Update April 2018
The EU and Japan have concluded the legal scrub of the EU-Japan Economic Partnership Agreement (EPA). The council may already decide on ratification on 22 May 2018. No EU member state ratification is needed.
Regarding cross-border data flows and data protection, a European Commission’s press release states that recent reforms of their respective privacy legislation offers new opportunities to facilitate data exchanges, including through a simultaneous finding of an adequate level of protection by both sides.
But this is not the full story. Besides the possibility to adopt adequacy decisions, the EPA contains explicit data flow commitments in the financial section, implicit data flow commitments in the services chapter, and a review clause. Especially the implicit data flow commitments do not seem compatible with the fundamental right to the protection of personal data.
In addition, a form of investor-to-state dispute settlement (ISDS/ICS) may be added later. See also EU-Japan trade agreement’s intellectual property chapter limits options for reform.
Allowing cross-border data flows through an adequacy decision is, in principle, the correct way. Such decisions are EU decisions (from the EU point of view). If data protection in Japan deteriorates, or if the EU rejects mass surveillance in Japan, the EU can revoke the adequacy status – in principle.
The approach may not work out in practice. It remains to be seen whether the European Commission would really revoke the adequacy status.
But should the EU award Japan adequacy status? Graham Greenleaf argues that Japan has serious issues to overcome: a weak personal information definition; a carve-out for ‘anonymously processed information’; a cross-border privacy rules back-door for onward transfers to the US; no record of enforcement; trivial or missing remedies; carve-outs for big data; carve out for de-indentification. See also this article.
Will the EU take an independent adequacy decision? Take this formulation in the press release:
“This offers new opportunities to facilitate data exchanges, including through a simultaneous finding of an adequate level of protection by both sides.”
The formulation “simultaneous finding of an adequate level” suggests horse-trading.
Implicit cross-border data flow commitments
Many people overlook implicit data flow commitments. Chapter 8, Section C Cross-Border Trade in Services contains National treatment and Most-favoured-nation treatment clauses (articles 8.16 and 8.17).
Cross-border services imply cross-border data flows. 1 We find a safeguard in article 8.3 General exceptions. It is a GATS article XIV kind of exception with many conditions. Such safeguards are insufficient, see Kristina Irion, Svetlana Yakovleva, and Marija Bartl.
The implicit cross-border data flow commitments do not have a sufficient safeguard. This is not compatible with the EU Fundamental rights system.
Explicit data flow commitment
Article 8.63 contains a cross-border data transfer commitment regarding financial data. Paragraph 2 contains a safeguard:
“2. Nothing in paragraph 1 restricts the right of a Party to protect personal data, personal privacy and the confidentiality of individual records and accounts so long as that right is not used to circumvent Sections B to D and this Sub-Section.”
The strength of the exception is limited by a condition (“so long as …”). 2 The safeguard seems stronger than the one used in the financial sections in the agreements with Korea, Singapore, Vietnam and Ukraine. It is also stronger than the general exception in Section G Exceptions, mentioned above. The safeguard is based on the 1994 Understanding on Commitments in Financial Services (article B. 8).
Marija Bartl and Kristina Irion noted regarding a slightly different earlier version (the change does not seem important to their assessment):
“The formulation used in CETA is likely more prudent compared to the language proposed in the Agreement with Japan. From the outset, it lays down a better division of labor between trade law and domestic data protection law. Given that the EU trade negotiators tend to work on blueprints of their earlier agreements reverting to the language of the 1994 Understanding on Financial Services and the text of the earlier EU – Singapore Free Trade Agreement 16 would mean a regressive development for the safeguards on data privacy.” 3
It would seem to me it is open to debate which one is stronger, as the formulation in EU-Canada CETA has weaknesses as well. Noteworthy, both safeguards do not meet the European Parliament demands for TTIP and TiSA. 4
The draft EPA contains a review clause; article 8.81 reads:
“The Parties shall reassess within three years of the date of entry into force of this Agreement the need for inclusion of provisions on the free flow of data into this Agreement.”
There is a lot of discussion on free flow of data commitments – while the draft EPA already contains (often overlooked) implicit data flow commitments. The review clause may act as a distraction.
A commission’s press release notes that negotiations continue on investment protection standards and investment protection dispute resolution. Adding ISDS/ICS or an investment court could have a negative impact on data protection. See here and here.
After writing the first version of this blog, someone alerted me to this analysis, from October 2017: Marija Bartl and Kristina Irion, The Japan EU Economic Partnership Agreement: Flows of Personal Data to the Land of the Rising Sun. Recommended reading.
See page 1 (after the Roman numerals) Kristina Irion, Svetlana Yakovleva, and Marija Bartl.
Note there is an important difference between the 1994 Understanding and the EU-Singapore FTA texts. Singapore, 8.54 (2): “Each Party shall, adopt or maintain appropriate safeguards to protect privacy and personal data, including individual records and accounts, as long as these safeguards is not used to circumvent the provisions of this Agreement.” 1994 Understanding, article B.8: “(…) Nothing in this paragraph restricts the right of a Member to protect personal data, personal privacy and the confidentiality of individual records and accounts so long as such right is not used to circumvent the provisions of the Agreement.” The first is a commitment, the second an exception to a commitment.
TTIP 2 (b) (xii) ; TiSA 1 (c) (iii) reads: “(…) to incorporate a comprehensive, unambiguous, horizontal, self-standing and legally binding provision based on GATS Article XIV which fully exempts the existing and future EU legal framework for the protection of personal data from the scope of this agreement, without any conditions that it must be consistent with other parts of the TiSA; (…)” The articles in the agreements are not unambiguous, and do not fully exempt (…) from the scope of the agreement