European Data Protection Supervisor
European Data Protection Supervisor

Less is sometimes more

Less is sometimes more

Monday, 18 December, 2017

We are approaching the holiday season, a period of excess and over-indulgence followed by doomed resolutions to live more healthily and frugally in the New Year.

Data protection of course has always been about dignity and restraint. It is based on the idea that respect for humans means being careful with what you do with information about them. 

But data protection in the EU has also always been about helping to oil the cogs of commerce inside the internal market. Common standards meant that it didn’t matter where personal data travelled within the Union; what mattered instead were the safeguards in place for individuals, as well as accountability of controllers and processors.  

One of the many signals of data protection being now truly part of the mainstream of public policy is the recent discussions on the proper relationship between trade and data, including personal data. Apart from a general exception, the General Agreement on Tariffs and Trade - signed in 1994 as the first multilateral treaty on the liberalisation of international trade - makes no mention of data flows. Indeed the WTO’s own website could not be more categorical: “The WTO has had nothing whatever to do with Internet privacy”.

Now, however, with the digital economy developing at a very fast pace, an EU institutional trend to address the issue of restrictive measures to trade (so-called “digital protectionism”) has emerged. The pursued objective is to support the interests of EU businesses and to enable them to be competitive on markets outside EU. The trade agreements at stake also aim at supporting third countries’ businesses. This has led to the idea of inserting into the trade agreements negotiated by the European Commission specific clauses that would on the one hand ensure the “free flow of data”, and on the other hand, prohibit “unjustified” data localisation restrictions by third countries.

Independent data protection authorities, having always in mind their two fold role of safeguarding the rights of data subjects and facilitating lawful movement of personal data within the internal market, fully understand and support the trade interests of EU businesses. 

That is precisely why we support a genuine guarantee that EU data protection law will not be endangered by any third country agreement. The rights to data protection and to privacy, as fundamental rights, are non-negotiable, as President Juncker himself made this very clear in his State of the European Union address of 14 September 2016.

Very recently, the Resolution on “Towards a digital trade strategy” (2017/2065(INI)) adopted by the Plenary assembly of the European Parliament on 12 December also recalled the same position that fundamental rights such as the protection of personal data, should not be subject to trade negotiations.

I too have repeatedly taken the position that data protection should not be subject to trade negotiations. To quote one of the founders of modern European data protection, Professor Spiros Simitis, “It’s not bananas we are talking about!”

References to the free flow of data are by their nature ambiguous, because it is increasingly difficult, if not impossible, to distinguish personal data from data which does not relate to an identified or identifiable individual. Moreover, such a provision would potentially introduce a conflict with the EU data protection rules – including rules on international data transfers.  Therefore I am not convinced that any “free flow of data”, any so-called “data protection carve-out clauses” (i.e. clauses aiming to protect and guarantee the EU data protection rules in complement to a free flow of data principle) or “anti-circumvention” clauses (i.e. clauses limiting the scope of the carve-out in situations where a party intends to restrict trade for reasons unrelated to data protection) are a viable solution.

Of course, our concerns are first related to agreements that may involve personal data, by considering their wide definition. First of all, negotiators would have to ensure that the scope of the “carve-out” encompasses all situations where personal data might be involved. “Anti-circumvention “clauses are in particular dangerous, as they would inevitably create a risk for our data protection rules.  Carve-out clauses would need to apply horizontally and unconditionally to all data processing, as soon as personal data are involved - a provision whose practical application is questionable, at best.  

Data localisation rules, meanwhile, might create the risk of watering down the existing EU data protection rules or preventing the adoption of further data protection rules in the future. Inserting data protection in the scope of trade agreements negotiations may also create a general risk by opening the possibility for a third country to challenge EU data protection law as a disguised restriction on free flow of data.

Therefore, for the avoidance of doubt and to minimise unintended adverse consequences, I recommend keeping personal data issues fully and explicitly out of the scope of the EU’s trade agreements.  Otherwise there will always be the risk, despite the best intentions of the negotiators, that trade agreements provisions have a direct or indirect impact on how personal data is treated, including how it is transferred, in ways which conflict with or result in violation of the letter and spirit of the EU data protection framework. For an object lesson, we only need to look to the experience of the draft EU-Canada PNR agreement.

In fact, current and future EU data protection rules already offer tools for the free flow of personal data. The General Data Protection Regulation provides for even more tools and more flexibility such as, for example, the possibility to transfer data on the basis of codes of conduct or certification and the possibility to adopt adequacy decisions for a sector of activity or a part of a third-country’s territory. By contrast, the EU has so far only adopted adequacy decisions with four of its 20 largest trading partners. This highlights the need for dialogue with third countries who share our commitment to looking after the interests of individuals in the digitised society.

I believe that the best way to address barriers to data flow is not trade deals but rather to make better use of existing and new tools for personal data transfers. These discussions can and should take place in parallel, like the current talks with Japan.

Trade deals are already complicated enough. The EU has invested enormous energy and care into reforming its data protection framework. Let’s put those new rules into action rather than attempting to submerge them into wider trade arrangements about commercial interests, not basic rights. We may find that less is more.

From all of us at EDPS we wish you a restful and enjoyable Christmas break and a prosperous 2018.