There's a new FTA digital chapter to analyze, with the EU-New Zealand FTA coming into force soon. Let's take a look at the data flows provisions, with the EU-Japan text in the back of our minds as a comparison.
The EU-NZ digital trade chapter is here. Early on it has a right to regulate provision:
ARTICLE 12.3
Right to regulateThe Parties reaffirm each Party's right to regulate within their territories to achieve legitimate policy objectives, such as the protection of human, animal or plant life or health, social services, public education, safety, the environment, including climate change, public morals, social or consumer protection, animal welfare, privacy and data protection, the promotion and protection of cultural diversity, and, in the case of New Zealand, the promotion or protection of the rights, interests, duties and responsibilities of Māori.
While this provision can't be invoked as an exception, I can imagine it will be invoked as context for the interpretation of other provisions, and could have some impact that way.
Moving to the data flows obligation, this provision says:
ARTICLE 12.4
Cross-border data flows1. The Parties are committed to ensuring cross-border data flows to facilitate trade in the digital economy and recognise that each Party may have its own regulatory requirements in this regard.
2. To that end, a Party shall not restrict cross-border data flows taking place between the Parties in the context of an activity that is within the scope of this Chapter, by:
(a) requiring the use of computing facilities or network elements in its territory for data processing, including by requiring the use of computing facilities or network elements that are certified or approved in the territory of the Party;
(b) requiring the localisation of data in its territory;
(c) prohibiting storage or processing of data in the territory of the other Party; or
(d) making the cross-border transfer of data contingent upon the use of computing facilities or network elements in its territory or upon localisation requirements in its territory.
3. For greater certainty, the Parties understand that nothing in this Article prevents the Parties from adopting or maintaining measures in accordance with Article 25.1 (General exceptions) to achieve the public policy objectives referred to therein, which, for the purposes of this Article, shall be interpreted, where relevant, in a manner that takes into account the evolutionary nature of the digital technologies. The preceding sentence does not affect the application of other exceptions in this Agreement to this Article.
...
It's interesting to compare this obligation to the EU - Japan cross-border data flows language. One key difference is the reference in paragraph 3 of the EU-NZ obligation to the Article 25.1 general exceptions, something that is not found in the EU-Japan text. Of course, the Article 25.1 exception would apply even without paragraph 3, but there it is anyway, "for greater certainty." One thing it does add is a clear statement that any interpretation must "take into account the evolutionary nature of the digital technologies," which probably would have been taken into account anyway, but I guess you never know for sure.
Another difference is that the EU-Japan text has an exception that is specific to the data flows obligation, whereas the EU-NZ text does not. Instead, the EU-NZ text relies on the exceptions chapter for defenses that the measures are based on public policy objectives. In this regard, paragraph 1 of the aforementioned Article 25.1 says that the GATT Article XX exceptions apply to the digital trade chapter (along with other chapters):
1. For the purposes of Chapter 2 (National treatment and market access for goods), Chapter 4 (Customs and trade facilitation), Section B (Investment liberalisation) of Chapter 10 (Trade in services and investment), Chapter 12 (Digital trade), Chapter 13 (Energy and raw materials) and Chapter 17 (State-owned enterprises), Article XX of GATT 1994 and its interpretative Notes and Supplementary Provisions are incorporated into and made part of this Agreement, mutatis mutandis.
Paragraph 2 of Article 25.1 then sets out what seems like a similar standalone exception:
2. Subject to the requirement that such measures are not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on investment or trade in services, nothing in Chapter 10 (Trade in services and investment), Chapter 11 (Capital movements, payments and transfers), Chapter 12 (Digital trade), Chapter 13 (Energy and raw materials) and Chapter 17 (State-owned enterprises) shall be construed to prevent the adoption or enforcement by either Party of measures:
(a) necessary to protect public security or public morals or to maintain public order;1
(b) necessary to protect human, animal or plant life or health;
(c) necessary to secure compliance with laws or regulations which are not inconsistent with the provisions of this Agreement including those relating to:
(i) the prevention of deceptive and fraudulent practices or to deal with the effects of a
default on contracts;
(ii) the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts;
(iii) safety.1 The public security and public order exceptions may be invoked only where a genuine and sufficiently serious threat is posed to one of the fundamental interests of society.
