Over the past couple years, I've been looking at how digital trade agreements set out data flows obligations and exceptions. I've got a new one to examine, as the EU has published a pre-legal scrub version of its digital trade agreement with Singapore, building on their previously signed FTA. In prior posts, I've looked at the EU-Japan trade agreement and the EU-NZ trade agreement provisions in this area, so I'll throw in some comparisons to those agreements.
First off, I'll just note quickly the appearance of the right to regulate in Article 3 of the EU-Singapore digital trade agreement:
The Parties reaffirm their right to regulate within their territories to achieve legitimate policy objectives, such as the protection of public health, social services, public education, safety, environment or public morals, social or consumer protection, privacy and data protection, and the promotion and protection of cultural diversity.
I'm skeptical that these provisions have much impact, but someone seems to like putting them in there (the EU-NZ agreement has one too).
Now we get to the core data flows obligations:
ARTICLE 5 - Cross-border data flows
1. The Parties are committed to ensuring the cross-border transfer of data by electronic means where this activity is for the conduct of the business of a covered person.
2. To that end, a Party shall not adopt or maintain measures which prohibit or restrict the cross-border transfer of data set out in paragraph 1 by:
a. requiring the use of computing facilities or network elements in the Party's territory for processing of data, including by imposing the use of computing facilities or network elements that are certified or approved in the territory of the Party;
b. requiring the localisation of data in the Party's territory for storage or processing;
c. prohibiting storage or processing of data in the territory of the other Party;
d. making the cross-border transfer of data contingent upon use of computing facilities or network elements in the Party’s territory or upon localisation requirements in the Party’s territory; or
e. prohibiting the transfer of data into the territory of the Party.
In the same Article, we then get an exception for "legitimate public policy objectives":
4. Nothing in this Article shall prevent a Party from adopting or maintaining a measure inconsistent with paragraph 2 to achieve a legitimate public policy objective FN1, provided that the measure:
a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and
b) does not impose restrictions on transfers of information greater than are necessary to achieve the objective. FN2FN1: For the purpose of this Article, “legitimate public policy objective” shall be interpreted in an objective manner and shall enable the pursuit of objectives such as to protect public security, public morals, or human, animal or plant life or health, to maintain public order, to protect other fundamental interests of society such as social cohesion, online safety, cybersecurity, safe and trustworthy artificial intelligence, or protecting against the dissemination of disinformation, or other comparable objectives of public interest, taking into account the evolving nature of digital technologies and related challenges.
FN2: For greater certainty, this provision does not affect the interpretation of other exceptions in this Agreement and their application to this Article and the right of a Party to invoke any of them.
The structure of data flows obligations and exceptions here looks a little more like the EU-Japan version than the EU-NZ one, with standalone public policy exceptions embedded directly within the data flows obligations Article.
One thing that was noteworthy about the EU-NZ digital chapter was the separate Article on "Protection of personal data and privacy" that seems to be a broad exception-like provision, of a scope that is a bit uncertain to me. The EU-Singapore agreement also has something that is perhaps along these lines:
ARTICLE 6 – Personal data protection
1. Parties recognise that individuals have a right to privacy and the protection of personal data and that high and enforceable standards in this regard contribute to trust in the digital economy and to the development of trade.
2. Each Party shall adopt or maintain a legal framework that provides for the protection of the personal data of individuals....
4. Each Party shall ensure that its legal framework under paragraph 2 provides non-discriminatory protection of personal data for natural persons.
...
11. Nothing in this Agreement shall prevent a Party from adopting or maintaining measures under its respective legal frameworks referred to in Paragraph 2 that it deems appropriate, including through the adoption and application of rules for the cross-border transfer of personal data, provided that the law of the Party provides for instruments enabling transfers under conditions of general application for the protection of the data transferred.
12. Each Party shall inform the other Party about any measure it adopts or maintains according to paragraph 11.
The wording here is different from the EU-NZ one, with the EU-Singapore version reading more like a traditional trade agreement exception ("Nothing in this Agreement shall prevent ..."), but the "deems appropriate" language in para. 11 perhaps gives it a similar scope to what we saw in EU-NZ, with a broad exception for privacy and personal data protection.
And then finally, in case the various exceptions and exception-like provisions set out above don't give the respondent what it wants, some of the exceptions set out in the EU-Singapore FTA apply to these digital trade agreement obligations as well, so you can try them too:
ARTICLE 29 – General exceptions
Articles 2.14 and 8.62 of the Free Trade Agreement shall apply mutatis mutandis to this Agreement.
ARTICLE 30 – Security exceptions
Article 16.11 of the Free Trade Agreement shall apply mutatis mutandis to this Agreement.
I have no idea whether we are ever going to see litigation under any of the digital trade texts that are proliferating these days, but if we do, making sense of the provisions of any particular agreement, given the context of all the textual variations in other digital agreements, is going to be a challenge.