate Body noted that the question of whether a particular legal instrument is a “law or regulation” within the meaning of subparagraph (d) is logically distinct from the question of whether the measure is designed to “secure compliance” with that law or regulation. With respect to the first question, “laws or regulations” refers to domestic laws or regulations and does not include obligations under international law. Regarding the second question, a measure that is designed “to secure compliance” with a law or regulation need not be shown to achieve compliance with certainty. However, it should at least be suitable to contribute to securing such compliance.59

In the context of personal data protection legislation, for a respondent to justify its high level data protection which is in breach of WTO obligations, it needs to demonstrate that, firstly, the measure is to secure compliance with other laws or regulations where the right to data protection is contained. Secondly, the respondent needs to prove that the measure is necessary to secure compliance. Although it is not required that the contested measure will achieve

57 Appellate Body Report, Korea – Various Measures on Beef (11 December 2000), WT/DS161/R, WT/DS169/R, para 157

58 Panel Report, Canada – Measures Relating to Exports of Wheat and Treatment of Imported Grain, WTO Doc WT/DS276/R (6 April 2004), para 6.218


compliance, it should be suitable to meet the objective. Furthermore, the other laws or regulations shall not be in conflict with GATT 1994.

It is pretty straightforward that Chapter 5 of GDPR on transfer of personal data to third countries is designed to secure compliance with EU’s substantial data protection law, and thus falls under the scheme of Article XIV(c)(ii). However, the measure imposed by GDPR also has to survive the “necessity” test and the assessment under the chapeau of GATS Article XIV.

2. The “Necessity” test

The list of justification grounds is not only a “closed list” of pre-defined purposes; state measures restricting cross-border trade in services also have to be “necessary” to achieve the policy objective in question.60 There is a significant degree of controversy and unpredictability whenever WTO adjudicating bodies apply GATS Article XIV, which was discussed above. Early cases attached great importance to the existence of alternative measures. The Panel in US-Spring Assemblies examined whether there is a “satisfactory and effective alternative” when interpreting the concept of “necessity” under Article XX. It noted that a measure cannot be regarded as necessary when an alternative measure which the regulating State could reasonably be expected to employ and which is not inconsistent with other GATT provisions is available to it.61 The most commonly used approach at present is “weighing and balancing” between the measure’s contribution to the objective pursued and its negative impact on trade.

In Brazil – Retreaded Tyres, the Appellate Body explained the 2 steps required for determining whether a measure is “necessary”. Firstly, the analysis of the “weighing and balancing” test should begin with an assessment of the “relative importance” of the protection of personal data pursued by GDPR. Of course, all of the interests set out in Article XIV GATS and Article XX GATT are essential,62 including “the protection of the privacy of individuals in relation to the processing and dissemination of personal data” under Article XIV(c)(ii). Although the Appellate Body in Korea-Beef has noted that not all of the measures that pursue objectives falling within Article XIV or Article XX are necessarily of vital importance,63 the WTO

60 Cottier, Delimatsis & Diebold, Article XIV GATS: General Exceptions (2008), Max Planck Commentaries on World Trade Law – Trade in Services, Leiden/Boston: Martinus Nijhoff Publishers, Vol. 6, pp. 293

61 Panel Report, US-Spring Assemblies, (26 May 1983), L/5333 – 30S/107, para 58

62 Appellate Body Report, US – Shrimp, para 121.


jurisprudence has not yet found an objective pursued by Member States of negligible significance until now.

Secondly, the dispute settlement body should then go on to assess other factors, which will usually include the contribution that the measure makes to its objective, as well as the restrictive impact of the measure on international commerce, “in the light” of the importance of the measure. 64 In China - Publications and Audiovisual Products, the Appellate Body elaborated that a Member which chooses to adopt a very restrictive measure has to ensure that the measure is carefully designed to achieve its purpose. 65 It is not necessary for the measure to actually make a contribution. However, the measure should be likely to make a contribution.66

In the case of GDPR, on the one hand, the contribution of the restriction on transfer of personal data to ensuring compliance with EU’s data protection is moderately secured by the way it is implemented. GDPR has established a relatively well-rounded procedure for the Commission to reach an adequacy decision. Article 45 provides a list of elements of which the Commission shall take account. Article 93 provides the procedural regulations by referring to Regulation (EU) No. 182/2011. However, it is also argued that due to the lack of transparency, adequacy decisions of the Commission are to a considerable extent distorted by political and economic factors.67 On the other hand, while GDPR has created a negative effect on trade because it is costly and time consuming68, it does not impose an absolute ban on transfer. The transfers of data from and to third countries which have an adequate level of personal data protection are not always limited. The derogation list and BCRs contained within Article 46 and Article 47 GDPR might ease such negative effect. The above two factors in the weighing and balancing test might end in a tie depending upon the WTO dispute settlement body.

