WORKSHOP

SUMMARY

WORKSHOP • 26 JUNE 2018

MEET THE AUTHOR SERIES

"Threats to EU concepts of ‘adequacy’ from trade agreements and data export agreements in the Asia-Pacific"

by Laura Drechsler, Brussels Privacy Hub, LSTS, VUB

SUMMARY

On 26 June 2018, the Brussels Privacy Hub organised a fourth edition in its Brussels Privacy Hub Meets the Author- events series titled "Threats to EU concepts of ‘adequacy’ from trade agreements and data export agreements in the Asia-Pacific" with Professor Graham Greenleaf (University of New South Wales, Australia), who also joined the Hub as a visiting scholar for the week of 25 June to 1 July 2018.

Professor Greenleaf guided a debate on possible threats posed by trade agreements to privacy. This debate was based on his recent publications, Greenleaf, G ‘Looming Free Trade Agreements Pose Threats to Privacy’ (2018) 152 Privacy Laws & Business International Report 23-27 (April 2018), Greenleaf, G, 'Questioning ‘Adequacy’ (Pt II) – South Korea' (2018) 151 Privacy Laws & Business International Report 14-16 (February 2018) and Greenleaf, G, 'Questioning 'Adequacy' (Pt I) – Japan' (2017) 150 Privacy Laws & Business International Report, 1, 6-11 (December 2017). These works and the general theme of the interrelationship between trade, data protection and adequacy concepts, were discussed with him by Fabian Delcros (DG Justice, European Commission) and Professor Christopher Kuner (Brussels Privacy Hub). The debate was moderated by Dr Hielke Hijmans (Brussels Privacy Hub).

The debate started with introductory comments by Hijmans who first highlighted some general issues with the adequacy assessment in EU data protection law. He noted that, as Greenleaf often pointed out in his writings, one of the issues with the adequacy assessment was the lack of transparency of its process, which makes it difficult to assess the different stages of the assessment. Against this background, it was also very complex to define the meaning of an “essential equivalent” standard of data protection, the standard required for a positive adequacy finding according to the Court of Justice of the European Union (CJEU) decision in Schrems.

Hijmans continued to offer some thoughts on the topic of the debate, namely the relation between free trade agreements and data protection. He remarked that the European Union (EU) has tried to strictly separate free trade negotiations and data protection in the past, but that it was possible that this approach was not anymore feasible or desirable due to the close interconnections between free trade and privacy. Thus, trade agreements could be seen as a potential threat to data protection. Hijmans also linked this concern with the growing conversion of data protection law across the globe, where according to Greenleaf 126 countries have a data protection law (data from June 2018). Such conversion could lead to harmonisation and potentially perhaps to an UN agreement, which might alleviate conflicts between free trade and data protection but also leave open the question on how to deal with existing data protection tools, such as Convention 108.

These introductory remarks were followed by a short presentation of Greenleaf on the main points of his articles in the area of free trade and data protection. He explained that the common thread of the three papers discussed could be found in the different challenges modern developments pose to the adequacy system for data transfers outside of Europe.

A first challenge addressed in the papers was for Greenleaf the lack of transparency, that has already been mentioned by Hijmans. For him it was vital that decisions concerning adequacy would be surrounded by as much transparency as possible as these decisions have a large influence on the future of data protection. Unfortunately, before the General Data Protection Regulation (GDPR) adequacy decisions under the Data Protection Directive (DPD) were conducted in secrecy, the only public document being the Article 29 Working Party opinion, published at the end, if the assessment was positive. According to Greenleaf, that secrecy led to a lack of third party involvement on the ongoing adequacy assessment. Such involvement could improve adequacy decisions and assist in avoiding some challenges at the CJEU.

For him, it remained to be seen whether the GDPR will offer improved transparency compared to the secrecy under the DPD. As an example of a lack of transparency, he mentioned the ongoing adequacy assessment of Japan, were many of the most crucial documents were either not made public at all or only available in Japanese. Furthermore, one interpretation of the GDPR would be that opinions by the European Data Protection Board (EDPB) on adequacy proceedings would only be made available to the European Commission and not to the public.

