The Trouble with the TPP continues this week with a series of posts on the TPP and privacy (prior posts include Day 1: US Blocks Balancing Provisions, Day 2: Locking in Digital Locks, Day 3: Copyright Term Extension, Day 4: Copyright Notice and Takedown Rules, Day 5: Rights Holders “Shall” vs. Users “May”, Day 6: Price of Entry, Day 7: Patent Term Extensions, Day 8: Locking in Biologics Protection, Day 9: Limits on Medical Devices and Pharma Data Collection, Day 10: Criminalization of Trade Secret Law). The inclusion of privacy within the TPP has been touted by governments as one of the benefits of the agreement, but the privacy provisions are so weak as to move global privacy backwards, weakening emerging international standards and locking countries into rules that restrict their ability to establish additional privacy safeguards.
While some have questioned the concerns associated with privacy and the TPP by arguing that it is a trade agreement, not a privacy treaty, the reality is that the commercial importance of big data has never been greater. Indeed, it is odd to see some emphasize the importance of increased, harmonized intellectual property protections but simultaneously express satisfaction with bare minimum privacy protections that leave companies with a patchwork of rules and consumers without standardized protections. Personal information is a critical part of e-commerce, and the need for public confidence in privacy protections alongside corporate certainty about their rights and obligations with the personal information they collect should be beyond debate.
For most TPP countries, the starting point for privacy protection is a national privacy law modeled on the OECD privacy principles. In fact, the majority of TPP countries, including Canada, Mexico, Peru, Australia, New Zealand, Malaysia, Japan, and Singapore, have national privacy laws (Chile is developing a privacy law). Moreover, many of these countries have privacy or data protection commissioners with some form of enforcement powers as well as additional rules on issues such as mandatory disclosure of security breaches (overview of Latin America rules, Asia rules). The key exception is the United States, which has neither an omnibus privacy law nor a privacy commissioner, relying instead on FTC enforcement of privacy policies.
Rather than setting the TPP privacy bar at having a national privacy law based on the OECD principles, the agreement weakens the shift toward a minimum standard of privacy protection. Article 14.8 looks promising with respect to privacy protection:
each Party shall adopt or maintain a legal framework that provides for the protection of the personal information of the users of electronic commerce. In the development of its legal framework for the protection of personal information, each Party should take into account principles and guidelines of relevant international bodies
Unfortunately, the provision is subject to a footnote that effectively eviscerates the requirement for a privacy legal framework:
For greater certainty, a Party may comply with the obligation in this paragraph by adopting or maintaining measures such as a comprehensive privacy, personal information or personal data protection laws, sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy.
The footnote effectively means that the TPP’s privacy requirements can be met without the need for any privacy law at all. Enforcing voluntary undertakings isn’t a privacy law; it’s an anti-fraud approach that requires companies to be truthful about their privacy promises. If the law does not feature specific requirements for the consent, use, and disclosure of personal information, it isn’t a privacy law. The TPP weakens global privacy protections by failing to establish a minimum privacy law standard and then makes matters worse by limiting the ability of member countries to establish some additional safeguards. More on those limitations throughout the coming week.