Regulating the flow of data

By Luis Millán September 30, 201330 September 2013

Are trade negotiations the appropriate forum for deciding on international standards for data privacy laws?

Regulating the flow of data

Illustration: Stephanie Wunderlich

At first glance, the link between the free flow of data, privacy, and trade agreements seems tenuous at best. But with global internet traffic expected to triple over the next five years, business lobby groups are concerned that the flourishing digital economy could be undermined by the emergence of tougher data privacy laws in different corners of the world.

It’s no wonder then that as Canada, the U.S. and nine other countries are negotiating a multilateral trade agreement called the Trans-Pacific Partnership (TPP), the Canadian Chamber of Commerce has joined the U.S. Chamber of Commerce calling for a provision that would prohibit “digital protectionism.” Business is pushing for new free-trade rules that would strike an “appropriate balance” between the rights of individuals and the need for firms to gather, store and transfer business and personal data. They want to limit the ability of governments to block cross-border flows personal and financial data, contending that data protection restrictions should rely on market forces. Ultimately, business is hoping an agreement can be reached over data standards during the TPP talks that can serve as a blueprint for other free-trade deals.

“The intent is to reach a standard for the flow of data that can be duplicated,” says Scott Smith, director of intellectual property and innovation policy at the Canadian Chamber, which represents 200,000 businesses across the country. “You can’t separate data standards from the digital economy. Trying to keep data within borders or regulate the flow of data for procurement or protectionist reasons will interrupt the digital economy.”

A growing number of nations have adopted or are considering implementing new robust privacy laws, a movement that has gathered momentum in the wake of revelations by former U.S. National Security Agency whistleblower Edward Snowden about wide-ranging government surveillance. The European Union is in the midst of bolstering and consolidating its fractured online data privacy legal framework. TPP members such as Australia and New Zealand are also considering strengthening existing privacy laws, and may possibly even follow the lead of other TPP members like Brunei and Vietnam by introducing new data residency laws that will compel companies to store data they collect only on in-country servers. These developments alarm businesses worried that such stringent data privacy regulations are in effect trade barriers that will stifle efficiency, lead to additional costs, create uncertainty over its application and implementation, and disrupt international trade. Hence the need for an international data standard, according to Ottawa privacy lawyer Kris Klein. “If the flow of data standards is done on an ad hoc basis, it creates a lot of uncertainty,” says Klein, a partner with nNovation LLP. “That is why, if it was approached on a more global scale, and a set of nations agreed to a set of certain principles and implemented a law recognizing those principles, then you would walk away from a lot of problems that we have seen in the last 10-15 years.”

Not everyone is swayed by the business rationale behind the push for international data standards. Businesses probably expect — “and if they don’t, they should” — that every time they enter into a new jurisdiction to carry on business that they are going to have to deal with a different set of rules and regulations, be they for employment standards, health and safety regulations, or even product labelling, says Vancouver litigator Stephen Antle of Borden Ladner Gervais LLP. “Data is not particularly unique,” adds Antle, a chartered arbitrator. “It is just another thing that they should expect to deal with differently. Sure by all means harmonize it but don’t expect it to be uniform.”

Nor are all privacy experts are convinced that trade negotiations are the appropriate forum for discussions over data standards. The host of issues surrounding data privacy are too complex to be held in trade talks, maintains John Beardwood of Fasken Martineau DuMoulin LLP. For one thing, he has serious reservations about trade negotiators’ expertise to deal with the finer points of data privacy issues. For another, while global data flows may appear to dissolve national borders, that is to some extent an illusion. National governments have different views on the kind of information that should be shared, and regulate accordingly. Bridging the gap can be a long and daunting exercise. “How would members of the TPP do this?” Beardwood asks rhetorically, noting that it took Canada, the U.S. and the European Union years to reach an agreement that allowed companies in the three jurisdictions to share data with each other. “How as a matter of practicality do you even arrive at common standards based on different data and privacy regimes that are heading in different directions?

In the unlikely event that a common framework for the flow of data can be reached in the TPP free-trade talks, it would probably constrain national governments and their regulators from forging their own unique privacy policies, notes David Fraser, a Halifax privacy expert with McInnes Cooper. Legislators and regulators would likely have little leeway to deal with local concerns that may arise over how personal data should be handled and by whom. “In a way it is a no-brainer that consistent rules and harmonized legislation is much better than huge variability in different places, but in international trade agreements countries make commitments that they are then expected to abide by and they would not be able to come up with laws that are contrary to it,” says Fraser.

That is arguably more troubling because in seeking to reconcile privacy concerns and data protection standards with the promotion of trans-border data flows, nobody really knows which privacy regime might be used as a model in the TPP trade agreement. “Do we go with the notion of a high-water mark where everybody follows the lead of the most restrictive data protection regime, or do we go to the lowest common denominator and actually reduce the protection for personal information? The devil is in the details,” says Fraser. Indeed it is, says Antle. While there is “nothing inherently good or bad” about having a harmonized regional standard protecting the use of personal information, Antle points out that it is difficult to “intelligently debate the merits of whatever is being proposed in the TPP negotiations without knowing what the content is.” Basic questions such as what the data standards are going to be, how exactly are they going to protect whatever it is that they decide to protect, and whether there is going to be teeth in the agreement if a company violates standards have yet to be addressed publicly.

Antle, like others, will have to wait for answers. Though TPP negotiations have been going on for years, an official release of the draft text has yet to be published, providing fodder to critics who have long denounced the process for its lack of transparency. The federal government too has been castigated for holding consultations over the matter with a select few voices, including the Canadian Chamber but excluding civil society groups. “Data standards are in my view an expression of public policy,” says Antle. “These negotiations are state-to-state. The issue is what is my state going to do? It seems to me that we are being asked to sacrifice privacy to enhance business efficiency. That is a policy decision. It comes back to the devil being in the details of what is being discussed. But we don’t know what we are being asked to sacrifice yet.”

In the end, the Snowden leaks may wind up playing a vital role in deciding the fate of data standards in the TPP multilateral trade talks. Beardwood believes they have handed privacy regulators ammunition. “It points to the difficulty of having a global free-flowing network of data whereby you are prohibited from imposing restrictions on data going outside your borders,” says Beardwood. Even the Canadian Chamber’s Smith acknowledges that the government surveillance disclosures may prove to be a turning point. “It certainly has created some challenges in how some countries are viewing data protection right now so it may stall some of these discussions.”

Luis Millàn is a legal journalist based in Wakefield, Que.
 

Filed Under:
Comments
No comments


Leave message



 
 Security code