Abstract
The WTO is not well-known for being an institution that regulates the free flow of personal data across borders. The trade agreements under the auspices of the WTO either predate or coincide with the invention and early development of the internet. When the WTO was created in 1994, its members agreed to create rules for trade in services. Tim Wu observed that as a consequence, and almost by accident, “the WTO has put itself in an oversight position for most of the national laws and practices that regulate the Internet.” Wu (Chicago J Int Law 7(1), 264, 2006). Over a quarter century later, the internet has become indispensable for trade in services, facilitating not only communication and payment between parties involved in any transaction, but also as a platform for the transmission of the services themselves, and the driving technology for the creation of new services. The first section of this chapter shows how cross-border flows of personal data (on the internet) have become intertwined with the supply of many digital services (Sect. 4.1). The second section describes how the rules of the WTO on trade in services are relevant for the regulation of cross-border flows of personal data (Sect. 4.2). These multilateral trade rules can be used as proxies to distinguish between legitimate regulatory concerns and protectionism. Regarding the regulation of cross-border flows of personal data, these rules allow for the legal assessment of the line between data protection and data protectionism. The third section of this chapter analyzes whether the EU’s fundamental rights-based regulation of data transfers interferes with the rules of the WTO on trade in services (Sect. 4.3). The fourth section assesses whether the interferences that have been identified can be justified under the relevant exceptions to the rules of the WTO on trade in services (Sect. 4.4).
You have full access to this open access chapter, Download chapter PDF
The WTO is not well-known for being an institution that regulates the free flow of personal data across borders. The trade agreements under the auspices of the WTO either predate or coincide with the invention and early development of the internet. When the WTO was created in 1994, its members agreed to create rules for trade in services. Tim Wu observed that as a consequence, and almost by accident, “the WTO has put itself in an oversight position for most of the national laws and practices that regulate the Internet.” Wu (2006). Over a quarter century later, the internet has become indispensable for trade in services, facilitating not only communication and payment between parties involved in any transaction, but also as a platform for the transmission of the services themselves, and the driving technology for the creation of new services. The first section of this chapter shows how cross-border flows of personal data (on the internet) have become intertwined with the supply of many digital services (Sect. 4.1). The second section describes how the rules of the WTO on trade in services are relevant for the regulation of cross-border flows of personal data (Sect. 4.2). These multilateral trade rules can be used as proxies to distinguish between legitimate regulatory concerns and protectionism. Regarding the regulation of cross-border flows of personal data, these rules allow for the legal assessment of the line between data protection and data protectionism. The third section of this chapter analyzes whether the EU’s fundamental rights-based regulation of data transfers interferes with the rules of the WTO on trade in services (Sect. 4.3). The fourth section assesses whether the interferences that have been identified can be justified under the relevant exceptions to the rules of the WTO on trade in services (Sect. 4.4).
1 Data Flows and Trade in Digital Services
Internet connectivity is rising around the world. The flow of information across the internet’s electronic highways has replaced physical proximity for trade in services. Economists estimate that already 50% of the world’s traded services are digitized (Sect. 4.1.1). A consequence of this development are data localization policies. They require that data is locally stored, processed, and/or accessed. Governments offer a variety of arguments for data localization policies; from avoiding foreign surveillance and promoting users’ security and privacy to bolstering domestic law enforcement and securing domestic economic development. The common denominator of these policies is that they affect trade in digital services. In this regard, the EU’s fundamental rights-based regulation of data transfers may also have the effect of a data localization policy (Sect. 4.1.2). Many digital services rely on cross-border flows of personal data. Some services require systematic, structural, and continuous flows of personal data (Sect. 4.1.3), other services require only occasional flows of personal data (Sect. 4.1.4).
1.1 Trade in Digital Services
The internet is growing fast and has brought both disruption and innovation.Footnote 1 It has become indispensable for trade, facilitating not only communication and payment between parties involved in any transaction, but also acting as a platform for the transmission of goods and services, and the driving technological force for the creation of new products. This research focuses on digital services because they are usually associated with cross-border flows of personal data. For a long time, many services were considered to be non-tradable because it is in their nature that the provision coincides with the consumption and thus requires physical proximity and the interaction of the seller and the buyer.Footnote 2 When services were first considered as trade, it was usually the movements of individuals or organizations across borders that brought sellers and buyers into physical and temporal proximity. The internet has created new means of supply: electronic highways that allow sellers and buyers to remain apart while exchanging digital services.Footnote 3 The flow of information across the network bridge replaces physical proximity. Economists estimate that already 50% of the world’s traded services are digitized.Footnote 4 In short, the once non-tradable became hyper-tradable.Footnote 5
1.2 Data Localization
A consequence of the growth of the internet are data localization policies. There is no settled definition for data localization, but it is widely understood that such policies limit the free flow of data across borders.Footnote 6 Data localization policies take different forms. They may include rules preventing information from being sent outside a country, requirements to obtain prior consent of data subjects before information about them is transmitted across borders, obligations to store copies of information domestically, and even taxes on the export of data.Footnote 7 Governments offer a variety of arguments for data localization policies; from avoiding foreign surveillance and promoting users’ security and privacy, to bolstering domestic law enforcement and securing economic development. Martina Ferracane created a taxonomy for data localization policies based on restrictions on cross-border data flows:Footnote 8
-
A.
Strict restrictions on cross-border data flows:
-
I.
Local storage requirement
-
II.
Local storage and processing requirement
-
III.
Ban on data transfer (local storage, processing, and access requirement)
-
I.
-
B.
Conditional restrictions on cross-border data flows:
-
IV.
Conditional flow regime in which conditions apply to the recipient country
-
V.
Conditional flow regime in which conditions apply to the controller/processor
-
IV.
Ferracane distinguishes between strict restrictions on cross-border data flows and conditional restrictions on cross-border data flows:
-
Strict restrictions apply without conditions for the recipient country or the controller/processor. Local storage means that data cannot be transferred unless a copy of the data is stored domestically. As long as a copy is saved in the territory of the country where it is produced, data storage and processing can also take place outside the country and companies can operate as usual. A local storage and processing requirement requires companies to use data centers located in the country for the main processing of the data. Companies must either build data centers or switch to local providers for data processing solutions (or leave the market altogether). A ban on data transfers also requires companies to access the data only locally.
-
Conditional data flow regimes apply conditions to the recipient country and/or to the data controller or data processor (see Fig. 4.1). The cross-border flow of personal data is prohibited unless these conditions are fulfilled. If the conditions are not satisfied, then such a data flow regime constitutes a ban on data transfers (i.e. a requirement for local storage, processing, and access).
The regulation of data transfers in the EU constitutes a conditional data flow regime. It entails legal mechanisms for the transfer of personal data with conditions that apply to the recipient country (adequacy decisions according to Article 45 GDPR), legal mechanisms with conditions that apply to the data exporter and data importer in which conditions for the recipient country also play a role (instruments providing appropriate safeguards according to Article 46 GDPR), and legal mechanisms with conditions that apply only to the data exporter (derogations for specific situations according to Article 49 GDPR). Should the respective conditions not be fulfilled, the transfer of personal data is prohibited.Footnote 9
The regulation of data transfers in the EU has the effect of a data localization policy.Footnote 10 Exporters of personal data may be subject to data localization in the EU if they require systematic, structural, and continuous transfers of personal data for the supply of their services and the recipient country lacks an adequacy decision or the data exporter cannot ensure a level of protection that is essentially equivalent to that guaranteed within the EU for the respective data transfers with the instruments providing appropriate safeguards. In addition, data exporter may be subject to data localization in the EU if they require occasional transfers of personal data for the supply of their services and the data transfers are not necessary for the performance of a contract and data subjects do not consent to the respective transfers of personal data.
1.3 Services with Systematic Flows of Personal Data
Personal data is increasingly intertwined with trade in digital services. Personal data can be an input factor to customize or make a service better, but it can also be a factor of production because some services are impossible to provide without it. In addition, personal data can be a form of payment for the delivery of services in so far as companies monetize the free delivery of their services by using consumers’ personal data to better target advertising. Finally, personal data can also be a service itself because it contains valuable information that is sold to companies for different purposes.Footnote 11 Digital services therefore often require cross-border flows of personal data. Research on the interface of personal data and international trade law so far has not distinguished between different types of services.Footnote 12 These distinctions are necessary for a detailed analysis of international trade law.Footnote 13 The most important distinction that has to be made is between services that require systematic, structural, and continuous cross-border flows of personal data and those that do not. The following list entails examples for services that require systematic, structural, and continuous cross-border flows of personal data: cloud computing services (Sect. 4.1.3.1), search engine services (Sect. 4.1.3.2), social network services (Sect. 4.1.3.3), internet of things services (Sect. 4.1.3.4), and sharing economy platform services (Sect. 4.1.3.5).
1.3.1 Cloud Computing Services
Cloud computing is a term used to refer to the delivery of computing services over the internet. It allows for tapping into data and software from the internet, rather than accessing it offline via a personal device or a local server.Footnote 14 Cloud computing has a hybrid nature as a service. It can be a service itself and, at the same time, it enables many other digital services. Three forms of cloud computing must be distinguished:
-
Software as a service (SaaS): The cloud provider offers software applications on its computing infrastructure and the consumer uses the provider’s application on various client devices.
-
Platform as a service (PaaS): The cloud provider offers tools and programming languages on its computing infrastructure and the consumer-producers can create or acquire applications with them.
-
Infrastructure as a service (IaaS): The cloud provider only offers the computing infrastructure and the consumer can rent it for processing, storage, and other computing activities.
Cloud computing services may involve cross-border flows of personal data when servers are (also) located outside of the EU.
1.3.2 Search Engine Services
Search engines crawl the internet and index the results for search queries.Footnote 15 Consumers get access to databases containing a plethora of websites and the information contained therein. Search engines are usually cloud-based. Alphabet is a well-known example of a company that operates a search engine (Google) and exports large amounts of personal data from individuals using their search engine in the EU to the US. However, this cross-border flow of personal data is not directly linked to the supply of search engine services. In the ECJ case Google Spain and Google, the referring Audiencia Nacional (Spanish National High Court) established that Google does not merely give access with its search engine to content hosted on the indexed websites, but takes advantage of the users’ search activity and includes, in return for payment, advertising associated with the users’ search terms.Footnote 16 Alphabet has recourse to its subsidiaries in EU member states, such as Google Spain, for promoting the sale of its advertising space. Even though the ECJ held that Alphabet’s “advertising activity […] is separate from its search engine service,” the Court also found that the activities “are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed.”Footnote 17 Accordingly, search engines do not necessarily require cross-border flows of personal data for the supply search engine services, but for the corresponding targeted advertising services.
1.3.3 Social Network Services
Social networks are online platforms encompassing digital relationships between individuals, groups, organizations, or even entire societies. The structure of a social network is determined by interactions between persons or entities. Users share values and beliefs among the community and form social links with other users of the network.Footnote 18 Facebook is a well-known example of a company that operates a social network and exports a large amount of personal data of users residing in the EU to its parent company Meta in the US.Footnote 19 Although the cross-border flows of personal data are also used for targeted advertising services, social networks still require those data flows for the supply of their main services. Social networks use the information that users upload to connect them with other users of the network.
1.3.4 Internet of Things Services
The term “internet of things” (IoT) refers to the interconnection of computing devices embedded in everyday objects, enabling them to send and receive data. The IoT allows companies to create large sets of data generated by sensors on the respective objects, analyze it, train algorithms with it, and find patterns that can be used either in the supply of services or in the creation of new services. Companies using IoT sensor data often store and process the collected data in servers located outside of the EU.Footnote 20 Two examples can illustrate how IoT services require cross-border flows of personal data:
-
The first example of IoT services relates to vehicles. Vehicles such as automobiles are increasingly connected to the internet and transmit information to the manufacturer and other service providers. This information may include client data, the vehicle serial number or any other unique identifier of the vehicle such as the license plate number, geolocation data, technical data relating to the state of the vehicle and its parts, the driver’s biometric data and data relating to the use of the vehicle by the driver or the occupants.Footnote 21 This information includes personal data and allows the manufacturer and other service providers to supply specific services across borders such as maintenance services or services relating to improvements of the driving experience. These services may involve cross-border flows of personal data.
The second example of IoT services relates to fridges. Smart fridges take care of food management by assessing the contents of the refrigerator with the help of sensors. They can track food preferences as well as search and even order groceries from online stores. Various traits of the smart fridge owners’ eating behaviors can be inferred based on the collected data. Smart fridges also use client data and credit card information. This information includes personal data and allows the manufacturer or other service providers to supply specific services across borders such as restocking services. Those services may involve cross-border flows of personal data.
1.3.5 Sharing Economy Platform Services
The term “sharing economy” refers to a “peer-to-peer-based activity of obtaining, giving, or sharing access to goods and services, coordinated through community-based online services.”Footnote 22 Companies usually provide a web-based or mobile application, which suppliers and customers use to buy and sell goods or services. These companies offer a platform service. In offering that platform, the companies themselves also supply a service. Two examples can illustrate how sharing economy platform services require cross-border flows of personal data:
-
The first example relates to lodging. Companies provide a platform for arranging lodging, primarily homestays, or tourism experiences. The companies do not own any of the real estate listings, nor do they host events, they only act as a broker, receiving commission from each booking over their platform. Airbnb is a well-known example of such a company. The application coordinating the bookings involves cross-border flows of personal data.
The second example relates to passenger transportation. Companies provide a platform for arranging ride-hailing or transportation services. Again, the companies do not own any of the cars used for the services nor do they usually employ the drivers of the cars. The companies only act as a broker, receiving commission from each booking over their platform. Uber is a well-known example of such a company. The application coordinating the bookings involves cross-border flows of personal data.
1.4 Services with Occasional Flows of Personal Data
Not all digital services require systematic, structural, and continuous cross-border flows of personal data for their performance. The following list entails examples of services that only require occasional cross-border flows of personal data: travel agency services (Sect. 4.1.4.1), digital medical services (Sect. 4.1.4.2), and legal services (Sect. 4.1.4.3).
1.4.1 Travel Agency Services
Travel agencies organize voyages, holidays, and other international activities for their clients. They often must transfer personal data of their clients in their communication with hotels or other commercial partners for the organization of their clients’ stay abroad. These cross-border flows of personal data are occasional and tailored to the specific wishes of the clients.Footnote 23
1.4.2 Digital Medical Services
Digital medical services supplied across borders include e-health applications for online diagnosis and medical transcription.Footnote 24 The handling of personal data concerning the health of an individual is subject to the strict rules on processing of special categories of personal data in Article 9 GDPR. Where data is aggregated for the supply of digital medical services, it is possible to anonymize the personal data of an individual or a number of individuals.Footnote 25 This is difficult for personalized services. In that case, there will be occasional flows of personal data that are tailored to the specific wishes or needs of the patient.Footnote 26
1.4.3 Legal Services
The legal industry is an industry founded upon the exchange of information. Lawyers often face transactions involving multiple countries and are required to provide services and advice in more than one jurisdiction. Legal services supplied across borders include document review, due diligence in large-scale litigation or corporate transactions, basic contract drafting, and legal research.Footnote 27 The information necessary for the supply of digital legal services may involve personal data.Footnote 28 The supply of digital legal services is on demand and personalized to individuals, and thus cross-border flows of personal data are usually only occasional.
1.5 Summary
The EU’s fundamental rights-based regulation of data transfers is a conditional data flow regime that has the effect of a data localization policy. Different digital services require different types of cross-border flows of personal data. Data exporters may be subject to data localization in the EU if they require systematic, structural, and continuous flows of personal data across borders for the supply of their services and the destination country lacks an adequacy decision or a data exporter cannot ensure a level of protection that is essentially equivalent to that guaranteed within the EU. Data exporters may also be subject to data localization in the EU if they require occasional flows of personal data across borders for the supply of their digital services and the transfer of personal data is not necessary for the performance of a contract and the data subject does not consent to the transfer of personal data.
2 Data Flows and the Law on Trade in Services
Multilateral trade rules can be used as proxies to distinguish legitimate regulatory concerns and protectionism. The rules for trade in services in WTO law are codified in the GATS (Sect. 4.2.1). In addition, the GATS Annex on Telecommunications specifically requires WTO members to grant access to their internet network. The use of foreign internet networks is quintessential for cross-border flows of personal data (Sect. 4.2.2). When the GATS was drafted, many digital services that now rely on the free flow of personal data were not yet invented. Nevertheless, I show that most digital services are covered by the commitments in the schedules of WTO members (Sect. 4.2.3). Current negotiations at the WTO also turn to personal data as an important asset for the global economy. The conclusion of the e-commerce negotiations might see the inclusion of a provision on the free flow of personal data across borders in WTO law (Sect. 4.2.4).
2.1 General Agreement on Trade in Services
The GATS aims at protecting the equality of competitive opportunities for companies in domestic markets, irrespective of their origin or the origin of their services, all while recognizing the right of WTO members to regulate in order to meet domestic public policy objectives. The GATS applies to measures that affect trade in services (Sect. 4.2.1.1). It entails general obligations for WTO members (Sect. 4.2.1.2) and obligations subject to the specific commitments in their schedules (Sect. 4.2.1.3). Different exceptions can justify GATS-inconsistent measures (Sect. 4.2.1.4).
2.1.1 Scope
The GATS does not offer a definition of services (Sect. 4.2.1.1.1). It rather encompasses four modes by which services can be traded (Sect. 4.2.1.1.2). The liberalization of trade in services follows a positive list approach. A WTO member is required to open its markets to foreign services and service suppliers when it commits to do so in its schedule of specific commitments (Sect. 4.2.1.1.3). The rules in the GATS apply when measures of WTO members affect trade in services (Sect. 4.2.1.1.4).
2.1.1.1 Services
The GATS does not offer a definition of services.Footnote 29 Article I:3(b) GATS describes services as “any services in any sector except supplied in the exercise of governmental authority.” In the context of the GATS, services need to be classified along different sectors. The GATT Secretariat provided a list of classifications to the negotiating parties in 1991.Footnote 30 The Service Sectoral Classification List (W/120) consists of 11 broad service sectors and a residual category “Other Services Not Included Elsewhere.” The W/120 is intended to be comprehensive.Footnote 31 It is further divided into over 150 subsectors. Each sector and various subsectors also include a residual category “Other Services.” The subsectors are normally annotated with the relevant numbers of the 1991 Provisional Central Product Classification (CPCprov), which was prepared by the UN for the purpose of trade statistics.Footnote 32 The CPCprov numbers in the W/120 classification also point to the corresponding explanatory notes in the CPCprov that describe what is covered by the listed services. Although the W/120 is not a mandatory classification system, almost all WTO members follow the structure of the W/120 for the classification of services when scheduling their commitments under the GATS.
2.1.1.2 Supply of Services
The supply of services is defined in Article XXVIII(b) GATS and includes the production, distribution, marketing, sale, and delivery of a service. The GATS encompasses four modes by which services can be supplied:
-
Mode 1, cross-border supply: The service provider is domiciled in its own country and delivers the services to a customer domiciled in another WTO member (Article I:2(a) GATS).
-
Mode 2, consumption abroad: The service is used by a customer in the country of origin of the service supplier, but the customer using the service comes from a different WTO member (Article I:2(b) GATS).
-
Mode 3, commercial presence: The service provider establishes a domicile within the territory of another WTO member, and the service is delivered by this commercial presence to a customer within the same territory (Article I:2(c) GATS).
-
Mode 4, presence of natural persons: The service provider is present with natural persons within the territory of another WTO member and the service is delivered by the natural persons to a customer within the same territory (Article I:2(d) GATS).
The four modes are not only of definitional value for trade in services, they are also used as a pattern to schedule the specific commitments of WTO members.Footnote 33
2.1.1.3 Schedules
The GATS regulates trade in services with a positive list approach.Footnote 34 A WTO member is only bound to open its markets to foreign services and service suppliers when it commits to do so in its schedule of specific commitments. Article XX:1 GATS requires each WTO member to submit such a schedule that specifies:
-
(a)
the terms, limitations, and conditions on market access;
-
(b)
conditions and qualifications on national treatment;
-
(c)
undertakings relating to additional commitments;
-
(d)
where appropriate the time-frame for implementation of such commitments; and
-
(e)
the day of entry into force of such commitments.
Most WTO members base their schedule on the Service Sectoral Classification List (W/120) provided by the GATT Secretariat. In practice, the schedules of WTO members represent a codification of the conditions in their market upon which a foreign service provider can rely and which can be enforced in WTO dispute settlement. A WTO member can modify or withdraw a commitment only according to the rules in Article XXI GATS, usually by making concessions in the form of compensatory adjustments in other areas.Footnote 35 The schedules of specific commitments of the WTO members are appended to the GATS and form an integral part of the Agreement according to Article XX:3 GATS. They are legally binding and subject to WTO dispute settlement as explicitly stated in Article XXIII:1 GATS.
2.1.1.4 Measures Affecting Trade in Services
The GATS applies to measures affecting trade in services according to Article I:1 GATS. The AB explained in Canada – Autos that the “determination of whether a measure is, in fact, covered by the GATS must be made before the consistency of that measure with any substantive obligation of the GATS can be assessed.”Footnote 36 The threshold examination involves two elements.Footnote 37 There must be trade in services and there must be a measure of a WTO member state that affects this trade in services. The AB concluded in EC – Bananas III that “the use of the term ‘affecting’ reflects the intent of the drafters to give a broad reach to the GATS.”Footnote 38 Importantly, for a measure to be considered to affect trade in services it is not necessary that the measure directly addresses such trade.Footnote 39 The panel underlined in EC – Bananas III that the “GATS encompasses any measure of a Member to the extent it affects the supply of a service regardless of whether such measure directly governs the supply of a service or whether it regulates other matters but nevertheless affects trade in services.”Footnote 40 Many services require cross-border flows of personal data.Footnote 41 Any restriction on such data flows would affect trade in those services. Even if the EU system for data transfers does not directly govern the supply of services, it falls within the scope of the GATS.
2.1.2 General Obligations
The GATS entails general obligations that apply to all measures affecting trade in services, irrespective of the specific commitments undertaken by WTO members in their schedules. Two general obligations in the GATS are especially important for cross-border flows of personal data: The most-favored nation (MFN) treatment obligation in Article II GATS (Sect. 4.2.1.2.1) and the domestic regulation obligation in Article VI GATS (Sect. 4.2.1.2.2).
2.1.2.1 MFN Treatment
The core general obligation of the GATS is the MFN treatment obligation in Article II GATS. It requires each WTO member to accord immediately and unconditionally to services and service suppliers of any other WTO member treatment no less favorable than that it accords to like services and service suppliers of any other country. The MFN treatment obligation prohibits discrimination between different foreign services and services suppliers. It captures both de jure and de facto discrimination.Footnote 42 The MFN treatment obligation applies to any measure affecting trade in services irrespective of whether specific commitments have been undertaken.Footnote 43 WTO members were allowed to list exemptions from the MFN treatment obligation in the Annex on Article II Exemptions until the date of entry into force of the WTO Agreement on 1 January 1995. Paragraph 6 Annex on Article II Exemptions states that, in principle, the exemptions should not exceed ten years.Footnote 44 The EU did not list any exemption from the MFN treatment obligation relating to cross-border flows of personal data, or data protection in general.Footnote 45
Article II:1 GATS identifies a mode for comparison and establishes that there shall be no discrimination against services and service suppliers of any WTO member compared to like services and services suppliers of any other country. The basis of comparison is the likeness of services and service suppliers. The AB clarified in Argentina – Financial Services that the phrase “like services and service suppliers” should be seen as “an integrated element for the likeness analysis.”Footnote 46 It serves to assess the competitive relationship of the services and service suppliers at issue.Footnote 47 The criteria traditionally employed as analytical tools for assessing likeness in the context of trade in goods may also be employed in assessing likeness in the context of trade in services, provided that they are adapted as appropriate to account for the specific characteristics of trade in services.Footnote 48 The four criteria are properties, nature, and quality of the products; the end-uses of the products; consumers’ tastes and habits or consumers’ perceptions and behavior in respect of the products; and the tariff classification of the products.Footnote 49 The AB implied in Argentina – Financial Services that a consideration of the nature and characteristics of a service transaction may be seen as an appropriate adaptation of the original criterion of properties.Footnote 50 Similarly, the AB stated with respect to the original criterion of tariff classification that the classification under the CPCprov will be relevant for trade in services.Footnote 51
It could be asserted that a high level of data protection influences the likeness analysis in so far as it affects the nature and characteristics of a service transaction as well as consumers’ perceptions and behavior in respect of a service and service supplier. Such an assertion stands on shaky ground. It would require a very specific example to prove that a high level of data protection can alter the very nature or important characteristics of a service transaction. For example, the level of data protection in a state does not affect the nature and the characteristics of search engine services. The search engine services might be more customized to an individual when supplied by a state with a low level of data protection. Nevertheless, the very nature or important characteristics of search engine services are not altered. Even consumers’ perceptions and behavior in respect to a service and service supplier are not different based on the level of data protection. Individual consumers clearly value data protection and privacy, but often act irrationally so that the result that their preferences do not manifest in their choices.Footnote 52 End-use and classification under the CPCprov are the same regardless of the level of data protection. A high level of data protection cannot (yet) be held to have distinctively altered the competitive relationship between services and service suppliers for the purposes of the GATS.Footnote 53
Article II:1 GATS requires treatment no less favorable between like services and service suppliers of any country. The concept of “treatment no less favorable” focuses on a measure’s modification of the conditions of competition.Footnote 54 This legal standard is met in cases in which a WTO member intrudes into the competitive relationship between service suppliers or services. It is not sufficient under Article II GATS to accord a WTO member similar treatment to that accorded to another country. By virtue of the MFN treatment obligation, the WTO member is rather to be given exactly the same treatment as the other country.Footnote 55 That treatment must be afforded immediately and unconditionally.
2.1.2.2 Domestic Regulation
A second important general obligation is the domestic regulation obligation in Article VI GATS. The preamble of the GATS entails two potentially antagonizing objectives.Footnote 56 First, the preamble expresses the wish to expand trade in services as a means of promoting the economic growth of all trading partners. Second, the preamble also recognizes the right of WTO members to regulate and introduce new regulations on the supply of services within their territories in order to meet national policy objectives. The panel in US – Gambling underlined that “regulatory sovereignty is an essential pillar of the progressive liberalization of trade in services, but this sovereignty ends whenever rights of other Members under the GATS are impaired.”Footnote 57 The panel also stressed that “Members maintain the sovereign right to regulate within the parameters of Article VI of the GATS.”Footnote 58
Four paragraphs of Article VI GATS relate to the application, administration, and review of regulatory measures and therefore provide procedural standards (Article VI:1-3 and 6 GATS). Two paragraphs relate to the content of regulatory measures and therefore provide substantive guidance (Article VI:4 and 5 GATS).Footnote 59 Article VI:1 and 2 GATS are particularly important for cross-border flows of personal data and the supply of services.Footnote 60
Article VI:1 GATS obligates WTO members to administer measures of general application affecting trade in services in sectors where specific commitments are undertaken in “a reasonable, objective, and impartial manner.”Footnote 61 A measure of general application covers a range of cases and situations and thus affects an unidentified number of economic operators.Footnote 62 The EU system for data transfers is a measure of general application.
