In a March 30, 2017 opinion piece, “Don’t trade away data protection,” two leading Members of the European Parliament, Viviane Reding and Jan Philipp Albrecht, suggest “strengthening data protection safeguards in the General Exception (known as GATS XIV) and E-Commerce chapters, and removing necessity and consistency tests.” The idea behind the proposal is to make absolutely certain that the General Data Protection Regulation (GDPR) and perhaps other parts of the EU privacy acquis could not be successfully challenged as inconsistent with an affirmative cross-border data flow obligation. This is a topic SIIA will comment on again in the coming months, likely in a longer-form Issue Brief. This blog discusses the proposal to remove the necessity test.
Reding/Albrecht acknowledge the economic importance of data flows and say that “data flows should not be unduly prohibited by means of disguised trade barriers whose only purpose is to force companies to store data in their home country.” The recognition of the economic importance of data flows is positive, as is the acknowledgement that disguised trade barriers sometimes exist.
Nonetheless, Reding/Albrecht consider that accepting an affirmative obligation to allow data flows without eliminating the necessity test would be a danger to the EU privacy system. However, this is a misunderstanding of how the necessity test would work to protect both privacy and the free flow of data. The necessity test is not an unreasonable burden, and it is one that the EU’s privacy laws would easily pass. After all, the necessity test is the standard rule applied to determine whether any violation of a trade agreement is permissible. For example, if a country bans an import of a hazardous material in order to protect health and safety – another fundamental right – it must still justify the ban as being necessary to the country’s objective. True, keeping the necessity test would prevent the EU from putting in place a total ban on transfers of data abroad, even if a business is fully compliant with GDPR. But the current mechanisms for international transfers under standard clauses, corporate rules and regional agreements like the Privacy Shield ensure that EU data restrictions could not be successfully challenged.
This gets to SIIA’s main “ask” with respect to cross-border data flows. We request that there be functioning interoperability mechanisms. Interoperability does not require "unconditional flow of data" or "deregulation." Instead, interoperability is critical to assure consumers and businesses that their data will be protected as it flows across borders and is subject to different privacy frameworks. There are different kinds of mechanisms. But to take one that now has roughly 2,000 participating companies, the EU-US Privacy Shield, it functions as a means of ensuring that companies comply with EU data protection requirements. So the EU gains assurances that its citizens’ data are protected in a manner it deems fit. It does not interfere in any substantive way with domestic EU privacy legislation.
So removing the necessity test is not needed in order to accomplish the EU objective of protecting the GDPR.
But the removal of the necessity test hurts the goal of global free flow of data, which the EU wants. There are countries that do impose data localization requirements for mercantilist or other reasons. They do not offer interoperability mechanisms for cross-border data flows. They often insert these trade restrictive provisions in data protection laws or regulations. Successfully challenging these data localization laws, regulations, and/or practices would be virtually impossible without a necessity test. This cannot be an outcome that is consistent both with EU fundamental privacy principles and its interests in promoting economic growth.