Asia-Pacific Free Trade Deals Clash with GDPR and Convention 108

(2018) 156 Privacy Laws & Business International Report 22-24

5 Pages Posted: 5 Apr 2019

See all articles by Graham Greenleaf

Graham Greenleaf

University of New South Wales, Faculty of Law

Date Written: November 30, 2018

Abstract

Two distinct worlds of international agreements – concerning free trade and data protection – are now colliding due to provisions which may impose incompatible obligations on parties to both types of agreements. On the one hand, new Asia-Pacific free trade agreements (FTAs) include strict limits on how legislation can restrict personal data exports or require data localisation. On the other hand, the EU’s GDPR, and Convention 108/108+ require countries’ laws to impose restrictions on data exports if those countries wish to be held to provide ‘adequate’ protection, or to accede to the Convention. Mexico and Japan are the first countries where a clash of these obligations requires resolution, but similar clashes may soon arise in relation to Canada, New Zealand, and potentially other countries. This article explains how and where these conflicts are arising.

The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP – the ‘new TPP’) comes into force on 30 December 2018 because six of the eleven signatories (Mexico, Canada, Japan, New Zealand, Australia and Singapore) have ratified it and deposited their agreements (only four were needed). It comes into force between ratifying parties. CPTPP’s implications for privacy legislation are primarily that (i) it imposes an onerous Four-Step-Test’ for any exceptions to its prohibition on data export limitations. There are similar data localisation prohibitions. State party dispute settlement provisions can result in a panel awarding monetary assessments against a party, and in some limited situations Investor-state dispute settlement (ISDS) provisions could apply.

The United States – Mexico – Canada Agreement (USMCA – the ‘new NAFTA’) was agreed to on 1 October 2018, but is yet to be ratified and come into force. The test for data export restriction limitations, although using different words, is in substance the same as in the CPTPP. ‘Data localisation’ by requiring local processing is prohibited, and there are no exceptions, unlike the CPTPP.

The requirements of both the CPTPP and the USMCA require careful consideration by any of their Parties who are already Parties to Council of Europe data protection Convention 108 and its 2001 additional Protocol, or intending to accede to Convention 108+, or have obtained an adequacy decision by the EU or are attempting to obtain one under the GDPR. This article considers the position of Mexico, due to its accession to Convention 108 on 1 October 2018, its ratification of CPTPP, and potential ratification of USMCA. It also considers the position of Japan, due to it being about to obtain a positive ‘adequacy’ assessment under the GDPR from the EU, and its ratification of the CPTPP. Canada is in a similar position, and other countries may become so. When worlds collide, the results are unpredictable.

Keywords: privacy, data protection, free trade, FTA, Convention 108, CPTPP, USMCA, adequacy, Canade, Mexico, Japan, USA

Suggested Citation

Greenleaf, Graham, Asia-Pacific Free Trade Deals Clash with GDPR and Convention 108 (November 30, 2018). (2018) 156 Privacy Laws & Business International Report 22-24. Available at SSRN: https://ssrn.com/abstract=3352288 or http://dx.doi.org/10.2139/ssrn.3352288

Graham Greenleaf (Contact Author)

University of New South Wales, Faculty of Law ( email )

Sydney, New South Wales 2052
Australia
+61 2 9385 2233 (Phone)
+61 2 9385 1175 (Fax)

HOME PAGE: http://www2.austlii.edu.au/~graham

Register to save articles to
your library

Register

Paper statistics

Downloads
56
Abstract Views
496
rank
366,560
PlumX Metrics