There is little guidance as to what makes something “reasonable, objective and impartial.” Joel Trachtman has argued that Article VI:1 GATS might imply a proportionality requirement, meaning that the regulatory burden imposed on foreign services and service suppliers must not be disproportionate in relation to the policy objective pursued.Footnote 63 It seems that this would produce an overlap with the requirements for the application of general exceptions in Article XIV GATS.Footnote 64 Furthermore, the negotiation history of the GATS does not support this argument. The negotiators explicitly refused to impose a general necessity test on domestic regulation.Footnote 65
The ordinary meaning of the terms and previous panel reports on Article X:3(a) GATT—which is the equivalent provision for trade in goods—give indications regarding the applicable standards.Footnote 66 The administration of a measure is “reasonable” if it is in accordance with generally accepted standards of rationality and of sound judgment.Footnote 67 There must be a rational reason for the conduct in question.Footnote 68 For the administration of a measure to be “objective,” its application should not be arbitrary.Footnote 69 Lastly, the administration of a measure is “impartial” if the application of the relevant laws and regulations is fair, unbiased, and unprejudiced.Footnote 70 Giving special consideration or privileges to one party or commercial interest without giving the same consideration or privileges to other parties or commercial interests is not impartial.Footnote 71 Even though the three standards in Article VI:1 GATS are closely linked and serve similar functions, they are separate legal obligations.Footnote 72 All three must be satisfied if Article VI:1 GATS is not to be interfered with. However, to constitute an interference with Article VI:1 GATS, there must be “a significant impact on the overall administration of the law, and not simply on the outcome in the single case in question.”Footnote 73
Article VI:2(a) GATS requires WTO members to maintain practicable, judicial, arbitral or administrative tribunals or procedures that provide for the prompt review of administrative decisions affecting trade in services, and where justified, appropriate remediesFootnote 74 The requirement of providing review and appeal procedures leave considerable discretion to WTO members.Footnote 75 In cases in which the procedures are not independent from the institution entrusted with the relevant administrative decision, WTO members must at least ensure that the procedures are objective and impartial.Footnote 76 An appropriate remedy involves either the possibility of replacing an incorrect administrative decision, or the awarding of compensation for suffered economic loss of the service supplier.Footnote 77
2.1.3 Obligations Subject to Specific Commitments
The GATS also entails obligations subject to the specific commitments undertaken by WTO members in their schedules. Two obligations are important for cross-border flows of personal data: The market access obligation in Article XVI GATS (Sect. 4.2.1.3.1) and the national treatment obligation in Article XVII GATS (Sect. 4.2.1.3.2).Footnote 78
2.1.3.1 Market Access
The market access obligation in Article XVI GATS requires WTO members to accord services and service suppliers of other WTO members treatment no less favorable than that provided for under the terms, limitations, and conditions agreed and specified in their schedules.Footnote 79 Market access is not a general concept under GATS.Footnote 80 The obligation to grant market access cannot be equated with common terms (such as entry or admission) that imply the general ability to perform business activities in a given market. Article XVI:2 GATS provides a list with a well-defined set of quantitative restrictions that may hamper the ability to supply a service and are thus forbidden.Footnote 81 The list with forbidden market access restrictions is exhaustive.Footnote 82 Other measures are not covered under Article XVI GATS.Footnote 83 Importantly, the list does not relate to the quality of the supplied service.Footnote 84
In US – Gambling, the WTO adjudicative bodies dealt with the question of whether a complete ban on the cross-border supply of a service should be regarded as a market access limitation falling within the ambit of Article XVI:2(a) and (c) GATS. According to the two provisions, WTO members may not maintain or adopt:
-
(a) limitations on the number of service suppliers whether in the form of numerical quotas, monopolies, exclusive service suppliers or the requirements of an economic needs test.
-
(c) limitations on the total number of service operations or on the total quantity of service output expressed in terms of designated numerical units in the form of quotas or the requirement of an economic needs test.
The AB stated “that the thrust of sub-paragraph (a) is not on the form of limitations, but on their numerical, or quantitative, nature.”Footnote 85 Consequently, the AB found that a measure that totally prohibits the supply of certain services effectively limits to zero the number of service suppliers. The AB explained that such a prohibition results in a zero quota and hence constitutes a market access limitation that takes the form of a numerical quota, as zero is quantitative in nature, and, thus, numerical.Footnote 86
With regard to subparagraph (c), the panel defined service output as the result of the production of the service.Footnote 87 The panel found, and the AB confirmed, that the measure in question “imposes a ‘limitation on the total number of service operations... expressed... in the form of quotas’ contrary to Article XVI:2(c) of the GATS.”Footnote 88
The underlying rationale of this jurisprudence is that WTO members should not be allowed to circumvent their market access commitments by prohibiting the entry into their markets of services and service suppliers either overall and directly, or indirectly with regard to essential characteristics of a service (e.g. the electronic supply).Footnote 89 Article XVI GATS has a wide scope in order to guarantee the access to the market as committed by WTO members in their schedules. The market access obligations cover regulatory measures that make it factually impossible to supply a service.
2.1.3.2 National Treatment
The national treatment obligation in Article XVII GATS requires WTO members to accord to services and service suppliers of other WTO members treatment no less favorable than that it accords to its own like services and service suppliers in respect of all measures affecting the supply of services.Footnote 90 The national treatment obligation also uses the concept of “likeness” and establishes that there shall be no negative discrimination against foreign services and service suppliers compared to like services and services suppliers located in the EU.
Formally identical and formally different treatment can amount to less favorable treatment according to Article XVII:2 GATS. The national treatment obligation captures both de jure and de facto discrimination.Footnote 91 It prohibits measures which openly link a difference in treatment to the origin of a service or service supplier. It also prohibits measures that do not distinguish between services and service suppliers on the basis of their origin but with respect to a neutral criterion that still modifies the conditions of competition in favor of domestic services and service suppliers. The decisive aspect of less favorable treatment is the modification of the competition to the detriment of foreign services or service suppliers according to Article XVII:3 GATS.Footnote 92
The interpretative Footnote 10 to Article XVII GATS stresses that specific commitments assumed under the national treatment obligation should not be construed to require any WTO member to compensate for any inherent competitive disadvantages, which result from the foreign character of the relevant services or service suppliers.Footnote 93 An inherent disadvantage due to the foreign nature of a service or service supplier must be distinguished from a disadvantage caused by de facto discrimination.Footnote 94
2.1.4 Exceptions
The GATS entails different exceptions to justify interferences with the obligations under GATS. Article V GATS allows exceptions from the MFN treatment obligation for economic integration (Sect. 4.2.1.4.1); Article XIV GATS provides general exceptions for public policy objectives that apply to all provisions and existing commitments under the GATS (Sect. 4.2.1.4.2); and Article XIV bis GATS foresees the security exceptions that are also applicable to all provisions and existing commitments under the GATS (Sect. 4.2.1.4.3).
2.1.4.1 Economic Integration
The economic integration exception in Article V GATS allows WTO members to deviate from the MFN treatment obligation as a consequence of having entered into an economic integration agreement liberalizing trade in services.Footnote 95 It is in the very nature of economic integration agreements to accord preferential treatment to the contracting parties.Footnote 96 As a deviation from the MFN treatment obligation, economic integration agreements have to comply with the following three conditions in Article V GATS:
-
Article V:1(a) GATS requires that an economic integration agreement liberalizing trade in services must have substantial sectoral coverage.Footnote 97 The interpretative Footnote 1 to Article V GATS explains that this condition is understood in terms of number of sectors, volume of trade affected, and modes of supply. It clarifies that the condition entails both qualitative and quantitative requirements.Footnote 98 With regard to the economic integration exception in the GATT, the AB held that substantially all the trade (the wording used in Article XXIV:8(b) GATT) “is not the same as all the trade,” and that it is “something considerably more than merely some of the trade.”Footnote 99 The same reasoning also applies to trade in services. Article V GATS does not require all sectors to be covered but rather that an economic integration agreement excludes no more than a very limited number of sectors.Footnote 100 The panel in Canada – Autos noted that “the purpose of Article V is to allow for ambitious liberalization to take place at a regional level, while at the same time guarding against undermining the MFN obligation by engaging in minor preferential arrangements.”Footnote 101
-
Article V:1(b) GATS requires the elimination of substantially all discrimination in the sectors covered, by granting national treatment to the contracting parties.Footnote 102 Economic integration agreements liberalizing trade in services need to bring about a level playing field between domestic and foreign services and service suppliers on the markets of the contracting parties.
Article V:4 GATS prohibits so-called fortress integration.Footnote 103 Economic integration agreements liberalizing trade in services should be designed to facilitate trade between the contracting parties and not raise the overall level of barriers to trade in services for other WTO members compared to the level prior to the conclusion of the agreement.Footnote 104
2.1.4.2 General Exceptions
The preamble of the GATS not only expresses the intention to expand trade in services as a means of promoting the economic growth of all trading partners, but also the right of WTO members to regulate in order to meet national policy objectives. This right is guaranteed with the general exceptions of Article XIV GATS. The general exceptions require a two-tier analysis of a measure that interferes with a GATS obligation.Footnote 105 First, a measure must fall within the scope of the paragraphs of Article XIV GATS. Second, a measure must also satisfy the requirements of the chapeau of Article XIV GATS. The analysis under the paragraphs of Article XIV GATS focuses on the content of a measure whereas the analysis under the chapeau is directed toward the application of a measure.Footnote 106 The design of the general exceptions in Article XIV GATS is basically the same as the design of the general exceptions in Article XX GATT. This is why the adjudicative bodies of the WTO frequently refer to the interpretation of the general exceptions in Article XX GATT when they apply the general exceptions in Article XIV GATS.Footnote 107
2.1.4.2.1 Privacy Exception
The subparagraphs of Article XIV GATS entail a list of pre-defined public policy objectives. The most important one for restrictions on cross-border flows of personal data is the privacy exception in Article XIV(c)(ii) GATS:
nothing in this Agreement shall be construed to prevent the adoption or enforcement by any Member of measures necessary:
- (c)
to secure compliance with laws or regulations which are not inconsistent with the provisions of this Agreement including those relating to
- (ii)
the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.
The privacy exception in Article XIV(c)(ii) GATS requires that a GATS-inconsistent measure is necessary to secure compliance with GATS-consistent laws or regulations.Footnote 108 The reference to “secure compliance” means that the measures for which justification is sought must enforce the relevant laws and regulations.Footnote 109 The privacy exception also requires a necessity test. The AB explained in US – Gambling that necessity should be determined through a process of weighing and balancing a series of factors.Footnote 110 The AB characterized this process as a determination of whether a WTO-consistent alternative measure is available, which a WTO member could reasonably be expected to employ, or whether a less WTO-inconsistent measure is reasonably available.Footnote 111 The relevant considerations are the relative importance of the interest at issue, the contribution of the measure to the realization of the ends pursued by it, and the restrictive impact of the measure on international commerce.Footnote 112
The negotiation history of the privacy exception reveals a close relationship between the privacy exception and the EU’s fundamental rights-based regulation of data transfers. A former official of the European Commission told Abraham Newman in an interview that the EC went into the negotiations of the GATS with the goal of exempting rules for the protection of data privacy.Footnote 113 The records of the Group of Negotiations on Services (GNS) show that the EC stressed at a meeting from 5-9 June 1989 that domestic regulation of data privacy “might mean that personal data could not be transmitted across borders without guarantees of equivalent protection for that data in a foreign country.”Footnote 114 This was before the Commission proposed the first draft for Directive 95/46/EC on 13 September 1990.Footnote 115
The EC circulated its first draft framework proposal for the GATS in the beginning of June 1990.Footnote 116 This draft included an exception for the protection of personal data and individual privacy in Article XV(c).Footnote 117 At the first meeting of the sectoral ad hoc Working Group on Telecommunications Services from 5-6 June 1990, the EC stressed with regard to a possible annex for telecommunications services that “annex provisions might also need to be considered in regard to the protection of data transmitted over networks as well as the need to protect information of a personal and private nature.”Footnote 118 At the second meeting of this working group from 9-11 July 1990, the US stated that “[t]he issue of privacy was not specific to the telecommunications sector and should be addressed in the framework.”Footnote 119 At that point, the first draft of Directive 95/46/EC was still not published and the negotiation parties could not have been aware of its impact on trade.
Shortly after, the so-called July Text from 1990––essentially the first official draft of the GATS––was prepared and circulated.Footnote 120 It did not contain any reference to privacy or data protection. There were intense discussions at the following third meeting of the sectoral ad hoc Working Group on Telecommunications Services. The representative from Canada, supported by the US representative, “wondered whether there was truly a need for a privacy exception in either the framework or a telecommunications annex.”Footnote 121 The representative from Canada stated that
[w]hile the issue of privacy was becoming increasingly important, his delegation’s view was that the protection of personal information could be adequately covered through existing contractual arrangements between individuals and legal entities rather than through legislative solutions.Footnote 122
This was tricky for the EC as the contractual approach was not included in the first draft of Directive 95/46/EC (which was still not published at the time of these discussions). The representative of the EC recalled that the July Text foresaw the need for exceptions to protect public morals, order, safety, health, etc. “The need to specify the nature of such exceptions was to minimize the scope for disputes among parties. He saw no reason not to apply a similar logic with regard to privacy-related matters in a telecommunications annex.”Footnote 123 During the discussions, the US seemed to turn around and support the inclusion of a privacy exception into the framework text of the GATS as “[t]he issues of privacy and data/information protection were viewed in the United States as content issues which were not specific to the telecommunications sector only.” Nevertheless, the US insisted that the EC had to explain its reasons for a privacy exception:
The representative of the United States recalled that her country did not legislate prospectively and sought concrete examples from the EC delegation to better understand the problems it foresaw in the area of privacy protection. She emphasized that her delegation believed that the issue under discussion was one of private contractual relations between a customer and an information vendor. It was not apparent to her why an international agreement should enter into this area.Footnote 124
The representative from Canada also started to speculate and stated that “the EC seemed to want to capture the activities of private operators through their provisions on information-related matters.”Footnote 125 The EC successfully avoided this topic and did not mention its intention to legislate in the field of data protection and its plans for an adequacy-based system for cross-border flows of personal data. The discussions ended without a clear result and the chairman concluded that “[t]he outcome of the GNS discussions would be conditioning the group’s approach to privacy-related matters.”Footnote 126 However, the privacy exception was not on the agenda of the fourth meeting of the sectoral ad hoc Working Group on Telecommunications Services on 15-17 October 1990. In her complaint that the current text did not include many of the points considered important by her delegation, the representative from the US nevertheless mentioned again that “[m]atters related to privacy should be dealt with under the framework [of the GATS].”Footnote 127 She reiterated this position, even though the first draft of Directive 95/46/EC was published a month before. It seems that the US was not aware of its impact on trade.Footnote 128
The so-called Brussels Text from December 1990—the draft of the GATS for the Ministerial Conference in Brussels—was the first official draft that contained a reference to privacy.Footnote 129 The reference to privacy was not included in the draft framework of the GATS, but in Paragraph 15 of the draft Annex on Telecommunications. An important footnote was attached:
The privacy-related aspects of this sentence may need to be reviewed in light of the final text of the provisions of the Agreement related to protection of personal privacy.Footnote 130
The question of including a privacy exception in the framework text of the GATS was still open after the Ministerial Conference in Brussels in 1990. Only a year later, in the so-called Dunkel Draft of December 1991—named after Arthur Dunkel, the Director General of the GATT—it was decided that the privacy exception should be included into the framework text of the GATS.Footnote 131 In the absence of consensus on a particular provision, Dunkel requested the chairs of the negotiation groups to include their personal views regarding the negotiations of that provision when submitting their part to the Dunkel Draft.Footnote 132 In the case of services, it was in fact the view of two chairs, because, since April 1991, Ambassador Felipe Jaramillo from Colombia had been assisted in his tasks by Ambassador David Hawes form Australia, who became a sort of co-chair of the GNS, and succeeded Ambassador Jaramillo when he left Geneva.Footnote 133 It seems that the inclusion of the privacy exception into the framework of the GATS was dealt with as an issue without consensus and it was the two chairs who decided to integrate the privacy exception into the framework of the GATS.Footnote 134
Even though the GATS negotiations started before the first draft of Directive 95/46/EC was proposed, the European Commission realized that in order to safeguard the EC’s future data protection framework, it required a privacy exception in the framework of the GATS to justify potential infringements of the WTO rules on trade in services. The EC clearly intended to and were successful in pushing the privacy exception through the negotiations. The arrangement in the Dunkel Draft was adopted in the final text.Footnote 135
2.1.4.2.2 Chapeau
According to the two-tier analysis, GATS-inconsistent measures that are provisionally justified under one of the paragraphs of Article XIV GATS must also satisfy the chapeau of Article XIV GATS. The chapeau requires that measures are not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade in services.Footnote 136 WTO members must act in a consistent manner across comparable situations.Footnote 137 The jurisprudence of the WTO’s adjudicating bodies shows that the chapeau presents a stumbling block for the justification of measures with legitimate policy objectives. Out of all cases that reached the adjudicative stage of WTO dispute settlement, eight cases entailed a measure that was provisionally justified under a paragraph of the general exceptions in Article XX GATT or Article XIV GATS, but only in one case could the measure successfully pass analysis under the chapeau.Footnote 138
The AB has portrayed the chapeau as an expression of the principle of good faith.Footnote 139 Its function is to prevent the general exceptions from being abused.Footnote 140 The interpretation of the chapeau focuses on the equilibrium between the right of WTO members to invoke the general exceptions and the obligation not to misuse that right and thereby frustrate the rights of other WTO members under WTO law.Footnote 141 The first requirement for the application of a measure under the chapeau is due process. The AB stressed in US – Shrimp that rigorous compliance with the fundamental requirements of due process should be required in the application and administration of a measure which purports to be an exception to the treaty obligations of the Member imposing the measure and which effectively results in a suspension pro hac vice of the treaty rights of other Members.Footnote 142
The chapeau entails three written standards to assess a measure: arbitrary discrimination, unjustifiable discrimination, and disguised restriction on trade. The AB has chosen a conceptual and holistic approach to interpret the chapeau without emphasizing the individual meaning of the three standards because they involve overlapping concepts that are not easy to separate.Footnote 143 In general, the WTO adjudicating bodies do not distinguish between the standards of arbitrary and unjustifiable discrimination.Footnote 144
The words arbitrary and unjustifiable qualify the word discrimination. A certain degree of discrimination is allowed under the chapeau.Footnote 145 In order to determine arbitrary or unjustifiable discrimination, the adjudicating bodies often use a proxy:
[W]hether a measure was applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination depends on if the measure has been applied reasonably.Footnote 146
The fact that discrimination could have been reasonably avoided with another application of a measure renders the measure arbitrary and unjustifiable.Footnote 147 It is also important that the discrimination can be reconciled with, or is rationally related to, the policy objective under which the measure has been provisionally justified.Footnote 148
With regard to disguised restrictions on international trade, the scope of the standard remains rather unclear.Footnote 149 GATT panels seem mainly concerned with transparency.Footnote 150 The AB has underlined that “concealed or unannounced restriction or discrimination in international trade does not exhaust the meaning of disguised restriction.”Footnote 151 A measure need not be formally hidden in order to constitute a disguised restriction on international trade within the meaning of the chapeau.Footnote 152
The application of the general exceptions follows the standard patterns of WTO law. It is incumbent upon the responding party to prove that a measure is justified under Article XIV GATS. After a complaining party has established a prima facie case of inconsistency with a provision in the GATS, the burden of proof shifts to the responding party if the latter claims an affirmative defense.Footnote 153
2.1.4.3 Security Exceptions
The raison d’être of the security exceptions in Article XIV bis GATS is to preserve WTO members’ freedom of action in areas relating to national defense and security.Footnote 154 The security exceptions are the widest among the exceptions listed in the WTO texts and have only rarely been invoked by WTO members.Footnote 155 Recently, national security has been cited more often as a rationale to restrict digital trade.Footnote 156 The most important paragraph of the security exception for the EU system for data transfers can be found in Article XIV bis:(1)(b)(iii) GATS:
1. Nothing in this Agreement shall be construed:
- (b)
to prevent any Member from taking any action which it considers necessary for the protection of its essential security interests:
(iii) taken in time of war or other emergency in international relations;
The panel in Russia – Traffic in Transit provided some guidance regarding the application of the security exception in Article XXI GATT.Footnote 157 The design of the security exception in Article XIV bis GATS is basically the same as the design of the security exceptions in Article XXI GATT. This is why the interpretation of the security exception in Article XXI GATT serves as a guideline for the interpretation of Article XIV bis GATS.Footnote 158 The panel in Russia – Traffic in Transit clarified that the term “essential security interests” may generally be understood to refer to those interests relating to the quintessential functions of the state, namely, the protection of its territory and its population from external threats, and the maintenance of law and public order internally.Footnote 159 The final determination is left in the hands of WTO members and will depend on the particular situation and the perception of the state in question.Footnote 160 A WTO member only needs to consider that its essential security interests are endangered, which amounts to a subjective standard. That determination is nevertheless subject to good faith.Footnote 161
The panel also clarified that the subparagraphs in Article XIV bis:1(b) GATS operate as limitative qualifying clauses, implying that they limit the discretion granted to WTO members when invoking the security exceptions.Footnote 162 This prevents the security exceptions from becoming a catch-all provision for unverified unilateral determinations and a circumvention of the GATS.Footnote 163 For example, the term emergency in international relations is amenable to an objective determination.Footnote 164 The term is not firmly entrenched in international law and must be construed by the WTO adjudicative bodies.Footnote 165 The panel in Russia – Traffic in Transit pointed out that “political or economic differences between Members are not sufficient, of themselves, to constitute an emergency in international relations.”Footnote 166 It defined an emergency in international relations as a “situation of armed conflict, or of latent armed conflict, or of heightened tension or crisis, or of general instability engulfing or surrounding a state.”Footnote 167 This limits the application of the security exception to restrictions on cross-border flows of personal data to very specific circumstances.
2.2 Annex on Telecommunications
The telecommunications sector was one of the sectors that required additional rules to the GATS because it is essential for the supply of other services (Sect. 4.2.2.1). The GATS Annex on Telecommunications entails substantive obligations on access to and use of public telecommunications transport networks and services (Sect. 4.2.2.2). The internet can be qualified as a public telecommunications transport network (Sect. 4.2.2.3). In addition to the substantive obligations, the Annex on Telecommunications also foresees exceptions for the confidentiality of messages (Sect. 4.2.2.4).
2.2.1 Enabling Function
During the negotiations of the GATS, WTO members recognized that the telecommunications sector played an important role as the underlying means for other economic activities.Footnote 168 The GATS Annex on Telecommunications thus aimed to ensure that commitments of WTO members in sectors other than telecommunications were not frustrated through the lack of access to and use of foreign telecommunications services.Footnote 169 The Annex on Telecommunications only comes into effect once a WTO member has offered a specific commitment in a given sector.Footnote 170 Despite being an act on telecommunications, the Annex on Telecommunications mostly liberalized trade in non-telecommunications services whose effective performance require access to and use of communications networks and services in the destination country.Footnote 171 The Annex on Telecommunications is a general insurance policy for service suppliers to have access to telecommunications networks and services abroad.Footnote 172
2.2.2 Substantive Obligations
The main substantive obligation of the Annex on Telecommunications can be found in Paragraph 5. The Annex on Telecommunications requires in Paragraph 5(a) that WTO members grant access to and use of public telecommunications transport networks and services on reasonable and non-discriminatory terms and conditions for the supply of services included in their schedules.Footnote 173 The Annex on Telecommunications specifically requires in Paragraph 5(c) that other WTO members may use public telecommunications transport networks and services for the movement of information within and across borders, including for intra-corporate communications, and for access to information contained in data bases or otherwise stored in machine-readable form on the territory of any WTO member.Footnote 174
2.2.3 Coverage of the Internet
A “public telecommunications transport network” is defined in Paragraph 3(c) Annex on Telecommunications as “the public telecommunications infrastructure which permits telecommunications between and among defined network termination points.”Footnote 175 The exact scope of this obligation is not entirely clear, especially when it comes to the internet.
The GATS was drafted with a narrow idea of telecommunications in mind. Tim Wu explains that the drafters “had no idea that nearly every type of service under the GATS might eventually be offered over the TCP/IP protocol. In trade lingo, the framers thought of the Internet as a service sector, when, instead, it is usually a service mode.”Footnote 176 Cross-border flows of personal data on the internet are relevant for the supply of many services.Footnote 177 Access to and use of the internet in the territory of another WTO member is of the utmost importance for trade in services. The Council for Trade in Services noted regarding the application of the Annex on Telecommunications to the internet that
[t]he general view was that the Annex on Telecommunications applies to access to and use of the Internet network when it is defined in a Member’s regulatory system as a public telecommunications transport service and/or network in terms of that Annex.Footnote 178
This view is widely shared by scholars.Footnote 179 The aim of the Annex on Telecommunications was to prevent access to communication networks becoming a barrier to trade.Footnote 180 This is why the WTO adjudicative bodies applied the GATS to internet-based service transactions.Footnote 181 Article 2(2) Regulation (EU) 2015/2120 defines an “internet access service” as a “publicly available electronic communications service that provides access to the internet, and thereby connectivity to virtually all end points of the internet, irrespective of the network technology and terminal equipment used.”Footnote 182 The EU is therefore obligated to grant access to and use of the internet for the services it has scheduled in order for service suppliers to move information within the EU, for their cross-border data flows, including intra-corporate communications, and for access to information contained in data bases or otherwise stored in the EU.
The regulation of data transfers in the EU does not forbid access to and use of the internet for foreign service suppliers and services. Rather it regulates the cross-border flow of personal data from the EU to a third country. Even in cases in which the EU does not allow cross-border flows of personal data to a service supplier in the territory of a WTO member, this does not violate Paragraph 5(c) Annex on Telecommunications. The reason for the restriction on the cross-border flows of personal data is not a prohibition to access and use the internet for the movement of information within and across borders but related to the protection for personal data. The fact that the based regulation of data transfers in the EU also applies to the manual transportation of personal data to third countries underlines this.
Nevertheless, it must be acknowledged that Paragraph 5(c) Annex on Telecommunications has never been subject to dispute settlement and its exact scope is still unclear. During the negotiations, the US stated that “the cross-border movement of information was an intrinsic part of access to and use of the services of the public telecommunications transport network.”Footnote 183 The EC, in reaction, said that “the issue of data protection and privacy bore a strong link to that of the movement of information.”Footnote 184 There is a possibility that a restriction on cross-border flows of personal data could amount to a restriction on access to and use of a public telecommunications transport network because the movement of (personal) information is intrinsically linked with the access and use.
2.2.4 Confidentiality Exception
Paragraph 5(d) Annex on Telecommunications allows WTO members to take measures that are necessary to ensure the security and confidentiality of messages, notwithstanding the obligation to open public telecommunications transport networks and services for the movement of information within and across borders, including the intra-corporate communications of such service suppliers, and for access to information contained in data bases or otherwise stored in machine-readable form in their territory.Footnote 185 These measures may not be applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade in services.
Some scholars have argued that this exception covers privacy and data protection considerations.Footnote 186 The OED explains that confidential means “characterized by the communication of secrets or private matters.”Footnote 187 Nevertheless, context suggests that this exception does not cover privacy and data protection considerations. It must be observed from a systematic perspective that Paragraph 8 GATS Understanding on Commitments in Financial Services and the privacy exception in Article XIV(c)(ii) GATS distinguish the concepts of privacy and data protection from the concept of confidentiality by naming them separately. The negotiation history of the Annex on Telecommunications as supplementary means of interpretation according to Article 32 VCLT helps to clarify the interpretation of Paragraph 5(d). It was unclear during the GATS negotiations where a privacy exception should be inserted (if at all).Footnote 188 At the end, it was decided that the privacy-related aspects in the Annex on Telecommunications of the Brussels Text from December 1990 should be deleted and included in the framework text of the GATS in the Dunkel Draft from December 1991.Footnote 189 It seems to be clear from the preparatory work of the Annex on Telecommunications and the circumstances of the conclusion of the GATS that the concepts of privacy and data protection should not be part of Paragraph 5(d) Annex on Telecommunications.Footnote 190
Accordingly, the exception in Paragraph 5(d) Annex on Telecommunications must be construed narrowly and privacy as well as data protection considerations are only relevant where they overlap with considerations relating to the confidentiality of messages.
2.3 Treatment of Digital Services
Since the negotiation of the GATS coincided with the early development of the internet, the parties did not necessarily think of digital services when they drafted the GATS. This raises legal questions that are highly relevant for restrictions on cross-border flows of personal data, which affect trade in digital services: Are digital services part of the scope of the commitments in the schedule of WTO members (Sect. 4.2.3.1)? Which mode of supply covers the supply of digital services (Sect. 4.2.3.2)? How should digital services be classified in the Service Sectoral Classification List (W/120) (Sect. 4.2.3.3)? The classification of digital services is important for the commitments of WTO members in their respective schedules. A list with examples illustrates the classification of different digital services (Sect. 4.2.3.4).
2.3.1 Commitments
There was an early understanding among WTO members that the electronic supply of a service is covered by the commitments under GATS. The WTO Council for Trade in Services underlined in 1999 that
[t]he electronic delivery of services falls within the scope of the GATS, since the Agreement applies to all services regardless of the means by which they are delivered, and electronic delivery can take place under any of the four modes of supply. Measures affecting the electronic delivery of services are measures affecting trade in services and would therefore be covered by GATS obligations.Footnote 191
The Council for Trade in Services stressed that according to the technological neutrality of the GATS, the electronic supply of a service is covered by specific commitments unless the schedule of a WTO member states otherwise.Footnote 192 All GATS provisions would be applicable to the supply of services through electronic means.Footnote 193 The WTO adjudicative bodies followed this interpretation. They found in US – Gambling that by limiting the electronic supply of gambling services, the US failed to accord services and service suppliers in Antigua treatment no less favorable than that provided for under the terms, limitations, and conditions agreed and specified in the market access column of its schedule.Footnote 194 The modes of supply in the GATS cover the “supply [of] a service through all means of delivery, whether by mail, telephone, Internet etc., unless otherwise specified in a Member's Schedule.”Footnote 195 The panel added that this was “in line with the principle of ‘technological neutrality’, which seems to be largely shared among WTO Members” and also referred to the above mentioned report of the Council on Trade in Services.Footnote 196
In the subsequent case China – Audiovisual Products, the panel found that the electronic distribution of sound recordings was technically feasible and a commercial reality as early as 1998, and in any case before China’s accession to the WTO in December 2001.Footnote 197 It found, and the AB confirmed, that sound recording distribution services in China’s schedule of specific commitments extend to the distribution of sound recordings in non-physical form through technologies such as the internet.Footnote 198 The panel added that there was no need to invoke the principle of technological neutrality because it has already found that the core meaning of China’s commitment on these services includes the distribution of audio content on non-physical media.Footnote 199 The WTO adjudicative bodies confirmed that the GATS applies to digital services.
