The digital sector is a fundamental driver of change in today’s world. Spurred by online hyperconnectivity among people and businesses, the world economy has become more and more digitised. The resource at the core of this process is data – and there are different categories of it: personal or non-personal, private or public, sensitive or non-sensitive, governmental or commercial. Each category carries its own implications for processing and is subject to different data governance frameworks. As a result, overlapping national and international regulations pose multiple compliance challenges for companies operating in different jurisdictions. In addition, the flows of data have national security and privacy implications – with cyber espionage, cyberattacks, and mass surveillance being only a few of them.
Data transfers are the lifeblood of economic and social interactions – panta rhei, an ancient Greek term meaning ‘everything flows’, is part of the philosophy of Heraclitus who, presumably, was not talking about data at the time. With the digital economy now making up a substantial share of the overall global economy, restrictions on data flows among countries are a significant barrier to global trade in services based in different markets. Generally, restrictions either stipulate that data created in a jurisdiction or market must be stored and analysed there, or that the receiving jurisdiction must fulfil additional requirements for data transfers. These restrictions may affect countries’ legal commitments under various trade agreements, including the General Agreement on Trade in Services.
While imposing these restrictions is primarily a state prerogative, one of the central pieces of legislation in this regard is the General Data Protection Regulation (GDPR) adopted by the European Union in 2016. The GDPR aimed to protect the personal data of individuals: it not only gave them the power to control its use but also instituted a conditional flow regime for third-country transfers. Under the GDPR, both the recipient state and the transferring entity must fulfil specific conditions. One way to transfer data is through the provisions of an adequacy decision, adopted by the European Commission, which deems the third country as having an equal level of data protection as the one enshrined in the EU Convention on Human Rights. In the absence of an adequacy decision, data can still be transferred and processed if the transferee fulfils certain conditions, such as the explicit consent of the data subject, or the presence of contractual constraints on the use of the data in the form of model contract clauses (Standard Contractual Clauses, or SCCs) or Binding Corporate Rules.
In July 2020, in the landmark Schrems II judgement, the European Court of Justice (ECJ) invalidated an adequacy decision named ‘Privacy Shield’, a major agreement for transferring data from the EU to the United States. In its judgement, the ECJ stated that on account of invasive US surveillance programmes, the adequacy decision was invalid, and added that personal data transferred to non-EU countries must enjoy protection from government intrusion. Additionally, it set out stricter requirements for the transfer of personal data based on SCCs. To this end, the European Data Protection Board has published a recommendation and the EU essential guarantees, which provide companies with a six-step plan for assessing global data flows in line with EU law. Given the concerns about the extensive ability of state authorities to access data transferred to authoritarian states such as China or Russia, the uncertainty surrounding international transfers remains. In practice, companies have already started to implement enhanced methods to ensure compliance, such as pseudonymisation or encryption, aiming to avoid legal action from European regulatory and judicial authorities.
In the meantime, the EU signed another agreement with the UK in order to solve the lack of a legal framework for data transfers after Brexit, with many provisions on data privacy and data transfers included. On this agreement, the European Data Protection Supervisor said that such an agreement ‘must remain an exception’ and should not be replicated in other international agreements, showing once again the tension provoked by the Schrems II judgement.
Meanwhile, the global data privacy landscape is rapidly growing in complexity. New data protection frameworks are being discussed and drafted in multiple countries, such as China, Australia, Singapore, and India. In the US, discussions on a comprehensive federal privacy law are seeking political momentum. Many of these frameworks are influenced by the GDPR’s extraterritorial applicability, making it a reference point for the handling of multinational personal data. The GDPR’s success has reinforced the EU’s normative power, which was described by Columbia professor Anu Bradford as the Brussels effect.
At the international level, there is no comprehensive multilateral framework that would regulate data transfers under international law. One relevant instrument is the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted in 1980 and revised in 2013. Once again, discussions are ongoing to review these guidelines to address new issues. As the Guidelines aim to strengthen and harmonise national privacy enforcement legislation while upholding human rights and facilitating international flows of data, many are advocating for these guidelines to address what constitutes an appropriate level of surveillance and government access to data. Recently, the World Economic Forum (WEF) has called for a Global Data Convention, while the World Trade Organization (WTO) is preparing a joint initiative on e-commerce co-owned by Japan, Australia and Singapore.
Conclusions
When it comes to data, the balance between privacy concerns, free trade, and national security needs is a difficult one to strike. As data flows are critical for the functioning of a global digitised economy, an international environment of trust for data flows is needed. Most essentially, countries have to agree on common international legal standards that would allow the free and safe flow of data. In the absence of global rules, countries develop national privacy legislation, which creates difficulties when it comes to interoperability among data regimes.
The piecemeal approach of bilateral free trade agreements which include provisions on data flows may hinder innovation and multilateral cooperation, and might in the end create ‘data havens’ – jurisdictions with legal environments friendly to unregulated data. Accordingly, the efforts to adopt a Global Data Convention based on existing human rights and international law principles are essential. But for a solution to be truly global, all countries have to come to the negotiating table. Given the concerns over government surveillance in authoritarian countries and large discrepancies among democracies, it is unclear in what way and how willing those governments will be to join a multilateral solution.
As for the EU, as stated by Advocate General Saugmandsgaard Øe in his Opinion on the Schrems II case, a balance should be struck between the need to assert the fundamental values recognised in the EU legal order and the need to show a reasonable degree of pragmatism in order to allow interaction with other parts of the world.