As we approach the next round of negotiations between the EU and the US on the Transatlantic Trade and Investment Partnership (“TTIP”), which will take place in Arlington, Virginia from May 19 to May 23, 2014, the inclusion of provisions allowing free data flows between the parties in the final Agreement becomes, once again, the subject of a heated debate with respect to the suitability of such inclusion given the fundamental differences between the legal systems of the US and the EU. Below we identify some of these fundamental differences and suggest potential solutions that would allow data flows provisions to make it to the final Agreement.
I. Legal Culture and Government Structure
Differences between common and civil law systems determine the different approach with respect to personal data relevant legislation. Significantly, judicially-created U.S. law results in fewer statutory restrictions in the flow of data. In addition, the US federal organization of the state as compared to the semi federal non economically unified structure of the EU gives leeway to a sovereign-based approach and different legal and judicial interpretation of data flows, thus creating legal uncertainties and inconsistencies in the application of the law.
Similar differences in approach can also be observed with respect to international trade law, affecting further the substantive elements of the respective trade policies adopted. In particular, the United States have traditionally refused to accept certain mainstream provisions of international customary law and have insisted on maintaining an insistent objector’s position in the international legal order. This approach, together with the size of the US economy and the volume of international trade transactions in which the country is involved, makes a potential alignment with trade policies of the EU even more difficult. The courts of the latter have developed jurisprudence (see the Kadi I and II cases and the relevant Opinions of Advocate General Maduro) which supports the further integration of the EU in the international legal order – with those remaining separate though – and proves the Union’s commitment to the respect of all customary and treaty international law obligations.
II. Conceptual differences
U.S. law treats data as a sui generis commodity that can be freely traded. US legislation lowers the threshold of protection of all types of personal data to enhance their commercial nature and allow for its efficient processing by US corporations.
EU law traditionally treats data as part of a fundamental rights enlistment. Data protection is an inextricable part of the EU Digital’s agenda. Similar rationales which are shaped by the need to protect data privacy as a fundamental right of the individual appear in a number of recent legislative texts and proposals. The efforts of the EU to create a uniform data protection regime throughout the European Economic Area that would prompt multinational corporations to reconsider their entire business strategy in this part of the world have received international attention and have been heavily criticized by reputable scholars, attorneys and other legal professionals.
III. Potential violations of existing legislation
The inclusion of a data flows chapter in TTIP would necessarily entail potential breaches in EU data protection legislation, especially as this will be shaped after the adoption of the new Data Protection Regulation. Free and highly unregulated data flows between the two parties to the Agreement under a reciprocal arrangement that would not comply with EU standards but which would operate on an ad hoc commercially oriented exception to the uniform application of EU legislation would not be desirable.
In addition, compliance with EU legislation would be problematic especially with respect to jurisdictional issues. As TTIP is not envisaged to introduce a jurisdictional clause, parties would need to consider the procedural aspect of potential claims stemming from violations of their respective national legislations.
Another big question mark is the dispute resolution system to which violations of the provisions of a hypothetical TTIP chapter would be brought. It would be absurd to expect an investment arbitration proceeding to deal with data flows issues as the exposure of international commercial and investment tribunals to similar issues is extremely limited if not completely inexistent. In addition, it would need to be determined whether such disputes are overall arbitral; this debate only has its individual value.
IV. Bridging the gap: Existing Paradigms
A system that would allow data flows without violations of the existing legislation in the EU and the US could have as a starting point the existing data transfer arrangements between the EU and the US.
For example, exchange of personal data between the EU and the US for the purposes of law enforcement, including the prevention and combating of terrorism and other forms of serious crime, is governed by a number of agreements at EU level. These are the Mutual Legal Assistance Agreement, the Agreement on the use and transfer of Passenger Name Records (PNR), the Agreement on the processing and transfer of Financial Messaging Data for the purpose of the Terrorist Finance Tracking Program (TFTP) and the Agreement between Europol and the US. These Agreements respond to important security challenges and meet the common security interests of the EU and US, whilst providing a high level of protection of personal data.
Bridging regulatory regimes of different legal and institutional traditions is a difficult task. It becomes even more difficult when this needs to take place in the context of a trade agreement that should also per se focus on economic realities. However, the increasing importance of the digital economy, which has developed a potential to cover more industries and reshape modern economies while creating more inequalities in development between different parts of the world calls for extensive uniform data flows regimes.
Optimizing the potential of the EU economy cannot take place without abandoning certain aspects of stringent regulatory commitment to principles of moral value. At the same time, strengthening the US economy through increased exports and enhancing the presence of US high tech companies in Europe requires an actual understanding of the EU data protection framework and a deeper commitment to international law.