2.3.2 Mode of Supply
The supply of digital services could either fall within mode 1 (cross-border) or mode 2 (consumption abroad).Footnote 200 With regard to mode 1, it can be argued that a digital service is sent to a recipient in another country via the internet. The panel in Mexico – Telecoms confirmed that the cross-border supply of services can encompass services which begin on one country’s telecommunication network and terminate on another’s.Footnote 201 With regard to mode 2, it can be argued that the consumer abroad actually visits the website of a service provider in another country.Footnote 202 The distinction is of some interest as, generally, concessions under mode 2 are more liberal than under mode 1.Footnote 203
The panel in US – Gambling addressed the question with regard to digital gambling services. The panel first established that cross-border supply must be distinguished from remote supply.Footnote 204 It used the term “remote supply” to refer to “any situation where the supplier, whether domestic or foreign, and the consumer of gambling and betting services are not physically together.”Footnote 205 The logic behind the panel’s reasoning is that the GATS does not distinguish between remote or on-site supply but between four modes of supply out of which only mode 1 can be remote.Footnote 206 The panel therefore limited its analysis to mode 1. It clearly stated that “[t]his dispute concerns one of the four modes of supply under the GATS, that is, the so-called ‘cross-border supply’ of gambling and betting services.”Footnote 207 The AB followed this line of reasoning and only assessed mode 1 in its review of the dispute.Footnote 208 The WTO adjudicative bodies therefore confirmed that digital services are supplied through mode 1.Footnote 209
2.3.3 Classification
The Service Sectoral Classification List (W/120) has remained unchanged since 1991.Footnote 210 The W/120 is somewhat outdated when it comes to the classification of digital services. Nevertheless, it has proven to be flexible enough to cover most current digital services (Sect. 4.2.3.3.1). The allocation of a digital service to a service sector and subsector is an interpretative exercise of the WTO members’ schedules (Sect. 4.2.3.3.2). Three elements should be given due consideration when classifying digital services:Footnote 211 First, the ordinary meaning of the terms in a schedule of commitments might change with the development of technology (Sect. 4.2.3.3.3). Second, the classification is based upon the output of services (Sect. 4.2.3.3.4). Third, integrated or composite services should be classified as if they consisted of the service that gives them their essential character (Sect. 4.2.3.3.5). Finally, a functional approach is suggested for the classification of digital services (Sect. 4.2.3.3.6).
2.3.3.1 Coverage of the Service Sectoral Classification List
The GATS is molded by a comprehensive approach. It should be applicable in principle to any service in any sector as laid down in Article I:I(3)(b) GATS.Footnote 212 Given that the W/120 and the CPC are intended to be exhaustive, presumably any service should automatically fall under some category on the list.Footnote 213 The GATS liberalized trade in services with a positive list approach, in which WTO members actively commit to open their markets for a specific service sector or subsector. The result of this approach is that potentially not all current tradable services are encompassed. The question here is whether a WTO member could be assumed to have undertaken commitments on a service that was not foreseen at the time of submitting the commitments. New services might only be covered if they can be clearly identified under an existing sectoral classification that has been committed by a WTO member.Footnote 214
The concept of new services must be approached cautiously. There is no definition of new services in the GATS.Footnote 215 During discussions in the WTO Committee on Specific Commitments in 2014, it was underlined that in considering new services, WTO members should be mindful of the distinction between new means of delivery and genuinely new services.Footnote 216 Many WTO members shared the opinion that genuinely new services are rare, if they exist at all, and that the rest could be accommodated in the W/120.Footnote 217 The same opinion is also expressed by scholars. Ines Willemyns has argued that “very limited genuinely new services exist and that many allegedly new digital services can be classified within the W/120.”Footnote 218 The question is how an activity can be allocated to a service sector and subsector.
2.3.3.2 Interpretation of the Schedules
The W/120 is based on a taxonomy of distinct and mutually exclusive services. The sectors and subsectors in a WTO member’s schedule must be mutually exclusive. If that were not the case, and a WTO member scheduled the same service in two different sectors, then the scope of the commitment would not be clear if the WTO member made a full commitment in one of those sectors and a limited commitment in the other.Footnote 219 The allocation of digital services to a service sector and subsector is an interpretative exercise of WTO members’ schedules. The general rules of interpretation of public international law in Articles 31 and 32 VCLT apply.Footnote 220 First, the ordinary meaning of the relevant terms in a schedule must be determined based on the dictionary meaning.Footnote 221 The AB cautioned that panels should acknowledge when multiple interpretations are possible and not just focus solely on the preferred interpretation.Footnote 222 Second, the meaning of the terms can be informed by the relevant context, namely:
(i) the remainder of the [...] Schedule of specific commitments; (ii) the substantive provisions of the GATS; (iii) the provisions of covered agreements other than the GATS; and (iv) the GATS Schedules of other Members.Footnote 223
Context does not include the W/120 or the Scheduling Guidelines of 1993 because they do not constitute agreements between the parties.Footnote 224 The object and purpose of the GATS can offer further guidance for the interpretation.Footnote 225 Finally, Article 31 VCLT also refers to subsequent practice as a tool for interpretation.Footnote 226
Where the ordinary meaning of the terms, interpreted together with the context and relevant subsequent practice, leaves the meaning of the terms ambiguous, recourse should be made to the supplementary means of interpretation as provided in Article 32 VCLT.Footnote 227 The AB confirmed that both the W/120 and the Scheduling Guidelines of 1993 constitute supplementary means of interpretation.Footnote 228
2.3.3.3 Evolution of Technology
When classifying digital services it is important to take into consideration that the ordinary meaning of the terms in a schedule of commitments can change with the development of technology. Exactly how this works has been an issue in dispute settlement before:
In EC – IT Products, a dispute concerning the Information Technology Agreement (ITA) that entails concessions to provide zero tariffs for selected IT products, the panel was asked to elaborate to what extent the state of technology that existed at the time of the negotiations is relevant to determining the scope of the concessions. The panel stated that “it is neither desirable nor possible to answer such questions in the abstract and without reference to the terms of the concessions that are being interpreted.”Footnote 229 In responding to the EC’s argument that multifunctional monitors were new products that had not existed at the time of negotiations, the panel explained that the notion of multifunctional monitors was not unknown to the negotiators at the time. The panel continued to explain that even if the EC’s argument were accepted, it was of limited relevance to the question of whether the product in question was covered by the concessions, because “this must be determined by interpreting the terms of the concession in accordance with the Vienna Convention.”Footnote 230 The panel decided that the products in question were covered by the ITA on the basis of a strict textual interpretation.Footnote 231
In China – Publications and Audiovisual Products, the panel had to assess China’s argument that its commitment on sound recording distribution services should not be considered to cover the electronic distribution of sound recordings because the latter had emerged as an established business only after the negotiation of its schedule of commitments and its accession to the WTO.Footnote 232 The panel admitted that evidence on the technical feasibility or commercial reality of a service at the time of the commitments might constitute circumstances that are relevant to the interpretation of the commitment under Article 32 VCLT:
We consider therefore that any evidence that sound recordings delivered in non-physical form were not, unlike today, technically possible or commercially practiced at the time China’s Schedule was negotiated might, in principle, be relevant as a supplementary means of interpretation with respect to the scope of that commitment.Footnote 233
The panel assessed the technical feasibility and commercial practice with respect to the electronic distribution of sound recordings before and at the time of China's Protocol of Accession and found that it was technically feasible and a commercial reality before China’s accession to the WTO and therefore confirmed its finding under Article 31 VCLT.Footnote 234 The AB upheld the panel’s finding but added a nuance as to how schedules should be interpreted:
We further note that interpreting the terms of GATS specific commitments based on the notion that the ordinary meaning to be attributed to those terms can only be the meaning that they had at the time the Schedule was concluded would mean that very similar or identically worded commitments could be given different meanings, content, and coverage depending on the date of their adoption or the date of a Member's accession to the treaty.Footnote 235
Without explicitly referring to the state of technology, the AB argued that a historic interpretation “would undermine the predictability, security, and clarity of GATS specific commitments.”Footnote 236 Especially because GATS schedules, like the GATS itself and all WTO agreements, constitute multilateral treaties with continuing obligations entered into for an indefinite period of time—regardless of whether they were original WTO members or acceded after 1995.Footnote 237 The AB also argued that “the terms used in China’s GATS Schedule (‘sound recording’ and ‘distribution’) are sufficiently generic that what they apply to may change over time.”Footnote 238 The AB therefore indicated that the ordinary meaning of the terms of specific commitments could not be limited to the meaning that they had at the time the schedule had been concluded. They rather must be interpreted based on their contemporary meaning if the terms are sufficiently generic.Footnote 239
2.3.3.4 Service Output
Another element that should be given due consideration when classifying digital services is that the classification of services in the W/120 and the CPC is based on the service output provided by service suppliers.Footnote 240 Service output means the result of the production of the service.Footnote 241 Footnote 9 to the GATS excludes input services from the market access obligation in Article XVI:2(c) GATS. This qualification in Footnote 9 to the GATS provides a safeguard against unwanted liberalization.Footnote 242 It allows WTO members to limit trade in input services that have not been committed to themselves. The Scheduling Guidelines of 2001 clarify that market access and national treatment commitments “do not imply a right for the service supplier of a committed service to supply uncommitted services which are inputs to the committed service.”Footnote 243 It is ultimately the service output (i.e. the product), and not the activity that generates the output, which enters trade and is subject to the commitments in the schedules of WTO members.Footnote 244 The classification of a service must focus on the output.
2.3.3.5 Integrated Services
A third element that should be given due consideration when classifying digital services is that integrated or composite services should be classified as if they consisted of the service that gives them their essential character. WTO members have already acknowledged that due to the evolution of technology, increasingly complex and combined services are entering the market.Footnote 245 This is especially true for digital services.
The notion of integrated services was introduced in China – Electronic Payment Services. In identifying the nature of electronic payment services, the panel noted that two issues arise: One was whether the services at issue could be considered as an integrated service, which was supplied as such. The other was whether the services at issue should be classified under a single subsector or under more than one subsector in the classification system.Footnote 246 The panel first underlined that electronic payment services are composed of several elements, which are services in their own right.Footnote 247 In spite of this, the panel found that while these elements might be individually identifiable services, all of them together, were necessary for a payment card transaction to materialize and are thus integrated into a whole.Footnote 248 Thus the different services combined together result in a distinct service that is supplied and consumed as such.Footnote 249 The panel therefore concluded that electronic payment services for payment card transactions constitute an integrated service.Footnote 250 Furthermore, the panel found that electronic payment services, as an integrated service, were covered by China’s commitments under a single subsector.Footnote 251
These findings are compatible with the focus on service output and the fact that input services are not automatically committed.Footnote 252 The panel focused on the service output and found that the final service, as supplied to the consumer (considering the transaction from start to end), is a distinct service (without input services) and can therefore be classified within a single subsector. This is also compatible with Article XXVIII(b) GATS that defines the supply of a service as including production, distribution, marketing, sale, and delivery of a service.
The CPC also addresses integrated services. The introductory part of the CPC suggests some general rules to guide statisticians in their use of the classification system.Footnote 253 These include: Composite services shall be classified as if they consisted of the service which gives them their essential character.Footnote 254 Services that cannot be classified in accordance with the general rules shall be classified under the category appropriate to the services to which they are most akin.Footnote 255
2.3.3.6 Functional Approach
The functional approach to classification of digital services focuses on service output and considers integrated services where applicable. The functional approach to classification is based on the determination of a service’s end-use.Footnote 256 The question is what function is achieved by the service?Footnote 257 Based on this determination, the service sector and subsector that has the closest relation to the function can be considered the correct classification.Footnote 258 The panel in China – Publications and Audiovisual Products made an important finding in this regard:
A description of a service sector in a GATS schedule does not need to enumerate every activity that is included within the scope of that service, and is not meant to do so. A service sector or subsector in a GATS schedule thus includes not only every service activity specifically named within it, but also any service activity that falls within the scope of the definition of that sector or subsector referred to in the schedule.Footnote 259
The determination of a service’s function can be tricky when it comes to services that may serve multiple end-uses.Footnote 260 For example, advertising online games, which are either specifically designed for advertising purposes or simply entail advertisements.Footnote 261 The determination will depend on the perspective taken. This could be the perspective of the producers, consumers, or regulators and each might yield a different result. In China – Electronic Payment Services, the panel referred to the consumers’ perspective when determining the correct classification.Footnote 262 The functional approach is also supported by the principle of technological neutrality, as the focus on the end-use of the service does not take account of, or is at least not determined by, the means through which the service is being supplied.Footnote 263
The components-based approach to classification stands in contrast to the functional approach. The components-based approach relies on identifying the separate components a service consists of, after which the main component (or the one most easily classified) determines the classification of the service. Ines Willemyns explains that a components-based classification approach can lead to converging classification of widely different digital services, because it is based on the main constituting elements (that may even be inputs) of the service rather than the final service being provided.Footnote 264 If the components-based approach would prevail, a majority of digital services might be classified as data transmission services, since data transmission is the major component in how these services are supplied. This would not allow for a differentiated classification of different digital services. Consequently, I argue that the components-based approach to classification is not suitable and the functional approach should be used.Footnote 265
2.3.4 Examples
The functional approach to classification is best illustrated with examples. The following examples have already been introduced as examples of services that require cross-border flows of personal data.Footnote 266 The classifications suggested here for these examples will be used in the legal analysis of the regulation of data transfers in the EU and the market access obligation in Article XVI GATS.Footnote 267
2.3.4.1 Cloud Computing Services
The use of cloud computing should not automatically be considered as a single final service output for trade in services. It also offers ways in which other services can be supplied.Footnote 268 Services using cloud computing do not necessarily amount to computer services based on the functional approach to service classification. They often constitute integrated services, which can be classified elsewhere. Nevertheless, cloud computing services are also traded independently. In order to produce a service that relies on cloud computing, the supplier of that service might have recourse to foreign suppliers and import cloud computing services.
2.3.4.1.1 Cloud Computing Without Distinction by Type
In 2007, a group of 19 WTO members, including the EC (not counting its member states) and the US, circulated the Understanding on the scope of coverage of CPCprov 84 in which they submitted that CPCprov 84 covers all computer and related services.Footnote 269 Division 84 of the CPCprov includes the following groups:
-
841 - Consultancy services related to the installation of computer hardware
-
842 - Software implementation services
-
843 - Data processing services
-
844 - Data base services
-
845 - Maintenance and repair services of office machinery and equipment including computers
-
849 - Other computer services
The US and the EU later argued that according to this understanding, CPCprov 84 also includes cloud computing services.Footnote 270 They did not maintain a distinction between the different types of cloud computing services. In 2015, the WTO Secretariat provided the United Nations Expert Group on International Statistical Classifications with an illustrative list of services that did not have explicit references in W/120 and included on it cloud computing services.Footnote 271 The experts also concluded that cloud computing services would fall under CPCprov 84.Footnote 272 They also did not push for a distinction between the different types of cloud computing services either.
It was mainly China that objected and stated that cloud computing clearly overlapped with both computer and related services and telecommunications services.Footnote 273 China argued that cloud computing could not simply be classified as falling either under computer-related services or telecommunications services.Footnote 274 The EU disagreed with China that cloud computing is a new service and that it should (also) be considered as a (value-added) telecommunication service.Footnote 275 The EU pointed out that telecommunications are only the means of delivery, and not the core of the service provided (just as cloud computing itself could be an enabling service).Footnote 276 In 2016, the WTO Secretariat noted that the discussions on the classification of cloud computing services in the WTO had not resulted in any consensus.Footnote 277
I argue that cloud computing services themselves also should be seen as integrated services.Footnote 278 They are composed of several elements, each of which are services in their own right. Even though there are elements that are individually identifiable services, such as computer and related services and telecommunications services, all of them together, are necessary to supply could computing services. Only the elements combined result in a distinct service that is supplied and consumed as such. With a focus on the output, it seems that cloud computing services should be classified in the sector “Business Services” and the subsector “Computer and Related Services” (W/120-1.B), which corresponds to CPCprov 84.
Nevertheless, China made a valid point that there are three different types of cloud computing services that should be individually classified because they satisfy different consumer needs: IaaS, PaaS, and SaaS.Footnote 279
2.3.4.1.2 IaaS
IaaS may be classified in the category “Data processing services” (W/120-1.B.c), which corresponds to CPCprov 843.Footnote 280 The OED defines processing as “the subjection of something to a special process.”Footnote 281 Cloud computing as IaaS allows a consumer to rent cloud computing infrastructure from the provider. The consumer can rely on the provider for processing, storage, networks, and other fundamental computing resources located in the cloud. The provider therefore subjects the data of the consumer to special processing operations. The CPC as a supplementary means of interpretation supports that conclusion. CPCprov 843 entails a sub-class 84320 with the title “Data-processing and tabulation services.” The sub-class is defined as services such as data processing tabulation services, computer calculating services, and rental services of computer time. The rental of computer time fits the IaaS model.
2.3.4.1.3 PaaS
PaaS may be classified in the category “Software implementation services” (W/120-1.B.b), which corresponds to CPCprov 842. The OED defines software as the “collection of programs essential to the operation of a particular computer system” or as “programs designed to enable a computer to perform a particular task or series of tasks.”Footnote 282 Implementation refers to an action and also means fulfillment.Footnote 283 Cloud computing as PaaS allows a consumer to work with tools supported by the cloud provider. A consumer can create web or mobile applications on an existing cloud computing platform. The interpretation based on the ordinary meaning of the terms “software implementation services” is not conclusive. It is not clear how the action of implementing something should be associated with PaaS. The CPC as a supplementary means of interpretation clarifies the classification. The description of software implementation services in CPCprov 842 explains that all services involving consultancy services for development and implementation of software are covered. Sub-class 84230 with the title “Systems design services” includes technical solutions, with respect to methodology or new technologies.Footnote 284 PaaS offers technical solutions for consumers.
2.3.4.1.4 SaaS
SaaS may also be classified in the category “Software implementation services” (W/120-1.B.b). SaaS allows a consumer to use a software application of a cloud provider on various client devices. The provider manages the application and handles maintenance. The interpretation based on the ordinary meaning of the terms software implementation services is not conclusive, but the CPC as a supplementary means of interpretation clarifies the classification. Sub-classes 84240 with the title “Programming services” and 84250 with the title “System maintenance services” suggest that the writing of programs and the maintenance of software products in use are covered by software implementation services.
2.3.4.2 Search Engine Services
Search engines crawl the internet and index the results for search queries.Footnote 285 They use cloud computing and algorithms to grant users access to databases containing a plethora of websites and the information therein. The use of cloud computing should not be considered the final service output for trade in search engine services. The use of cloud computing is an element of the integrated service of a search engine.
Before classifying search engine services, it is necessary to address an important element of the operation of a search engine. The services offered by search engines are usually free of charge to the consumers. Additional targeted advertising services usually cover the financial needs of the search engine. Virtual space is sold to businesses which are interested in reaching a wide, but targeted audience. Advertising is the main revenue source for search engines. The ECJ found that the search engine functions and advertising activities
are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine economically profitable and that the search engine is, at the same time, the means enabling those advertising activities to be performed.Footnote 286
The reasoning of the ECJ does not translate easily into WTO law. The panel found in China – Electronic Payment Services that electronic payment services are composed of several elements, which are services in their own right but that all of them, together, are necessary for a payment card transaction to materialize and are thus integrated into a whole.Footnote 287 The panel’s jurisprudence on integrated services is based on functional and not economic considerations. From a functional perspective, the advertising services are not necessary for the supply of search engine services. In addition, there could be other business models for search engine services than advertising.Footnote 288 This indicates that search engine services do not necessarily have to be linked with advertising services. I thus conclude that search engine services should not be seen as an integrated service that includes advertising services.Footnote 289 Rather the advertising services should be classified separately.
Search engine services may be classified under the sector “Business Services” and the subsector “Computer and Related Services” as “Data base services” (W/120-1.B.c), which correspond to CPCprov 844. The OED defines “database” as a “structured set of data held in computer storage and typically accessed or manipulated by means of specialized software.”Footnote 290 Search engines consist of a database and an interface that makes the database accessible.Footnote 291 They fit the ordinary meaning of W/120-1.B.c perfectly. The CPCprov as a supplementary means of interpretation supports this classification. The description of database services in CPCprov 844 includes all services provided from primarily structured databases through a communication network. Search engines satisfy both conditions of that description.Footnote 292
2.3.4.3 Social Network Services
Social networks are cloud-based platforms encompassing digital relationships between individuals, groups, organizations, or even entire societies. The use of cloud computing should not be considered the final service output for trade in social network services. The use of cloud computing rather is an element of the integrated service of a social network.
Just as in the case of search engines, it is necessary to address advertising services before classifying social network services. The services offered by a social network are usually free of charge to the consumers. Additional targeted advertising services often cover the financial needs of a social network. It is the main revenue source for social networks. The jurisprudence of the WTO adjudicative bodies on integrated services is based on functional and not economic considerations. From a functional perspective, the advertising services are not necessary for the supply of social network services. Social network services cannot be seen as an integrated service that includes advertising services.Footnote 293 The advertising services must be classified separately.
Social networks may be classified under the sector “Business Services” and the subsector “Computer and Related Services” as “Data base services” (W/120-1.B.c), which correspond to CPCprov 844.Footnote 294 Social network services enable electronic interaction and allow access to and manipulation of information in databases because whatever is posted or shared by the users is included in the online database of the social network.Footnote 295 The CPCprov as a supplementary means of interpretation supports this classification. The description of database services in CPCprov 844 includes all services provided from primarily structured databases through a communication network. Social networks satisfy both conditions of this description.Footnote 296
2.3.4.4 Online Advertising Services
Online advertising services may be classified under the sector “Business Services” and the subsector “Other Business Services” as “Advertising services” (W/120-1.F.a), which correspond to CPCprov 871.Footnote 297 The ordinary meaning of the term advertising services in W/120-1.F.a matches online advertisement services, especially when taking account of the evolution of technology. It is not necessary to consult the CPCprov as a supplementary means of interpretation as the result of the interpretation according to Article 31 VCLT does not leave the meaning of the terms ambiguous.
2.3.4.5 IoT Services
One of the examples given above for IoT services was related to internet-connected automobiles. Maintenance and the improvement of the driving experience are important services with regard to internet-connected vehicles. IoT maintenance services for internet-connected vehicles can be classified in the sector “Transport Services” and the subsector “Road Transport Services” as “Maintenance and repair of road transport equipment” (W/120-11.F.d), which corresponds to CPCprov 6112. The ordinary meaning of the terms “maintenance” and “repair of road transport equipment” matches the IoT maintenance services for internet-connected vehicles, especially when taking account of the evolution of the ordinary meaning of the term due to technological development. The CPCprov as a supplementary means of interpretation supports this classification. Sub-class 611120 with the title “Maintenance and repair services of motor vehicles” includes a detailed list of maintenance services. The terms are sufficiently generic that what they apply to may change over time.Footnote 298
The second example for IoT service given above was related to smart fridges. Restocking groceries is an important service provided by smart fridges. IoT restocking services for smart fridges cannot be classified in any sector and subsector of W/120. I am of the opinion that IoT restocking services for smart fridges is one of the rare examples of a new service that is not covered by the W/120. The subsector “Retailing services” is not pertinent (W/120-4.C). The OED defines “retail” as the “action or business of selling goods in relatively small quantities for use or consumption rather than for resale.”Footnote 299 IoT restocking services of smart fridges involve the buying of goods and not their sale. The subsector “Computer and Related Services” is not pertinent either (W/120-1.B). Even though data processing services are a component of IoT restocking services, the classification must focus on the service output, which is ordering groceries and filling up the fridge. Furthermore, none of the “Other” subsectors are pertinent. IoT restocking services are essentially personal shopping services from a technologically neutral perspective. Someone (or something) is going to the stores (or contacting the stores) for you (or maybe with you) to select and/or buy the things you need. There is no classification for personal shopping in the W/120.
2.3.4.6 Sharing Economy Platform Services
The treatment of sharing economy platform services is tricky, not only with regard to the GATS. Countries have historically struggled to find sensible regulatory solutions for the sharing economy. Should the respective companies be treated as tech-companies or the same as their analogue counterparts?Footnote 300 Similarly, in the GATS context, their services can be classified either as computer and related services, or as the services that they facilitate.
The first example for sharing economy platform services discussed above was related to the arrangement of lodging. I would classify digital lodging arrangement platform services under the sector “Tourism and Travel Related Services” and the subsector “Hotels and restaurants” (W/120-9.A), which corresponds to CPCprov 641-643. The interpretation, however, based on the ordinary meaning of the terms hotels and restaurants leaves the classification ambiguous. The CPCprov as a supplementary means of interpretation offers further guidance. Sub-class 64193 with the title “Letting services of furnished accommodation” includes lodging and related services provided by cabins, private apartments, and homes. There is no requirement as to who owns the subject property. The mere fact that a company like Airbnb does not own the property does not preclude them from providing such services.Footnote 301 The classification in the subsector hotels and restaurants focuses on service output from the perspective of the consumer/user that travels. Data processing and database services are certainly elements of digital lodging arrangement platform services, and constitute services in their own right, but all of them, together, are necessary for digital lodging arrangement platform services to materialize. The different services are thus combined and result in a distinct integrated service that is supplied and consumed as such.Footnote 302
The second example for sharing economy platform services was related to the arrangement of transportation. I would classify digital transportation arrangement platform services under the sector “Transportation Services” and the subsector “Road Transport Services” as “Passenger transportation” (W/120-11.F.a), which corresponds to CPCprov 7121+7122. The interpretation based on the ordinary meaning provides a clear classification. The CPCprov as a supplementary means of interpretation supports this classification. Sub-class 71221 with the title “Taxi services” includes services that are generally rendered on a distance-traveled basis, for a limited duration of time, and to a specific destination. The classification as passenger transportation focuses on service output from the perspective of the consumer/user that travels. Data processing and database services are certainly elements of digital transportation arrangement platform services, and constitute services in their own right, but all of them, together, are necessary for digital transportation arrangement platform services to materialize. The different services are combined together and result in a distinct integrated service that is supplied and consumed as such.Footnote 303
2.3.4.7 Travel Agencies
Travel agencies supply services that can be classified under the sector “Tourism and Travel Related Services” and the subsector “Travel agencies and tour operator services” (W/120-9.B), which corresponds to CPCprov 7471. The services offered by travel agencies fit the ordinary meaning of W/120-1.B.c perfectly.
2.3.4.8 Digital Medical Services
Digital medical services as described above may be classified under the sector “Business Services” and the subsector “Professional Services” as “Medical and dental services” (W/120-1.A.h), which correspond to CPCprov 9312. The ordinary meaning of the term “medical services” matches digital medical services, especially when taking into account the evolution of technology. The CPCprov as a supplementary means of interpretation supports this classification.
2.3.4.9 Legal Services
Legal services as described above may be classified under the sector “Business Services” and the subsector “Professional Services” as “Legal Services” (W/120-1.A.a), which correspond to CPCprov 861. The interpretation according to the ordinary meaning of the terms suffices for the classification.
2.4 Electronic Commerce Negotiations
The cross-border flow of personal data is not directly regulated by the law of the WTO yet, but it is part of the electronic commerce negotiations held at the WTO since 1998. These negotiations can be divided into four stages: the preparatory work until 2015 (Sect. 4.2.4.1), the emancipation from the Doha structure from 2015 to 2017 (Sect. 4.2.4.2), the Joint Statement Initiative from 2017 to 2019 (Sect. 4.2.4.3), and the current negotiations that started in 2019 (Sect. 4.2.4.4).
