Based on a couple recent meetings I was a part of, I thought it might be helpful to put together some specific proposals for digital trade provisions related to data flow obligations and exceptions, in the context of international economic agreements. The Biden administration appears to be having some internal disagreements on this issue, and maybe this could help -- or maybe not, who knows! Anyway, here goes.
As is probably clear from prior posts I've done on this subject, I have some concerns about the digital trade language that has been used in certain trade agreements, in particular on the exceptions. What I'm going to do in the first two sections here is look at a couple past examples of trade agreement data flow language on both obligations and exceptions, and then suggest a modified version for the exceptions. The last section is more of a general point that doesn't require much in the way of drafting suggestions.
1. Substantive Obligations
Starting with the obligations on data flows, here are a couple examples of approaches taken in existing agreements or recent proposals:
Article 19.11: Cross-Border Transfer of Information by Electronic Means
1. No Party shall prohibit or restrict the cross-border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business of a covered person.
Article 4.3: Cross-Border Transfer of Information by Electronic Means
The Parties affirm their level of commitments relating to cross-border transfer of information by electronic means, in particular, but not exclusively:
1. The Parties recognise that each Party may have its own regulatory requirements concerning the transfer of information by electronic means.
2. Each Party shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.
ARTICLE 8.81
Cross-border transfer of information by electronic means
1. The Parties are committed to ensuring the cross-border transfer of information by electronic means where this activity is for the conduct of the business of a covered person.
2. To that end, a Party shall not adopt or maintain measures which prohibit or restrict the cross-border transfer of information set out in paragraph 1 by:
(a) requiring the use of computing facilities or network elements in the territory of the Party for information processing, including by requiring the use of computing facilities or network elements that are certified or approved in the territory of the Party;
(b) requiring the localisation of information in the territory of the Party for storage or processing;
(c) prohibiting storage or processing of information in the territory of the other Party;
(d) making the cross-border transfer of information contingent upon use of computing facilities or network elements in the territory of the Party or upon localisation requirements in the territory of the Party;
(e) prohibiting the transfer of information into the territory of the Party; or
(f) requiring the approval of the Party prior to the transfer of information to the territory of the other Party.1___________________________________
1 For greater certainty, subparagraph 2(f) does not prevent a Party from:
(a) subjecting the use of a specific transfer instrument or a particular cross-border transfer of information to approval on grounds relating to the protection of personal data and privacy, in compliance with paragraph 4;
(b) requiring the certification or conformity assessment of ICT products, services and processes, including Artificial Intelligence, before their commercialisation or use in its territory, to ensure compliance with laws and regulations consistent with this Agreement or for cybersecurity purposes, in compliance with paragraphs 3 and 4, and Articles 1.5, 8.3 and 8.65; or
(c) requiring that re-users of information protected by intellectual property rights or confidentiality obligations resulting from domestic laws and regulations consistent with this Agreement, respect such rights or obligations when transferring the information across borders, including with regard to access requests by courts and authorities of third countries, in compliance with Article 8.3.
It's worth noting that the EU-Japan proposed text brings obligations related to location of computing facilities into the main data flow obligations, whereas USMCA and DEPA separate them into obligations that follow the general data flow obligation (DEPA then follows this obligation with a specific exception, whereas USMCA does not).
I don't have strong feelings about which approach to choose here. I guess I like that the EU-Japan proposed text is detailed and comprehensive. The use of such a detailed provision does run the risk of a panel overcomplicating things by interpreting the provision to death, but I think it may help identify more clearly the problems the drafters are trying to address. The key, however, is the exceptions, which I'll get to now.
2. Exceptions
My view of exceptions in the traditional trade agreement context is that the results have come out fine, in the sense that the governments that lost cases when invoking the exceptions generally deserved to lose. However, some of the reasoning related to particular terms has been hard to follow, in part because of the complexity of the terms themselves. Replicating these provisions in the context of a new policy area provides an opportunity to rethink the approach. Let's look at some exceptions provisions that have been used or proposed in the context of data flows:
USCMA:
Article 19.11: Cross-Border Transfer of Information by Electronic Means
...
