The Australia-EU FTA Data Flows Obligations and Exceptions
The digital trade chapter of the recently released Australia-EU FTA text is a new data point, so to speak, in looking at how governments are crafting international data flows obligations and exceptions, as part of an effort to constrain domestic regulations in this area while still providing the space to pursue legitimate public policies.
Reading through the text from start to finish, the first relevant provision here is the "right to regulate" one:
ARTICLE 11.3
Right to regulate
The Parties reaffirm each Party's right to regulate within their territories in pursuit of legitimate public policy objectives, such as the protection of health, social services, public education, safety, the environment, including climate change, public morals, social or consumer protection, animal welfare, privacy and data protection, security of energy supply, the promotion and protection of cultural diversity and, in the case of Australia, the promotion and protection of the rights and interests of Australian First Nations peoples.
I'm not sure how much policy space these "right to regulate" provisions create. I don't want to say they have zero impact, as they could provide a bit of guidance in the direction of interpreting the obligations more narrowly or the exceptions more broadly. But I don't see them as a substitute for well-crafted exceptions.
Next up in the text we have the actual exceptions. In this regard, the digital trade chapter refers to the exceptions in other chapters:
ARTICLE 11.4
Exceptions
For greater certainty, nothing in this Chapter prevents a Party from adopting or maintaining a measure that meets the requirements of Article 23.1 (General exceptions), Article 23.2 (Security exceptions) or Article 9.z (Measures for prudential reasons – Investment Liberalisation and Trade in Services Chapter (Section E.3)).
The text of the Article 23 exceptions chapter is here. With regard to digital trade, the exceptions chapter first incorporates GATT Article XX and applies it to the digital trade chapter (among others):
ARTICLE 23.1
General exceptions
1. For the purposes of Chapter 2 (Trade in Goods), Chapter 4 (Customs and trade facilitation), Section B (Investment liberalisation) of Chapter 9 (Investment liberalisation and trade in services), Chapter 11 (Digital trade), Chapter 12 (Energy and resources) and Chapter 16 (State-owned enterprises), Article XX of GATT 1994, including its Notes and Supplementary Provisions, is incorporated into and made part of this Agreement, mutatis mutandis.
Then in the next paragraph, it adds some additional, but similar sounding, exceptions that also apply to the digital trade chapter:
2. Subject to the requirement that such measures are not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on investment liberalization or trade in services, nothing in Chapter 9 (Investment liberalisation and trade in services), Chapter 11 (Digital trade), Chapter 12 (Energy and resources) and Chapter 16 (State-owned enterprises) shall be construed to prevent the adoption or enforcement by a Party of measures:
(a) necessary to protect public security or public morals or to maintain public order[1];
(b) necessary to protect human, animal or plant life or health; or
(c) necessary to secure compliance with laws or regulations which are not inconsistent with the provisions of this Agreement, including those relating to:
(i) the prevention of deceptive and fraudulent practices or to deal with the effects of a default on contracts;
(ii) the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts; or
(iii) safety.
Footnote 1 states: "The public security and public order exceptions may be invoked only where a genuine and sufficiently serious threat is posed to one of the fundamental interests of society."
Finally, the security exceptions are set out in Article 23.2 and mirror pretty closely those in GATT Article XXI. (And the Article 9 exceptions are here.)
These exceptions then apply to the following obligations on data flows:
ARTICLE 11.5
Cross-border data flows
1. The Parties are committed to ensuring cross-border data flows to facilitate trade in the digital economy. To that end, cross-border data flows shall not be restricted between the Parties:
(a) requiring the use of computing facilities or network elements in the Party's territory for processing, including by imposing the use of computing facilities or network elements that are certified or approved in the territory of Party;
(b) requiring the localisation of data in the Party's territory for storage or processing;
(c) prohibiting storage or processing in the territory of the other Party;
(d) making the cross-border transfer of data contingent upon use of computing facilities or network elements in the Party's territory or upon localisation requirements in the Party's territory; or
(e) requiring the approval prior to the transfer of data to the territory of the other Party.[2]
Note that there is a footnote to para. 1(e), which governs "requiring the approval prior to the transfer of data to the territory of the other Party." This footnote sets out additional exceptions – which come across to me as a bit easier to satisfy – that apply just for this sub-paragraph:
[2] For greater certainty, point (e) of paragraph 1 does not prevent a Party from:
(a) subjecting the use of a specific transfer instrument or a particular cross-border transfer of data to approval on grounds relating to the protection of personal data and privacy, in accordance with Article 11.6 (Protection of personal information);
(b) requiring the certification or conformity assessment of information and communication technology products, services and processes, including Artificial Intelligence, before their commercialisation or use in its territory, to ensure compliance with laws and regulations consistent with this Agreement or for cybersecurity purposes, in accordance with Article 23.1 (General exceptions), Article 23.2 (Security exceptions), Article 9.z (Measures for prudential reasons – Investment Liberalisation and Trade in Services Chapter (Section E.3)) or Article 11.6 (Protection of personal information);
(c) requiring that re-users of data protected by intellectual property rights or confidentiality obligations resulting from domestic laws and regulations consistent with this Agreement, respect such rights or obligations when transferring the data across borders, including with regard to access requests by courts and authorities of third countries, in compliance with Article 23.4 (Treatment of Information).
So what to make of all these obligations, exceptions, and whatever the "right to regulate" provision is? As a general point here, I want to say that I hope government officials negotiating these digital trade chapters, as well as any freestanding digital agreements, are aware of the ways their own government and other governments are regulating in these areas, and are thinking about how the international rules they are crafting might apply to the domestic regulations. Do they have the balance right with the language they are using in the international rules? I'm not sure they do, but it's difficult to evaluate this in the abstract. We are going to need some disputes and case law to know exactly what balance has been created. My instinct is that we could run into many of the same problems we have experienced previously with how the GATT and the GATS apply to domestic regulation of goods and services. But we'll have to wait and see.