2.4.1 Preparatory Work
At the second Ministerial Conference of the WTO in May 1998, the delegations recognized that growing global electronic commerce was creating new opportunities for trade. They thus adopted the Declaration on Global Electronic Commerce.Footnote 304 The declaration directed the WTO General Council to establish a comprehensive work program to address trade-related issues concerning electronic commerce. In September 1998, the General Council established the “Work Programme on Electronic Commerce,” instructing each of its councils to look at specific issues under their respective responsibilities.Footnote 305
The Work Programme on Electronic Commerce has an exploratory and informative nature. It was mainly designed to build understanding around the trade-related aspects of electronic commerce without the pre-set objective to negotiate new rules.Footnote 306 Discussions did not see significant progress until the Nairobi Ministerial Conference in 2015.Footnote 307 The International Centre for Trade and Sustainable Development noted that the topic was completely absent in some of the councils for years.Footnote 308 In spite of this and in spite of the Doha agenda deadlock, some pertinent trade-related aspects of electronic commerce were identified.Footnote 309 With regard to trade in services, such aspects included the technological neutrality of the GATS, the fact that specific commitments for market access and national treatment also cover the supply of services through electronic means (unless otherwise specified), and the application of the Annex on Telecommunications to access and use of the internet when it is defined in a WTO member’s regulatory system as a public telecommunications transport service.Footnote 310
2.4.2 Emancipation from the Doha Structure
At the Nairobi Ministerial Conference in 2015, it was recognized that many WTO members desired to carry out the work on the basis of the Doha structure, while some wanted to explore new negotiation architectures.Footnote 311 Given the rapid growth of electronic commerce and the absence of global rules, some WTO members called for electronic commerce to be prioritized among the new issues for consideration.Footnote 312
In the runup to the Buenos Aires Ministerial Conference in 2017, the discussions of the Work Programme on Electronic Commerce intensified and several WTO members, or groups of WTO members, issued statements and proposals on potential issues for discussion. These issues also included data flows and data protection. Developing countries, especially WTO members in Africa, argued against negotiating new rules at the WTO, concerned that this would detract attention from the outstanding issues of the Doha agenda, along with imposing constraints on policy space.Footnote 313
2.4.3 Joint Statement Initiative
The Buenos Aires Ministerial Conference in 2017 witnessed the launch of a Joint Statement Initiative for exploratory talks on potential negotiations of trade rules on electronic commerce by 71 WTO members.Footnote 314 The WTO members involved in this Joint Statement Initiative met on an almost monthly basis. A total of nine meetings were held, in which proposals and submissions were discussed with the aim of setting and agreeing on the agenda for the negotiations.Footnote 315 That phase was concluded by the signing of a second Joint Statement Initiative in Davos in January 2019, announcing the intention of 76 WTO members to begin plurilateral negotiations on electronic commerce.Footnote 316
2.4.4 Current Negotiations
By the end of February 2020, seven negotiating rounds had been completed, with more than 80 WTO members participating. Big differences have been reported between three influential WTO members—China, the EU and the US—but also between developed and developing countries when it comes to subjects like data protection and cross-border flows of personal data.Footnote 317
The EU’s first proposal was circulated on 26 April 2019 and entailed safeguards for WTO members to regulate the protection of personal data and privacy:Footnote 318
2.8 Protection of Personal Data and Privacy
-
1.
Members recognize that the protection of personal data and privacy is a fundamental right and that high standards in this regard contribute to trust in the digital economy and to the development of trade.
-
2.
Members may adopt and maintain the safeguards they deem appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data. Nothing in the agreed disciplines and commitments shall affect the protection of personal data and privacy afforded by the Members' respective safeguards.
-
3.
Personal data means any information relating to an identified or identifiable natural person.
The wording of the EU’s proposal is very similar to the Model Data Flow Clauses for their future trade agreements.Footnote 319 It entails a deferential approach allowing WTO members to choose the safeguards they deem appropriate for the protection of personal data and privacy including rules on cross-border flows of personal data. It does not mention any qualifying requirement such as necessity or standards similar to the chapeau of Article XIV GATS. The EU’s proposal tries to safeguard the right to continuous protection of personal data in Article 8 CFR and the legal mechanisms for the transfer of personal data in the GDPR.
China’s first proposal was circulated on 23 April 2019 and only briefly addressed the protection of personal information:Footnote 320
3.9. Personal Information Protection: Members should adopt measures that they consider appropriate and necessary to protect the personal information of electronic commerce users.
The wording of China’s proposal, while less detailed, is similarly deferential as regards the protection of personal data. China explicitly stated that WTO members “should respect each other’s design of the electronic commerce development paths, and the legitimate right to adopt regulatory measures in order to achieve reasonable public policy objectives.”Footnote 321 China seems to side with the EU on privacy issues in its proposal, arguing that appropriate and necessary measures can be implemented to protect privacy.Footnote 322 However, while the EU’s focus is on fundamental rights, China’s focus is on security:
4.1. […] However, more importantly, the data flow should be subject to the precondition of security, which concerns each and every Member’s core interests. To this end, it is necessary that the data flow orderly in compliance with Members’ respective laws and regulations.
This might be explained by the fact that China’s Cybersecurity Law states that operators of critical information infrastructure must pass a security assessment by government agencies before cross-border flows of personal data are possible.Footnote 323
The US proposal was circulated on 26 April 2019 and entailed detailed rules on protection of personal information and cross-border transfers of information:Footnote 324
Article 7: Personal Information Protection
-
1.
Each Party shall adopt or maintain a legal framework that provides for the protection of the personal information of the users of digital trade.Footnote 325
-
2.
Each Party shall publish information on the personal information protections it provides to users of digital trade, including how:
-
(a)
individuals can pursue remedies; and
-
(b)
an enterprise can comply with legal requirements.
-
(a)
-
3.
Recognizing that the Parties may take different legal approaches to protecting personal information, each Party should encourage the development of mechanisms to promote interoperability between these different regimes.
-
4.
The Parties recognize the importance of ensuring compliance with measures to protect personal information and ensuring that any restrictions on cross-border flows of personal information are necessary and proportionate to the risks presented.
Article 8: Cross-Border Transfer of Information by Electronic Means
-
1.
No Party shall prohibit or restrict the cross-border transfer of information, including personal information, by electronic means, if this activity is for the conduct of the business of a covered person.
-
2.
This Article does not prevent a Party from adopting or maintaining a measure inconsistent with paragraph 1 that is necessary to achieve a legitimate public policy objective, provided that the measure:
-
(a)
is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and
-
(b)
does not impose restrictions on transfers of information greater than are necessary to achieve the objective.Footnote 326
-
(a)
The US proposal is characterized by a commitment to recognize different legal approaches to protect personal data and the interoperability of these approaches.Footnote 327 The US suggested in a follow-up communication from 17 June 2019 that so-called “interoperability regimes” can be instituted between economies where national standards on data protection diverge.Footnote 328 It explicitly mentioned the Privacy Shield as an example for the use of such an interoperability regime.Footnote 329 The invalidation of Decision (EU) 2016/1250, the Privacy Shield adequacy decision, by the ECJ in Schrems 2 shows the limits of such regimes from the perspective of the EU.Footnote 330 At the same time, the US proposal also significantly limits domestic regulatory space for rules on cross-border flows of personal data with qualifying requirements. First, parties must generally ensure that restrictions on cross-border flows of personal data are necessary and proportionate to the risks presented. This requires an explanation of the risks of cross-border flows of personal data and a test of necessity and proportionality of the restrictions. Second, and somewhat overlapping, the proposal forbids prohibitions and restrictions of cross-border flows of personal data for the conduct of businesses, except where a measure is necessary to achieve a legitimate public policy objective and is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and does not impose restrictions on transfers of information greater than are necessary to achieve the objective. Contrary to the EU’s and China’s proposal, the US proposal entails many legal tests for data flow regimes.
An agreement that reconciles differing national approaches to personal privacy seems elusive.Footnote 331 Nevertheless, the parties had hoped to publish a consolidated text at the Nur-Sultan Ministerial Conference of the WTO in June 2020.Footnote 332 The conference was postponed due to the COVID-19 pandemic, which has given the negotiations more time. On 14 December 2021 the co-convenors of the WTO e-commerce negotiations—Australia, Japan and Singapore—issued a joint statement welcoming the substantial progress in the negotiations and setting the goal for members to secure convergence on the majority of issues by the end of 2022.Footnote 333 The negotiations seem to have produced a number of clean articles such as on spam, electronic signatures, online consumer protection and open government data but privacy and data flows remain two of the significant open issues.Footnote 334 The co-convenors stated on 15 September 2022 that a finalisation of the negotiations in 2023 is within reach.Footnote 335
2.5 Summary
Digital services often require cross-border flows of personal data. When the GATS was drafted, many digital services that now rely on the free flow of personal data were not yet invented. Nevertheless, I argue that most digital services are covered by the commitments in the schedules of WTO members. They fall under mode 1 (cross-border supply of services). Since the GATS applies to measures affecting trade in services, the EU’s fundamental rights-based regulation of data transfers is subject to the obligations in the GATS because any restriction on the free flow of personal data across borders affects trade in services. The MFN treatment obligation in Article II GATS prohibits discrimination between foreign services and service suppliers from different third countries. The domestic regulation obligation in Article VI GATS requires “reasonable, objective, and impartial” administration of measures and practicable, judicial, arbitral, or administrative tribunals or procedures that provide for the prompt review of measures and appropriate remedies. Subject to the specific commitments undertaken by the EU, the market access obligation in Article XVI (a) and (c) GATS does not allow limitations on the number of service suppliers and operations, and the national treatment obligation in Article XVII GATS prohibits discrimination between foreign and domestic services and service suppliers. Exceptions pertaining to economic integration in Article V GATS, privacy in Article XIV(c)(ii) GATS, and security in Article XIV bis GATS can justify violations of the obligations in the GATS. The GATS Annex on Telecommunications aims to ensure that the specific commitments are not frustrated through lack of access to foreign telecommunications services. In addition, the ongoing electronic commerce negotiations at the WTO involve rules on cross-border flows of personal data. However, it still seems rather difficult to reconcile the differing national approaches to privacy protection at the level of the WTO.
3 The Regulation of Data Transfers as Trade Barrier
The multilateral framework of the WTO allows its members to challenge the EU’s fundamental rights-based regulation of data transfers as a trade barrier. The analysis of the obligations under the GATS highlights how the regulation of data transfers in the EU interferes with the rules of the WTO on trade in services. The analysis focuses on the MFN treatment obligation in Article II GATS (Sect. 4.3.1), the domestic regulation obligation in Article VI GATS (Sect. 4.3.2), the market access obligation in Article XVI:2(a) and (c) GATS (Sect. 4.3.3), and the national treatment obligation in Article XVII GATS (Sect. 4.3.4).
3.1 MFN Treatment
The MFN treatment obligation in Article II:1 GATS applies to any measure affecting trade in services irrespective of whether specific commitments have been undertaken.Footnote 336 The EU is required to accord to services and services suppliers of any WTO member treatment no less favorable than that it accords to like services and service suppliers of any other country immediately and unconditionally. The analysis of the EU’s regulation of data transfers under the MFN treatment obligation focuses on regular adequacy decisions (Sect. 4.3.1.1), special framework adequacy decisions (Sect. 4.3.1.2), the management of the adequacy assessment (Sect. 4.3.1.3), and instruments providing appropriate safeguards (Sect. 4.3.1.4).
3.1.1 Adequacy Decisions
The EU system for data transfers interferes with the MFN treatment obligation in so far as adequacy decisions by the European Commission lead to situations in which services and service suppliers in some WTO members are treated less favorably than services and service suppliers in other states. Where the Commission decides that a third country provides an adequate level of protection for personal data according to Article 45 GDP, services and services suppliers from that third country benefit from the possibility to transfer personal data without any specific authorization. Services and service suppliers in WTO members without an adequacy decision must have recourse to other legal mechanisms for their data transfers. An interference with the MFN treatment obligation may occur with regard to services and service suppliers that require systematic, structural, and continuous cross-border flows of personal data (Sect. 4.3.1.1.1) but also with regard to services and service suppliers that only require occasional cross-border flows of personal data (Sect. 4.3.1.1.2).Footnote 337
3.1.1.1 Services with Systematic Flows of Personal Data
Service suppliers in a WTO member without an adequacy decision that require systematic, structural, and continuous cross-border flows of personal data for their services have to rely on instruments providing appropriate safeguards according to Article 46 GDPR to transfer personal data from the EU to their home country. In such cases, services and service suppliers are treated less favorably than like services and service suppliers from third countries with an adequacy decision. It is not sufficient under Article II:1 GATS to accord a WTO member similar treatment to that accorded to another state.Footnote 338 By virtue of the MFN treatment obligation, any WTO member must be given exactly the same treatment as any other state.Footnote 339 The use of instruments providing appropriate safeguards is more burdensome than transferring personal data on the basis of an adequacy decision.Footnote 340 The concept of treatment no less favorable in Article II:1 GATS focuses on a measure’s modification of the conditions of competition.Footnote 341 Any evidence that the EU intruded into the competitive relationship between services or service suppliers satisfies that legal standard and establishes treatment less favorable under Article II:1 GATS. It is more costly for services and service suppliers to use instruments providing appropriate safeguards than relying on an adequacy decision. The instruments in Article 46 GDPR are less flexible, they entail additional obligations, and require ongoing legal management. The requirement to use those instruments creates a competitive disadvantage for services and service suppliers in WTO members without an adequacy decision. This constitutes treatment less favorable. The EU does not immediately and unconditionally accord to those services and service suppliers treatment no less favorable than that it accords to like services and service suppliers in states with an adequacy decision. This constitutes an interference with the MFN treatment obligation in Article II:1 GATS.Footnote 342
Carla Reyes argues that there is less favorable treatment for services and service suppliers in the specific situation where a WTO member’s claim of adequacy has been rejected compared to like services and service suppliers from those states for which adequacy remains undetermined.Footnote 343 Svetlana Yakovleva and Kristina Irion disagree because the available legal mechanisms for the transfer of personal data in the GDPR for a country with a negative adequacy decision by the Commission and for countries whose data protection regime have never been assessed are the same, i.e. the instruments providing appropriate safeguards according to Article 46 GDPR.Footnote 344 Yakovleva and Irion also add that this is a highly hypothetical scenario because the Commission has never issued a single negative adequacy decision so far.Footnote 345 It must be added that there might in fact be consequences for the available data transfer mechanisms should the Commission, or a supervisory authority, or the ECJ, find that the level of protection for personal data that is transferred from the EU to a third country, is not essentially equivalent to that guaranteed within the EU. The instruments providing appropriate safeguards in Article 46 GDPR can only be used if they comply with the right to continuous protection of personal data. They are not available for the transfer of personal data to third countries in which they cannot ensure a level of protection for personal data that is essentially equivalent to that guaranteed within the EU.
3.1.1.2 Services with Occasional Flows of Personal Data
Without an adequacy decision, services and service suppliers that only require occasional cross-border flows of personal data from the EU will usually rely on the derogations in Article 49 GDPR. In such cases, services and service suppliers are treated less favorably than like services and service suppliers from states with an adequacy decision. The use of the derogations creates a competitive disadvantage for services and service suppliers in WTO members without an adequacy decision because of the additional burden to comply with the conditions of the derogations.Footnote 346 Services and service suppliers from a state with an adequacy decision may transfer personal data without any further requirements. This amounts to treatment less favorable and constitutes an interference with the MFN treatment obligation in Article II:1 GATS.
3.1.2 Special Framework Adequacy Decisions
The EU adopted some adequacy decisions for special frameworks with third countries such as the invalidated Decision 2000/520, the Safe Harbor adequacy decision, or Decision (EU) 2016/1250, the Privacy Shield adequacy decision. The EU already has plans to adopt a new special framework adequacy decision regarding the US called the Transatlantic Data Privacy Framework.Footnote 347 Special framework adequacy decisions must be assessed separately under WTO law. Although these adequacy decisions have the same effect as regular adequacy decisions with regard to the modification of the conditions of competition for services and service suppliers from third countries without an adequacy decision, the justification for the interference with the MFN treatment obligation under the general exceptions in Article XIV GATS will be different. This is because special framework adequacy decisions are often tailor-made decisions for countries that otherwise would not necessarily qualify for a regular adequacy decision.
Perry Keller has argued that that the more lenient treatment for an adequacy finding with such special framework adequacy decisions—a privilege only so far given to the US—in effect afforded the US more favorable treatment compared to other third countries.Footnote 348 This argument focuses on the management of the adequacy procedure by the Commission and not on the competitive advantages that the enactment of an adequacy decision can produce for certain countries and not for others. This argument is relevant under Article VI:1 GATS on domestic regulation.
3.1.3 Adequacy Assessment
Some scholars have focused on the adequacy assessment in their analyses of the MFN treatment obligation in Article II:1 GATS. First, Stefano Saluzzo argues that the EU would be able to claim that there is no interference with the MFN treatment obligation because all WTO members are on equal footing concerning the access to an adequacy assessment (Sect. 4.3.1.3.1). Second, Eric Shapiro and Carla Reyes claim that irregularities in the management of the adequacy assessment may amount to an infringement of the MFN treatment obligation (Sect. 4.3.1.3.2).
3.1.3.1 Access
The panel in EC – Bananas III (Article 21.5 – Ecuador) maintained that the EC had treated Ecuador less favorably than other WTO members because Ecuador’s service suppliers did “not have opportunities to obtain access to import licences on terms equal to those enjoyed by service suppliers of EC/ACP origin.”Footnote 349 Stefano Saluzzo used this finding to show that the EU could rebut a prima facie case that the EU’s handling of adequacy decisions constitutes a de facto interference with the MFN treatment obligation.Footnote 350 He argued that “the EU would be able to claim that no violation of the MFN clause occurred in relation to data transfer restrictions, since every country is on an equal footing as far as the adequacy assessment is concerned.”Footnote 351
I am of the opinion that the situation in EC – Bananas III (Article 21.5 – Ecuador) cannot be applied to adequacy decisions. Saluzzo is right to point out that any country is on equal footing to (informally) ask for an adequacy decision. In that regard, any country has the opportunity to obtain access to an adequacy assessment on terms equal to those enjoyed by other countries. However, in EC – Bananas III (Article 21.5 – Ecuador), access to import licenses on equal terms would automatically have created equal competitive opportunities and erased the less favorable treatment. This is different with respect to adequacy decisions. Access to an adequacy assessment does not automatically create equal competitive opportunities. Access to an adequacy assessment does not erase the less favorable treatment because it does not guarantee a favorable outcome in the form of an adequacy decision.
The argument brought forward by Saluzzo would imply that there is an aims-and-effect test in Article II:1 GATS. Only considering the aim of the EU’s fundamental rights-based regulation of data transfers under Article II:1 GATS would justify that some countries receive a positive adequacy decision, while others do not. According to the aims-and-effect test, a measure will not be considered as discriminating if the aim of the measure is not discriminatory, even if the result is discriminatory.Footnote 352 This is basically what Saluzzo noted when he wrote that “the EU would be able to claim that no violation of the MFN clause occurred in relation to data transfer restrictions, since every country is on an equal footing as far as the adequacy assessment is concerned.”Footnote 353 The AB stated clearly in EC – Bananas III that there is no authority in Article II:1 GATS for the proposition that the aims and effects of a measure are in any way relevant in determining whether that measure is inconsistent with the MFN treatment obligation.Footnote 354 In Argentina – Financial Services, the AB underlined that the legal standard for the concept of treatment no less favorable in Article II:1 GATS focuses on the modification of the conditions of competition and that this legal standard does not include a separate and additional inquiry into the regulatory objective of, or the regulatory concerns underlying, the contested measure.Footnote 355
3.1.3.2 Management
Some scholars have claimed that there is less favorable treatment between services and service suppliers in different WTO members because the management of the adequacy assessments lacks consistency.Footnote 356 For example, Eric Shapiro argued that there is an interference with the MFN treatment obligation because the EU offered the US much less rigorous terms and that the (invalidated) Safe Harbor adequacy decision required much less of the US than the EU required of Hungary or Australia.Footnote 357 Similarly, Carla Reyes argued that services and service suppliers from Australia have been afforded less favorable treatment than like services and service suppliers from other countries where the Article 29 WP also made determinations of inadequate data protection standards, such as for the US and Canada.Footnote 358
These arguments are based on the fact that the application of the adequacy mechanism may amount to an interference with the MFN treatment obligation.Footnote 359 They primarily focus on the management of the adequacy assessment by the Commission and not on the advantages that the enactment of an adequacy decision can produce for certain countries and not for others. These arguments are rather relevant under Article VI:1 GATS on domestic regulation, which concerns the administration of a measure, than under Article II:1 GATS, which focuses on the conditions of competition.
3.1.4 Appropriate Safeguards
Where no adequacy decision is in place and where the instruments providing appropriate safeguards in Article 46 GDPR are not available either, service suppliers that require systematic, structural, and continuous cross-border flows of personal data for their services cannot rely on any other legal mechanism in the GDPR. Such situations may arise in cases in which a supervisory authority in an EU member state uses its corrective powers and imposes a temporary or definitive limitation including a ban on processing of personal data in the form of data transfers to a third country according to Article 58(2)(f) GDPR or suspends data flows to a recipient in a third country according to Article 58(2)(j) GDPR.Footnote 360 In such cases, services and service suppliers are treated less favorably than like services and service suppliers from countries in which the use of the instruments in Article 46 GDPR are generally possible. This modifies the conditions of competition in favor of services and service suppliers from these countries. The EU does not immediately and unconditionally accord treatment no less favorable. This interferes with the MFN treatment obligation in Article II:1 GATS.
3.2 Domestic Regulation
Article VI GATS on domestic regulation balances trade liberalization with the right of WTO members to regulate. Some of the requirements for domestic regulation in Article VI GATS are relevant for the EU system for data transfers. This concerns the procedural requirements in Paragraph 1 that relate to the administration of a measure (Sect. 4.3.2.1) and the requirements in Paragraph 2 that relate to judicial, arbitral or administrative mechanisms for the review of measures at the request of an affected service supplier (Sect. 4.3.2.2). Contrary to the claims of some scholars, the other requirements in Article VI GATS are not relevant for the EU system for data transfers. This concerns Paragraph 3 relating to authorization requirements (Sect. 4.3.2.3) and Paragraphs 4 and 5 relating to qualification procedures, technical standards, and licensing requirements (Sect. 4.3.2.4).
3.2.1 Administration of Measures
Article VI:1 GATS relates to the administration of measures.Footnote 361 The requirements for domestic regulation in Article VI:1 GATS oblige WTO members to administer measures of general application affecting trade in services in sectors where specific commitments are undertaken in a reasonable, objective, and impartial manner. A measure of general application covers a range of cases and situations and thus affects an unidentified number of economic operators.Footnote 362 The GDPR in general, and the regulation of data transfers specifically, can be considered a measure of general application as they cover all transfers of personal data from the EU to third countries and thus affect an unidentified number of economic operators.Footnote 363 The aim of Article VI:1 GATS is to promote the principles of consistency and predictability in the application of domestic measures, so as to avoid adverse effects on the business performance of foreign service suppliers. The regulation of data transfers in the EU should be dealt with according to the different ways and procedures it is applied rather than the degree of the restrictions imposed.Footnote 364 Potential problems with the administration may occur with regard to regular adequacy decisions (Sect. 4.3.2.1.1), special framework adequacy decisions (Sect. 4.3.2.1.2), standard data protection clauses (Sect. 4.3.2.1.3), BCRs (Sect. 4.3.2.1.4), derogations (Sect. 4.3.2.1.5), and overlapping requirements due to the geographical scope of application of the GDPR (Sect. 4.3.2.1.6).
3.2.1.1 Adequacy Decisions
The administration of the regulation for data transfers in the EU potentially faces four problems regarding adequacy decisions and Article VI:1 GATS. The number of adequacy decisions (Sect. 4.3.2.1.1.1), the selection of countries for adequacy decisions (Sect. 4.3.2.1.1.2), the consistency of the adequacy assessment (Sect. 4.3.2.1.1.3), and the procedures of the adequacy assessment (Sect. 4.3.2.1.1.4).
3.2.1.1.1 Number of Adequacy Decisions
A first problem relates to the number of countries that receive an adequacy decision. Carla Reyes has argued that the EU has had difficulties in explaining why the current selection of countries with an adequacy decision—14 in total under the GDPR—is reasonable given the more than 140 other countries that continue to import personal data from the EU in the absence of an adequacy decision.Footnote 365
The administration of a measure is reasonable if it is in accordance with generally accepted standards of rationality and sound judgment.Footnote 366 There must be a rational reason for the conduct in question.Footnote 367 Apart from the fact that adequacy decisions are only available for countries that provide a level of protection of personal data that is essentially equivalent to that guaranteed within the EU, it would require a huge amount of effort on the part of the European Commission to maintain 100 or more adequacy decisions. The GDPR entails extensive obligations regarding their monitoring and review.Footnote 368 These obligations are necessary to comply with the right to continuous protection of personal data. It is reasonable that the Commission has been slow to extend the number of adequacy decisions as the necessary assessments and negotiations for an adequacy decision are complicated and lengthy.
This is supported by the fact that the GDPR provides alternative legal mechanisms for the transfer of personal data for WTO members that do not yet have an adequacy decision yet provide a level of protection of personal data that is essentially equivalent to that guaranteed within the EU. The instruments providing appropriate safeguards in Article 46 GDPR allow the same kind of data transfers as adequacy decisions. The lack of an adequacy decision thus has no impact on the kind of transfers of personal data from the EU to a third country, but it is more burdensome to use the instruments in Article 46 GDPR. A prima facie case of compliance with Article VI:1 GATS could be rebutted when a complainant shows that there are many WTO members without an adequacy decision that provide a level of protection for personal data that is essentially equivalent to that guaranteed within the EU and that the EU consciously avoids granting them an adequacy decision or even enter into the procedures to adopt one. I do not find that this is currently the case, but I submit that such a situation would amount to an unreasonable administration of the EU regulation of data transfers and as such would interfere with the standards of Article VI:1 GATS.
3.2.1.1.2 Selection of Countries for Adequacy Decisions
A second problem relates to the selection of countries that receive adequacy decisions. Svetlana Yakovleva and Kristina Irion have submitted that the country-by-country adequacy assessment falls short of the impartiality and objectivity standard in Article VI:1 GATS.Footnote 369 They argue that there are no formal criteria on when and how third countries’ data protection regimes are to be assessed for their adequacy. They underline that adequacy decisions do not seem to rely on a legal-only assessment and may not be considered even-handed.
The administration of a measure is not impartial if the application is unfair, biased or prejudiced.Footnote 370 For the administration of a measure to be objective, it may not be arbitrary.Footnote 371 According to the OED, “arbitrary” means “derived from mere opinion or preference” and “not based on the nature of things.”Footnote 372 While it is true that there are certain indications for preferential treatment of countries with regard to adequacy decisions, none of these indications amount to a biased application of the EU’s regulation of data transfers in general, and adequacy decisions specifically. I have shown that neither geographical nor economic factors seem to be coherently applied for preferential treatment with regard to adequacy decisions.Footnote 373 Yakovleva and Irion point out that there are no formal criteria on when and how third countries’ data protection regimes are to be assessed for their adequacy, but the Commission has a strategy for adequacy decisions with informal criteria.Footnote 374 The strategy puts third countries at a disadvantage if they are not negotiating a trade agreement with the EU, could be dangerous for the outsourcing of data processing operations, and are neither geographically nor culturally close to the EU.Footnote 375 But even this strategy allows the consideration of countries that are potentially at a disadvantage if they are data protection champions and serve as a role model for other third countries. This would underline that the country-by-country adequacy assessment is not unfair nor prejudiced, but actually based on the nature of things, i.e., the protection for personal data that is essentially equivalent to that guaranteed within the EU.
I thus argue that the administration of the EU regulation of data transfers regarding the selection of countries that receive an adequacy decision does not interfere with the standards in Article VI:1 GATS. An exception to that submission would concern a country that is constantly denied an adequacy decision even when it is widely acknowledged—over a substantial period of time—that it provides a level of protection for personal data that is essentially equivalent to that guaranteed within the EU. There does not, however, seem to be a WTO member to which this description applies.
3.2.1.1.3 Consistency of Adequacy Assessments
A third problem relates to the consistency of adequacy assessments. Some content-related inconsistencies have been mentioned above.Footnote 376 Yakovleva and Irion have specifically highlighted that not all of the Commission’s adequacy decisions require that the third country restricts the onward transfer of personal data to countries without adequate protection.Footnote 377 Even though the GDPR now entails more detailed requirements for adequacy decisions, including rules for the onward transfer of personal data, such inconsistencies in the adequacy assessment under Directive 95/46/EC may put into question the impartiality of the administration of the EU system for data transfers with regard to adequacy decisions.Footnote 378 In spite of this, it has to be noted that in order to constitute a violation of Article VI:1 GATS, there must be “a significant impact on the overall administration of the law, and not simply on the outcome in the single case in question.”Footnote 379 The EU’s more recent adequacy decisions have been much more carefully drafted and the new detailed requirements in the GDPR leave less room for such inconsistencies, if any at all. It would thus be difficult to argue that the mentioned content-related inconsistencies have a significant impact on the overall administration of the EU system for data transfers with regard to adequacy decisions and not just on the single case in question. This is especially true when considering that under the GDPR all adequacy decisions must be reviewed every four years, which includes the adequacy decisions taken under Directive 95/46/EC.Footnote 380 I thus conclude that the administration of the EU regulation of data transfers with regard to the consistency of adequacy assessments does not interfere with the high standards in Article VI:1 GATS.
