If all TPP countries implemented similarly strong privacy protections, there would be little need to consider alternative mechanisms to enhance public confidence in their privacy through additional legal safeguards. However, the Trouble with the TPP is that it actually weakens privacy protections by treating voluntary undertakings as equivalent to comprehensive privacy laws (prior posts include Day 1: US Blocks Balancing Provisions, Day 2: Locking in Digital Locks, Day 3: Copyright Term Extension, Day 4: Copyright Notice and Takedown Rules, Day 5: Rights Holders “Shall” vs. Users “May”, Day 6: Price of Entry, Day 7: Patent Term Extensions, Day 8: Locking in Biologics Protection, Day 9: Limits on Medical Devices and Pharma Data Collection, Day 10: Criminalization of Trade Secret Law, Day 11: Weak Privacy Standards). The TPP goes further in harming privacy, however, by restricting the use of data localization requirements that might otherwise be used to provide privacy protection.
Data localization has emerged as an increasingly popular legal method for providing some additional assurances about the privacy protection for personal information. Although heavily criticized by those who fear that it harms the free flow of information, requirements that personal information be stored within the local jurisdiction are an unsurprising reaction to concerns about the lost privacy protections if the data is stored elsewhere. Data localization requirements are popping up around the world, with European requirements in countries such as Germany, Russia, and Greece; Asian requirements in Taiwan, Vietnam, and Malaysia; Australian requirements for health records; and Latin American requirements in Brazil. Canada has not been immune to the rules either, with both British Columbia and Nova Scotia creating localization requirements for government data.
In response to mounting public concern and government regulations, global companies are starting to offer local servers. Last week, Amazon announced plans to establish Canadian-based cloud computing services, and last year Microsoft pledged to do the same. In fact, Microsoft’s general counsel Brad Smith is on record that people should be able to choose where their data resides.
Despite the momentum toward data localization as a privacy protection measure, Article 14.13 of the TPP establishes a restriction on legal requirements to do so:
No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory.
This general provision is subject to at least three exceptions. First, government services are excluded, meaning that the Canadian provincial laws remain in place. Second, there is an exception for financial services, which has sparked protest from some members of the U.S. Congress. The exclusion is reportedly due to demands from the U.S. Treasury, which wanted to retain the right to establish restrictions on financial data flows.
The third exception is cited by supporters of the TPP as evidence that privacy protections are still a possibility. The exception states:
Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 2 to achieve a legitimate public policy objective, provided that the measure:
(a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and
(b) does not impose restrictions on the use or location of computing facilities greater than are required to achieve the objective.
When combined with a 1999 WTO reference to privacy, the argument is that privacy could be viewed as a legitimate public policy objective and therefore qualify for an exception.
The problem is that the historical record overwhelmingly suggests that reliance on this exception will not work. As Public Citizen noted in a study on the general exception language:
the exceptions language being negotiated for the TPP is based on the same construct used in Article XX of the World Trade Organization’s (WTO) General Agreement on Tariffs and Trade (GATT) and Article XIV of the General Agreement on Trade in Services (GATS). This is alarming, as the GATT and GATS exceptions have only ever been successfully employed to actually defend a challenged measure in one of 44 attempts. That is, the exceptions being negotiated in the TPP would, in fact, not provide effective safeguards for domestic policies.
In other words, the exception is illusory since the requirements are so complex (each aspect must be met) that countries relying on the exception have failed in 43 out of 44 cases. For countries concerned about the weakened privacy protections, the TPP restricts the use of data localization requirements as a remedy just as more and more countries are exploring such rules.