There seems to be a lot of experimentation going on these days with exceptions for the protection of personal data/privacy in digital trade agreements/chapters. I've talked about some of these exceptions in prior posts, but to be honest I think I missed some nuances as I was looking at the bigger picture of data flows obligations and exceptions. In this post, I'm going to focus on several examples of exception provisions that refer to concerns around privacy, and then one additional example of exceptions that could cover privacy without mentioning it explicitly.
First up is the EU-Japan Economic Partnership Agreement. A recently added Annex to that agreement establishes obligations related to data flows in paragraphs 1 and 2, and then right after these obligations it sets out the following public policy exceptions:
...
3. Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraphs 1 and 2 to achieve a legitimate public policy objective2, provided that the measure:
(a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade; and
(b) does not impose restrictions on transfers of information that are greater than necessary to achieve the objective.3
4. Nothing in this Article shall prevent a Party from adopting or maintaining measures on the protection of personal data and privacy, including with respect to cross-border transfers of information, provided that the law of the Party provides for instruments enabling transfers under conditions of general application4 for the protection of the information transferred.
...
-----------------
2 For the purpose of this Article, "legitimate public policy objective" shall be interpreted in an objective manner and shall enable the pursuit of objectives such as the protection of public security, public morals, or human, animal or plant life or health, or the maintenance of public order or other similar objectives of public interest, taking into account the evolving nature of digital technologies.
3 For greater certainty, this provision does not affect the interpretation of other exceptions in this Agreement and their application to this Article and the right of a Party to invoke any of them.
4 For greater certainty, in line with the horizontal nature of the protection of personal data and privacy, "conditions of general application" refer to conditions formulated in objective terms that apply horizontally to an unidentified number of economic operators and thus cover a range of situations and cases.
What's confusing here is that paragraph 3 looks like a fairly typical public policy exception, but then right after it is paragraph 4, which covers one specific public policy (personal data and privacy) and works differently than paragraph 3.
One key difference is that paragraph 3 makes explicit reference to inconsistencies with paragraphs 1 and 2, whereas paragraph 4 does not. That omission has to mean something, but what exactly? Does it limit the application of paragraph 4 as an exception to the data flows obligations of paragraphs 1 and 2 in some way?
Another difference is that paragraph 4 doesn't have typical qualifiers such as a necessity test or a requirement that it not be administered in a manner that constitutes arbitrary or unjustifiable discrimination. It does, however, have one that says: "provided that the law of the Party provides for instruments enabling transfers under conditions of general application for the protection of the information transferred." This seems narrower than a general non-discrimination obligation. Does this suggest that a government has more discretion under paragraph 4 than under paragraph 3? If so, how much discretion? Is it a simple means-ends test that considers objectively whether the measures at issue are "on the protection of personal data and privacy," and then turns to the proviso for "enabling transfers under conditions of general application"?
Next up is the EU-NZ FTA digital chapter, which I discussed here (and which is what got me thinking about privacy exceptions). The data flows obligations are in Article 12.4, and then Article 12.5 on protection of personal data and privacy states:
Protection of personal data and privacy
1. Each Party recognises that the protection of personal data and privacy is a fundamental right and that high standards in this regard contribute to enhancing consumer confidence and trust in digital trade.
2. Each Party may adopt or maintain measures it deems appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data. Nothing in this Agreement shall affect the protection of personal data and privacy afforded by the Parties' respective measures.
3. Each Party shall inform the other Party about any measures referred to in paragraph 2 that it adopts or maintains.
4. Each Party shall publish information on the protection of personal data and privacy that it provides to users of digital trade, including:
(a) how individuals can pursue a remedy for a breach of protection of personal data or privacy arising from digital trade; and
(b) guidance and other information regarding compliance of businesses with applicable legal requirements protecting personal data and privacy.
As I said as an addition to the earlier post on the EU-NZ FTA, while an exception doesn't have to be labeled as an exception, if it is not labeled as such, then it would be useful to tie it to the obligation for which it provides an exception in a clear way. For example, the exception could be in the same article as the obligation, and then be tied textually with wording such as "nothing in this article shall prevent a party from taking a measure to ... ". While this is not strictly necessary, it would still be helpful to have a tie between the supposed exception and the obligation. Here, paragraph 2 says "[e]ach Party may adopt or maintain measures it deems appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data." That language does have a tie to the cross-border data flows obligations of Article 12.4, so that is an element in favor of Article 12.5 being treated as an exception.