3.2.1.1.4 Procedures of the Adequacy Assessment
A fourth problem relates to the procedures of adequacy assessments. The Commission oversees all adequacy decisions. There are no formal procedures third countries can pursue to apply for an adequacy decision. Consequently, the informal ways in which the EU deals with inquires for an adequacy decision may be susceptible to interferences with Article VI:1 GATS.
The Commission has never issued a negative adequacy decision. However, Australia received a negative adequacy assessment from the Article 29 WP and the four African countries Burkina Faso, Mauritius, Tunisia, and Morocco all received negative adequacy assessments from an academic institution in the EU tasked to research the level of data protection in these countries.Footnote 381 The administration of a measure is not impartial if the application is unfair, biased or prejudiced.Footnote 382 The mentioned example do not show prejudice because there is some form of assessment even if it is not by the same institution for all inquiring countries, and even if it is not followed by a final administrative decision when the preliminary results of the assessment are negative. Article VI:1 GATS does not require the EU to issue negative administrative decisions in order for the EU system for data transfers to be fair with regard to adequacy decisions.Footnote 383
Jennifer Stoddart, Benny Chan, and Yann Joly underline that the ad hoc and discretionary manner in which the Article 29 WP, the EDPB and the Commission seek clarifications and broker deals for adequacy decisions “speaks volumes about the consistency and predictability of adequacy assessments” and therefore seems to be arbitrary at times.Footnote 384 It has also been mentioned above that some countries receive more active support in order to reach an adequacy decision.Footnote 385 Nevertheless, any claim about impartiality here is highly unlikely to succeed because this extra support does not have a significant impact on the overall administration of the EU’s regulation of data transfers with regard to adequacy decisions, but rather on the outcome of the single case in question.Footnote 386 In consequence, I argue that the administration of the EU system for data transfers with regard to the procedures of the adequacy assessment does not interfere with the standards in Article VI:1 GATS.
3.2.1.2 Special Framework Adequacy Decisions
The administration of the EU’s regulation for data transfers also faces a problem with special framework adequacy decisions such as the invalidated Decision 2000/520, the Safe Harbor adequacy decision, or the invalidated Decision (EU) 2016/1250, the Privacy Shield adequacy decision, and Article VI:1 GATS. Special framework adequacy decisions are tailor-made decisions for countries that otherwise would not necessarily qualify for a regular adequacy decision. After the invalidation of the Privacy Shield adequacy decision by the ECJ in Schrems 2, there are no special framework adequacy decisions in force anymore. However, the European Commission already negotiated a new special framework for an adequacy decision with the US and initiated the process to adopt the corresponding adequacy decision.Footnote 387 If this adequacy decision is adopted, then other WTO members that may not necessarily qualify for an adequacy decision either—and have not been able to negotiate such a special framework—could claim that the administration of the EU system for data transfers with regard to special framework adequacy decisions is not compatible with Article VI:1 GATS because it is not impartial. These countries could also claim that there is a significant impact on the overall administration of the EU system for data transfers because the special framework adequacy decisions are an additional mechanism for data transfers which is not available to them.Footnote 388 Accordingly, the administration of the EU’s regulation of data transfers with regard to special framework adequacy decisions would not comply with Article VI:1 GATS.
3.2.1.3 Standard Data Protection Clauses
The administration of the EU’s regulation of data transfers could also have a problem with regard to the standard data protection clauses and Article VI:1 GATS. Control over continuous protection for personal data in relation with standard data protection clauses lies primarily with the supervisory authorities of the EU member states.Footnote 389 Each of them is vested with the power to examine whether data transfers from its home EU member state to a third country on the basis of standard data protection clauses comply with the requirements laid down in the GDPR and the right to continuous protection of personal data in Article 8 CFR. If data transfers do not comply with these requirements, the supervisory authorities must use their corrective powers such as the imposition of a temporary or definitive limitation according to Article 58(2)(f) GDPR or the suspension of data flows to a recipient in a third country according to Article 58(2)(j) GDPR.
There is a risk that some transfers of personal data to a third country on the basis of standard data protection clauses could be permitted in one EU member state but suspended or banned in another depending on whether the responsible supervisory authority had investigated issues surrounding the transfer of personal data to that third country, or had reached a different conclusions regarding the violation of the requirements in the GDPR and Article 8 CFR.Footnote 390 The risk that the approaches taken by the different supervisory authorities can be fragmented is inherent in the decentralized structure for supervision intended by the EU legislator.Footnote 391 That risk is somewhat mediated with the voluntary consistency mechanism in Article 64(2) GDPR, which enables supervisory authorities to request an opinion from the EDPB when deciding to suspend or ban data transfers to a third country. Regular opinions of the EDPB are not legally binding, but they carry considerable weight. It can be expected that supervisory authorities will follow an EDPB opinion regarding the suspension or ban of data transfers to a third country. The EDPB also has the option to adopt a legally binding decision under Article 65(1)(c) GDPR, should a supervisory authority not follow an opinion of the EDPB.Footnote 392 Even though this voluntary mechanism is in place, the risk remains that some transfers of personal data to a third country on the basis of standard data protection clauses could be permitted in one EU member state but suspended or banned in another.
I therefore argue that a fragmented application of the corrective powers of supervisory authorities with regard to data transfers on the basis of standard data protection clauses would allow for a successful claim under the objective and/or impartial standard of Article VI:1 GATS. This is especially true since the assessment of an interference with Article VI:1 GATS may also involve an examination of the impact on the competitive situation due to alleged partiality in the application of a law or regulation.Footnote 393 The voluntary consistency mechanism in Article 64(2) GDPR and the power of the EDPB to adopt a legally binding decision in Article 65(1)(c) GDPR should be used in order to prevent any incompatibility with Article VI:1 GATS.
3.2.1.4 BCRs
The administration of the EU’s regulation of data transfers regarding BCRs and Article VI:1 GATS is not as problematic compared to standard data protection clauses. Control over continuous protection for personal data through BCRs also primarily lies with the supervisory authorities of the EU member states.Footnote 394 The mechanism to approve BCRs allows the responsible supervisory authority the possibility to prohibit data transfers to third countries where interferences with the right to continuous protection for personal data might occur. The approval of BCRs is subject to the mandatory consistency mechanism in Article 63 GDPR.Footnote 395 This mechanism supports a consistent administration of the EU system for data transfers with regard to BCRs that is compatible with Article VI:1 GATS.
3.2.1.5 Derogations
The administration of the EU’s regulation of data transfers regarding derogations under Article 49 GDPR and Article VI:1 GATS is also unproblematic. Andrew D. Mitchell and Jarrod Hepburn have submitted that there is a likelihood that the requirement to obtain consent before transmitting personal information across borders violates the domestic regulation obligation in Article VI GATS.Footnote 396 In their argument they refer to Usman Ahmed and Anupam Chander who in turn have argued that there are difficulties in obtaining consent when it comes to devices that capture information about more than one person.Footnote 397 While it may be a valid point that a framework that requires consent for systematic, structural, and continuous data transfer is unreasonable, the derogations under Article 49 GDPR can only be used for occasional data transfers anyway. Even though Usman and Chander also stated that “[w]e do not typically require a special consent before a consumer purchases a good, or even food, from a foreign source,” a consent requirement is reasonable with regard to occasional data transfers because, contrary to the mentioned examples, the purchase of a service such as supplied by travel agencies, or digital medical diagnosis services, or legal services requires processing of personal data.Footnote 398 The requirement of an agreement from the data subject for occasional data transfers based either on consent according to Article 49(1)(a) GDPR or on a contract according to Article 49(1)(b) GDPR is not unreasonable and therefore compatible with Article VI:1 GATS.
3.2.1.6 Overlapping Requirements
There is an additional element that must be considered when analyzing the administration of the EU’s regulation of data transfers according to Article VI:1 GATS. Svetlana Yakovleva and Kristina Irion have stressed that the regulation of data transfers and the provisions on the geographical scope of application in the GDPR create two sets of overlapping requirements that are not coordinated with each other.Footnote 399 According to Article 3(2)(a) GDPR, the regulation also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU in cases in which the processing activities are related to the offering of services to data subjects in the EU irrespective of whether a payment of the data subject is required.Footnote 400 A service supplier in a WTO member without an adequacy decision whose services require data transfers from the EU must thus potentially comply with the regulation of data transfers and the other rules of the GDPR at the same time. I therefore conclude that the overlapping requirements are reasonable with regard to Article VI:1 GATS.Footnote 401 The safeguards for personal data provided by the EU’s regulation of data transfers are necessary to prevent the circumvention of EU law.Footnote 402 I thus argue that the administration of the EU regulation of data transfers as a measure to prevent the circumvention of EU law taken together with the provisions on the geographical scope of application in the GDPR, does not interfere with accepted standards of rationality and sound judgment.Footnote 403 It is consistent with Article VI:1 GATS.
3.2.2 Judicial, Arbitral or Administrative Mechanisms
Article VI:2(a) GATS relates to the administration of justice.Footnote 404 The requirements for domestic regulation in Article VI:2(a) GATS oblige WTO members to maintain practicable, judicial, arbitral or administrative tribunals or procedures that provide, at the request of an affected service supplier—and where justified—appropriate remedies for administrative decisions affecting trade in services. Potential problems with the administration of justice regarding the EU’s fundamental rights-based regulation of data transfers may occur with regard to adequacy decisions (Sect. 4.3.2.2.1), standard data protection clauses (Sect. 4.3.2.2.2), and BCRs (Sect. 4.3.2.2.3).Footnote 405
3.2.2.1 Adequacy Decisions
Adequacy decisions face a potential problem with Article VI:2(a) GATS. Stefano Saluzzo has submitted that a rejection of an adequacy assessment may not easily be subject to judicial scrutiny in the EU.Footnote 406 Saluzzo has argued that a positive adequacy assessment is adopted in the form of an “implementing act,” the legitimacy of which can be verified by the ECJ, whereas in case of a negative adequacy assessment no formal act is actually made.Footnote 407 There is no right to an adequacy assessment under EU law.Footnote 408 Consequently, there is no obligation for the European Commission to issue a negative adequacy decision under EU law when a third country does not provide an adequate level of protection for personal data. Negative adequacy assessments were/are either issued by the Article 29 WP, the EDPB or an academic institution tasked to research the level of protection for personal data in a third country.Footnote 409 The reports that contain negative adequacy assessments are not legally binding and do not constitute administrative decisions according to Article VI:2(a) GATS. In the absence of an administrative decision, ArticleVI:2(a) GATS does not oblige the EU to maintain review procedures and remedies. There is no interference with Article VI:2(a) GATS.
3.2.2.2 Standard Data Protection Clauses
The procedures surrounding standard data protection clauses satisfy the requirements in Article VI:2(a) GATS. Every natural and legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them based on Article 78(1) GDPR. This also covers a decision of a supervisory authority to impose a temporary or definitive limitation or ban on processing of personal data according to Article 58(2)(f) GDPR or the suspension of data flows to a recipient in a third country according to Article 58(2)(j) GDPR. The proceedings against a supervisory authority must be brought before the courts of the EU member state in which the supervisory authority is established according to Article 78(3) GDPR. There is no interference with Article VI:2(a) GATS.
3.2.2.3 BCRs
The procedures surrounding BCRs satisfy the requirements in Article VI:2(a) GATS. The right of every legal person to an effective judicial remedy against a legally binding decision of a supervisory authority in Article 78(1) GDPR also covers the decisions of a supervisory authority not to approve BCRs. The proceedings against the supervisory authority must be brought before the courts of the EU member state in which the supervisory authority is established according to Article 78(3) GDPR. Where the proceedings are brought against a decision of a supervisory authority which was preceded by an opinion of the EDPB according to the consistency mechanism, such as in the case of the approval of BCRs, the opinion must be forwarded to the responsible court based on Article 78(4) GDPR. In these cases, there is no interference with Article VI:2(a) GATS.
3.2.3 Authorization Requirements
Article VI:3 GATS relates to authorization requirements for the supply of a service on which a specific commitment has been made. Where such authorization requirements are in place, Article VI:3 GATS obliges WTO members to inform applicants of the decision concerning the status of their application. Carla Reyes claims that the regulation of data transfers in the EU interferes with this provision to the extent that countries initially determined to provide inadequate data protection standards remain uninformed of opportunities to rectify their status, and countries for which no determination has been made remain uninformed of the investigation timeline.Footnote 410 This claim is wrong because the regulation of data transfers in the EU does not constitute an authorization requirement for the supply of services.Footnote 411 Article VI:3 GATS does not apply to the EU system for data transfers.
3.2.4 Qualification Procedures, Technical Standards and Licensing Requirements
Article VI:4 and Article VI:5 GATS relate to qualification procedures, technical standards, and licensing requirements. Shin-Yi Peng claims that these paragraphs apply to the rules on the protection of personal data because they constitute technical standards within the meaning of Article VI GATS.Footnote 412 Peng argues that according to WTO negotiating papers, technical standards are measures that lay down the characteristics of a service or the manner in which it is supplied.Footnote 413 The regulation of data transfers in the EU, however, determines how personal data can be transferred from the EU to a third country. While it affects the supply of services, it does not lay down the characteristics of a service or the manner in which it is supplied.Footnote 414 Paragraphs 4 and 5 of Article VI GATS therefore do not apply to the EU system for data transfers.
3.3 Market Access
The market access obligation in Article XVI GATS applies only to the commitments, conditions, and qualifications in the schedule of a WTO member.Footnote 415 In sectors in which the EU has undertaken market access commitments, it need not maintain—unless specified in the schedule—limitations on the number of service suppliers according to Article XVI:2(a) GATS and limitations on the total number of service operations or on the total quantity of service output according to Article XVI:2(c) GATS. The analysis of the EU’s fundamental rights-based regulation of data transfers under the market access obligation requires clarifications regarding the relationship of data localization and market access (Sect. 4.3.3.1). It is only possible to determine an interference with Article XVI:2(a) and (c) GATS when looking at specific examples of services that require systematic, structural, and continuous cross-border flows of personal data (Sect. 4.3.3.2) and specific examples of services that require occasional cross-border flows of personal data (Sect. 4.3.3.3). To complete the picture, it is necessary to mention two options to prevent interference with the market access obligation in Article XVI:2(a) and (c) GATS: the EU could either modify its schedule of commitments or the WTO members could conclude the electronic commerce negotiations with a horizontal provision on the protection of personal data and privacy (Sect. 4.3.3.4).
3.3.1 The Relationship Between Data Localization and Market Access
The relationship between data localization and market access has to be clarified before the obligation in Article XVI GATS can be assessed. When cross-border flows of personal data are restricted, foreign service suppliers are required to store and process personal data on servers located in the EU. It is necessary to clarify whether the supply of services in mode 1 (cross-border) includes the ability to store and process personal data in the territory of the WTO member where the service supplier is located (Sect. 4.3.3.1.1). Furthermore, it is necessary to clarify whether the market access obligation covers both quantitative and qualitative implications of data localization on trade in services (Sect. 4.3.3.1.2).
3.3.1.1 Cross-border Supply of Services and Data Localization
When the regulation of data transfers in the EU leads to a restriction on cross-border flows of personal data to a certain country, foreign service suppliers in that country may not export personal data from the EU and store and process it where they are located. This amounts to a data localization requirement. In that case, foreign service suppliers have to store and process personal data in the EU. Should the supply of services in mode 1 (cross-border) include the ability to store and process personal data in the territory of the WTO member in which the service supplier is located, then the market access obligation in Article XVI:2(a) and (c) GATS is affected by the EU’s regulation of data transfers.
The Scheduling Guidelines of 2001 clarify that under mode 1 the “[s]ervice supplier [is] not present within the territory of the Member.”Footnote 416 The panel in Mexico – Telecoms relied on the explanatory note on scheduling of initial commitments in trade in services, which states that the supply of a service through telecommunications is an example of cross-border supply “since the service supplier is not present within the territory of the Member where the service is delivered.”Footnote 417 This indicates that the cross-border supply of services is not compatible with data localization. Data localization implies a certain presence or operation of the service supplier in the territory of the WTO member where the service is consumed. Daniel Crosby has submitted that where a WTO member makes a full mode 1 commitment, “it may not condition the supply of cross-border services on the services suppliers’ presence or operation within its territory.”Footnote 418
This submission is supported by the fact that the supply of services includes the production, distribution, marketing, sale, and delivery of a service according to the definition in Article XXVIII(b) GATS. The storage and processing of personal data can be essential to produce a service. The supply of services in mode 1 (cross-border) therefore includes the ability to store and process personal data in the territory of the WTO member where the service supplier is located. Trade in services under mode 1 thus covers cross-border flows of personal data required to produce services. Data localization hinders this cross-border supply of services.
3.3.1.2 Quantitative and Qualitative Implications of Data Localization
The implications of data localization for the cross-border supply of services can be either quantitative or qualitative in nature. Market access is a legally defined concept that encompasses a limited set of situations that do not entail qualitative elements.Footnote 419 The AB has maintained that a measure that totally prohibits the supply of a service constitutes a market access limitation according to Article XVI:2(a) and (c) GATS because it effectively limits to zero the number of service suppliers, service operations, and service output.Footnote 420 The focus lies on the numerical or quantitative nature of a measure. A zero quota constitutes a market access limitation that takes the form of a numerical quota.Footnote 421
The regulation of data transfers in the EU, however, is not numerical or quantitative in regard to the supply of services. It does not directly prohibit the supply of services. Rather it relates to cross-border flows of personal data and not to the supply of specific services. Nevertheless, the regulation of data transfers may amount to an indirect prohibition for the supply of a service when cross-border flows of personal data are restricted.Footnote 422 Two types of services that require data transfers need to be distinguished:
-
The first type covers services for which the cross-border flow of personal data is an unavoidable element. In this type, the use of personal data, and the corresponding data flows, are a conditio sine qua non for the supply of those services. This creates an interference with the market access obligation in Article XVI:2(a) and (c) GATS whenever the regulation of data transfers in the EU prevents the performance of a service for which cross-border flows of personal data are an unavoidable element.Footnote 423 In these cases, the data localization amounts to a zero quota because it effectively limits to zero the number of service suppliers, service operations, and service output.
-
The second type covers services which can also be supplied without cross-border flows of personal data. In this type, the use of personal data, and the corresponding data flows, are not unavoidable for the services to be supplied. Such services use personal data, and the corresponding data flows, to improve the quality of the services or to generate additional income. In these cases, the data localization is a qualitative element not encompassed by Article XVI:2(a) and (c) GATS.Footnote 424
3.3.2 Services with Systematic Flows of Personal Data
Some scholars have submitted that the default prohibition on the transfer of personal data from the EU to third countries with inadequate protection effectively constitutes a zero quota violating the market access obligation in Article XVI:2(a) and (c) GATS.Footnote 425 Svetlana Yakovleva, Kristina Irion, and Marija Bartl argue that this submission ignores the availability of other legal mechanisms for data transfers.Footnote 426 They offer a convincing argument, but it needs further differentiation:
In the absence of an adequacy decision, service suppliers may use instruments that provide appropriate safeguards according to Article 46 GDPR for systematic, structural, and continuous cross-border flows of personal data. Nevertheless, this still leaves open situations in which the data exporter has to stop the transfer of personal data from the EU or supervisory authorities in EU member states use their corrective powers and ban or suspend the data transfers in order to comply with the right to continuous protection for personal data in Article 8 CFR. It has to be stressed that the exercise of the powers of supervisory authorities to suspend and prohibit transfers set out in Article 58(2)(f) and (j) of the GDPR is no longer merely an option left to the supervisory authorities’ discretion.Footnote 427 The data exporter and the supervisory authorities are obliged to ensure compliance with the GDPR and the right to continuous protection for personal data. This could increasingly lead to the unavailability of the instruments that provide appropriate safeguards under Article 46 GDPR for certain transfers of personal data to certain third countries in the future. Especially in cases in which measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data are not available.Footnote 428 In this situation, the fundamental rights-based regulation of data transfers in the EU potentially interferes with the market access obligations in Article XVI:2(a) and (c) GATS with regard to services that require systematic, structural, and continuous cross-border flows of personal data.
In addition, the availability of derogations for data transfers in Article 49 GDPR cannot preclude an interference with the market access obligation in Article XVI:2(a) and (c) GATS when the services require systematic, structural, and continuous cross-border flows of personal data. The consent-based derogation in Article 49(1)(a) GDPR and the contract-based derogation in Article 49(1)(b) GDPR are not available are only available for services that require occasional cross-border flows of personal data.
I now turn to analyze whether the following services cannot be supplied through mode 1withouth cross-border flows of personal data: cloud computing services (Sect. 4.3.3.2.1), search engine services (Sect. 4.3.3.2.2), social network services (Sect. 4.3.3.2.3), online advertising services (Sect. 4.3.3.2.4), IoT services (Sect. 4.3.3.2.5), and sharing economy platform services (Sect. 4.3.3.2.6).
3.3.2.1 Cloud Computing Services
When cloud computing is not part of another integrated service, it may constitute trade in services itself. There are three different types of cloud computing services that should be individually classified. IaaS may be classified as “Data processing services” (W/120-1.B.c) while PaaS as well as SaaS may be classified as “Software implementation services” (W/120-1.B.b).Footnote 429 The EU did not schedule any limitations on market access with regard to the cross-border supply of data processing services. Apart from Malta, which remains unbound, the EU member states committed to open their markets to the cross-border supply of data processing services.Footnote 430 The same is true for software implementation services.Footnote 431
It is difficult to determine whether restrictions on structural, continuous, and systematic cross-border flows of personal data amounts to a zero quota for cloud computing services (regardless of the type). Answering this question requires in-depth knowledge of the industry, the technology, and current practices. It is not possible to give a definitive answer here. There are examples for IaaS that do not involve cross-border flows of personal data such as IaaS in support of cloud-based numerical weather prediction.Footnote 432 Yet, restrictions on the free flow of personal data across borders drastically limits the possibilities of foreign cloud computing providers to supply IaaS. Nevertheless, I would argue that it does not amount to a zero quota and an interference with the market access obligation in Article XVI:2(a) and (c) GATS because IaaS would be available for a certain segment of the market that does not require personal data. The limitations on the possibilities of foreign cloud computing providers to supply IaaS will be relevant with regard to the modification of the conditions of competition under the national treatment obligation in Article XVII GATS.
It is less clear whether there are also examples for PaaS or SaaS that do not involve cross-border flows of personal data.Footnote 433 It should be assumed that there is a valid case for a zero quota for PaaS and SaaS when such data flows are prohibited. In these cases, the fundamental rights-based regulation of data transfers in the EU would constitute an interference with the market access obligation in Article XVI:2(a) and (c) GATS.Footnote 434
3.3.2.2 Search Engine Services
Search engine services may be classified as “Data base services” (W/120-1.B.c).Footnote 435 The EU did not schedule any limitations on market access with regard to the cross-border supply of data processing services. Apart from Malta, which remains unbound, the EU member states committed to open their markets to the cross-border supply of data base services.Footnote 436
Systematic, structural, and continuous cross-border flows of personal data are not necessary for the supply of search engine services. For the delivery of search results, it is not absolutely necessary to process personal data.Footnote 437 There are examples of search engines that do not collect any personal data from their users, and accordingly do not depend on personal data flows.Footnote 438 Some search engines use personal data and the corresponding cross-border flows of personal data to improve the quality of their services (targeted search results) and for the supply of other services (online advertising) to generate income. The restriction on the free flow of personal data across borders in such cases is not of numerical or quantitative nature with regard to the supply of services, but a qualitative element not encompassed by Article XVI:2(a) and (c) GATS.
3.3.2.3 Social Network Services
Social network services may also be classified as “Data base services” (W/120-1.B.c).Footnote 439 The EU did not schedule any limitations on market access with regard to the cross-border supply of data processing services. Apart from Malta, which remains unbound, the EU member states committed to open their market to the cross-border supply of data base services.Footnote 440
Systematic, structural, and continuous cross-border flows of personal data are necessary for the supply of social network services. Social networks are platforms on which individuals interact. Even in cases in which individuals are not identifiable for other visitors of a social network, the suppliers of the social network services still necessarily handle personal data. The restriction on the free flow of personal data across borders amounts to a zero quota for social network services because it effectively limits to zero the number of service suppliers, service operations, and service outputs. In these cases, the fundamental rights-based regulation of data transfers in the EU interferes with the market access obligation in Article XVI:2(a) and (c) GATS.
3.3.2.4 Online Advertising Services
Online advertising services may be classified as “Advertising services” (W/120-1.F.a).Footnote 441 The EU did not schedule any limitations on market access with regard to the cross-border supply of advertising services.Footnote 442 All EU member states committed to open their markets to the cross-border supply of advertising services.Footnote 443
Systematic, structural, and continuous cross-border flows of personal data are not necessary for the supply of online advertising services. For the posting of advertisements, it is not absolutely necessary to process personal data.Footnote 444 Some suppliers of online advertising services use personal data and the corresponding data flows to improve the quality of their services (targeted advertising).Footnote 445 The restrictions on the free flow of personal data in such cases is not of a numerical or quantitative nature with regard to the supply of services, but instead a qualitative element that is not encompassed by Article XVI:2(a) and (c) GATS.
3.3.2.5 IoT Services
The first example for IoT services considered above was internet-connected vehicles.Footnote 446 IoT maintenance services of connected vehicles may be classified as “Maintenance and repair of road transport equipment” (W/120-11.F.d). Most EU member states did not schedule any limitation on market access regarding the cross-border supply of maintenance and repair services of road transport equipment. With the exceptions of Cyprus, the Czech Republic, Finland, Lithuania, Latvia, Malta, Poland, Sweden, and the Slovak Republic—which each remain unbound—all other EU member states committed to open their markets to the cross-border supply of maintenance and repair services of road transport equipment.Footnote 447
Systematic, structural, and continuous cross-border flows of personal data are necessary for the supply of IoT maintenance services of connected vehicles. This kind of service would not be possible without the processing of personal data and the corresponding data flows it requires. Consequently, in these cases the fundamental rights-based regulation of data transfers in the EU interferes with the market access obligation in Article XVI:2(a) and (c) GATS.
The second example for IoT services considered above was smart fridges.Footnote 448 Restocking and ordering food are important services pertaining to smart fridges, but they cannot be classified in any sector and subsector of W/120. IoT restocking services for smart fridges is one of the rare examples of a new service not covered by the W/120. Accordingly, no commitments were scheduled, and the EU member states did not commit to open their markets to the cross-border supply of IoT restocking services for smart fridges. There is thus no interference with the market access obligation in Article XVI:2(a) and (c) GATS.
3.3.2.6 Sharing Economy Platform Services
The first example of a sharing economy platform services considered above was the arrangement of lodging.Footnote 449 Digital lodging arrangement platform services may be classified as “Hotel and restaurant” services (W/120-9.A). Most EU member states did not schedule any limitation on market access regarding the cross-border supply of hotel and restaurant services. With the exceptions of Estonia, Finland, and Hungary, which remain unbound, the EU member states committed to open their market to the cross-border supply of hotel and restaurant services.Footnote 450
Systematic, structural, and continuous cross-border flows of personal data are necessary for the supply of digital lodging arrangement platform services. This kind of service would not be possible without the processing of personal data and the corresponding data flows. The service supplier has to connect users with the hosts, and this is not possible without cross-border flows of personal data when the service is supplied across borders. The EU system for data transfers thus interferes with the market access obligation in Article XVI:2(a) and (c) GATS with such restrictions.
The second example considered above of sharing economy platform services related to the arrangement of transportation.Footnote 451 Digital transportation arrangement platform services may be classified as “Passenger transportation” services (W/120-11.F.a). All EU member states remain unbound regarding the cross-border supply of passenger transportation services.Footnote 452 There is no interference with the market access obligation in Article XVI:2(a) and (c) GATS.
3.3.3 Services with Occasional Flows of Personal Data
Occasional cross-border flows of personal data are possible based on contract with Article 49(1)(b) GDPR or based on consent with Article 49(1)(a) GDPR even if the level of protection for personal data is not essentially equivalent to that guaranteed within the EU.Footnote 453 Both derogations require an agreement by the data subject to the risk of the data transfer. Without the agreement of the data subject, the transfer of personal data may not take place. The examples for services that require occasional cross-border flows of personal data include travel agency services, digital medical diagnosis, and legal services.Footnote 454 They are strongly intertwined with the necessary data transfers. In cases in which the data subject rejects the data transfers, they also essentially reject the cross-border supply of such a service.
