Asia-Pacific Free Trade Deals Clash with GDPR and Convention 108

(2018) 156 Privacy Laws & Business International Report 22-24

5 Pages Posted: 5 Apr 2019

Date Written: November 30, 2018


Two distinct worlds of international agreements – concerning free trade and data protection – are now colliding due to provisions which may impose incompatible obligations on parties to both types of agreements. On the one hand, new Asia-Pacific free trade agreements (FTAs) include strict limits on how legislation can restrict personal data exports or require data localisation. On the other hand, the EU’s GDPR, and Convention 108/108+ require countries’ laws to impose restrictions on data exports if those countries wish to be held to provide ‘adequate’ protection, or to accede to the Convention. Mexico and Japan are the first countries where a clash of these obligations requires resolution, but similar clashes may soon arise in relation to Canada, New Zealand, and potentially other countries. This article explains how and where these conflicts are arising.

The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP – the ‘new TPP’) comes into force on 30 December 2018 because six of the eleven signatories (Mexico, Canada, Japan, New Zealand, Australia and Singapore) have ratified it and deposited their agreements (only four were needed). It comes into force between ratifying parties. CPTPP’s implications for privacy legislation are primarily that (i) it imposes an onerous Four-Step-Test’ for any exceptions to its prohibition on data export limitations. There are similar data localisation prohibitions. State party dispute settlement provisions can result in a panel awarding monetary assessments against a party, and in some limited situations Investor-state dispute settlement (ISDS) provisions could apply.

The United States – Mexico – Canada Agreement (USMCA – the ‘new NAFTA’) was agreed to on 1 October 2018, but is yet to be ratified and come into force. The test for data export restriction limitations, although using different words, is in substance the same as in the CPTPP. ‘Data localisation’ by requiring local processing is prohibited, and there are no exceptions, unlike the CPTPP.

The requirements of both the CPTPP and the USMCA require careful consideration by any of their Parties who are already Parties to Council of Europe data protection Convention 108 and its 2001 additional Protocol, or intending to accede to Convention 108+, or have obtained an adequacy decision by the EU or are attempting to obtain one under the GDPR. This article considers the position of Mexico, due to its accession to Convention 108 on 1 October 2018, its ratification of CPTPP, and potential ratification of USMCA. It also considers the position of Japan, due to it being about to obtain a positive ‘adequacy’ assessment under the GDPR from the EU, and its ratification of the CPTPP. Canada is in a similar position, and other countries may become so. When worlds collide, the results are unpredictable.

Keywords: privacy, data protection, free trade, FTA, Convention 108, CPTPP, USMCA, adequacy, Canade, Mexico, Japan, USA

Suggested Citation

Greenleaf, Graham, Asia-Pacific Free Trade Deals Clash with GDPR and Convention 108 (November 30, 2018). (2018) 156 Privacy Laws & Business International Report 22-24, Available at SSRN: or

Graham Greenleaf (Contact Author)

Independent Scholar ( email )



Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics