Privacy is not a commodity to be traded
Trade has often been a positive driver in encouraging countries to adopt data protection laws, to ensure compliance and ability to conduct business with the European Union and other privacy-respecting partners. However, when free trade agreements are negotiated in secret and influenced by powerful business interests, the result is a severe watering down of existing privacy protections.
There is a high risk of this happening in the free trade negotiations between the European Union and the United States (US), which are being launched on the 8th July in Washington. One of the hot topics in the agreement regards “data flows”, a euphemistically named term that in reality means the flow of personal user information. The problem is that data protection and privacy provisions in the US are far below best practice standards. Since recent lobbying efforts by American corporations and its government sought to undermine the EU data protection Regulation currently being debated in Brussels, supporters of the trade agreement who would like weaker privacy protections are likely to find more fertile ground behind closed doors of trade negotiations.
What is the TTIP?
Both the member countries of the European Union and the U.S. Congress have agreed to move forward on negotiations of a free trade agreement, called Transatlantic Trade and Investment Partnership –TTIP. What makes this particular bi-lateral trade deal special is its almost entire focus on rules and regulations and standards in order to achieve “an ambitious level of regulatory compatibility” through “mutual recognition”, “enhanced co-operation” and “harmonisation”. And everything - sectors of goods and services - is potentially under the hammer, bar perhaps the audio-visual services (at the insistence of France) .
The economic reason for all this is that common rules would make it much easier and cheaper for US and EU business to operate on both sides of the Atlantic, and hence, it is argued, a lifeline for development and be able to compete with the emerging superpowers of China, India and Brazil. And since both partners have common democratic values and similar goals in labour, environmental and consumer protection, this should be a win-win situation for people on both sides of the Atlantic.
In theory, an agreement that aims at regulatory convergence should be acceptable if it adopts the highest standards currently in force by either partner, while allowing each of them to continue to legislate to higher standards after the agreement is made. In practice, in several sectors, this would be nearly impossible because the two regulatory systems are not just very different, but they are based on different fundamental values.
This is certainly the case with privacy and data protection. In the EU there is general data protection legislation (under current revision ) underpinned by the fundamental Right to Privacy as enshrined in the Charter of Fundamental Rights, as well as the constitutions of several of the member countries. Personal information can be processed only if it complies with the law, or the owner of the information (the “data subject”) agrees. In the US there is no such statutory recognition of privacy as a fundamental right, and personal information maybe processed freely, unless it concerns children under 13, or health or financial services, which are all subject to specific sectoral legislation.
Threat to privacy protections
With such fundamental value differences, any negotiation on convergence or mutual recognition for privacy protections would seem utopian; as a topical example, the European Justice Commissioner Viviane Reding has been negotiating an Umbrella Agreement with the US Attorney General, Eric Holder, for the exchange of data in the law enforcement sector for over two years, with no resolution after 15 negotiating rounds .
In the commercial sector, the EU has bent over backwards to facilitate flows of personal data across the Atlantic, with the special arrangement of Safe Harbor in operation since 2000. This is a sort of partial adequacy regime whereby companies self-declare and self-police that they will conform to its principles, which are similar but not identical to those in the data protection legislation. In essence, there is no effective oversight, while enforcement is complaint driven.
The new proposed general data protection Regulation, currently undergoing debate and complex negotiations in Brussels, as drafted, would perpetuate this unsatisfactory state of affairs and if anything would make data transfers to third countries even easier, without provision of verifiable guarantees of following the minimum EU standards. The proposed Directive, dealing with data protection by law enforcement authorities, has even weaker third country transfer provisions as our analysis has shown.
Big business stepping in
Despite all these efforts, it is deeply concerning that virtually all the major US-linked business groups are strongly advocating and campaigning to have data protections included in the Transatlantic trade agreement. To be sure, they are calling it cross-border data flows, not data protection or privacy, but this distinction is purely semantic. Data protection is meant to protect cross-border data flows as much as in-border ones; so any trade negotiations that includes data flows necessarily additionally include data protection and privacy.
Business groups such as the purpose-formed Coalition for Privacy and Free Trade, the Digital Trade Coalition, The Internet Association, the Transatlantic Business Council, and others, are all urging The US Trade Representative to include cross-border data flows in the TTIP as a matter of priority. Overall, the primary purpose is to lock in the status quo in a long-term trade agreement - the current EU legislation and the existing Safe Harbor agreements. Clearly, such a lock-in would make future revisions both of the “Safe Harbor” agreement and of the legislation much more difficult, in a sector of fast moving technologies. This is referred to as “interoperability” between different regimes, also important for setting a precedent and a global standard.
Concerns have arisen that these negotiations will start a race to the bottom, after reading submissions and listening to assurances from EU trade officials that data protection will not be included in negotiations, but that data flows will be. Regulatory convergence is just an euphemism for deregulation or self-regulation, and at each turn these concerns seem fully justified.
If this comes to be, the revised data protection legislation in the EU will have a huge gaping hole in it through which all our data will leak out with little protections across the Atlantic and beyond.
There is hope is that the recent revelations about Prism and the NSA have alerted EU parliamentarians and negotiating member governments to cease bickering, stop watering down the draft legislation, hurry up, and produce a robust and hole-proof data protection Regulation in the interest of people on both sides of the Atlantic.
Privacy is not a commodity to be traded in secret negotiations; and the privacy community and civil and digital rights advocates will not tolerate for this to be so.