Gianpaolo Maria Ruotolo has submitted that this cannot be “compatible with the multilateral trading rules, since it leaves to the will of private individuals the possibility for the EU of respecting international trade obligations.”Footnote 455 Ruotolo does not consider, however, the quantitative nature of the market access obligation in Article XVI:2(a) and (c) GATS. The AB maintained that a measure that totally prohibits the supply of a service constitutes a market access limitation because it effectively limits to zero the number of service suppliers, service operations, and service output.Footnote 456 The contract-based and consent-based derogations do not limit to zero the number of service suppliers, service operation, and service output in cases in which the data subject (which is also the consumer of the service in question) agrees to the data transfers. The consumer decides whether they want a service based on the conditions of the service. This is not a zero quota on the number of service suppliers, service operations, and service output. There is no interference with the market access obligation in Article XVI:2(a) and (c) GATS.
3.3.4 Preventing Interferences
There are two options to prevent an interference with the market access obligation in Article XVI:2(a) and (c) GATS. The first option requires the EU to modify its schedule of commitments and include a reservation concerning the EU system for data transfers (Sect. 4.3.3.4.1). The second option requires that the ongoing e-commerce negotiations conclude with an exception for data protection-based restrictions on cross-border flows of personal data (Sect. 4.3.3.4.2).
3.3.4.1 Modification of the Schedule
Each WTO member specified the terms, limitations, and conditions on market access according to Article XX:1(a) GATS when it joined the WTO. Even though the EC was well aware of data protection issues relating to trade in services when it negotiated the GATS, it did not specify any terms, limitations, and conditions on market access with regard to data protection when it joined the WTO. Presumably, the EC was satisfied with the inclusion of the privacy exception in Article XIV GATS and convinced that it could justify any potential inconsistencies of the developing data protection directive with the market access obligation in Article XVI GATS.Footnote 457
WTO members can modify or withdraw a commitment according to the rules in Article XXI GATS, usually by making concessions in the form of compensatory adjustments in other areas. The EU could add a horizontal reservation for compliance with the GDPR and the Charter (including the regulation of data transfers) in the market access column of its schedule.Footnote 458 Should the EU choose to include such a reservation, it has to notify the Council for Trade in Services three months before the intended date of implementation of the modification.Footnote 459 Any WTO member whose benefits under the GATS might be affected by this modification, could then enter into negotiations with the EU regarding necessary compensatory adjustments.Footnote 460 These adjustments would have to be made on an MFN basis.Footnote 461 Without any agreement between the parties on necessary compensatory adjustments, affected WTO members can refer the matter to arbitration.Footnote 462 The findings of the arbitration would be binding for the EU.
Such a modification of the schedule of commitments is nearly unprecedented. The only effort to withdraw a commitment was initiated in 2007 by the US after they lost their case in US – Gambling. The process to find compensatory adjustments is still ongoing.Footnote 463 As long as the general exceptions in Article XIV GATS can justify an interference with the market access obligation, the modification of commitments seems like an unnecessary and potentially risky undertaking. It is not foreseeable which WTO members might seek compensatory adjustments and what form these adjustments might take or how much it would ultimately cost the EU. There is also the chance that WTO members with a bad track record on data protection issues would use this opportunity to demand further commitments.
3.3.4.2 Electronic Commerce Negotiations
It is still unclear if there will be an outcome of the electronic commerce negotiations and what it will look like. Should the position of the EU on cross-border flows of personal data (or a similar one) prevail and WTO members adopt a new provision on the protection of personal data and privacy, this provision could also legitimate interferences with the market access obligation in Article XVI:2(a) and (c) GATS by the EU system for data transfers. Article 2.8(2) of the EU proposal provides that
Members may adopt and maintain the safeguards they deem appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data. Nothing in the agreed disciplines and commitments shall affect the protection of personal data and privacy afforded by the Members’ respective safeguards.Footnote 464
According to this provision, the fundamental rights-based regulation of data transfers in the EU would not affect the market access obligation in Article XVI:2(a) and (c) GATS because nothing in the agreed disciplines and commitments shall affect the protection of personal data and privacy. This provision would amount to a super exception without any chapeau requirements as in Article XIV GATS.
3.4 National Treatment
The national treatment obligation in Article XVII GATS also applies only according to the commitments, conditions, and qualifications in the schedule.Footnote 465 In sectors in which the EU has undertaken national treatment commitments, it must—unless specified in the schedule—accord to foreign services and service suppliers treatment no less favorable than that it accords to like services and service suppliers located in the EU. The analysis of the compatibility of the EU’s regulation of data transfers with the national treatment obligation focuses on adequacy decisions according to Article 45 GDPR (Sect. 4.3.4.1), instruments providing appropriate safeguards in Article 46 GDPR (Sect. 4.3.4.2), and the derogations of Article 49 GDPR (Sect. 4.3.4.3). Just as in the case of interferences with the market access obligation in Article XVI GATS, there are two options to justify an interference with the national treatment obligation in Article XVII GATS. The EU could modify its schedule of commitments or the WTO members could conclude the electronic commerce negotiations with a horizontal provision on the protection of personal data and privacy (Sect. 4.3.4.4).
3.4.1 Adequacy Decisions
Adequacy decisions according to Article 45 GDPR apply equally to cross-border flows of personal data of foreign and domestic service suppliers. Although treatment is identical, adequacy decisions are especially relevant for foreign service suppliers because they need cross-border flows of personal data for the cross-border supply of their services in the EU.Footnote 466
Foreign service suppliers located in a third country with an adequacy decision can use this legal mechanism for their data transfers without any specific authorization. There are no restrictions on the free flow of personal data between the EU and third countries with an adequacy decision. The situation is comparable to the free movement of data on the internal market of the EU.Footnote 467 Competition between foreign and domestic service suppliers is not affected by the EU system for data transfers when a third country has an adequacy decision. There is no interference with the national treatment obligation in Article XVI GATS.
3.4.2 Appropriate Safeguards
The instruments providing appropriate safeguards in Article 46 GDPR also apply equally to foreign and domestic service suppliers for their systematic, structural, and continuous cross-border flows of personal data. Although treatment is identical, the instruments providing appropriate safeguards are especially relevant for foreign service suppliers because they need cross-border flows of personal data for the cross-border supply of their services in the EU. An interference with the national treatment obligation in Article XVII GATS may obviously occur in cases in which instruments providing appropriate safeguards cannot be used (Sect. 4.3.4.2.1) but an interference may also occur in cases in which they can (Sect. 4.3.4.2.2).
3.4.2.1 Appropriate Safeguards Are Not Available
In cases in which foreign service suppliers cannot rely on Article 46 GDPR for their systematic, structural, and continuous cross-border flows of personal data, and the EU has made a positive commitment to grant national treatment, foreign service suppliers are treated less favorably than domestic service suppliers because they have no possibility to make the necessary transfers of personal data.
This is especially true for foreign services and service suppliers for whom cross-border flows of personal data are an unavoidable element. In these cases, there is a modification of the competition between foreign and domestic service suppliers to the detriment of foreign service suppliers when the instruments providing appropriate safeguards in Article 46 GDPR are not available. I thus argue that this constitutes less favorable treatment for foreign service suppliers and thus an interference with the national treatment obligation in Article XVII GATS.Footnote 468 From the list of examples for services that require systematic, structural. and continuous cross-border flows of personal data, this concerns some cloud computing services,Footnote 469 social network services,Footnote 470 IoT maintenance services of connected vehicles,Footnote 471 and digital lodging arrangement platform services.Footnote 472
In the analysis of the market access obligation, I have argued that only the quantitative implications of data localization may lead to an interference with Article XVI GATS because the qualitative implications do not amount to a zero quota for the supply of services. This is different regarding interferences with the national treatment obligation in Article XVII GATS. Foreign service suppliers whose services can also be supplied without cross-border flows of personal data rely on Article 46 GDPR for systemic, structural, and continuous data flows to improve the quality of their services or use them to generate additional income. When the instruments providing appropriate safeguards in Article 46 GDPR are not available, there is consequently a modification of the competition to the detriment of the foreign service suppliers. I thus conclude that this constitutes less favorable treatment and is thus an interference with the national treatment obligation in Article XVII GATS. The relevant examples from the list of services that require systematic, structural, and continuous data transfers highlight how competition is modified to the detriment of the foreign service suppliers. These include: cloud computing service suppliers that cannot offer IaaS to businesses in the EU that require cross-border flows of personal data;Footnote 473 search engines that cannot use cross-border flows of personal data to customize search results for the users and thus lose an important feature;Footnote 474 and online advertising services that cannot use cross-border flows of personal data to individually target advertisements.Footnote 475
3.4.2.2 Appropriate Safeguards Are Available
In cases in which foreign service suppliers can rely on Article 46 GDPR for systematic, structural, and continuous cross-border flows of personal data, and the EU has made a positive commitment to grant national treatment, foreign service suppliers are still treated less favorably than domestic service suppliers because they have to bear a regulatory double burden. Foreign service suppliers must comply with the conditions for instruments providing appropriate safeguards in addition to the other rules of the GDPR. I would argue that this double burden modifies the competition to the detriment of the foreign service suppliers.Footnote 476 These additional compliance efforts translate into additional costs, which domestic service suppliers do not have to bear. This amounts to an interference with the national treatment obligation in Article XVII GATS for all services that require systematic, structural, and continuous cross-border flows of personal data (in cases in which the EU has committed to national treatment).
3.4.3 Derogations
The derogations in Article 49 GDPR also apply equally to foreign and domestic service suppliers. Although treatment is identical, the derogations in Article 49 GDPR especially affect foreign service suppliers because they depend on cross-border flows of personal data for the cross-border supply of their services in the EU. Many foreign service suppliers thus have to rely on the contract-based derogation in Article 49(1)(b) GDPR or the consent-based derogation in Article 49(1)(a) GDPR for the transfer of personal data, while service suppliers located in the EU can rely on a contract according to Article 6(1)(b) GDPR or on consent according to Article 6(1)(a) GDPR as legal bases for the processing of personal data.
The decisive aspect for less favorable treatment is the modification of the competition to the detriment of the foreign service or service supplier.Footnote 477 There is no detrimental modification of the competition for foreign service suppliers with regard to the contract-based derogation. Article 49(1)(b) GDPR simply requires from foreign service suppliers that data transfers must be necessary for the performance of a contract. The principles of purpose limitation in Article 5(1)(b) GDPR and data minimization in Article 5(1)(c) GDPR impose a similar obligation on service suppliers located in the EU. Furthermore, the transparency requirement in Article 5(1)(a) GDPR and the general information duty in Article 13 GDPR—from which the information duty for foreign service suppliers concerning the risks of the data transfers derives—are also applicable to service suppliers located in the EU. I therefore find that the regulation of data transfers in the EU does not distort the existing market conditions and opportunities in favor of domestic service suppliers with regard to the contract-based derogation in Article 49(1)(b) GDPR because both domestic and foreign service suppliers have to comply with essentially the same obligations under the provisions of the GDPR.
However, it is possible to claim that there are detrimental modifications of the competition for foreign service suppliers with regard to the consent-based derogation. Article 49(1)(a) GDPR requires foreign service suppliers to seek explicit consent from the data subject for data transfers, while service suppliers located in the EU can use regular consent for the processing of personal data.Footnote 478 The GDPR requires explicit consent in situations in which particular data protection risks may emerge, and so, a high individual level of control over personal data is important.Footnote 479 The EU legislator has decided that such high risks appear in the context of international data transfers.
This context might suggest the relevance of Footnote 10 to Article XVII:1 GATS. Footnote 10 stipulates that specific commitments assumed under Article XVII:1 GATS shall not be construed to require any WTO member to compensate for any inherent competitive disadvantages which result from the foreign character of the relevant services or service suppliers. The AB stressed in Argentina – Financial Services that the inherent competitive disadvantages caused by the foreign character of the relevant services or service suppliers under Footnote 10 “must be distinguished from the measure’s impact on the conditions of competition in the marketplace.”Footnote 480 With regard to the consent-based derogation, the competitive disadvantage is imposed by the EU’s regulation of data transfers requiring explicit instead of routine consent for data transfers. This amounts to a de facto discrimination not covered by Footnote 10.
In these cases, foreign service suppliers are placed at a disadvantage because of the additional requirement to seek explicit consent. The term “explicit” refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent.Footnote 481 It is evidently an additional burden to obtain such an express statement of consent. The Article 29 WP stated that
[a]n obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future.Footnote 482
It could be argued that this additional burden of seeking explicit consent only has a minimal effect on the conditions of competition. However, the jurisprudence of the WTO adjudicative bodies does not acknowledge such a de minimis standard for the national treatment obligation. Two panels rejected arguments suggesting that the minimal effect of less favorable treatment should be taken into account.Footnote 483
Nevertheless, it must be stressed that service suppliers can always rely on the contract-based derogation in Article 49(1)(b) GDPR that complies with the national treatment obligation in Article XVII GATS. From the perspective of examples like travel agencies, digital medical diagnosis, and legal services, the contract-based derogation seems to be an appropriate legal mechanism for the necessary cross-border flows of personal data. Moreover, the whole fundamental rights-based regulation of data transfers in the EU must be seen as the measure affecting trade in service. The availability of a practical alternative within the derogations for occasional data flows thus prevents the distortion of the market conditions in favor of domestic service suppliers. It is unclear whether the WTO adjudicating bodies would follow such an interpretation. The panel in Canada – Autos stated that
The less favourable treatment of imported products which is the result of the denial of the advantage in case of sale or use of imported products is not negated by the fact that the advantage may also be obtained by other means than sale or use of domestic products.Footnote 484
In spite of this, I conclude that there is no interference with the national treatment obligation in Article XVII GATS based on the fact that the EU’s regulation of data transfers as a whole guarantees equality of opportunities to compete in the EU market for both foreign and domestic service suppliers.
3.4.4 Preventing Interferences
There are also two possible ways to prevent interferences with the national treatment obligation. The first option requires the EU to modify its schedule of commitments and to include a reservation concerning the EU system for data transfers. The second option requires the ongoing e-commerce negotiations to conclude with an exception for data protection-based restrictions on cross-border flows of personal data.Footnote 485
In addition to what has been outlined above, it is necessary in the case of the national treatment obligation to refer to Article XX:2 GATS:
Measures inconsistent with both Articles XVI and XVII shall be inscribed in the column relating to Article XVI. In this case the inscription will be considered to provide a condition or qualification to Article XVII as well.
It has been shown that the regulation of data transfers in the EU can be inconsistent with both the market access obligation in Article XVI GATS and the national treatment obligation in Article XVII GATS. To remedy this inconsistency, it would be sufficient to add a horizontal reservation for compliance with the GDPR and the Charter (including the regulation of data transfers) in the market access column of the EU’s schedule of commitments.Footnote 486
3.5 Summary
Two types of interferences with GATS obligations caused by the EU regulation of data transfers can be distinguished. The first type relates to countries without an adequacy decision where the instruments providing appropriate safeguards generally can be used for data transfers. These countries could raise the following three claims:
-
Adequacy decisions interfere with the MFN treatment obligation because the EU does not accord treatment no less favorable to services and service suppliers from WTO members without an adequacy decision.
-
Special framework adequacy decisions––should one be adopted again (e. g. the Transatlantic Data Privacy Framework between the EU and the US)––interfere with the domestic regulation obligation. Until now, special framework adequacy decisions were negotiated with third countries that would otherwise not qualify for an adequacy decision. This is not impartial and has a significant impact on the overall administration of the EU’s regulation of data transfers.
-
Instruments providing appropriate safeguards interfere with the national treatment obligation in cases in which the EU has made specific commitments. Foreign services and service suppliers must comply with the conditions of the instruments providing appropriate safeguards in addition to the other rules of the GDPR.
The second type of interference relates to countries without an adequacy decision where the instruments providing appropriate safeguards generally cannot be used for data transfers. These countries could raise the following four claims:
-
The restriction on the use of instruments providing appropriate safeguards interferes with the MFN treatment obligation because the EU does not accord treatment no less favorable to services and service suppliers from WTO members which cannot profit from these instruments.
-
The use of corrective powers by supervisory authorities may lead to an interference with the domestic regulation obligation when it results in a fragmentation of EU member states’ policies regarding data transfers. Such fragmentation contradicts the standard of objective and/or impartial administration of a measure.
-
The restriction on the use of instruments providing appropriate safeguards interferes with the market access obligation when a service that is covered by the EU’s market access commitments cannot be supplied without systematic, structural, and continuous cross-border flows of personal data. The restriction then amounts to a zero quota because it effectively limits to zero the number of service suppliers, service operations, and service output.
-
The restriction on the use of instruments providing appropriate safeguards also interferes with the national treatment obligation because it modifies the conditions of competition to the detriment of foreign services and service suppliers.
4 The Regulation of Data Transfers as a Justifiable Trade Barrier
The interferences with GATS obligations caused by the EU fundamental rights-based regulation of data transfers are subject to exceptions in the GATS. These exceptions may justify the trade barriers erected by the EU. The analysis shows, however, that the economic integration exception in Article V GATS (Sect. 4.4.1) and the security exceptions in Article XIV bis GATS (Sect. 4.4.2) can only be used in certain circumstances. Moreover, the confidentiality exception in Paragraph 5(d) of the Annex on Telecommunications does not cover interferences of the GATS at all (Sect. 4.4.3). The justification focuses on the privacy exception in Article XIV(c)(ii) GATS (Sect. 4.4.4).
4.1 Economic Integration Exception
The departure from the MFN treatment obligation may be justified under the economic integration exception in Article V GATS.Footnote 487 Interferences with the MFN treatment obligation can be assessed in terms of economic integration based on trade agreements. However, it must be noted that an adequacy decision alone does not qualify as an agreement liberalizing trade in services under Article V GATS (Sect. 4.4.1.1). The first interference with the MFN treatment obligation relates to less favorable treatment for services and service suppliers in a WTO member without an adequacy decision. Only under particular circumstances can such an interference be justified under Article V GATS (Sect. 4.4.1.2). The second interference with the MFN treatment obligation relates to less favorable treatment for services and services suppliers in a WTO member where instruments providing appropriate safeguards cannot be used. Such interferences can be difficult to justify under Article V GATS (Sect. 4.4.1.3). Finally, the EU common market cannot be used to justify interferences with the MFN treatment obligation under Article V GATS (Sect. 4.4.1.4).
4.1.1 Adequacy Decisions Are Not Economic Integration Agreement
Adequacy decisions do not constitute an agreement liberalizing trade in services. Instead, they are unilateral acts of the EU and while they may have a liberalizing effect, they do not correspond to the logic of Article V GATS that requires the opening of service sectors to the supply of services in the four modes. Adequacy decisions only concern the transfer of personal data and do not specifically cover the supply of services. Adequacy decisions alone therefore do not qualify for the economic integration exception in Article V GATS.
4.1.2 Adequacy Decision and Economic Integration Agreements
Adequacy decisions are often adopted for third countries that also have some form of an economic integration agreement with the EU. For example, Andorra is a European microstate and widely integrated into the EU common market through an association agreement. Switzerland is also partly integrated in the common market through an array of bilateral agreements; and Japan, Canada, South Korea, and Israel as well as the UK have all concluded trade agreements with the EU.
The first condition in Article V:1(a) GATS requires that all economic integration agreements liberalizing trade in services must have substantial sectoral coverage. The second condition in Article V:1(b) GATS demands the elimination of substantially all discrimination in the sectors covered by granting national treatment to the contracting parties. Adequacy decisions are a tool for the EU to comply with Article V:1(b) GATS because they eliminate national treatment discrimination among services and service suppliers that require cross-border flows of personal data.Footnote 488 Where an adequacy decision was taken for a country that also has an economic integration agreement covering trade in services with the EU, the interference with the MFN treatment obligation could be covered with the requirement to comply Article V:1(b) GATS.
Nevertheless, not all adequacy decisions have been tied to some form of economic integration agreement with the EU. For example, Uruguay and the EU concluded negotiations of a trade agreement at the end of 2019, but the agreement is not yet ratified. Moreover, New Zealand and the EU only started negotiations for a trade agreement in 2018. Furthermore, the partial integration of Switzerland in the common market does not cover trade in services.Footnote 489 Consequently, interferences with the MFN treatment obligation involving these states cannot be justified on the basis of the economic integration exception in Article V GATS.
4.1.3 Appropriate Safeguards and Economic Integration Agreements
Contrary to adequacy decisions, instruments providing appropriate safeguards do not eliminate national treatment discrimination with regard to services and service suppliers that require cross-border flows of personal data.Footnote 490 It is much more difficult to satisfy the second condition in Article V:1(b) GATS concerning the elimination of substantially all discrimination in the sectors covered, by granting national treatment to the contracting parties without an adequacy decision. In addition, there will always be states without an economic integration agreement with the EU. Interferences with the MFN treatment obligation involving these states cannot be justified on the basis of the economic integration exception in Article V GATS.
4.1.4 The Common Market of the EU
Some scholars have argued that the EU common market could be used under the economic integration exception in Article V GATS to justify interferences with the MFN treatment obligation in Article II GATS (Sect. 4.4.1.4.1) and the national treatment obligation in Article XVII GATS (Sect. 4.4.1.4.2).
4.1.4.1 Most-Favored Nations Treatment Violations
Some scholars have implied that the EU common market could be used to justify the interferences with the MFN treatment obligation caused by the EU regulation of data transfers under Article V GATS.Footnote 491 However, there seems to be a misunderstanding about the underlying interference with the MFN treatment obligation that needs to be justified. In their explanations, Kristina Irion, Svetlana Yakovleva and Marija Bartl refer to a situation where an EU measure would “accord less favorable treatment to a WTO Member State as compared to an EU Member State.”Footnote 492 Similarly, Federica Velli refers to an interference of the MFN treatment obligation in cases in which an EU member state accords treatment less favorable to services and service suppliers of a non-EU WTO member than that it accords to like services and service suppliers of another EU member state.
What these scholars fail to consider in their arguments is that such a scenario—an EU member state interferes with the MFN treatment obligation because of its less favorable treatment of a non-EU WTO member compared to another EU member state—is only possible if the measure at issue is attributed to the EU member state and not to the EU itself. From the perspective of EU law, it is clear that Article 16 TFEU is the legal basis of the GDPR and that Chapter V GDPR consolidates the legal mechanisms for the transfer of personal data to third countries on the level of the EU. From the perspective of WTO law however, the international responsibility of the EU vis-à-vis that of its member states is decisive. Pursuant to Article 6(1) ARIO complaints that concern the legal acts of EU institutions are regularly attributable to the EU.Footnote 493 The GDPR is a legal act of the EU. Consequently, the regulation of data transfers is a measure that is attributable to the EU—and not to the member states—under international law. An EU member state cannot be liable under the MFN treatment obligation for treating other EU member states differently than non-EU WTO members on the basis of the GDPR or the Charter. This also extends to decisions of supervisory authorities in the EU member states to suspend or prohibit data transfers because those powers are based on EU law.Footnote 494 The interferences with the MFN treatment obligation concern situations between two non-EU states.Footnote 495 The common market therefore does not provide a justification under the economic integration exception in Article V GATS in these situations.
4.1.4.2 National Treatment Violations
It is controversial whether Article V GATS may be used to justify interferences with GATS obligations other than the MFN treatment obligation.Footnote 496 Svetlana Yakovleva and Kristina Irion submit that the economic integration exception in Article V GATS also applies to interferences with the national treatment obligation, but they do not substantiate how.Footnote 497
However, interferences with the national treatment obligations based on economic integration agreements should be settled according to the procedures under Article XXI GATS. If the members of an economic integration agreement withdraw or modify specific market access or national treatment commitments they have previously made in the area of services, then the procedures under Article XXI GATS require consultations and negotiations with the affected parties regarding compensation.Footnote 498 This implies that interferences with the national treatment obligation cannot find justification under Article V GATS. Such an interpretation is supported by the fact that Article V:5 GATS specifically refers to the procedures of Article XXI GATS if, in the conclusion of an economic integration agreement, a WTO member intends to withdraw or modify a specific scheduled commitment. A representative of Japan also stressed this point in a meeting of the Committee on Regional Trade Agreements:
With regard to paragraph 5 and the chapeau of GATS Article V:1, her delegation considered that the scope of the exemptions granted to EIAS [economic integration agreements] included MFN obligations, but did not include other general obligations of the GATS.Footnote 499
In addition, the panel in Canada – Autos stressed that “it is worth recalling that Article V provides legal coverage for measures taken pursuant to economic integration agreements, which would otherwise be inconsistent with the MFN obligation in Article II.”Footnote 500 Based on these considerations, I argue that the economic integration exception in Article V GATS cannot justify interferences with the national treatment obligation.
4.2 Security Exceptions
The security exceptions allow for the justification of interferences with obligations in the GATS caused by the EU regulation of data transfers only under very particular circumstances. Article XIV bis(1)(b)(iii) GATS requires that the security measure be taken in a time of war or other emergency in international relations. The use of corrective powers by supervisory authorities might meet this requirement if it is made in time of an emergency in international relations. The other interferences with obligations in the GATS identified above cannot satisfy the chronological concurrence that is necessary for a security justification under Article XIV bis(1)(b)(iii) GATS.Footnote 501
The panel in Russia – Traffic in Transit defined an emergency in international relations as “a situation of armed conflict, or of latent armed conflict, or of heightened tension or crisis, or of general instability engulfing or surrounding a state.”Footnote 502 There would have to be a very specific situation for the EU to be able to invoke this exception. The situation disclosed by Edward Snowden in the US could be an example. If a massive surveillance program is revealed in a WTO member, it could be possible to qualify it as a situation of heightened tension or crisis. Should a supervisory authority react and use its corrective powers to ban or suspend data transfers, it might be interpretable as a measure taken in a time of an emergency in international relations. However, if it is known for a long period of time that there is massive surveillance program in a WTO member, it would not be possible to qualify it as a situation of heightened tension or crisis to justify measures under Article XIV bis(1)(b)(iii) GATS.
A measure must also be considered necessary for the protection of essential security interests according to Article XIV bis(1)(b)(iii) GATS. It is incumbent on the invoking WTO member to articulate the essential security interests and to demonstrate their veracity.Footnote 503 What qualifies as a sufficient level of articulation will depend on the situation.Footnote 504 The panel in Russia – Traffic in Transit considered that
the less characteristic is the ‘emergency in international relations’ invoked by the Member, i.e. the further it is removed from armed conflict, or a situation of breakdown of law and public order (whether in the invoking Member or in its immediate surroundings), the less obvious are the defence or military interests, or maintenance of law and public order interests, that can be generally expected to arise. In such cases, a Member would need to articulate its essential security interests with greater specificity than would be required when the emergency in international relations involved, for example, armed conflict.Footnote 505
Following the Snowden example, the EU would have to articulate its essential security interests with great specificity because governmental surveillance in a third country is far removed from armed conflict. The panel in Russia – Traffic in Transit underlined that “essential security interests” is a narrower concept than security interests and may be understood “to refer to those interests relating to the quintessential functions of the state, namely, the protection of its territory and its population from external threats, and the maintenance of law and public order internally.”Footnote 506
Marina Francesca Ferracane has submitted that as long as the surveillance activities do not result in unauthorized access of confidential government, military or critical information that can undermine the sovereignty of third countries, these activities cannot be considered to pose a direct threat to national security.Footnote 507 Similarly, Bruce Schneier finds that it is necessary to distinguish between surveillance and espionage.Footnote 508 While cyber espionage may be related to national security, cyber surveillance is more likely a law enforcement issue.Footnote 509 Only in cases in which governmental surveillance in the respective WTO member also involves cyber espionage would it be possible to claim an essential national security interest.
It must also be underlined that it might not be in the interest of the EU and its member states to use the security exceptions to justify their fundamental rights-based regulation of data transfers in WTO dispute settlement, or in general discourse. Doing so opens the door for other WTO members to do the same for their data transfer regulation, which might not be as deeply rooted in the protection of fundamental rights but rather used as a protectionist tool.
4.3 Confidentiality Exception
The confidentiality exception in Paragraph 5(d) of the Annex on Telecommunications only justifies interferences with the provisions in the Annex on Telecommunications. The Annex recognizes that its provisions relate to and build upon the obligations and disciplines contained in the GATS.Footnote 510 Paragraph 1 of the Annex on Telecommunications explicitly states that the Annex provides notes and supplementary provisions to the GATS. Consequently, interferences with the GATS cannot be justified with the confidentiality exception in Paragraph 5(d) of the Annex on Telecommunications.
Should the EU not be successful with the argument that its regulation of data transfers does not directly restrict the use of the internet but only the movement of certain types of information, it can resort to the confidentiality exception in Paragraph 5(d) of the Annex on Telecommunications for interferences with the annex. The exception, however, must be construed narrowly without referring to privacy or data protection considerations.Footnote 511 If the EU is found to restrict the use of the internet for the movement of information across borders because of surveillance practices in a WTO member that compromise the integrity of messages, then the confidentiality exception is available as a justification as long as the restriction is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade in services.