In Korea – Various Measures on Beef, a hallmark case regarding the interpretation of “necessity”, the Appellate Body found that while the word ‘necessary’ can sometimes mean ‘indispensable’ or ‘inevitable’, it is often used as ‘an adjective expressing degrees’. It went on and stated that “other measures, too, may fall within the ambit of this exception.” To qualify as ‘necessary’, a measure does not need to be indispensable to the objective in question, nor does

64 Appellate Body Report, Brazil – Retreaded Tyres

65 Appellate Body Report, China – Publications and Audiovisual Products, para 310

66 Ibid, para 315

67 Svetlana Yakovleva, Kristina Irion, supra note 77, pp. 29

68 Reyes, supra note 32, pp. 32.


it need to be an inevitable response to the problem it addresses. Nevertheless, the standard will not be met merely because the measure makes a contribution to its objective.69 The Appellate Body considered that

the term “necessary” refers to a range of degrees of necessity. At one end of this continuum lies “necessary” understood as “indispensable”; at the other end, is “necessary” taken to mean as “making a contribution to”. We considered that a “necessary” measure is, in this continuum, located significantly closer to the pole of “indispensable” than to the opposite pole of simply “making a contribution to”.70

It should be noted that there is a potential paradox within the mechanism created by Korea-Beef which cannot be overlooked. Some scholarship suggests that the Appellate Body vaguely introduced a “proportionality test” and affirmed that “Member States of the WTO have the right to determine for themselves the level of enforcement of their WTO-consistent laws and regulations.” Such a statement is in inevitable tension with the weighing and balancing analysis, because proportionality analysis would demand that the measure be appropriate; that is, its costs in trade restrictions must not be excessive in relation to the benefits for the public policy aim.71 Accordingly, free trade might outweigh another member’s interest in data protection, and a measure might be unjustifiable even if there was no reasonable alternative available.

Afterwards, the focus will shift to whether a reasonably available alternative exists. At this stage, the burden of proof lies upon the claimant, and then the EU shall prove that it is not a “genuine alternative” or that it is “not reasonably available”. The dispute settlement body shall apply factors of balancing in assessing whether there is an alternative measure which is reasonably available.72

The key here is that the alternative needs to be less trade restrictive. The Appellate Body in US – Gambling further explained that measures proposed by the complainant will not be reasonably

69 Indira Carr, Jahid Bhuiyan and Shawkat Alam, International Trade Law and WTO (2012), Federation Press, pp. 14

70 Appellate Body Report, Korea – Various Measures on Beef, supra 48, para 161

71 Ingo Venzke, Making General Exceptions: the Spell of Precedents in Developing Article XX GATT into Standards for Domestic Regulatory Policy, pp. 1133


available where they are prohibitively expensive or technically difficult or would not meet the respondent’s level of protection.73 In China-Publications and Audiovisual Products, the Appellate Body emphasized that the mere fact of extra costs or burdens would be insufficient to show that a proposed alternative was not “reasonably available”.74 Additionally, any measure proposed by the complainant must meet the level of protection or enforcement chosen by the respondent. The alternative measure for GDPR might be the Privacy Shield concluded between the EU and the US, which has established a channel for the free flow of cross-border data transfer. Such a Privacy Shield is clearly less trade restrictive and meets the level of EU’s personal data protection. Nevertheless, multinational negotiation might arguably be more time consuming than “adequacy” assessment by the EU Commission. It is unrealistic to require every country to impose a similar level of data protection, as technological, social and economic development differs between countries.

3. Chapeau

If the restriction on transfer of data to third countries imposed by Chapter 5 GDPR is considered necessary, the application of this section by the Commission still needs to withstand the test of the chapeau of GATS Article XIV. The focus here shall shift from the measure itself to how the measure is applied. It must be shown that the measure meets the requirement of the chapeau:

“such measures are not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade in services, nothing in this Agreement shall be construed to prevent the adoption or enforcement by any Member of measures.”

The drafting history indicates that the purpose and object of the chapeau is generally to prevent abuse of the exceptions.75 It is an expression of the principle of good faith. This principle, at once a general principle of law as well as a general principle of international law, controls the exercise of rights by states. Therefore, the chapeau firstly requires that the contested measure must

73 Appellate Body Report, US – Gambling, para 308

74 Appellate Body Report, China – Publications and Audiovisual Products, para 310

75 Appellate Body Report, US – Gasoline, para 22


not be applied in a manner that constitutes “arbitrary or unjustifiable discrimination”, and the measure must not be a “disguised restriction on international trade.”

