I've done several posts on digital trade provisions in which I set out the data flow obligations and the exceptions, and consider whether the drafters have struck a good balance in terms of promoting data flows while preserving regulatory space. A recent draft amendment to the existing EU-Japan Economic Partnership Agreement provides another example to assess.
If I'm understanding this all correctly, the existing EU-Japan Economic Partnership Agreement covers some e-commerce issues in Articles 8.70-81, but left the free flow of data for future work:
ARTICLE 8.81
Free flow of data
The Parties shall reassess within three years of the date of entry into force of this Agreement the need for inclusion of provisions on the free flow of data into this Agreement.
The parties seem to have done their reassessment, as last week the EU published a "Proposal for a COUNCIL DECISION on the conclusion, on behalf of the European Union, of the Protocol amending the Agreement between the European Union and Japan for an Economic Partnership regarding free flow of data." An Annex to that proposal contains the relevant legal text, which sets out the following obligations related to data flows:
ARTICLE 8.81
Cross-border transfer of information by electronic means
1. The Parties are committed to ensuring the cross-border transfer of information by electronic means where this activity is for the conduct of the business of a covered person.
2. To that end, a Party shall not adopt or maintain measures which prohibit or restrict the cross-border transfer of information set out in paragraph 1 by:
(a) requiring the use of computing facilities or network elements in the territory of the Party for information processing, including by requiring the use of computing facilities or network elements that are certified or approved in the territory of the Party;
(b) requiring the localisation of information in the territory of the Party for storage or processing;
(c) prohibiting storage or processing of information in the territory of the other Party;
(d) making the cross-border transfer of information contingent upon use of computing facilities or network elements in the territory of the Party or upon localisation requirements in the territory of the Party;
(e) prohibiting the transfer of information into the territory of the Party; or
(f) requiring the approval of the Party prior to the transfer of information to the territory of the other Party.1___________________________________
1 For greater certainty, subparagraph 2(f) does not prevent a Party from:
(a) subjecting the use of a specific transfer instrument or a particular cross-border transfer of information to approval on grounds relating to the protection of personal data and privacy, in compliance with paragraph 4;
(b) requiring the certification or conformity assessment of ICT products, services and processes, including Artificial Intelligence, before their commercialisation or use in its territory, to ensure compliance with laws and regulations consistent with this Agreement or for cybersecurity purposes, in compliance with paragraphs 3 and 4, and Articles 1.5, 8.3 and 8.65; or
(c) requiring that re-users of information protected by intellectual property rights or confidentiality obligations resulting from domestic laws and regulations consistent with this Agreement, respect such rights or obligations when transferring the information across borders, including with regard to access requests by courts and authorities of third countries, in compliance with Article 8.3.
Right after the obligations, the following exceptions are set out:
3. Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraphs 1 and 2 to achieve a legitimate public policy objective2, provided that the measure:
(a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade; and
(b) does not impose restrictions on transfers of information that are greater than necessary to achieve the objective.34. Nothing in this Article shall prevent a Party from adopting or maintaining measures on the protection of personal data and privacy, including with respect to cross-border transfers of information, provided that the law of the Party provides for instruments enabling transfers under conditions of general application4 for the protection of the information transferred.
5. This Article does not apply to cross-border transfer of information held or processed by or on behalf of a Party.-----------------
2 For the purpose of this Article, "legitimate public policy objective" shall be interpreted in an objective manner and shall enable the pursuit of objectives such as the protection of public security, public morals, or human, animal or plant life or health, or the maintenance of public order or other similar objectives of public interest, taking into account the evolving nature of digital technologies.
3 For greater certainty, this provision does not affect the interpretation of other exceptions in this Agreement and their application to this Article and the right of a Party to invoke any of them.
4 For greater certainty, in line with the horizontal nature of the protection of personal data and privacy, "conditions of general application" refer to conditions formulated in objective terms that apply horizontally to an unidentified number of economic operators and thus cover a range of situations and cases.
