The Data Is in the Details: Cross-Border Data Flows and the Trans-Pacific Partnership

 
 

With an agreement governing privacy protections for data sent between the United States and the European Union ruled invalid, Microsoft seeking to prevent the U.S. government from accessing emails stored in Ireland and the same company also announcing plans to build a new data center in Germany controlled by a German telecom, cross-border data flows between the U.S. and Europe appear to be drying up.

But what about in the Pacific?

Considered the lifeblood of the Internet, cross-border data flows enable everything from Facebook status updates to bank transfers. By taking a look at relevant chapters within the Trans-Pacific Partnership—including e-commerce, financial services, intellectual property, and telecommunication—a broader picture about the potential future of cross-border data flows materializes.

Enjoying this article? Click here to subscribe for full access. Just $5 a month.

In particular, the TPP includes provisions for data privacy, limitations on data localization and access to source code, measures to crackdown on the theft of trade secrets and incentives for increased network connectivity among countries. However, despite these positives, the TPP does leave some wiggle room for countries to skirt their responsibilities and implement policies that might block the free flow of data across borders.

Electronic Commerce

The electronic commerce chapter of the TPP addresses three important areas relevant to cross-border data flows: privacy, data localization and access to software source code.

The TPP calls for each party to adopt legal frameworks that protect the privacy of users’ data, and recommends looking towards existing privacy principles when doing so. However, the TPP neither lists current privacy principles worth adopting nor advocates for a particular regulatory regime.

Parties could look to the Asia-Pacific Economic Cooperation’s Privacy Framework, published in 2008, which features principles such as notice, collection limitation, and accountability. Or parties might consider the Organization for Economic Cooperation and Development’s Privacy Guidelines, a foundational set of privacy principles originally published in 1980 and updated in 2013. As for regulatory regimes, the TPP offers both a sector-specific approach (favored in the U.S.) and a comprehensive approach (favored in Europe) as possibilities.

Overall, the TPP recognizes that privacy plays a crucial role in protecting the integrity of cross-border data flows and people’s confidence in these flows, but provides few concrete steps for increasing privacy protections.

The TPP’s electronic commerce chapter also prevents data localization—the act of storing a user’s data within that user’s country of residence—as a prerequisite for conducting business. Opponents of data localization emphasize that storing data locally is more expensive (more data centers must be built), and less secure (keeping data static impacts resiliency). While those supporting a free and open Internet consider this provision a major win, others worry about a lack of control over their data, seeing it sent abroad and stored in countries with autocratic governments, a weak rule of law, or surveillance programs.

Article 14.17 of the electronic commerce chapter prevents a country from requiring access to source code as a condition for conducting business. However, this protection does not extend to software used for critical infrastructure.

Known for wanting to access source code to ensure there are not so-called national security risks in the software, China may consider this provision closely when deciding whether to join the TPP. Recently, China sought—and gained access to—IBM source code, much to the chagrin of the United States. Although IBM argued the access was highly limited, the United States did not like the precedent it set, as there are significant security ramifications for revealing source code, including enabling a country to establish backdoors.

However, the TPP’s protection against access to source code provides support to private companies who often have to walk a fine line between potentially undermining security and profit-driven desires to enter new markets.

Several of the electronic commerce chapter’s protections also include a paragraph stating countries can adopt measures inconsistent with the protections if it is for “legitimate public policy objectives.”

However, the TPP does not explain what constitutes a legitimate public policy objective, other than to say such objectives cannot be a “means of arbitrary or unjustifiable discrimination,” or a “disguised restriction on trade.”

Countries can easily argue that data localization or accessing source code constitutes a matter of national security, and is therefore a “legitimate public policy objective.” As a result, several of the TPP’s protections may not be protections at all.

Financial Services

The financial services chapter includes agreements governing cross-border financial data flows. Each country permits the transfer and processing of financial data by another country’s financial service supplier. However, several countries add stipulations.

Notably, the stipulations include requiring authorization from a regulator before the transfer and processing of financial data, and specifying which country’s privacy laws will apply to the data being transferred or processed.

The following table compares the different positions of each country regarding the transfer and processing of financial data.

Country

Agree to allow transfer and processing of financial data by financial service suppliers of another country?

Added Stipulations?

Australia Yes No
Brunei Darussalam Yes No
Canada Yes
  • Cross-border financial services supplier maintains a local agent and records in Canada
Chile Yes
  • Regulatory authorization
  • Chile’s privacy laws regulate protection of data
Japan Yes No
Malaysia Yes
  • Agreement does not include electronic payment services for payment card transactions
Mexico Yes
  • Regulatory authorization
  • Mexico’s privacy laws regulate protection of data
New Zealand Yes No
Peru Yes
  • Regulatory authorization
  • Peru’s privacy laws regulate protection of data
Singapore Yes
  • Regulatory authorization
  • Singapore’s privacy laws regulate protection of data
United States Yes No
Vietnam Yes
  • Regulatory authorization
  • Vietnam’s privacy laws regulate protection of data

It is interesting to note which countries took extra precautions to stipulate that it was their own privacy laws that governed the financial data flows (Chile, Mexico, Peru, Singapore, and Vietnam) versus those that didn’t (Australia, Brunei, Canada, Japan, New Zealand, and the United States).

Given the location of financial firms and where transactions take place, cross-border data flows involving financial information may mostly like flow from countries such as Chile, Mexico and Peru towards countries like Australia, Canada and the U.S. Given this dynamic, countries with data flowing out may want to ensure privacy protections, especially given revelations about government surveillance programs.

Vietnam’s autocratic government may want to keep as much control as possible over any type of data.

Intellectual Property

The TPP’s intellectual property chapter seeks to create a legal framework with incentives and limitations that push Internet service providers to crack down on the “unauthorized storage and transmission of copyrighted materials.” The legal framework seeks to reduce the liability of ISPs for copyright infringements that they do not control, initiate, or direct. However, in order to receive these liability protections, ISPs must first qualify for them by meeting certain requirements, including an agreement that ISPs will “expeditiously remove or disable access to material residing on their networks or systems upon obtaining actual knowledge of the copyright infringement.”

Convincing ISPs to crack down on copyright infringements by promising liability protection is a strategy of pressuring Internet intermediaries, a proven approach that has previously been adopted by governments to control content on the Internet. The TPP’s inclusion of such an approach is promising for future success.

Telecommunications

The TPP’s telecommunications chapter improves cross-border data flows by increasing access to and use of public telecommunication services. Establishing agreements for interconnection can broaden the networks that run between the 12 parties of the TPP. Interconnection involves physically linking one telecommunication provider’s equipment and network to those of another’s. Doing so can lead to faster exchange of data, better connectivity, and more bandwidth.

The telecommunications chapter also includes a provision for establishing a committee on telecommunication that will be responsible for ensuring effective implementation of the agreements as well as making sure each country is able to stay responsive to technological and regulatory developments in telecommunications.

It will be interesting to see who the countries appoint to the committee as well as how the committee will fit in with other international telecommunication organization. The United Nation’s International Telecommunications Union has been around since 1865 when it was first focused on the use of radio, but has since expanded to cover satellites and other telecommunication technologies. Additionally, the Asia-Pacific Telecommunity was established in 1976 and covers many (although not all) of the TPP parties.

Samuel Klein is a graduate of The George Washington University, where he worked at GW’s Cyber Security Policy and Research Institute conducting research focused on information privacy, data handling policies, and privacy engineering.

Newsletter
Sign up for our weekly newsletter
The Diplomat Brief