(a) “arbitrary or unjustifiable discrimination”

The implementation of GDPR by the Commission obviously constitutes discrimination, since the transfer of personal data to controllers or processors from some countries is prohibited, while transfer to those from other countries is allowed. The US-Shrimp case shed light on the difference between permissible discrimination and “arbitrary or unjustifiable” discrimination. The United States’ measure led to “unjustifiable discrimination” because it required other Member States to adopt “essentially the same comprehensive regulatory program” as the one operating in the United States. The measure also did not provide sufficient flexibility for countries in different conditions.76 Furthermore, the United States had made serious efforts to negotiate an international agreement on shrimp imports with some countries but not others, i.e. the Inter-American Convention, which had provided a longer time for those countries to comply with this measure. The Appellate Body concluded that the “cumulative effect” of these differences in treatment constituted “unjustifiable discrimination”.77

Additionally, the Appellate Body held that the measure also constituted “arbitrary discrimination”. Firstly, the measure contained rigid and unbending requirements, disregarding the conditions in different countries. Secondly, the certification process by which countries were approved to import shrimp into the United States was not transparent and applicants were denied due process.78 Thirdly, there was no appeal mechanism available.

The situation of the EU resembles that of the United States in the US-Shrimp case, where the measure adopted by the United States was found to constitute unjustifiable discrimination. Firstly, the EU has concluded agreements with the United States, while Article 45 is universally applied to other WTO Member States without any negotiation. In US-Shrimp, the measure adopted by the United States was found unjustifiable and arbitrary because it “unilaterally applied its import prohibition without engaging in negotiations with some Member States, while it did with others.” The Appellate Body ruled that this was to “heighten the disruptive and discriminatory influence of

76 Appellate Body Report, US – Shrimp, para 164.

77 Ibid, para 166-176.


the import prohibition and underscore its unjustifiability”. Secondly, the time of adequacy determinations by the Commission differs from country to country. Some countries did not even undergo any assessment by the Commission. In the US-Shrimp case, the United States afforded countries different amounts of time for compliance with its turtle protection scope.

Therefore, in this context, data protection measures adopted by Member States shall, when determining the adequacy of the level of data protection in other countries, be flexible rather than rigid. Furthermore, such a procedure shall be transparent and subject to due process, and a reasonable review mechanism should also be available. Additionally, the respondent shall, if multilateral negotiation is possible, make an effort to establish an international agreement.

(b) “Disguised Restriction on International Trade”

In US-Gasoline, the Appellate Body noted that although the chapeau contains three separate prohibitions, they are not mutually exclusive. “Arbitrary or unjustifiable discrimination” demonstrates that a measure is a “disguised restriction on international trade”. However, the Appellate Body also made clear that this does not exhaust the meaning of “disguised restriction” and it has its own independent content. 79

In EC-Asbestos, the Panel explained the meaning of “disguised restriction on international trade” and stated that “to disguise” is, in particular, “conceal beneath deceptive appearance, counterfeit”, “alter so as to deceive”, “misrepresent”, “dissimulate”.80 Thus, in the case of GDPR, the analysis shall focus on whether the measure resulting in discrimination relates to the legitimate objective of personal data protection. The mere fact that a measure has the effect of protecting domestic industry does not demonstrate that it is “disguised”.

Furthermore, while Article 45(3) of GDPR has laid down the fundamental rule of procedures, the transparency of the decision is doubtful since the reasons for the Commission’s decision are not properly published. It is indicated in US-Tuna from Canada and US-Automotive Springs that a restriction might be “disguised” if it is not properly publicized. The Appellate Body’s

79 Appellate Body Report, US – Gasoline, para 25

80 Panel Report, EC – Asbestos, para 8.236


approach in Australia-Salmon further shows that an insufficient basis for a measure might mean that it is a disguised restriction on international trade.81

To sum up, although states are free to choose the level of human rights protection, all of the analysis in the end comes down to the question: how would the WTO balance the interests of trade and human rights? While GATS specifically reserves Member States’ right to regulate important domestic interests, it is still possible that the interest of free trade might outweigh another member’s interest in data protection. After all, the WTO’s main mission is to protect trade interests. It is also well known for its self-contained regime and it does not necessarily need to deal with international human rights obligations directly. However, WTO Members must comply with their human rights obligations and with their WTO obligations at the same time. Article 3.2 of the WTO’s Understanding on Rules and Procedures Governing the Settlement of Disputes thus states that, where possible, the Appellate Body and Panels should construe a WTO provision in conformity with customary international law.82 In the case of the right to data protection, it is still unclear whether it has obtained the status of a binding rule of customary international law, or if it remains an optional obligation which states may elect to assume.83 Its vague status will definitely create difficulties in analysis.

IV. INTERNATIONAL LAW AND DOMESTIC LAW

An inevitable issue here is the separate jurisdiction of the international and domestic legal orders. While internal law cannot be invoked as a waiver of international responsibility or compliance with treaty obligations, the international community is not regarded as a higher authority, and international law will only be regarded as formal authority when domestic law renders it binding. International law leaves it to the state to choose between implementing its international obligations by providing for their direct effect in the domestic legal order, or by transforming them into domestic law by special national legislation.