Greenleaf argued that the lack of transparency was similar for trade negotiations and agreements. While secrecy for trade could sometimes be considered appropriate to achieve certain necessary trade-offs, such secrecy was harmful in his opinion when human rights were at stake. He found that for example rules on data export which touch on the human rights of privacy and data protection should be negotiated with public input.

Finally, Greenleaf summarised his articles by pointing out two main challenges to the current adequacy system. First, interoperability of systems of data protection in various regions in the world could result in lowering protection (“an internal threat”), second, there are attempts to make restrictions on data flows as contained in the GDPR illegal by referring to trade law as contained in the General Agreement on Trade in Services (GATS) (“an external threat”).

This summary by Greenleaf was followed by Delcros, who explained the institutional perspective on the mentioned issues. He agreed that there was indeed a current trend, initially promoted by US tech interests and reflected in the Trans-Pacific-Partnership (TPP), to try to use trade agreements and trade law to curtail strong data protection rules. To counter this trend and promote the EU data protection values, the European Commission has drafted its own language on data protection and data flows to be inserted in future EU trade agreements.

Delcros then developed further on the relationship between trade and data protection laws. He explained that GATS could not be considered a real obstacle to data protection rules, since Article 14 of the GATS Agreement allows for an exception to trade rules (including of the principle of equal treatment of all WTO Members) for reasons of the protection of the right to privacy. Such an exception allows to treat countries differently according to the manner they offer protection to privacy, as the EU has done by e.g. having an adequacy decision for New Zealand but not for Australia, as the standard of data protection was different in both countries (for example: in Australia data protection rules are not applicable to small and medium-sized enterprises (SMEs)). The TPP that the US initially negotiated (but did not join in the end) would make such difference of treatment much more difficult as it does not allow to take differences in protection into account. This attempt to promote a certain vision of data protection through trade agreements could also be explained by the fact that the US, contrary to the EU, cannot negotiate full adequacy decisions because it lacks a comprehensive federal data protection law.

Delcros then pointed to the need to combat protectionist measures like forced data localisation provisions (an obligation to store personal data in a specific country), also when they are adopted in the name of data protection. He insisted on the interest of including rules in trade agreements to discipline this type of protectionist measures. Such provisions could be found in the Chinese cybersecurity act and the Indonesians are also considering this in their draft data protection law. The European Commission has drafted horizontal clauses for future trade agreements against such forced location provisions while simultaneously acknowledging the right of each country to decide its own approach to protecting privacy. For Delcros, such clauses should protect the GDPR from second-guessing by trade courts.

Delcros also discussed the relations between adequacy decisions and other international data transfer frameworks like the one promoted by the Asia Pacific Economic Cooperation (APEC). For Delcros, since under the APEC data are less protected than under the GDPR, one should ensure that, when an APEC country benefits from adequacy, strict provisions on international transfers are in place to prevent automatic onwards transfer of EU personal data to other APEC countries. This issue, which was rightly identified by Greenleaf in some of his articles, was raised in the adequacy negotiations with Japan and solved by including supplementary provisions that prevent automatic onward transfers from Japan to other APEC members.

On the issue of transparency in adequacy discussions, Delcros also insisted that one should also consider the fact that adequacy decisions involve nationally sensitive issues, such as surveillance and the intelligence services.

Another perspective on the issues raised by Greenleaf was offered by Kuner, who agreed on the lack of transparency of adequacy findings and pitied that no solution was found in the GDPR to allow for more public access under the new rules. While he understood the sensitive-issue-argument raised by Delcros, he did not consider it relevant as an adequacy assessment would be a legal study on the standard of data protection in a certain country not the revelation of state secrets. An advantage of a more transparent approach would also be an avoidance of opposition against the decision within civil society, as experienced with the Privacy Shield, as the public would have more opportunities to interact with the text.

Remarking on the standard of “essential equivalence” of data protection established by the CJEU in Schrems, Kuner noted that this standard should be able to prevent undermining of the EU level of protection by privacy frameworks such as the APEC framework. Any agreement undermining this standard would eventually by challenged at the CJEU, who has invalidated agreements based on data protection arguments before, notably in Opinion 1/15. For Kuner, such differing framework would therefore not pose that much of a threat. For him, the ongoing wave of data nationalisation tendency within the EU and outside could pose more of a challenge, as it would make it more and more difficult to find a third country adequate. He explained that effective data protection in case of data transfers was not possible without adequacy findings and some process of assessing third countries.