Here are a few thoughts on all this.
First, I like that there is a non-exhaustive list of "legitimate public policy objectives" that are covered. Governments need some flexibility in this regard, and a broad, non-exhaustive approach works best here. A closed list that people have to work hard to fit policies into, as with GATT Article XX, is not ideal. (I find some of the wording of FN. 2 hard to follow, but I don't think it will have too much of an impact on the interpretive result, so I'm not going to worry too much about it.)
Second, I think the non-discrimination standard in paragraph 3(a), borrowed from the Article XX chapeau, is a useful way of rooting out disguised protectionism. (I'm not sure "disguised restriction on trade" is needed at this point though. It may be worth rethinking that, as "arbitrary or unjustifiable discrimination between countries where like conditions prevail" may do everything we need.)
Third, I'm skeptical of necessity tests such as the one in paragraph 3(b), as it seems to me that panels and the Appellate Body have struggled with interpreting and applying them.
Fourth, it's not totally clear to me why you need paragraph 4 in addition paragraph 3. I suppose it's just a specific application of the paragraph 3 exception in the context of policies related to personal data and privacy, with guidance on exactly how the drafters wants that analysis to be carried out, so I guess it's fine.
Fifth, if I'm reading this correctly, there are no general exceptions set out somewhere else in the agreement that apply in addition to the exceptions above, which I think is the right approach. Overlapping exceptions, with a specific one in the obligation itself and a general one somewhere else, can confuse things.
CORRECTION: I had to delete my fifth point, as trade lawyer Devon Whittle pointed me to a general exceptions provision that I had missed:
ARTICLE 8.3
General exceptions
...
2. Subject to the requirement that such measures are not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on establishment or trade in services, nothing in Sections B to F shall be construed as preventing a Party from adopting or enforcing measures which are:
(a) necessary to protect public security or public morals or to maintain public order;[FN 1]
(b) necessary to protect human, animal or plant life or health; [FN. 2]
(c) necessary to secure compliance with laws or regulations which are not inconsistent with the provisions of this Chapter including those relating to:
(i) the prevention of deceptive and fraudulent practices or to deal with the effects of a default on contracts;
(ii) the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts; or
(iii) safety; or(d) inconsistent with paragraphs 1 and 2 of Article 8.8 and paragraph 1 of Article 8.16 provided that the difference in treatment is aimed at ensuring the equitable or effective [FN. 3] imposition or collection of direct taxes in respect of economic activities, entrepreneurs, services or service suppliers of the other Party
---------------------------------------------
[FN. 1] The public security and public order exceptions may be invoked only where a genuine and sufficiently serious threat is posed to one of the fundamental interests of society.
[FN. 2] The Parties understand that the measures referred to in subparagraph (b) include environmental measures necessary to protect human, animal or plant life or health.
[FN. 3] Measures that are aimed at ensuring the equitable or effective imposition or collection of direct taxes include measures taken by a Party under its taxation system which:
(a) apply to non-resident entrepreneurs and service suppliers in recognition of the fact that the tax obligation of non-residents is determined with respect to taxable items sourced or located in the Party's territory;
(b) apply to non-residents in order to ensure the imposition or collection of taxes in the Party's territory;
(c) apply to non-residents or residents in order to prevent the avoidance or evasion of taxes, including compliance measures;
(d) apply to consumers of services supplied in or from the territory of the other Party in order to ensure the imposition or collection of taxes on such consumers derived from sources in the Party's territory;
(e) distinguish entrepreneurs and service suppliers subject to tax on worldwide taxable items from other entrepreneurs and service suppliers, in recognition of the difference in the nature of the tax base between them; or
(f) determine, allocate or apportion income, profit, gain, loss, deduction or credit of resident persons or branches, or between related persons or branches of the same person, in order to safeguard the Party's tax base.
Tax terms or concepts in subparagraph 2(d), including this footnote, are determined according to tax definitions and concepts, or equivalent or similar definitions and concepts, under the domestic law of the Party taking the measure.