EU law, unlike national law, is still a branch of international law. In principle, there is still a strong commitment of the EU to the international community. Accordingly, the EU needs to comply

81 Glyn Ayres & Andrew D. Mitchell, General and Security Exceptions under the GATT and the GATS (2012), International Trade Law and WTO, Indira Carr, Jahid Bhuiyan and Shawkat Alam, eds., Federation Press, pp.29

82 Sarah Joseph, Blame it on the WTO? A Human Rights Critique (2013), Oxford: Oxford University Press, pp. 215


with its WTO obligations. Otherwise, it will have to bear international responsibility. However, the EU is, in the meantime, an independent jurisdiction from the WTO legal order based on the principle of autonomy. WTO dispute settlement bodies are constrained within the WTO legal order and would not be bound by any precedents within the EU. Conversely, the EU tends not to afford multilateral agreements and the rulings of international tribunals direct effect on the grounds that they are not self-executing. More specifically, this follows the “no direct effect” provisions included within the EU Council’s Decision approving the WTO Agreement and Annexes to it and within the EU Services Schedule.84 A hierarchy within the EU legal order has been adopted since the judgments in Kadi I and Kadi II. That is, a separation is made between ordinary EU primary law and primary law that concerns the foundations of the Union. Norms of jus cogens from the EU treaties cannot be derogated from, and the displacement of primary EU law by international law is not allowed.

While non-compliance with WTO obligations will, of course, result in international responsibility of the EU85, such character of the EU legal order ensures that WTO obligations or judgments of WTO jurisprudence cannot be invoked directly to challenge EU secondary law. Furthermore, private parties are not able to exercise their rights under the GATS within the EU legal system directly. That is, the WTO framework cannot, by any means, invalidate or override any provision of either EU primary or secondary law automatically.86

V. CONCLUSION

While the value of personal data in digital trade is without doubt, the right to data protection has developed into a fundamental right which is parallel to or contained within the concept of the right to privacy. This article analyzes the tension between internet-based business and the increasing attention on data privacy, as well as how WTO could shed light on it. Two main questions are presented with a case study on GDPR: first, whether personal data legislation could constitute a violation of the GATS, with a presumption that it falls under GATS regime. Second, once a violation is established, whether it could be justified by the WTO general exceptions.

84 Council Decision 94/800/EC of 22 December 1994 concerning the conclusion on behalf of the European Community, as regards matters within its competence, of the agreements reached in the Uruguay Round multilateral negotiations (1986-1994) [1994] OJ L336/1, recital 11 of the Preamble.

85 According to Vienna Convention on the Law of Treaties Article

86 Svetlana Yakovleva, Kristina Irion, supra note 77, pp. 27


The level of data protection varies between countries. Thus a country with a high level of data protection will usually restrict or prohibit the transfer of data to another country with lower data protection. Such a mechanism is likely to be found to be de jure discrimination and to constitute a violation of WTO commitments. To overcome a challenge under the MFN clause, the key here is to preclude the application of the presumption of “likeness” by establishing that consumer characteristics of services or service suppliers are affected by the data protection legislation. Regarding a Market Access challenge, a rigid prohibition of transfer of data might constitute a “zero quota” and thus constitute a violation of market access commitments. But what about a flexible restriction with a list of conditions where transfer of data to another country with inadequate data protection is allowed? Would it still be found to be a violation of market access commitments? Probably yes, since countries with an inadequate data protection level are still given more restrictive access to the market.

Additionally, the absence of WTO jurisprudence on data protection justification under GATS leaves many questions unresolved. Most importantly, how would a WTO panel balance data privacy and free trade when Article XIV(c)(ii) is invoked? Would it find that the prohibition or restriction of the transfer of data to a third country is to protect “very important interests that can be characterized as ‘vital and important in the highest degree’”87? A further question is in what way the implementation of an adequacy assessment, which has been adopted in many data protection schemes, would not be found discriminatory. My opinion is that a high level of data protection legislation, even transparent and under due process, probably will still be outweighed by the interest of trade. This is not only because of the unclear status of the right to data protection in international law, but also because of the inherent conflict among developed, developing and underdeveloped digital markets. A high standard for cross-border data transfer will inevitably break the process of global digital market integration, which is significant for the development of the internet and data trade. In the big data era, it is doubtful that the WTO will allow developed countries to set a high data protection standard and create a hurdle to global digital market development without a second thought. In conclusion, with the rising recognition of data protection as an important public policy objective, the above questions should gain urgency as trade agreement negotiations proceed. The risk of a WTO challenge should also draw attention when Member States decide to set a high level of data protection.