2. This Article does not prevent a Party from adopting or maintaining a measure inconsistent with paragraph 1 that is necessary to achieve a legitimate public policy objective, provided that the measure:
(a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and
(b) does not impose restrictions on transfers of information greater than are necessary to achieve the objective.5
5 A measure does not meet the conditions of this paragraph if it accords different treatment to data transfers solely on the basis that they are cross-border in a manner that modifies the conditions of competition to the detriment of service suppliers of another Party.
DEPA
Article 4.3: Cross-Border Transfer of Information by Electronic Means
...
3. Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 2 to achieve a legitimate public policy objective, provided that the measure:
(a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and
(b) does not impose restrictions on transfers of information greater than are required to achieve the objective.
EU-Japan EPA proposed text
ARTICLE 8.81
Cross-border transfer of information by electronic means
...
3. Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraphs 1 and 2 to achieve a legitimate public policy objective2, provided that the measure:
(a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade; and
(b) does not impose restrictions on transfers of information that are greater than necessary to achieve the objective.34. Nothing in this Article shall prevent a Party from adopting or maintaining measures on the protection of personal data and privacy, including with respect to cross-border transfers of information, provided that the law of the Party provides for instruments enabling transfers under conditions of general application4 for the protection of the information transferred.
5. This Article does not apply to cross-border transfer of information held or processed by or on behalf of a Party.-----------------
2 For the purpose of this Article, "legitimate public policy objective" shall be interpreted in an objective manner and shall enable the pursuit of objectives such as the protection of public security, public morals, or human, animal or plant life or health, or the maintenance of public order or other similar objectives of public interest, taking into account the evolving nature of digital technologies.
3 For greater certainty, this provision does not affect the interpretation of other exceptions in this Agreement and their application to this Article and the right of a Party to invoke any of them.
4 For greater certainty, in line with the horizontal nature of the protection of personal data and privacy, "conditions of general application" refer to conditions formulated in objective terms that apply horizontally to an unidentified number of economic operators and thus cover a range of situations and cases.
In deciding on the right approach to exceptions here, taking into account the sensitivity of these regulatory issues, I would err on the side of providing a bit more flexibility here than we have sometimes seen in trade agreements, including the ones above. With this in mind, I suggest text that is along the following lines:
Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with the obligations above to achieve a legitimate public policy objective (including the protection of personal data or privacy, public security, public morals, human, animal or plant life or health, the maintenance of public order, or other similar objectives of public interest), provided that the measure is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail.
Here are the key changes in my text as compared to prior trade and/or digital trade exception provisions: No necessity test, but rather just a means-ends relationship between the measure and its objective; no disguised restriction on international trade element, because the arbitrary or unjustifiable discrimination element does everything you need; and a non-exhaustive list of policy objectives. Overall, this should provide a simpler and more flexible exception, leading to plenty of policy space for those worried that their domestic regulations will come into conflict with these international rules. Basically, as long as you avoid nationality-based discrimination in your regulations, you will be fine.
As an additional point, the exceptions above are all specific to the data flow obligations. I don't think it makes sense to have, as some agreements do, two sets of exceptions applying here, one that is specific to the data provisions and one that is a general exception that applies to all obligations. It's better to get the right balance in one exception, so either the general exception can be reworked or we can just rely on a specific exception for data flows.
3. Enforcement
The final issue here is enforcement. In a typical trade agreement, obligations are subject to dispute settlement. When a complaint is brought, a panel makes the decision on whether a challenged domestic measure is consistent with the obligations (taking into account any exceptions).
Should this same approach apply to digital trade issue such as data flow obligations and exceptions? Probably at some point, but this policy area is still a fairly new one. Do we want to see domestic digital regulations adjudicated in international dispute proceedings right away? I can imagine that we may want some time to better understand how the principles would apply here before the litigation starts. To that end, maybe it makes sense to first set up a committee under the agreement in question that can meet regularly to discuss the domestic regulations being developed, through which governments can get a sense of how the international principles above (and the rest of the digital trade agreement) might apply to real world regulations.
Thus, perhaps the text could just have a marker to revisit the issue of dispute settlement in three years or so to decide whether it should apply to digital trade rules, or dispute settlement could just take effect automatically for digital trade rules after three years. Eventually dispute settlement should apply, but maybe we don't need that sort of controversial litigation taking place on day one.