Paragraph 1 focuses on trade in goods and paragraph 2 focuses on "investment and trade in services," but it seems like both exceptions would apply in the context of digital trade.
Also of relevance is that Article 25.2 provides a security exception and Article 25.6 provides a Treaty of Waitangi exception. (Related to the Treaty of Waitangi, Article 12.1, paragraph 2 says the digital chapter does not apply to: "(c) measures adopted or maintained by New Zealand that it deems necessary to protect or promote Māori rights, interests, duties and responsibilities1 in respect of matters covered by this Chapter, including in fulfilment of New Zealand's obligations under te Tiriti o Waitangi / the Treaty of Waitangi, provided that such measures are not used as a means of arbitrary or unjustified discrimination against persons of the other Party or a disguised restriction on trade enabled by electronic means. Chapter 26 (Dispute settlement) does not apply to the interpretation of te Tiriti o Waitangi / the Treaty of Waitangi, including as to the nature of the rights and obligations arising under it.")
A question all of this leaves me with is the following: How much are all the variations in data flows obligations and exceptions language going to matter if we ever get to international adjudication of digital trade regulations? Maybe not that much, because they use roughly the same language. However, it will certainly give parties a lot of material with which to argue for their preferred interpretation of a particular agreement.
ADDED:
In the comments, Lori Wallach points me to Article 12.5 on protection of personal data and privacy, which I had missed:
Protection of personal data and privacy
1. Each Party recognises that the protection of personal data and privacy is a fundamental right and that high standards in this regard contribute to enhancing consumer confidence and trust in digital trade.
2. Each Party may adopt or maintain measures it deems appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data. Nothing in this Agreement shall affect the protection of personal data and privacy afforded by the Parties' respective measures.3. Each Party shall inform the other Party about any measures referred to in paragraph 2 that it adopts or maintains.
4. Each Party shall publish information on the protection of personal data and privacy that it provides to users of digital trade, including:
(a) how individuals can pursue a remedy for a breach of protection of personal data or privacy arising from digital trade; and
(b) guidance and other information regarding compliance of businesses with applicable legal requirements protecting personal data and privacy.
Paragraph 2 is an interesting provision. It seems like it falls somewhere in between a typical exception and the "right to regulate" provision I noted above. I'm not quite sure how it would be interpreted and applied.
ANOTHER ADDITION:
Let me elaborate a bit more on my confusion about this provision, and why at first glance it didn't strike me as a typical exception.
For one thing, exceptions are often labeled as exceptions in the title of the provision. It seems to me that if you want to make clear that you are creating an exception, you should label it that way.
Of course, an exception doesn't have to be labeled as an exception. But if it is not labeled, it would be useful to tie it to the obligation for which it is an exception in a clear way. For example, the exception could be in the same article as the obligation, and then be tied textually with wording such as "nothing in this article shall prevent a party from taking a measure to ... "
Even that is not strictly necessary, but still it would be helpful to have a tie between the supposed exception and the obligation. Here, paragraph 2 says "[e]ach Party may adopt or maintain measures it deems appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data." That language does have a tie to the cross-border data flows obligations of Article 12.4, so that is an element in favor of Article 12.5 being an exception.
I would have liked to see some "nothing in this agreement shall prevent" language though. Instead, Article 12.5, paragraph 2, sentence 1 talks about what a party "may" do. That seems a bit softer to me. Sentence 2 is also interesting in this regard: "Nothing in this Agreement shall affect the protection of personal data and privacy afforded by the Parties' respective measures." That's a variation on the traditional "nothing in this agreement shall prevent"-style language, and also seems a bit softer to me. What does it mean to say the agreement shall not "affect" these things?
I'd be very curious if there are similarly worded provisions in other international agreements, and how they were interpreted. I took a quick glance around the internet, but didn't see anything. At this point, my view on whether this is an exception, self-judging or not, is ... I guess so? But given its unique wording, I have some uncertainty about its scope.