Wiertz Sebastien - Privacy by Sebastien Wiertz (CC BY 2.0) https://flic.kr/p/ahk6nh
Yesterday’s Trouble with the TPP post examined some of the uncertainty created by the surprising e-commerce provision that involves restrictions on source code disclosures. KEI notes that governments have not been shy about requiring source code disclosures in other contexts, such as competition worries. Yet this rule will establish new restrictions, creating concerns about the implications in areas such as privacy. For example, security and Internet experts have been sounding the alarm on the risks associated with exploited wifi routers and pointing to source code disclosures as potential solution.
Dave Farber, former Chief Technologist of the Federal Communications Commission, warns:
In today’s communications driven world, no one collects as much information about its customers as telecom companies. As subscribers increasingly rely on the same company for Internet connectivity, wireless access, local phone service, and television packages, the breadth of personal data collection is truly staggering.
Whether it is geo-location data on where we go, information on what we read online, details on what we watch, or lists identifying with whom we communicate, telecom and cable companies have the capability of pulling together remarkably detailed profiles of millions of Canadians.
My weekly technology law column (Toronto Star version, homepage version) notes that how that information is used and who can gain access to it has emerged as one the most challenging and controversial privacy issues of our time. The companies themselves are tempted by the prospect of “monetizing” the information by using it for marketing purposes, law enforcement wants easy access during criminal investigations, and private litigants frequently demand that the companies hand over the data with minimal oversight.
The Trouble with the TPP and privacy, which includes weak privacy laws, restrictions on data localization, bans on data transfer restrictions, and a failure to obtain privacy assurances from the U.S., also includes the agreement’s weak anti-spam standards. Given the fact that nearly all TPP countries have some form of anti-spam law (with the exception of Brunei), the inclusion of anti-spam provision in the TPP was not surprising, yet the agreement sets the bar far lower than that found in many countries. Article 14.14 states:
Each Party shall adopt or maintain measures regarding unsolicited commercial electronic messages that:
(a) require suppliers of unsolicited commercial electronic messages to facilitate the ability of recipients to prevent ongoing reception of those messages;
(b) require the consent, as specified according to the laws and regulations of each Party, of recipients to receive commercial electronic messages; or
(c) otherwise provide for the minimisation of unsolicited commercial electronic messages.
The TPP provision features two key requirements: anti-spam laws that provide for a binding unsubscribe mechanism and some form of consent. Yet with the standard of consent left wide open, countries are free to adopt weak, ineffective standards and still comply with the TPP requirements. In fact, since spam raises global concerns that frequently requires cross-border co-operation, the TPP would have been an ideal mechanism to strengthen international anti-spam rules and enforcement.
The Trouble with the TPP series focus on privacy has thus far examined weak privacy laws, restrictions on data localization requirements, and a ban on data transfer restrictions. The data transfer restriction post cited one of my recent technology law columns in concluding that the net effect of a recent European privacy case and the TPP provisions is that Canada could end up caught in a global privacy battle in which Europe restricts data transfers with Canada due to surveillance activities and the TPP restricts Canada’s ability address European concerns.
Interestingly, at least one TPP country identified the potential risk of a clash between European privacy rules and the TPP. Australia obtained a side letter with the United States that largely addresses the concern. The letter states:
The Trouble with the TPP yesterday examined the barriers to data localization requirements, an emerging policy choice for countries concerned with weak privacy protections once personal data is transferred outside the country. The TPP goes further in undermining potential privacy protections, however, as it also establishes a ban on data transfer restrictions (prior posts in the series include Day 1: US Blocks Balancing Provisions, Day 2: Locking in Digital Locks, Day 3: Copyright Term Extension, Day 4: Copyright Notice and Takedown Rules, Day 5: Rights Holders “Shall” vs. Users “May”, Day 6: Price of Entry, Day 7: Patent Term Extensions, Day 8: Locking in Biologics Protection, Day 9: Limits on Medical Devices and Pharma Data Collection, Day 10: Criminalization of Trade Secret Law, Day 11: Weak Privacy Standards, Day 12: Restrictions on Data Localization Requirements).
Data transfer restrictions are a key element of the European approach to privacy, which restricts data transfers to those countries with laws that meet the “adequacy” standard for protection. That approach is becoming increasingly popular, particularly in light of the Snowden revelations about governmental surveillance practices. Several TPP countries, including Malaysia, Singapore and Chile, are moving toward data transfer restrictions as are countries such as Brazil and Hong Kong.