It’s well past time to update European Union trade policy for the digital age, as cross-border data flows are an inherent part of the increasingly global economy and international commerce. The European Commission took a step in the right direction with its recently outlined vision for global trade rules covering digital flows. However, the proposed rules create a massive loophole allowing countries to use privacy as a carte blanche justification to enact any and all barriers to data flows—a significant risk given the already expanding range of barriers to data flows around the world. The Commission should revise its proposal and use detailed, nuanced language to narrow its proposal so that it clearly prohibits unjustified barriers to data flows done in the name of “privacy.” Otherwise, the proposal will do more harm than good by putting in place a framework enabling digital trade autarky.
The proposal’s opening section prohibits two key digital trade barriers: policies that block cross-border data flows, such as data localization—where countries force companies to store data within a country’s borders—and rules that force firms to use local cloud computing facilities. China, Russia, Indonesia, Vietnam, and a growing number of other countries have used data localization policies to target a broad range of data—e-commerce, accounting, financial, telecommunication, health, and others. The rise of such data localization policies makes these rules essential if the EU wants to promote an open global digital economy and allow EU firms to engage in robust digital trade.
Yet, the draft proposal’s language banning policies that block cross-border data flows is rendered largely hollow by a follow-on section stating that any participating nation can enact whatever measures it “deems appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data.” Essentially, as long as a country states that data localization is for data privacy, it is valid within the EU trade policy framework, thus legitimizing the very policies the EU vision opposes.
"The bigger problem comes if the EC’s flawed approach becomes the basis for new global rules and norms around digital trade" - Nigel Cory, Information Technology and Innovation Foundation
The European Commission’s draft reflects a non-workable compromise between member states over privacy and data flows. On one side, France, Germany, and a few other nations favor barriers to data flows on privacy and other grounds and strict control over data flows. On the other side Spain, Sweden, Finland, Poland, and others recognize the critical role that the free flow of data plays in supporting digital trade and support stronger free trade measures. Perhaps France and Germany are forgetting that not only do foreign firms rely on German and French data, but French and German multinational firms rely on data collected in other nations. Allowing nations to invoke the “privacy card” to justify data protectionism would mean that French and German multinationals could very well be cut off from foreign digital trade. For example, Volkswagen might not be able to import data back into Germany on the performance of its cars in other nations.