The European Commission should revise its proposed rules for cross-border data flows to clearly prohibit unjustified barriers done in the name of "privacy."
By Nigel Cory
"The bigger problem comes if the EC’s flawed approach becomes the basis for new global rules and norms around digital trade." (Information Technology and Innovation Foundation)
It’s well past time to update European Union trade policy for the digital age, as cross-border data flows are an inherent part of the increasingly global economy and international commerce. The European Commission took a step in the right direction with its recently outlined vision for global trade rules covering digital flows. However, the proposed rules create a massive loophole allowing countries to use privacy as a carte blanche justification to enact any and all barriers to data flows—a significant risk given the already expanding range of barriers to data flows around the world. The Commission should revise its proposal and use detailed, nuanced language to narrow its proposal so that it clearly prohibits unjustified barriers to data flows done in the name of “privacy.” Otherwise, the proposal will do more harm than good by putting in place a framework enabling digital trade autarky.
The proposal’s opening section prohibits two key digital trade barriers: policies that block cross-border data flows, such as data localization—where countries force companies to store data within a country’s borders—and rules that force firms to use local cloud computing facilities. China, Russia, Indonesia, Vietnam, and a growing number of other countries have used data localization policies to target a broad range of data—e-commerce, accounting, financial, telecommunication, health, and others. The rise of such data localization policies makes these rules essential if the EU wants to promote an open global digital economy and allow EU firms to engage in robust digital trade.
Yet, the draft proposal’s language banning policies that block cross-border data flows is rendered largely hollow by a follow-on section stating that any participating nation can enact whatever measures it “deems appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data.” Essentially, as long as a country states that data localization is for data privacy, it is valid within the EU trade policy framework, thus legitimizing the very policies the EU vision opposes.
The European Commission’s draft reflects a non-workable compromise between member states over privacy and data flows. On one side, France, Germany, and a few other nations favor barriers to data flows on privacy and other grounds and strict control over data flows. On the other side, Spain, Sweden, Finland, Poland, and others recognize the critical role that the free flow of data plays in supporting digital trade and support stronger free trade measures. Perhaps France and Germany are forgetting that not only do foreign firms rely on German and French data, but French and German multinational firms rely on data collected in other nations. Allowing nations to invoke the “privacy card” to justify data protectionism would mean that French and German multinationals could very well be cut off from foreign digital trade. For example, Volkswagen might not be able to import data back into Germany on the performance of its cars in other nations.
The bigger problem comes if the European Commission’s flawed approach becomes the basis for new global rules and norms around digital trade, as the same language could be used to justify barriers to data flows whenever a country deals with an issue that arises due to cross-border data flows. Instead of a broad, self-judging exception for privacy, the Commission should develop a framework that covers the sizable range of legitimate privacy policies that countries use, and most importantly, one which emphasizes that firms will be held accountable for ensuring that a country’s data protection rules flow with the data, regardless of what the privacy policies are in the nations where the data is stored. It should also explicitly prohibit policies that are clearly illegitimate, such as data localization. No country should be allowed to create rules restricting cross-border transfer of personal data for commercial purposes. This will require some tough debates between member states, but until this is finally done and resolved, the European Commission’s ability to contribute to efforts to shape genuinely free digital trade rules will remain limited.
Nigel Cory (@nigelcory) is an associate director covering trade policy at the Information Technology and Innovation Foundation (ITIF).
Opinions expressed in View articles do not reflect those of euronews.