4.4 General Exceptions
The general exceptions in Article XIV GATS are often used to justify interferences with GATS obligations.Footnote 512 The interpretation of the general exceptions has become the core mechanism in WTO law to distinguish between domestic measures that are legitimate and those that are protectionist.Footnote 513 It is important that the aspect of the measure that gives rise to an interference with a GATS obligation is the same as the one addressed under Article XIV GATS.Footnote 514 A respondent may not justify the inconsistency of a measure by basing its defense on aspects of a measure different from those that were found to be inconsistent with the GATS.Footnote 515 The different interferences with GATS obligations caused by the EU fundamental rights-based regulation of data transfers must therefore be justified independently from each other.Footnote 516 This section analyzes the justification for interferences with the MFN treatment obligation (Sect. 4.4.4.1), the domestic regulation obligation (Sect. 4.4.4.2), the market access obligation (Sect. 4.4.4.3), and the national treatment obligation (Sect. 4.4.4.4).
4.4.1 Interference with the MFN Treatment Obligation
The aspects of the EU regulation of data transfers that interfere with the MFN treatment obligation in Article II GATS can be provisionally justified under the privacy exception in Article XIV(c)(ii) GATS (Sect. 4.4.4.1.1),Footnote 517 but they encounter challenges under the chapeau of Article XIV GATS (Sect. 4.4.4.1.2).
4.4.1.1 Privacy Exception
Interferences with the MFN treatment obligation must be justified under the privacy exception in Article XIV(c)(ii) GATS. The first interference considered takes place because service suppliers in WTO members without adequacy decisions must rely on the instruments providing appropriate safeguards for their transfers of personal data (Sect. 4.4.4.1.1.1). The second interference considered takes place because service suppliers in WTO members cannot rely on the instruments providing appropriate safeguards either and thus have to use the derogations for their transfers of personal data (Sect. 4.4.4.1.1.2).
4.4.1.1.1 Adequacy Decisions Versus Appropriate Safeguards
The first interference with the MFN treatment obligation in Article II GATS takes place because service suppliers in WTO members without adequacy decisions must use the instruments providing appropriate safeguards for their transfers of personal data. This treats these WTO members unfavorably compared to states with adequacy decisions. The privacy exception requires a demonstration that the respective measure is designed to secure compliance with laws that are not in themselves inconsistent with the GATS.Footnote 518 Panels have previously followed a three-step approach, whereby the WTO member invoking such a defense must
(i) identify the laws and regulations with which the challenged measure is intended to secure compliance, and prove that (ii) those laws and regulations are not in themselves inconsistent with WTO law; and (iii) that the measure challenged is designed to secure compliance with those laws or regulations.Footnote 519
First, adequacy decisions in Article 45 GDPR are intended to secure compliance with the GDPR and the right to continuous protection for personal data in Article 8 CFR.Footnote 520 Second, the GDPR and the right to continuous protection of personal data in Article 8 CFR are consistent with WTO law. The panel in Argentina – Financial Services stated that “a Member’s legislation shall be presumed WTO-consistent until proven otherwise.”Footnote 521 The AB added in its review of Argentina – Financial Services that “there may be circumstances in which the GATS-inconsistency of certain provisions of a legal instrument could affect or taint the GATS-consistency of other parts of the same instrument or of the instrument as a whole.”Footnote 522 I thus argue on this basis that the GDPR and the right to continuous protection of personal data in Article 8 CFR can be presumed to be WTO-consistent and that potential inconsistencies of the GDPR do not affect the GDPR as a whole.Footnote 523 Third, it has been shown above that adequacy decisions are designed to comply with the right to data protection in Article 8 CFR.Footnote 524
Furthermore, the privacy exception requires that a measure is necessary to secure such compliance.Footnote 525 This entails an in-depth and holistic weighing and balancing exercise of the relationship between the inconsistent measure and the relevant laws.
In particular, this element entails an assessment of whether, in the light of all relevant factors in the ‘necessity’ analysis, this relationship is sufficiently proximate, such that the measure can be deemed to be ‘necessary’ to secure compliance with such laws or regulations.Footnote 526
The balancing must take into account the importance of the objective pursued, the measure’s contribution to that objective, and the trade restrictiveness of a measure.Footnote 527 The AB underlined that the greater a measure’s contribution to the end pursued, the more easily a measure might be considered to be necessary.Footnote 528 The assessment of trade restrictiveness is similar.Footnote 529 A measure with a relatively small impact on trade might more easily be considered necessary than a measure with intense or broader restrictive effects.Footnote 530 But balancing also requires a comparison between the challenged measure and possible alternatives.Footnote 531 The AB clarified that a measure can only be necessary “if there were no alternative measure consistent with the General Agreement, or less inconsistent with it.”Footnote 532 It is up to the complaining party to identify reasonably available alternative measures that achieve the same level of protection with respect to the objective pursued.Footnote 533 The AB explicitly underlined that a reasonably available alternative measure “must be a measure that would preserve for the responding Member its right to achieve its desired level of protection.”Footnote 534 In turn, the responding party must demonstrate why it does not consider the proposed alternative measure to be appropriate.Footnote 535
Compliance with the right to continuous protection of personal data is the objective of an adequacy decision. This objective must be considered of the utmost importance because it is a constituent part of the fundamental right to data protection in Article 8 CFR.Footnote 536 Adequacy decisions directly contribute to continuous protection for personal data.Footnote 537 At the same time, the trade restrictiveness of using instruments providing appropriate safeguards instead of an adequacy decision as the legal basis for transfers of personal data is low because instruments providing appropriate safeguards also allow structural, systemic, and continuous cross-border flows of personal data. The interference with the MFN treatment obligation based on adequacy decisions versus appropriate safeguards should therefore satisfy the necessity test in Article XIV(c)(ii) GATS.
Aaditya Mattoo and Joshua P. Meltzer do not share this conclusion. They argue instead that
the Privacy Shield may be used to show that such flexible negotiated agreements are able to achieve the EU’s desired level of privacy protection in a way that is less trade restrictive than the Commission’s relatively rigid approach to determining the (lack of) adequacy of India’s privacy regime.Footnote 538
This submission cannot be supported. In cases in which the compliance of a measure with its objective is high and the trade restrictiveness is low, necessity can be assumed without resorting to reasonably available alternatives. In addition, Decision (EU) 2016/1250, the Privacy Shield adequacy decision, was invalidated exactly because it did not achieve the EU’s desired level of protection.
Should the adjudicative bodies of the WTO nevertheless resort to an assessment of alternative measures and suggest that special framework adequacy decisions, such as the Privacy Shield, constitute a measure that is less inconsistent with the GATS, the EU could argue that such special frameworks do not constitute a measure that is reasonably available in all cases.Footnote 539 The adoption of special framework adequacy decisions could be impossible in cases in which the WTO members have a level of protection for personal data that is much lower than in the EU.
However, it is possible that the WTO adjudicative bodies would find that special framework adequacy decisions would still be available for other WTO members. The AB held in China – Publications and Audiovisual Products that
an alternative measure should not be found not to be reasonably available merely because it involves some change or administrative costs [...] Rather, in order to establish that an alternative measure is not ‘reasonably available’, the respondent must establish that the alternative measure would impose undue burden on it, and it must support such an assertion with sufficient evidence.Footnote 540
The EU could argue that negotiating that many special framework adequacy decisions would be an undue burden. Again, it is possible that the WTO adjudicative bodies would find that efforts to adopt special framework adequacy decisions are not an undue burden for the EU, but a legitimate change to the adequacy-based system of data transfers that comes with certain administrative costs. In that case, the interference with the MFN treatment obligation would not satisfy the necessity test in Article XIV(c)(ii) GATS. Nevertheless, it must be underlined one more time that necessity should be assumed here because the compliance of the measure with its objective is high and trade restrictiveness is low.
4.4.1.1.2 Appropriate Safeguards Versus Derogations
The second interference with the MFN treatment obligation in Article II GATS occurs when services and service suppliers in WTO members cannot rely on adequacy decisions or the instruments providing appropriate safeguards and have to use the derogations for their transfers of personal data. The first task to justify the interference is demonstrating that the measure in question is designed to secure compliance with laws that are not in themselves inconsistent with the GATS.Footnote 541 The instruments providing appropriate safeguards in Article 46 GDPR are intended to secure compliance with the other provisions of the GDPR and the right to continuous protection for personal data in Article 8 CFR.Footnote 542 Consequently, the instruments providing appropriate safeguards may be considered as attempting to secure compliance with laws consistent with WTO law. Importantly, the AB underlined in Argentina – Financial Services that
[a] measure can be said ‘to secure compliance’ with laws or regulations when its design reveals that it secures compliance with specific rules, obligations, or requirements under such laws or regulations, even if the measure cannot be guaranteed to achieve such result with absolute certainty.Footnote 543
This is especially important with regard to the instruments providing appropriate safeguards because the compliance with the right to continuous protection of personal data in Article 8 CFR heavily depends on the awareness of the data exporter and the supervisory authorities’ use of their corrective powers and, therefore, cannot be guaranteed to achieve such result with absolute certainty.
The second task to justify the interference is to verify that the measure in question is necessary to secure such compliance.Footnote 544 The instruments providing appropriate safeguards must be attributed a lower level of compliance with the right to continuous protection of personal data than adequacy decisions because the responsibility for compliance lies with the data exporter and control over the compliance is decentralized.Footnote 545 At the same time, the effect on trade restrictiveness between appropriate safeguards and the derogations is greater than between adequacy decisions and appropriate safeguards because structural, systemic, and continuous cross-border flows of personal data are not possible with the derogations. This may result in a zero quota for certain services.Footnote 546 This interference with the MFN treatment obligation therefore requires an additional analysis to determine if there are reasonably available alternative measures that are consistent with the GATS and still achieve the same level of protection for personal data.
Some scholars have submitted—without going into much detail—that the necessity of data transfer rules could be successfully challenged if the complaining party claims that there are less restrictive alternatives, such as the principle of accountability, which has been adopted in Canada and many Asia-Pacific Economic Community (APEC) states.Footnote 547 It is important to bear in mind, however, that this interference with the MFN treatment obligation takes place because the instruments providing appropriate safeguards cannot guarantee the right to continuous protection of personal data that is transferred from the EU to a WTO member. Consequently, the principle of accountability cannot constitute an alternative measure because it is not the legal mechanism for data transfers that is the problem. Rather, it is the level of protection for personal data in the non-EU WTO member that is the problem. Should a level of protection that is essentially equivalent to that guaranteed within the EU not be available for the transfer of personal data to the non-EU WTO member, then the principle of accountability would not be sufficient in itself to comply with the right continuous protection of personal data.Footnote 548
Carla Reyes has argued that using technology to enforce data protection laws would increase compliance and decrease the impact on international trade.Footnote 549 It is unclear however to what extent technological measures would be considered as reasonably available alternatives by the WTO adjudicative bodies. Should the adjudicative bodies choose to consider technological measures as reasonably available measures, then the EU may attempt to show that technological measures do not allow it to achieve the level of protection it requires and, therefore, cannot be a genuine alternative.Footnote 550 The EDPB already provided guidance on the limitations of technological solutions to comply with the right to continuous protection of personal data in Article 8 CFR.Footnote 551 For example, the EDPB stated that if a data exporter transfers personal data to a cloud service provider which requires access to the data in the clear in order to execute the task assigned and the power granted to the public authorities of the recipient country to access transferred data (such as for surveillance purposes) goes beyond what is necessary and proportionate in a democratic society, then the “current state of the art [is] incapable of envisioning an effective technical measure to prevent that access from infringing on data subject rights.”Footnote 552 The EDPB added that in the given scenario,
where unencrypted personal data is technically necessary for the provision of the service by the processor, transport encryption and data-at-rest encryption even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys.Footnote 553
This assessment must be taken into account by the WTO adjudicative bodies when they consider technological measures as reasonably available alternatives. It is difficult to say if the WTO adjudicative bodies would deviate from the guidelines provided by the EDPB. The explicit reference to the EU’s desired level of protection in the guidelines––an essentially equivalent level of protection––indicates that a deviation would have to be justified with great effort and in-depth technological assessments, also with regard to the regime of government access to the transferred personal data in the respective WTO member. There is much to suggest that such technological measures would not be considered reasonably available alternatives. The interference with the MFN treatment obligation should therefore satisfy the necessity test in Article XIV(c)(ii) GATS.
4.4.1.2 Chapeau
Any interference with the MFN treatment obligation based on adequacy decisions (Sect. 4.4.4.1.2.1) and appropriate safeguards (Sect. 4.4.4.1.2.2) must also satisfy the chapeau requirements of Article XIV GATS.
4.4.1.2.1 Adequacy Decisions Versus Appropriate Safeguards
The examination under the chapeau requires an assessment of whether the conditions prevailing in the countries between which the measure allegedly discriminates are the same. The AB has underlined that only conditions that are relevant for the purpose of establishing arbitrary or unjustifiable discrimination in the light of the specific character of the measure should be considered.Footnote 554 In particular, conditions relating to the policy objective under the applicable subparagraph of Article XIV GATS are relevant.Footnote 555 It can be assumed that for the purposes of privacy in the digital sphere, the same conditions prevail in all WTO members. The impact of the processing of personal data of individuals can be expected to be the same regardless of the physical location of the individual. Similarly, the AB confirmed the panel’s finding in Brazil – Retreaded Tyres “that the health impact of remoulded tyres imported from MERCOSUR countries and their European counterparts can be expected to be comparable.”Footnote 556 In contrast, Neha Mishra focuses on the “regulatory culture of privacy” in different WTO members to establish same conditions.Footnote 557 The reports of the WTO adjudicative bodies, however, do not support such a focus on the regulatory culture when establishing same conditions for the purposes of the chapeau.
In cases in which the same conditions prevail, the analysis of whether discrimination is arbitrary or unjustifiable within the meaning of the chapeau must focus on the cause of the discrimination, or the rationale put forward to explain its existence.Footnote 558 The AB relied on a number of factors in making this determination:
(i) a ‘rigid and unbending requirement’ that countries exporting shrimp into the United States must adopt a regulatory programme that is essentially the same as the United States' programme; (ii) the fact that the discrimination resulted from the failure to take into account different circumstances that may occur in the territories of other WTO Members, in particular, specific policies and measures other than those applied by the United States that might have been adopted by an exporting country for the protection and conservation of sea turtles; and (iii) the fact that, while the United States negotiated seriously with some WTO Members exporting shrimp into the United States for the purpose of concluding international agreements for the protection and conservation of sea turtles, it did not do so with other WTO Members.Footnote 559
In addition, one of the most important factors in the assessment of arbitrary or unjustifiable discrimination is the question of whether the discrimination can be reconciled with—or is rationally related to—the policy objective with respect to which the measure has been provisionally justified under the paragraphs of Article XIV GATS.Footnote 560 In US – Shrimp, the AB highlighted that the measure treated shrimp caught using methods identical to those employed in the US differently from shrimp caught in the US or other certified countries, solely because they have been caught in the waters of countries that have not been certified by the US.Footnote 561 The AB found that this discrimination was “difficult to reconcile with the declared policy objective of protecting and conserving sea turtles.”Footnote 562 Another important factor in the assessment of arbitrary or unjustifiable discrimination is the question of whether the application of the measure at issue allows for any inquiry into the appropriateness of the regulatory program given the conditions prevailing in the concerned countries.Footnote 563
An interference with the MFN treatment obligation based on adequacy decisions seems to satisfy many of the factors for finding arbitrary or unjustifiable discrimination. Third countries must adopt a regulatory program for the protection of personal data that is essentially the same as in the EU and there is not much flexibility regarding the level of protection for personal data when it comes to regular adequacy decisions. In this regard, it is important to note that all WTO members should have the same opportunities to obtain an adequacy decision.
First, the assessment must be the same for all WTO members. This is why many adequacy decisions underline in the recitals that
any decision based on Article 25(6) of Directive 95/46/EC should be made and enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail, nor constitute a disguised barrier to trade, regard being had to the Community's present international commitments.Footnote 564
However, as has been noted, there are some content-related inconsistencies between the different existant adequacy assessments.Footnote 565 This could be problematic under the standards of the chapeau depending on the extent of these inconsistencies. In spite of this, the mandatory review process in Article 45(9) GDPR of the older adequacy decisions under the GDPR addresses such inconsistencies because the legal requirements in the GDPR are much more detailed than they were in Directive 95/46/EC. The GDPR simply does not leave room for such inconsistencies anymore.
Second, the EU must undertake a serious, good faith effort to assess the level of a country’s data protection measures when formally asked for an adequacy decision by a WTO member. Here, the AB also underlined that
rigorous compliance with the fundamental requirements of due process should be required in the application and administration of a measure which purports to be an exception to the treaty obligations of the Member imposing the measure and which effectively results in a suspension pro hac vice of the treaty rights of other Members.Footnote 566
In US – Shrimp the AB criticized the US for not providing formal notice for a denied application nor an explanation of the reasons for the denial.Footnote 567 This was compounded by the fact that the US further offered no formal legal procedure for reviewing or appealing a denial.
I would argue that an assessment of a country’s level of protection for personal data by an independent EU institution such as the Article 29 WP or the EDPB would constitute a serious, good faith effort to assess the level of data protection in a third country. An external non-governmental assessment—such as the ones conducted by the Research Centre on IT and Law at the University of Namur (CRID) for Burkina Faso, Mauritius, Tunisia, and Morocco in 2010—might not be enough because the findings are not legitimated by an official governmental institution. At the same time, an opinion of the Article 29 WP or the EDPB cannot be reviewed or appealed. Nevertheless, it provides a detailed explanation of the reasons for the denial of an adequacy finding that should be sufficient.
It is necessary to distinguish the situation adjudicated in US – Shrimp from hypothetical situations concerning the EU’s personal data protection regime. The effect of the measure in US – Shrimp was “a rigid and unbending standard by which United States officials determine whether or not countries will be certified, thus granting or refusing other countries the right to export shrimp to the United States.”Footnote 568 In contrast to this, the interferences with the MFN treatment obligation caused by EU adequacy decisions still allow structural, systematic, and continuous cross-border flows of personal data on the basis of Article 46 GDPR and cannot be construed as an export prohibition.Footnote 569 The trade restrictive effect of the measure is not comparable in the EU case and therefore the implicit due process standards of the chapeau should be satisfied. As long as every WTO member asking for an adequacy decision receives an assessment by the EDPB, the interference with the MFN treatment obligation caused by EU adequacy decisions does not amount to arbitrary or unjustifiable discrimination under the chapeau.Footnote 570
With regard to the prohibition on disguised restrictions on trade, the AB acknowledged that it is often difficult to prove the hidden factors marking a disguised protectionist measure: “Although it is true that the aim of a measure may not be easily ascertained, nevertheless its protective application can most often be discerned from the design, the architecture, and the revealing structure of a measure.”Footnote 571
An interference with the MFN treatment obligation based on adequacy decisions could be considered a disguised restriction on trade if WTO members interested in obtaining an adequacy decision do not receive any kind of assessment of their level of protection for personal data. In sum, I find that there is no disguised restriction on international trade in cases in which a third country is subject to an assessment of the EDPB.
The chapeau analysis will be different when a special framework adequacy decision—such as the invalidated Decision (EU) 2016/1250, the Privacy Shield adequacy decision—is in force. Currently, there are no special framework adequacy decisions in force, but the EU started the process of adopting a new special framework adequacy decision for the US covering the Transatlantic Data Privacy Framework.Footnote 572 The AB clarified in US – Shrimp (Article 21.5 – Malaysia) that the chapeau does not require the conclusion of an agreement in order to avoid arbitrary or unjustifiable discrimination.Footnote 573 Rather, it is simply necessary that all countries be provided with similar opportunities.Footnote 574 Accordingly, the EU is bound to provide all countries with similar opportunities to negotiate a special framework adequacy decision if the EU adopts a new one. The standard of a good faith effort to negotiate a special framework adequacy decision would need to be assessed against the efforts made in the special framework adequacy decisions in force, or former special framework decisions.Footnote 575 Comparable resources must be invested, and comparable energy must be devoted.Footnote 576 This would set a high standard given the efforts made by the European Commission to negotiate the Privacy Shield or the Transatlantic Data Privacy Framework with the US. Should the EU once again adopt a special framework adequacy decision, it would amount to an interference with the MFN treatment obligation if the EU does not provide all WTO members with similar opportunities.Footnote 577
4.4.1.2.2 Appropriate Safeguards Versus Derogations
The interference with the MFN treatment obligation based on the instruments providing appropriate safeguards in Article 46 GDPR amounts to an export prohibition for certain services.Footnote 578 Such an interference with the MFN treatment obligation may occur in cases in which supervisory authorities in EU member states make use of their corrective powers to ban or suspend data transfers in order to safeguard the right to continuous protection for personal data in Article 8 CFR. In these cases, the EU would be able to make a prima facie case that there is no arbitrary or unjustifiable discrimination for two reasons. First, the interference with the MFN treatment obligation can be reconciled with the measure’s policy objective under Article XIV(c)(ii) GATS. Second, the due process requirements are fulfilled because any decision of supervisory authorities can be subject to judicial review. Nevertheless, two scenarios are imaginable that could still lead to arbitrary or unjustifiable discrimination:
-
The first scenario relates to inconsistencies among the supervisory authorities of different EU member states. For example, if the French supervisory authority prohibits a Chinese service supplier to use “instruments providing appropriate safeguards,” but the Dutch supervisory authority does not. This divergence is not reconcilable with the policy objective of securing compliance with the right to continuous protection of personal data in Article 8 CFR. A scenario like this is possible when supervisory authorities do not coordinate the use of their corrective powers for data transfers, for example by using the voluntary consistency mechanism in Article 64(2) GDP, or when they do not implement the results of the voluntary consistency mechanism, in which case the EDPB could still issue a legally binding decision according to Article 65(1)(c) GDPR.Footnote 579
-
The second scenario relates to inconsistencies regarding the actions of a single supervisory authority in comparable situations. This scenario would arise if for example the French supervisory authority prohibits a Chinese service supplier to transfer personal data from the EU to China on the basis of Article 46 GDPR because of fundamental rights considerations, but at the same time a Russian service supplier is still allowed to transfer personal data from the EU to Russia on the basis of Article 46 GDPR when similar fundamental rights concerns exist with regard to those data transfers. The complainant would have to show that the data transfers to Russia on the basis of Article 46 GDPR would undermine the declared policy objective of securing compliance with the right to continuous protection of personal data in Article 8 CFR.
Should a complainant be able to show the existence of either scenario, it might be possible to rebut the EU’s prima facie case of consistency. In such cases, interferences with the MFN treatment obligation based on the instruments providing appropriate safeguards in Article 46 GDPR would amount to arbitrary or unjustifiable discrimination under the chapeau.
With regard to the standard of disguised restriction on trade, the the EU could make a prima facie case for compliance by referring to the independence of supervisory authorities according to Article 8(3) CFR.Footnote 580 Where supervisory authorities use their corrective powers in reaction to a complaint lodged with them, there cannot be a disguised restriction on international trade. Where they use their corrective powers on their own initiative, a complainant would have to show that the relevant decision was not motivated by the protection of the right to continuous protection for personal data in Article 8 CFR.
4.4.2 Interference with the Domestic Regulation Obligation
One aspect of the EU regulation of data transfers that interferes with the domestic regulation obligation in Article VI GATS can be provisionally justified under the privacy exception in Article XIV(c)(ii) GATS (Sect. 4.4.4.2.1), but it does not satisfy the requirements of the chapeau in Article XIV GATS (Sect. 4.4.4.2.2).
4.4.2.1 Privacy Exception
Interferences with the domestic regulation obligation must be provisionally justified under the privacy exception in Article XIV(c)(ii) GATS. The first type of interference occurs because special framework adequacy decisions are usually negotiated with a WTO member that would otherwise not qualify for an adequacy decision (Sect. 4.4.4.2.1.1). The second type of interference occurs when the use of corrective powers by different EU member supervisory authorities results in a fragmentation of conditions for the use of instruments providing appropriate safeguards in Article 46 GDPR across the EU (Sect. 4.4.4.2.1.2).
4.4.2.1.1 Interference Based on Special Framework Adequacy Decisions
The first type of interference has a significant impact on the overall administration of the EU regulation of data transfers because it essentially introduces an additional legal mechanism for data transfers that is not available to all WTO members. To justify this interference, it must be demonstrated that the respective measure is designed to secure compliance with the GDPR and the right to continuous protection of personal data in Article 8 CFR.Footnote 581 The ECJ has invalidated both of the special framework adequacy decisions that the European Commission has negotiated so far. The most important reason for the invalidations was that the decisions did not comply with the right to continuous protection for personal data in Article 8 CFR. It is therefore not even entirely clear whether these special framework adequacy decisions would have satisfied the first standard.
Furthermore, it must be demonstrated that the respective measure is necessary to secure compliance with the GDPR and the right to continuous protection of personal data in Article 8 CFR.Footnote 582 This requires a weighing and balancing test. It must take into account the importance of the objective pursued, the measure’s contribution to that objective, and the trade restrictiveness of the measure.Footnote 583 Securing compliance with the right to continuous protection for personal data is of the utmost importance because it is a constituent part of the fundamental right to data protection in Article 8 CFR. If a special framework adequacy decision is actually found to secure compliance with the right to continuous protection for personal data, it can be assumed that its contribution to that objective is high. Moreover, the trade restrictiveness of special framework adequacy decisions is not very high because instruments providing appropriate safeguards also allow structural, systemic, and continuous cross-border flows of personal data. If a specific special framework adequacy decision actually complies with the right to continuous protection of personal data in Article 8 CFR, the interference with the MFN treatment obligation should satisfy the necessity test in Article XIV(c)(ii) GATS.
4.4.2.1.2 Interference Based on Corrective Powers of Supervisory Authorities
The second type of interference with the domestic regulation obligation occurs when the use of corrective powers by supervisory authorities results in a fragmentation among EU member states of the conditions for data transfers using instruments providing appropriate safeguards in Article 46 GDPR. Supervisory authorities must use their corrective powers to safeguard the right to continuous protection of personal data. The corrective powers are designed to secure compliance with the right to continuous protection of personal data. This objective is of the utmost importance.Footnote 584 While the use of the corrective powers is essential for the compliance with the right to continuous protection of personal data, the trade restrictiveness of a fragmentation among EU member states as regards the conditions for data transfers with instruments providing appropriate safeguards is quite high. Consequently, reasonably available alternative measures must be assessed.
The ECJ has addressed the issue of fragmentation in in Schrems 2.Footnote 585 Here the Court highlighted that the voluntary consistency mechanism in Article 64(2) GDPR enables supervisory authorities to request an opinion from the EDPB when deciding whether to suspend or ban data transfers to a third country.Footnote 586 The ECJ also emphasized the possibility for the EDPB in Article 65(1)(c) GDPR to adopt a legally binding decision, should a supervisory authority not follow an opinion of the EDPB.Footnote 587 However, the consistency mechanism in Article 64(2) GDPR is not a water-tight solution because it is voluntary. A requirement to use the mandatory consistency mechanism in Article 64(1) GDPR would be a reasonably available alternative measure that is consistent with the GATS because it guarantees the impartial application of these powers and preserves for the EU its right to achieve the desired level of data protection. Supervisory authorities must already communicate a draft decision to the EDPB for an opinion when they approve BCRs based on Article 64(1)(f) GDPR. The list for the mandatory consistency mechanism in Article 64(1) GDPR would have to be extended with decisions to ban or suspend data transfers according to Article 58(2)(f) and (j) GDPR. Should the use of corrective powers by supervisory authorities lead to an interference with Article VI:1 GATS because the voluntary consistency mechanism could not prevent the fragmentation among EU member states for the use of instruments providing appropriate, it cannot be considered necessary for the purposes of Article XIV(c)(ii) GATS.
4.4.2.2 Chapeau
Any interference with the domestic regulation obligation in Article VI GATS based on special framework adequacy decisions must also be justified under the chapeau of Article XIV GATS. The analysis of whether discrimination is arbitrary or unjustifiable within the meaning of the chapeau must focus on the cause of the discrimination, or the rationale put forward to explain its existence.Footnote 588 I have shown above that an interference with the MFN treatment obligation in Article II GATS based on special framework adequacy decisions amounts to arbitrary or unjustifiable discrimination in cases in which other WTO members do not have similar opportunities to negotiate such a special framework for an adequacy decision. The same is true for the interference with the impartiality standard in Article VI:1 GATS. As long as special framework adequacy decisions are in force and the EU does not provide all WTO members with similar opportunities to negotiate such a solution, the interference with the domestic regulation obligation based on special framework adequacy decisions constitutes arbitrary and unjustifiable discrimination and cannot be justified under the chapeau of Article XIV GATS.
4.4.3 Interference with the Market Access Obligation
Interferences with the market access obligation in Article XVI:2(a) and (c) GATS can be provisionally justified under the privacy exception in Article XIV(c)(ii) GATS (Sect. 4.4.4.3.1) and the EU can also make a prima facie case of consistency with the chapeau of Article XIV GATS (Sect. 4.4.4.3.2).
