Is digital trade really the enemy of privacy? Unfortunately, that seems to be message being delivered by many commentators, analysts and policymakers, who have bought into the false notion that the free flow of data across borders can’t exist within strict privacy regimes. There is an opportunity right now — through upcoming trade agreement negotiations — to change this way of thinking and develop policies that both vindicate privacy rights and provide for the essential flow of data across borders.
The appearance of conflict between privacy and digital trade can arise when countries claim they need to implement data localization measures in order to protect the privacy of their citizens. These measures demand that companies store data locally or even ban data from being transferred abroad. This flawed privacy rationale for data transfer restrictions can make it seem as if trade agreements must dismantle privacy protections in order to promote cross border trade.
But the reality is that restrictive measures like these are entirely unnecessary to protect individual privacy. Domestic privacy laws need to regulate international transfers of information only as a way to prevent circumvention of the law. Countries have every right to stop the transfer of data to another jurisdiction when the motive of the transfer is to evade local data protection rules.
But such efforts have nothing to do with core privacy protections that are focused on fair information practices: notice, choice, access, security, purpose specification, use limitation, accountability. Countries can and do differ in the way they implement these practices. The U.S. has national privacy statutes covering specific sectors, such as health information and financial information; state privacy and security rules, such as data breach notification; and residual authority at the U.S. Federal Trade Commission covering privacy and security violations as unfair or deceptive practices. In contrast, the European Union has a single data protection directive covering all sectors.
The need to regulate international transfers to prevent evasion can be met by a simple rule stating that data can be transferred abroad when data protection authorities are satisfied that all local laws will be obeyed.
There are several ways to do this. In the U.S., regulators require financial institutions to comply with U.S. privacy and security rules regardless of where they process and store customer data. They also demand that financial institutions include in their contracts with service providers, both here and abroad, provisions requiring these contractors to live under the same privacy and security rules that bind the financial institutions themselves.
In Europe there is a hybrid system, allowing transfers when the receiving country has an “adequate” privacy regime, or when companies comply with an international agreement such as the U.S. Safe Harbor Framework. Europe also allows transfers when an organization has satisfactory binding corporate rules or contracts with data protection authorities.
In order to protect America’s robust and economically essential digital trade, we must make certain that trade agreements solidify this approach of regulating data flows only to prevent evasion of law. By including in trade agreements provisions allowing data transfers and prohibiting local storage requirements, authorities will ensure the law is upheld without inhibiting trade or compromising privacy.
Exceptions to these general principles can be allowed for the implementation and enforcement of various local laws — including consumer protection and privacy — when these enforcement measures are narrowly crafted and not disguised means of restricting trade. Such provisions are already contained in the existing multilateral trade in service agreement. They need only to be updated and clearly applied to the case of cross border data flows.
Several trade negotiations are underway right now — the Trans Pacific Partnership, the Trade in Services Agreement and the Transatlantic Trade and Investment Partnership. Despite some misleading commentary to the contrary, the U.S. opposes barriers to cross border data flows, while allowing for certain basic protections. According to its published statement of digital trade policy, the U.S. is “…working to confront these discriminatory and protectionist barriers by negotiating specific provisions designed to protect the movement of data, subject to reasonable safeguards that countries put in place to ensure things like the protection of consumer data when exported.”
Making these data flow principles explicit in all our trade agreements will send the message that the U.S. favors both good trade policy and strong privacy protections — and leave no question that we believe the two can, and must, co-exist.