In this context, Kuner criticised the lack of a comparative law methodology within adequacy decisions, as it seems that instead of a methodology of comparing concepts, the European Commission was comparing wording of legislation, not considering a potential data protection culture within inter alia case law and practice. Moreover, while the GDPR offered more criteria for what needs to be considered as part of an adequacy assessment, the process as a whole was more and more politicised and losing its legal focus. Kuner considered it of utmost importance that this trend was being reversed and the legal analysis underlying adequacy assessments becomes the main point again.

Kuner concluded by remarking that a global standard for data protection achieved within an UN agreement could present a step forward. However, due to the scope of application of the GDPR to international organisations, including the UN, there was currently not much goodwill on the UN’s side, which could hamper the common ground for such an agreement.

The event continued with some reactions by Greenleaf to the different discussants. He clarified that he agrees that the CJEU offers a strong protection for data protection. However, cases might take too long to be decided creating legal uncertainty in the meantime. He argued that more transparency of the adequacy process within both the European Commission and the EDPB with opportunities for third party experts to provide input would be a preferable approach, as it would lead to better adequacy decisions in the first place. As Kuner, he lamented the lack of visible comparative law methodology in adequacy decisions, which for him also stemmed from the lack of transparency of the whole process. Additionally, Greenleaf advocated for transparency also regarding those assessments that ended negatively, as e.g. the one for India, where a comparative methodology was employed but the results were never made publicly available.

Regarding a potential UN agreements, Greenleaf came out strongly against, arguing that the existing Convention 108 of the Council of Europe, that was open for accession by non-Council of Europe members, would offer a much better existing avenue. Negotiating a new agreement would in his opinion risk lower standards as included in the Convention 108, especially if the US was involved. He therefore welcomed the recent push by the European Commission for global adoption of Convention 108.

Greenleaf disagreed with the approach by the European Commission, explained by Delcros, regarding APEC, as for him this approach did not offer enough protection against potential automatic onward transfers to other APEC members, at least judging from the Commission’s apparent arrangements made in relation to the Japan adequacy decision, which were too vague.

In a final round of reaction, Delcros defended the Commission’s methodology for adequacy decisions and clarified that this exercise involves more than the assessment of legal texts as in practice, the Commission would alsotake into account the legal culture and practice within a country. Besides, once the adequacy decision is taken, its implementation is closely and regularly monitored by the Commission. He also argued for the Commission’s solution for APEC within the Japan adequacy decision, which clearly states that all onward transfers from japan need to benefit from the same level of protection as initial transfers from the EU to Japan, thereby excluding automatic transfers to other APEC members.

Kuner highlighted in his final reaction the issue, that for the past 20 years much of the debate surrounding adequacy decisions focused on data transfer to the United States;  adequacy was decided and negotiated in that context. However, for Kuner the US did not represent a good model, as they were a rather special case as the close economic ties between the EU ad the US posed nearly a necessity to come to some kind of arrangement. This focus led to a lack of general rules on how to assess and establish adequacy, which will have to be established now. For him, this was the more urgent considering that the current arrangement (the Privacy Shield) with the US might not survive, either as a result of the pending challenges at the CJEU or because of an intervention of the current US president, who could perceive the Privacy Shield as a further unfair trade restriction imposed on the US by outside powers. For the future, this would bring interesting challenges, as there was no experience in dealing with a country such as for example China. The beginning of new approaches could already be seen in the negotiations with Japan, where for the first time the adequacy assessment was mutual, meaning that Japan was also assessing whether the EU system for data protection was adequate for transfers to the EU.

Finally, Greenleaf remarked on the global effect of the GDPR, and how many countries especially in Africa, have taken over large bits of it into their national legislation. Additionally, companies working with international companies are increasingly asked for GDPR compliance, as global corporation opt to have just one privacy regime (GDPR).

The debate was followed by a lively discussion with the audience.