Author: Vittal Balasubrahmanyam
The General Data Protection Regulation (GDPR)[1] came into effect on the 25th of May 2018. The provisions of the regulation are uniform throughout all the 27 member states of the European union. The GDPR is applicable over any corporation that deals in the processing of personal data of the residents of the member nations of the EU and citizens of the EU regardless of where they are situated globally. As per the GDPR, personal data is any data or information that could directly or indirectly reveal the identity of an individual. As per the provisions of Article 5 of the GDPR, all entities that deal in data transmission are required to have organizational and technical barriers in place, in order to safeguard data collected from users[2] and to process the data collected in a‘lawful, fair and transparent manner’[3]. In cases where organizations are not in compliance with the GDPR, they are liable for a fine to the extent of 4% of the global turnover of the organization or EUR 20 million[4]. This paper would look to question and understand whether the measures adopted by the EU are violative of the General Agreement on Trade in Services (GATS)[5] and further dwell into questioning the validity of its’ overarching jurisdiction.
The EU through the GDPR, appears to be in clear violation of Article II of the GATS[6][7], which talks about the principle of Most-Favored Nation (MFN). The EU clearly accords favour to; (a) Countries that fall within the EEA; (b) other cherry-picked nations that the EU deems to have acceptable standards of Data Protection Laws[8]. The EU may contest that they have the right to regulate upon matters that concern “privacy” based upon the general exceptions mentioned under Article XIV (c) of the GATS[9][10]. However, it would be interesting to consider the possibility of the EU’s claims failing the two-tiered chapeau test[11]. In my opinion, it would be likely for the EU to pass the test, considering the fact that they have been very careful while granting permission to countries to transfer personal data[12][13]. There does not, as of date, seem to be any evidence that points towards the arbitrary discrimination against like countries[14]. Therefore, the EU does not as yet seem to be in violation of the WTO regulations for the enforcement of the GDPR.
The GDPR however, does have some other issues which I find extremely problematic, the primary one being the fact that the GDPR is in essence filled with measures that are extra-territorial in nature. The WTO is yet to come to a consensus when it comes to regards with measures taken by governments that are extra-territorial in nature. There have been various instances where this has been an issue in the international community, with specific regard to the GDPR, the Telegram case[15] which was recently decided by a New York federal court judge[16] shows that there is clear disparity in the implementation of the GDPR in jurisdictions other than the EU[17].
While the EU may not be in violation of the provisions of the WTO through their implementation of the GDPR, they should really consider revamping the laws to help deal with the lacunas present in current WTO regulations.
[1] EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ 2016 L 119/1.
[2] WTO (2018), World Trade Report 2018: The future of world trade: How Digital Technologies are Transforming Global Commerce, WTO, Geneva, <https://doi.org/10.30875/f309483f-en>
[3] Supra n 1
[4] Ibid
[5] GATS: General Agreement on Trade in Services, Apr. 15, 1994, Marrakesh Agreement Establishing the World Trade Organization, Annex 1B, 1869 U.N.T.S. 183, 33 I.L.M. 1167 (1994)
[6] Ibid
[7] Article II(1) of the GATS states, “With respect to any measure covered by this Agreement, each Member shall accord immediately and unconditionally to services and service suppliers of any other Member treatment no less favourable than that it accords to like services and service suppliers of any other country.”
[8] The EU restricts the flow of personal data outside of the European Economic Area (EEA), with certain exceptions wherein the Data Protection Directive determining the adequacy of the Data Protection Laws of a nation is one of them.
[9] Supra n 5
[10] Article XIV (c) of the GATS states, “necessary to secure compliance with laws or regulations which are not inconsistent with the provisions of this Agreement including those relating to: (i) the prevention of deceptive and fraudulent practices or to deal with the effects of a default on services contracts; (ii) the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts; (iii) safety;”
[11]To pass the chapeau test, a measure must; not objectively be arbitrary or discriminatory towards countries “where like conditions prevail”; the measure taken must also not be a disguised attempt at restriction of trade in services.
[12] A total of 12 nations have been deemed as “Third countries” that have adequate levels of protection to engage in transfer of personal data.
[13] Third Countries | General Data Protection Regulation (GDPR), “Third Countries | General Data Protection Regulation (GDPR)”. 2020. General Data Protection Regulation (GDPR). <https://gdpr-info.eu/issues/third-countries/>
[14] Testing GDPR’s WTO readiness | TradeLinks | Linklaters, “Testing GDPR’s WTO Readiness | Tradelinks |Linklaters”. 2020. Linklaters.Com. <https://www.linklaters.com/en/insights/blogs/tradelinks/testing-the-gdprs-wto-readiness>
[15] SEC v. Telegram Group Inc. et al., No. 19 Civ. 9439 (PKC)
[16] The court held that Telegram was required to disclose the data of its’ users so that the SEC can conduct its investigations to the fullest potential. Thus, essentially stating that the GDPR’s protection of personal data does not outweigh the US’s Discovery interests.
[17] GDPR vs US Discovery: US Court Makes Clear Non-US Entities Can’t Avoid Discovery | DigiLinks | Insights | Linklaters, “GDPR Vs US Discovery: US Court Makes Clear Non-US Entities Can’T Avoid Discovery| Digilinks | Insights | Linklaters”. 2020. Linklaters.com.
<https://www.linklaters.com/en/insights/blogs/digilinks/2020/january/gdpr-vs-us-discovery>
About The Law 