On the other hand, instead of using "nothing in this agreement shall prevent" language, Article 12.5, paragraph 2, sentence 1 talks about what a party "may" do. That seems a bit softer to me, and more like a "right to regulate" provision, which tends not to have much impact. In addition, sentence 2 reads more like a traditional exception, albeit with some different wording: "Nothing in this Agreement shall affect the protection of personal data and privacy afforded by the Parties' respective measures." That's a variation on the traditional "nothing in this agreement shall prevent"-style language, and also seems a bit softer to me. What does it mean to say the agreement shall not "affect" these things? Does this involve some kind of "means-ends" test as well? Would the adjudicator have to determine whether the measures protect personal data and privacy, and then ensure that the agreement does not "affect" (undermine?) this protection?
Third, we have the March 2024 Draft Chair's Text of the WTO E-Commerce JSI, which uses a version of the EU-NZ text but relies on the more traditional "nothing shall prevent" language and labels the provision as an "exception":
Article 7: Personal Data Protection Exception
Nothing in this Agreement shall prevent a Party from adopting or maintaining measures on the protection of personal data and privacy, including with respect to cross-border data transfers, provided that the law of the Party provides for instruments enabling transfers under conditions of general application1 for the protection of the data transferred.
1 For greater certainty, "conditions of general application" refer to conditions formulated in objective terms that apply horizontally to an unidentified number of economic operators and thus cover a range of situations and cases.
Of course, there is no data flows obligation in the JSI text at the moment, so that changes the role and impact of this exception.
Finally, let's look at the RCEP. First, in the e-commerce chapter, the RCEP offers the following instruction to adopt personal information/privacy protections:
Article 12.8: Online Personal Information Protection
1. Each Party shall adopt or maintain a legal framework which ensures the protection of personal information of the users of electronic commerce.7, 8
8 For greater certainty, a Party may comply with the obligation under this paragraph by adopting or maintaining measures such as comprehensive privacy or personal information protection laws and regulations, sector-specific laws and regulations covering the protection of personal information, or laws and regulations that provide for the enforcement of contractual obligations assumed by juridical persons relating to the protection of personal information.
But this kind of provision is different from ones that contain data flows obligations and personal data/privacy exceptions.
In addition, there are a number of exception provisions of relevance here, although they don't mention privacy explicitly, and I'm including these provisions in order to illustrate that privacy could be covered by broader public policy/security exceptions provisions. In the e-commerce chapter, we have the following obligations and exceptions:
Article 12.14: Location of Computing Facilities
...
2. No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that Party’s territory.11
3. Nothing in this Article shall prevent a Party from adopting or maintaining:
(a) any measure inconsistent with paragraph 2 that it considers necessary to achieve a legitimate public policy objective,12 provided that the measure is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; or
(b) any measure that it considers necessary for the protection of its essential security interests. Such measures shall not be disputed by other Parties.
-----
12 For the purposes of this subparagraph, the Parties affirm that the necessity behind the implementation of such legitimate public policy shall be decided by the implementing Party.
...
Article 12.15: Cross-border Transfer of Information by Electronic Means
...
2. A Party shall not prevent cross-border transfer of information by electronic means where such activity is for the conduct of the business of a covered person.13
3. Nothing in this Article shall prevent a Party from adopting or maintaining:
(a) any measure inconsistent with paragraph 2 that it considers necessary to achieve a legitimate public policy objective,14 provided that the measure is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; or
(b) any measure that it considers necessary for the protection of its essential security interests. Such measures shall not be disputed by other Parties.
---
14 For the purposes of this subparagraph, the Parties affirm that the necessity behind the implementation of such legitimate public policy shall be decided by the implementing Party.
And then there is this in the exceptions chapter:
Article 17.13: Security Exceptions
Nothing in this Agreement shall be construed:
...
(b) to prevent any Party from taking any action which it considers necessary for the protection of its essential security interests:
...
(iii) taken so as to protect critical public infrastructures7 including communications, power, and water infrastructures;
------
7 For greater certainty, this includes critical public infrastructures whether publicly or privately owned.
The RCEP public policy and security exceptions could be used to cover privacy issues, and provide discretion along the same lines as what the GATT exceptions do. But perhaps of more importance here is that dispute settlement does not apply to the RCEP e-commerce chapter: "No Party shall have recourse to dispute settlement under Chapter 19 (Dispute Settlement) for any matter arising under this Chapter."
So what's the big takeaway from all this? I guess one thing is that if litigation on these issues ever comes, adjudicators are going to have some challenges in defining the scope of these privacy exceptions. The wording differs from traditional trade agreement exceptions in a number of ways, and adjudicators will have to decide what those differences mean. I would imagine they will end up at a place with a good deal of deference to domestic regulators, while stopping short of saying the exceptions are totally self-judging. But where specifically they end up and how they get there will be interesting.