The EU and Japan announced they will start negotiations towards data flow provisions in a revamped digital chapter in their bilateral free trade agreement.
When their FTA was adopted and came into force in early 2019, the two sides had left out the chapter that tackles the critical issue of cross-border data flows. Instead they agreed to convene three years later to start negotiations.
EU member states recently adopted a mandate giving the European Commission powers to negotiate.
In their mandate, EU capitals say that “the negotiations should result in rules covering cross-border data flows addressing unjustified data localisation requirements, while neither negotiating nor affecting the EU’s personal data protection rules and should be in line with the EU legal framework, notably on the protection of personal and non-personal data and cybersecurity.“
The commission itself only requested a mandate from capitals once it received sufficient signals from Japan that the terms Brussels is considering for this chapter can be discussed.
The reason for the delay in adopting a digital chapter was twofold. Back then the EU had not formalised its common position on cross-border data flows for trade agreement. And Japan was not keen on the way the EU approaches the topic, as it prefers the way the data flow issue is dealt with in the trade agreement it likes to champion, the CPTPP.
EU approach to data flows in trade agreement firmed up
The EU basically wants three things. a) free flows of data across border to ease business, b) non EU governments to commit never to force companies to hold data on local servers and hence stopping EU investors from repatriating data, and c) the recognition by trading partners that protection of personal data is a human right that overrides all other relevant considerations, including the constraints posed by international trade rules.
Brussels considers that the conditions set in general trade rules such as the GATS’s article XIV are too constraining.
The WTO’s rules – established back in the early 1990s when the internet didn’t exist – in fact allow governments to waive their free trade rules to protect data privacy. But they enjoin governments to take proportional measures and ensure that these are actually necessary to fulfil those objectives.
As a result of a lengthy internal debate, the EU came up with a compromise position in its FTAs which it now imposes – barring minor negotiable tweaks here and there – on its agreement partners.
Two precedents were set in this regard in the EU UK Trade and Cooperation Agreement of late 2020 and the recently concluded EU New Zealand free trade agreement: the relevant provisions are shown in the table below.
The provisions do exactly what the EU has set itself as goal: ban forced data localisation requirements, but offer a lot of room for data privacy policies.
From the perspective of Brussels, guaranteeing to its partners a principle that data will not be blocked is easier to do with partners whose data privacy legislation it considers trustworthy. In the case of Japan, the EU has issued a data ‘adequacy’ decision already. New Zealand also enjoys an adequacy decision – and so does the UK albeit for a limited time period.
Japan is interested in concluding this deal with the EU as it guarantees its industries and companies seamless data flows across their respective jurisdictions.
The EU sees this the same way. “Unjustified data localisation requirements can raise the cost of conducting business across borders. An example could be, mandating companies to keep data within a certain territory or making the cross-border transfer of data contingent upon the use of computing facilities or network elements in the country’s territory, for protectionist reasons,” the commission wrote in its statement to the press on the launch of the Japan talks today.
The negotiations with Tokyo are set to start on 24 October.
TABLE: Data flow provisions in EU UK Trade and Cooperation Agreement and in EU New Zealand free trade agreeement
| Topic | EU UK TCA | EU NZ FTA |
|---|---|---|
| Cross-border data flows | "1. The Parties are committed to ensuring cross-border data flows to facilitate trade in the digital economy. To that end, cross-border data flows shall not be restricted between the Parties by a Party: (a) requiring the use of computing facilities or network elements in the Party's territory for processing, including by imposing the use of computing facilities or network elements that are certified or approved in the territory of a Party; (b) requiring the localisation of data in the Party's territory for storage or processing; (c) prohibiting the storage or processing in the territory of the other Party; or (d) making the cross-border transfer of data contingent upon use of computing facilities or network elements in the Parties' territory or upon localisation requirements in the Parties' territory. 2. The Parties shall keep the implementation of this provision under review and assess its functioning within three years of the date of entry into force of this Agreement (....)" | "1. The Parties are committed to ensuring cross-border data flows to facilitate trade in the digital economy and recognise that each Party may have its own regulatory requirements in this regard. 2. To that end, cross-border data flows carried out in the context of activity that is within the scope of this chapter shall not be restricted between the Parties by: (a) requiring the use of computing facilities or network elements in the Party's territory for processing, including by imposing the use of computing facilities or network elements that are certified or approved in the territory of the Party; (b) requiring the localisation of data in the Party's territory for storage or processing; (c) prohibiting storage or processing in the territory of the other Party; (d) making the cross-border transfer of data contingent upon use of computing facilities or network elements in the Party’s territory or upon localisation requirements in the Party’s territory. 3. For greater certainty, the Parties understand that nothing in this Article prevents Parties from adopting or maintaining measures in accordance with Article X.1 (General Exceptions) to achieve the public policy objectives referred to therein, which, for the purpose of this Article, shall be interpreted, where relevant, in a manner that takes into account the evolutionary nature of the digital technologies (...)" |
| Protection of personal data and privacy | Each Party recognises that individuals have a right to the protection of personal data and privacy and that high standards in this regard contribute to trust in the digital economy and to the development of trade. 2. Nothing in this Agreement shall prevent a Party from adopting or maintaining measures on the protection of personal data and privacy, including with respect to cross-border data transfers, provided that the law of the Party provides for instruments enabling transfers under conditions of general application1 for the protection of the data transferred. 3. Each Party shall inform the other Party about any measure referred to in paragraph 2 that it adopts or maintains | "1. Each Party recognises that the protection of personal data and privacy is a fundamental right and that high standards in this regard contribute to enhancing consumer confidence and trust in the digital trade. 2. Each Party may adopt and maintain the measures it deems appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data. Nothing in this agreement shall affect the protection of personal data and privacy afforded by the Parties’ respective measures. 3. Each Party shall inform the other Party about any measures it adopts or maintains according to paragraph 2. 4. Each Party shall publish information on the protection of personal data and privacy that it provides to users of digital trade, including on: (a) how individuals can pursue a remedy; and (b) guidance and other information regarding compliance of businesses with applicable legal requirements. 5. For the purposes of this agreement, ‘personal data’ means any information relating to an identified or identifiable natural person." |