4.4.3.1 Privacy Exception
There is an interference with the market access obligation in Article XVI:2(a) and (c) GATS in cases in which supervisory authorities restrict the cross-border flow of personal data and structural, systematic, and continuous cross-border flows of personal data are a necessary element of the cross-border supply of a service covered by the EU’s market access commitments.Footnote 589 First, it must be demonstrated that the respective measure is designed to secure compliance with the GDPR and the right to continuous protection of personal data in Article 8 CFR.Footnote 590 I have concluded above that the use of corrective powers by supervisory authorities is designed to secure compliance with the right to continuous protection for personal data in Article 8 CFR.Footnote 591
Second, it must be demonstrated that the respective measure is necessary to secure compliance with the GDPR and the right to continuous protection of personal data in Article 8 CFR. The weighing and balancing test must take into account the importance of the objective pursued, the measure’s contribution to that objective, and the trade restrictiveness of the measure.Footnote 592 The objective of securing compliance with the right to continuous protection for personal data is of the utmost importance and the use of corrective powers by supervisory authorities is essential for compliance with the right to continuous protection for personal data. Nevertheless, the trade restrictiveness of the interference with the market access obligation in Article XVI:2(a) and (c) GATS is high because the use of corrective powers results in a zero quota for the services at issue. Consequently, reasonably available alternative measures must be assessed.
In contrast to the interference with the domestic regulation obligation, the mandatory consistency mechanism in Article 64(1) GDPR does not constitute a reasonably available alternative measure that could mediate the interference with Article XVI:2(a) and (c) GATS. Nor could the principle of accountability constitute an alternative measure.Footnote 593 In addition, the corrective powers in Article 58(2)(f) and (j) GDPR already foresee temporary measures in cases where non-compliance with the right to continuous protection for personal data can be improved. I conclude that there are no reasonably available alternative measures and that therefore the use of corrective powers by supervisory authorities can be provisionally justified under the privacy exception in Article XIV(c)(ii) GATS.
4.4.3.2 Chapeau
Interferences with the market access obligation in Article XVI:2(a) and (c) GATS must also be justified under the chapeau of Article XIV GATS. The analysis of whether discrimination is arbitrary or unjustifiable within the meaning of the chapeau must focus on the cause of the discrimination, or the rationale put forward to explain its existence.Footnote 594 The EU would be able to make a prima facie case that there is no arbitrary or unjustifiable discrimination for two reasons. First, the use of the corrective powers by supervisory authorities can be reconciled with the policy objective under Article XIV(c)(ii) GATS. Supervisory authorities make use of their corrective powers to ban or suspend data transfers in cases in which data exporters infringe the right to continuous protection for personal data in Article 8 CFR. Second, the due process requirements are satisfied because all decisions of the supervisory authorities are subject to judicial review.
Nevertheless, two scenarios could still lead to arbitrary or unjustifiable discrimination. First, when a complainant successfully shows that supervisory authorities in different EU member states maintain different regimes for services and service suppliers for the same WTO member. Second, when a complainant successfully shows that a single supervisory authority in an EU member state selectively uses its corrective powers to discriminate against certain WTO members.
The EU would also be able to make a prima facie case that there is no disguised restriction on trade by referring to the independence of supervisory authorities according to Article 8(3) CFR.Footnote 595 Only when a complainant can successfully show that the use of the corrective powers by supervisory authorities is not motivated by the protection of the right to continuous protection for personal data can there be a finding of disguised restrictions on international trade.
4.4.4 Interference with the National Treatment Obligation
Finally, the aspects of the EU regulation of data transfers that interfere with the national treatment obligation in Article XVII GATS can also be provisionally justified under the privacy exception in Article XIV(c)(ii) GATS (Sect. 4.4.4.4.1) and the chapeau of Article XIV GATS (Sect. 4.4.4.4.2).
4.4.4.1 Privacy Exception
Interferences with the national treatment obligation must be provisionally justified under the privacy exception in Article XIV(c)(ii) GATS. The first interference is based on the instruments providing appropriate safeguards in Article 46 GDPR because foreign service suppliers must comply with the conditions of their use in addition to the other rules in the GDPR (Sect. 4.4.4.4.1.1). The second interference is based on the use of the corrective powers of supervisory authorities (Sect. 4.4.4.4.1.2).
4.4.4.1.1 Interference Based on Appropriate Safeguards
It must be demonstrated that the use of instruments providing appropriate safeguards in Article 46 GDPR is designed to secure compliance with the GDPR and the right to continuous protection of personal data in Article 8 CFR.Footnote 596 These instruments must be attributed a lower level of compliance with the right to continuous protection of personal data than adequacy decisions. At the same time, the trade restrictiveness of an interference with the national treatment obligation is not very high. The use of the instruments in Article 46 GDPR is a regulatory burden, but they still allow structural, systematic, and continuous data transfers. It is thus not clear whether it is necessary to look into alternative measures that are reasonably available and achieve the same level of protection with respect to the objective pursued.
Should the adjudicative bodies of the WTO decide to look into alternative measures, it seems sensible to address the principle of accountability again with regard to the national treatment obligation.Footnote 597 The scholars who submit that it could present a less restrictive alternative refer to a text by Christopher Kuner from 2009: “An Alternative Standard for International Data Transfers.”Footnote 598 In this text, Kuner argues that it is necessary to investigate what legal mechanisms could ensure that data exporters remain accountable and responsible for data processing once personal data have been transferred outside the EU. He suggests that “[t]his might include reliance on liability concepts under national law, or use of data transfer mechanisms that are already recognized, such as BCRs or the use of standard contractual clauses for International Data Transfers.”Footnote 599 This scholarship overlooks the fact that the instruments in Article 46 GDPR––which also existed under Directive 95/46/EC––already work with the principle of accountability. The contractual solutions foreseen in Article 46 GDPR include liability concepts. For example, BCRs have to specify the liability by the data exporter established on the territory of an EU member state for any breaches of the BCRs by any member of the group of enterprises not established in the EU according to Article 47(2)(f) GDPR and Clause 6 of the standard data protection clauses adopted with Decision 2010/87/EU also entail detailed rules on liability. I thus argue that there are no alternative measures that are reasonably available and achieve the same level of protection with respect to the right to continuous protection for personal data. The interference with the national treatment obligation based on instruments providing appropriate safeguards therefore satisfies the necessity test in Article XIV(c)(ii) GATS.
4.4.4.1.2 Interference Based on Corrective Powers of Supervisory Authorities
The second interference with the national treatment obligation is based on the use of corrective powers by supervisory authorities. To justify this interference, it must be demonstrated that the respective measure is designed to secure compliance with the GDPR and the right to continuous protection of personal data in Article 8 CFR.Footnote 600 Furthermore, it must be demonstrated that the respective measure is necessary to secure such compliance. The corrective powers are designed to secure compliance with the right to continuous protection of personal data but because of the trade restrictiveness of the decision of a supervisory authority to use corrective powers to suspend or ban data transfers to a third country is high, reasonably available alternative measures must be assessed.
I submit that there are no alternative measures that would achieve the same level of protection. The GDPR itself already entails a scaled set of corrective powers in Article 58(2)(f) and (j) GDPR. A supervisory authority may only suspend data transfers according; it may impose a temporary limitation or ban on data transfers; and it may impose a definitive limitation or ban on data transfers. The national treatment violation caused by the corrective powers of supervisory authority would therefore satisfy the necessity test in Article XIV(c)(ii) GATS.
4.4.4.2 Chapeau
Interferences with the national treatment obligation in Article XVII GATS based on appropriate safeguards (Sect. 4.4.4.4.2.1) and the corrective powers of supervisory authorities (Sect. 4.4.4.4.2.2) must also be justified under the chapeau of Article XIV GATS.Footnote 601
4.4.4.2.1 Interference Based on Appropriate Safeguards
The EU would be able to make a prima facie case that there is no arbitrary or unjustifiable discrimination in the interference with the national treatment obligation based on the instruments providing appropriate safeguards in Article 46 GDPR. The interference can be reconciled with the policy objective under Article XIV(c)(ii) GATS. The transfer of personal data presents a risk for individuals in the EU because information about them leaves the EU where the GDPR applies and can be enforced. This is the rationale of the discrimination because in contrast, domestic services and service suppliers do not necessarily require data transfers.
The EU would also be able to make a prima facie case that there is no disguised restriction on international trade because services and service suppliers in the EU must also use these instruments when they transfer personal data to a third country. Accordingly, the interference with the national treatment obligation can be justified under the chapeau of Article XIV GATS.
4.4.4.2.2 Interference Based on Corrective Powers of Supervisory Authorities
The EU would also be able to make a prima facie case that there is no arbitrary or unjustifiable discrimination in the interference with the national treatment obligation based on the corrective powers of supervisory authorities. Supervisory authorities make use of their corrective powers to ban or suspend data transfers where data exporters infringe the right to continuous protection for personal data in Article 8 CFR.
Nevertheless, a complainant could, as Svetlana Yakovleva and Kristina Irion suggest, try to rebut the prima facie case and argue that the EU applies double standards when it comes to foreign internet surveillance.Footnote 602 Should supervisory authorities—and ultimately the ECJ—require a higher standard for internet surveillance in third countries than applicable for the EU member states, then the interference with the national treatment obligation based on the corrective powers of supervisory authorities would amount to arbitrary and unjustifiable discrimination. Such a double standard could not be reconciled with the policy objective with respect to which the measure has been provisionally justified under the paragraphs of Article XIV GATS. However, I showed above that there are no double standards for foreign internet surveillance and the EU member states are bound to comply with the same requirements as third countries.Footnote 603
The EU would also be able to make a prima facie case that there is no disguised restriction on trade by referring to the independence of supervisory authorities according to Article 8(3) CFR.Footnote 604 Only when a complainant can successfully show that the use of corrective powers by supervisory authorities is not motivated by the protection of the right to continuous protection on personal data can there be a finding of a disguised restriction on international trade. The interference with the national treatment obligation caused by the corrective powers of supervisory authorities can therefore be justified under the chapeau of Article XIV GATS.
4.5 Summary
The justification of interferences with GATS obligations caused by the EU’s fundamental rights-based regulation of personal data focuses on the general exceptions in Article XIV. The economic integration exception in Article V GATS could be relevant to justify interferences with the MFN treatment obligation if the EU concluded a trade agreement with every country that has an adequacy decision. The security exception in Article XIV bis GATS is only relevant in situations of heightened tension or crisis. Finally, the confidentiality exception in Paragraph 5(d) of the Annex on Telecommunications can only justify interferences with the provisions of the annex.
I find that most of the interferences with GATS obligations can be provisionally justified under the general exceptions in Article XIV GATS. Only one interference fails provisional justification under the privacy exception in Article XIV(c)(ii) GATS: The interference with the domestic regulation obligation in Article VI:1 GATS caused by a fragmented application of the corrective powers of different supervisory authorities among EU member states. The trade restrictiveness of such a fragmentation is high. Subjecting the decisions of supervisory authorities to a mandatory consistency mechanism in Article 64(1) GDPR could be a reasonably available alternative measure that is consistent with the GATS because it guarantees the impartial application of these powers and preserves for the EU its right to achieve its desired level of protection for personal data.
In addition, some of the provisionally justified interferences fail the assessment under the chapeau of Article XIV GATS:
-
The interference with the MFN treatment obligation based on regular adequacy decisions amounts to arbitrary or unjustifiable discrimination should a WTO member that asks for an adequacy decision not receive an assessment by the EDPB concerning the level of protection for personal data.
-
The interference with the MFN treatment obligation as well as the interference with the domestic regulation obligation caused by special framework adequacy decisions—if and when a new special framework adequacy decision comes into force (e.g. the Transatlantic Data Privacy Framework with the US)—also amounts to arbitrary or unjustifiable discrimination insofar as the EU does not provide all WTO members with similar opportunities to negotiate a special framework adequacy decision.
-
The interference with the market access obligation based on restrictions to use the instruments providing appropriate safeguards in Article 46 GDPR amounts to arbitrary or unjustifiable discrimination if different supervisory authorities in different EU member states maintain different regimes for service supplies in the territory of the same WTO member, or if a single supervisory authority in an EU member state selectively uses its corrective powers for certain WTO members and not for others and thereby undermines the right to continuous protection of personal data.
5 Conclusion
The rules of the multilateral trading system of the WTO can be used as proxies to distinguish legitimate regulation from protectionism. When applied to the EU’s fundamental rights-based regulation of data transfers, they allow for the legal assessment of the line between data protection and data protectionism. The analysis above shows that the regulation of data transfers is largely compatible with WTO law. Seven interferences with obligations in the GATS have been identified. Most of them are justifiable under the privacy exception in Article XIV(c)(ii) GATS. The history of the privacy exception shows that the EC negotiated the WTO’s trade agreement on services with great foresight. The EC pushed for the adoption of a privacy exception during the negotiations of the GATS with a view to its future data protection framework. Nevertheless, some aspects of the EU system for data transfers need further attention because they may not be justifiable under the privacy exception in Article XIV(c)(ii) GATS.
The first aspect concerns the application of adequacy decisions. Adequacy decisions interfere with the MFN treatment obligation in Article II:1 GATS. The AB maintained that the chapeau of the general exceptions demands “rigorous compliance with the fundamental requirements of due process.”Footnote 605 This includes formal notice for a denial of an application or an explanation of the reasons for the denial.Footnote 606 This interference with the MFN treatment obligation would amount to arbitrary or unjustifiable discrimination under the chapeau should a WTO member ask the EU for an adequacy decision and not receive an assessment by the EDPB. In order to comply with WTO law, the European Commission must ask the EDPB for an assessment of the level of protection for personal data in a third country when a third country asks for an adequacy decision, or, alternatively, issue a negative adequacy decision itself.
The second aspect concerns special framework adequacy decisions such as the invalidated Decision (EU) 2016/1250, the Privacy Shield adequacy decision. Special framework adequacy decisions are often tailor-made solutions for countries that otherwise would not qualify for a regular adequacy decision. They interfere with the MFN treatment obligation and the impartiality standard of the domestic regulation obligation. Should a new special framework adequacy decision come into force, this interference would amount to arbitrary or unjustifiable discrimination under the chapeau if the EU does not provide all WTO members with similar opportunities to negotiate a special framework for an adequacy decision. To comply with WTO law, the European Commission will have to stop negotiating special framework adequacy decision unless it is ready to initiate such negotiations with all interested WTO members. Since the EU already works towards adopting a special framework adequacy decision for the Transatlantic Data Privacy Framework with the US, an unjustifiable violation of the MFN treatment obligation is foreseeable.Footnote 607
The third aspect concerns the administration of the corrective powers of supervisory authorities. The ECJ confirmed that supervisory authorities must suspend or ban transfers of personal data in cases in which the right to continuous protection of personal data in Article 8 CFR cannot be guaranteed and the data exporter refuses to take action.Footnote 608 The suspension or ban of data transfers may lead to an interference with the MFN treatment obligation and the market access obligation. These interferences amount to arbitrary or unjustifiable discrimination under the chapeau if the administration of the corrective powers is inconsistent. For example, when supervisory authorities in different EU member states maintain different regimes for services and service suppliers in the same WTO member, or when a supervisory authority in an EU member state selectively uses its corrective powers for data transfers to certain WTO members and not for data transfers to other WTO members where similar deficiencies regarding data protection exist, and the selective use of the corrective powers thereby undermines the right to continuous protection of personal data. Such a fragmented use of the corrective powers of supervisory authorities also interferes with the impartiality standard of the domestic regulation obligation. The interference does not satisfy the necessity test of the privacy exception. Currently, supervisory authorities are not obliged to coordinate the use of their corrective powers. They may use the voluntary consistency mechanism in Article 64(2) GDPR to ask for an opinion from the EDPB, which all supervisory authorities should then implement. A requirement to use the mandatory consistency mechanism in Article 64(1) GDPR would be a reasonably available alternative measure that is consistent with the GATS because it guarantees the impartial application of these powers and preserves for the EU its right to achieve the desired level of protection. This would require a change in the GDPR. Supervisory authorities must be aware that they are responsible for complying with WTO law and use their corrective powers accordingly.
With regard to the interferences with the market access obligation and the interferences with the national treatment obligation, it is important to note that allegations that the EU maintains a higher standard for internet surveillance in third countries than applicable for EU member states do not challenge the compliance of the regulation of data transfers with the chapeau of the general exceptions. There are no double standards for foreign internet surveillance. The EU member states are bound to comply with the same requirements as third countries in the assessment of their level of protection for personal data.Footnote 609
From the perspective of WTO law, the design of the EU system for data transfers does not constitute data protectionism. However, the analysis has revealed that the European Commission and the supervisory authorities in the EU member states must make sure the system is applied without protectionist side effects. The Commission must treat third countries equally when it comes to adequacy assessments and the supervisory authorities must coordinate their corrective powers and use them consistently in the same or similar situations. Lastly, special framework adequacy decisions should not be adopted as WTO law would then require the EU to offer the same possibilities to all other WTO members.
Notes
- 1.
- 2.
Burri (2019), p. 86.
- 3.
For early predictions of the importance of these electronic highways for trade in services see Drake and Nicolaidis (1992), p. 48 with further references in fn. 19.
- 4.
A pilot survey of the UNCTAD included Costa Rica (39%), India (57%), the US (over 50%), and the EU (52% or 56% when excluding intra-EU trade). UNCTAD (2015), pp. 4–5.
- 5.
See WTO (2019a), pp. 14–15.
- 6.
- 7.
Chander and Le (2015), p. 680.
- 8.
See Ferracane (2017), p. 3.
- 9.
See Sect. 3.1.4.1.
- 10.
- 11.
So-called data brokers collect and sell information about individuals. Yakovleva and Irion (2018), p. 17.
- 12.
- 13.
See Sect. 4.3.3.
- 14.
Urs Gasser and John Palfrey also provide a more specific definition for cloud computing: “A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (for example networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” Gasser and Palfrey (2012), p. 142.
- 15.
- 16.
See ECJ, Google Spain and Google, para. 43.
- 17.
Ibid., paras 51, 56. See also ECJ, Google v. CNIL, para. 50.
- 18.
Weber and Burri (2012), p. 115.
- 19.
See IHC, Schrems 2, para. 35.
- 20.
Urquhart et al. (2019), p. 6.
- 21.
CNIL (2017), p. 6.
- 22.
Hamari et al. (2016), p. 2047.
- 23.
Article 29 WP (2018c), p. 8.
- 24.
Blouin et al. (2006), pp. 203–207.
- 25.
The principles of data protection should not apply to anonymous information according to Recital (26) GDPR, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
- 26.
If these services are not used sporadically when health issues arise but regularly or on an ongoing way, such data flows will be systematic as well.
- 27.
Susskind (2013), p. 26.
- 28.
Collins (2019), p. 89.
- 29.
- 30.
GATT Secretariat (1991).
- 31.
- 32.
UN (1991).
- 33.
- 34.
- 35.
- 36.
WTO AB Report, Canada – Autos, para. 151.
- 37.
- 38.
WTO AB Report, EC – Bananas III, para. 220.
- 39.
Saluzzo (2017), p. 818.
- 40.
WTO Panel Report, EC – Bananas III, para. 7.285.
- 41.
- 42.
- 43.
WTO Panel Report, EC – Bananas III, para. 7.298.
- 44.
Many WTO members continue to apply the exemptions they listed. They argue that Paragraph 6 Annex on Article II Exemptions does not explicitly forbid their continuous application. The reviews of the Council for Trade in Services did not result in any finding that a listed exemption was no longer justified.
- 45.
See Yakovleva and Irion (2016), p. 197 fn. 46.
- 46.
WTO AB Report, Argentina – Financial Services, para. 6.29.
- 47.
Ibid.
- 48.
- 49.
GATT (1970), para. 18.
- 50.
WTO AB Report, Argentina – Financial Services, para. 6.32; WTO Panel Report, EC – Bananas III, para. 7.322.
- 51.
Ibid.
- 52.
- 53.
- 54.
- 55.
Wolfrum (2008), p. 88.
- 56.
Krajewski (2003), p. 59.
- 57.
WTO Panel Report, US – Gambling, para. 6.316.
- 58.
Ibid.
- 59.
See ibid., para. 6.432; Krajewski (2008), p. 167.
- 60.
First, Article VI:3 GATS does not apply to the EU’ system for data transfers because it not an authorization requirement for the supply of services. See Yakovleva and Irion (2016), p. 205. Contra Reyes (2011), p. 20. Second, Article VI:4 and 5 GATS do not apply to the EU regulation of data transfers either because it is not a technical standard in the sense of a measure that lays down the characteristics of a service or the manner in which it is supplied. Contra Weber (2012), p. 37.
- 61.
Even though Article VI GATS is a general obligation, its first paragraph is applicable only for sectors in which a WTO member has undertaken specific commitments. It is not clear whether this requires commitments in both market access and national treatment columns, but the general wording seems to suggest that specific commitments in one domain are sufficient. Wouters and Coppens (2008), p. 217; see generally Van den Bossche and Zdouc (2017), p. 535; Munin (2010), pp. 272–275; Krajewski (2008), pp. 168–172.
- 62.
- 63.
Trachtman (2003), p. 66.
- 64.
Saluzzo (2017), p. 825 fn. 84.
- 65.
GATT Secretariat (1971), Article VII; Pauwelyn (2005), 138 fn. 24.
- 66.
- 67.
WTO Panel Report, Dominican Republic – Import and Sale of Cigarettes, para 7.385 (on Article X:3(a) GATT).
- 68.
Krajewski (2008), p. 171.
- 69.
Ibid.
- 70.
WTO Panel Report, Thailand – Cigarettes (Philippines), para. 7.898 (on Article X(3)(a) GATT).
- 71.
Krajewski (2008), p. 172.
- 72.
Ibid.; Munin (2010), p. 277.
- 73.
WTO Panel Report, US – Hot Rolled Steel, para. 7.268 (on Article X:3(a) GATT).
- 74.
- 75.
Munin (2010), p. 278.
- 76.
Ibid., 280; Van den Bossche and Zdouc (2017), p. 535.
- 77.
Krajewski (2008), p. 174.
- 78.
The panel in China – Electronic Payment Services clarified that the scope of Article XVI GATS and the scope of Article XVII GATS are not mutually exclusive. Both provisions can apply to a single measure. WTO Panel Report China – Electronic Payment Services, para. 7.658.
- 79.
- 80.
- 81.
Article XVI:2(e) is an exception because it does not constitute a quantitative restriction. It refers to the form of legal entity.
- 82.
WTO Panel Report, US – Gambling, para. 6.298.
- 83.
Ibid., para. 6.318; WTO AB Report, US – Gambling, para. 215.
- 84.
- 85.
WTO AB Report, US – Gambling, para. 232; WTO Panel Report, US – Gambling, paras 6.330–6.332; Delimatsis and Molinuevo (2008), p. 378.
- 86.
WTO AB Report, US – Gambling, para. 227; WTO Panel Report, US – Gambling, para. 6.355.
- 87.
WTO Panel Report, US – Gambling, para. 6.349.
- 88.
Ibid., para. 6.347; WTO AB Report, US – Gambling, para. 252.
- 89.
- 90.
The national treatment obligation applies to measures affecting the supply of services and is hence narrower than the general scope of the GATS, which covers measures affecting trade in services. The supply of services is defined in Article XXVIII(b) GATS and includes the production, distribution, marketing, sale, and delivery of a service whereas trade in services also includes the purchase, payment or use of a service according to Article XXVIII(b)(i) GATS. The national treatment obligation therefore does not extend to measures affecting only the consumption of services. Krajewski and Engelke (2008), p. 399.
- 91.
- 92.
- 93.
- 94.
Krajewski and Engelke (2008), p. 411.
- 95.
- 96.
Ibid., para. 10.271.
- 97.
- 98.
Cottier and Molinuevo (2008), p. 130.
- 99.
WTO AB Report, Turkey – Textiles, para. 48.
- 100.
- 101.
WTO Panel Report, Canada – Autos, para. 10.271.
- 102.
- 103.
Cottier and Molinuevo (2008), p. 143.
- 104.
- 105.
WTO AB Report, US – Gambling, para. 292 with reference to WTO AB Report, US – Shrimp, para. 147 (on Article XX GATT) and WTO AB Report, US – Gasoline, 20 (on Article XX GATT); Van den Bossche and Zdouc (2017), pp. 606–607; Matsushita et al. (2015), p. 614; Munin (2010), pp. 340–341; Cottier et al. (2008), pp. 294–296.
- 106.
- 107.
- 108.
- 109.
- 110.
WTO AB Report, US – Gambling, para. 305 with reference to WTO AB Report, Korea – Various Measures on Beef, para. 164 (on Article XX GATT).
- 111.
Ibid. with reference to WTO AB Report, Korea – Various Measures on Beef, para. 166 (on Article XX GATT).
- 112.
Ibid., para. 306.
- 113.
Newman (2009), p. 117, 188 fn. 69.
- 114.
GATT (1989), para. 93.
- 115.
See Sect. 2.1.3.
- 116.
GATT (1990a).
- 117.
Ibid., 13.
- 118.
GATT (1990b), para. 22. This was also supported by the representative of Switzerland. Ibid., para. 25.
- 119.
GATT (1990c), para. 70. Other representatives that supported this position were from Sweden and Canada. Ibid., paras 138 and 141.
- 120.
GATT (1990d).
- 121.
GATT (1990e), para. 99.
- 122.
Ibid.
- 123.
Ibid.
- 124.
Ibid., para. 105.
- 125.
Ibid., para. 107.
- 126.
Ibid., para. 112.
- 127.
GATT (1990f), para. 39.
- 128.
Cp. Newman (2009), p. 117, 188 fn. 69.
- 129.
GATT (1990g).
- 130.
Ibid., 373.
- 131.
GATT (1991).
- 132.
Marchetti and Mavroidis (2011), p. 712.
- 133.
Ibid., 712–713.
- 134.
Notably, a representative of Australia stressed during the negotiations “the need to keep any exceptions article very tightly circumscribed and considered the list in the […] draft framework to be sufficiently broad. That statement concerned the July Text that did not include a privacy exception. It seems therefore that the support of the US to include the privacy exception into the framework text of the GATS—instead of the Annex on Telecommunications—was a decisive element of the inclusion of the privacy exception into the Dunkel Draft. GATT (1990h), para. 27.
- 135.
GATT (1991), p. 18.
- 136.
- 137.
Matsushita et al. (2015), p. 620.
- 138.
The case that successfully passed the analysis under the chapeau was EC – Asbestos. The panel decided that the standards of the chapeau are not violated, and the appellant did not bring forward any claims of error. The AB did not address the chapeau. WTO Panel Report, EC – Asbestos, para. 8.240 (on Article XX GATT). Cp. Public Citizen (2015), p. 5.
- 139.
- 140.
WTO AB Report, Indonesia – Import Licensing Regimes, para. 595 (on Article XX GATT) with reference to WTO AB Report, EC – Seal Products, para. 5.297 (on Article XX GATT); WTO AB Report, US – Shrimp, para. 156 (on Article XX GATT) and WTO AB Report, US – Gasoline, 22 (on Article XX GATT); Cottier et al. (2008), p. 321.
- 141.
“The location of the line of equilibrium, as expressed in the chapeau, is not fixed and unchanging; the line moves as the kind and the shape of the measures at stake vary and as the facts making up specific cases differ.” WTO AB Report, US – Shrimp, para. 159 (on Article XX GATT).
- 142.
WTO AB Report, US – Shrimp, para. 182 (on Article XX GATT).
- 143.
- 144.
WTO AB Report, EC – Seal Products, paras 5.328, 5.337 (on Article XX GATT); WTO AB Report, Brazil – Retreaded Tyres, paras 228, 233, 246 (on Article XX GATT); WTO AB Report, US – Gasoline, 25 (on Article XX GATT).
- 145.
- 146.
WTO Panel Report, EC – Asbestos, para. 8.226 (on Article XX GATT) with reference to WTO AB Report, US – Gasoline, 22 (on Article XX GATT).
- 147.
WTO AB Report, US – Shrimp, para. 171 (on Article XX GATT); WTO AB Report, US – Gasoline, 26–27 (on Article XX GATT).
- 148.
WTO AB Report, EC – Seal Products, para. 5.306 (on Article XX GATT); WTO AB Report US – Shrimp, para. 165 (on Article XX GATT); WTO AB Report Brazil – Retreaded Tyres, paras 227, 228, 232 (on Article XX GATT); Bartels (2015), pp. 117–118.
- 149.
- 150.
GATT Panel Report, US – Tuna (Canada), para. 4.8 (on Article XX GATT); GATT Panel Report, US – Spring Assemblies, para. 56 (on Article XX GATT).
- 151.
WTO AB Report, US – Gasoline, 25 (on Article XX GATT).
- 152.
WTO Panel Report, Brazil – Retreaded Tyres, para. 7.319 (on Article XX GATT).
- 153.
- 154.
- 155.
- 156.
Ferracane (2018), p. 2.
- 157.
- 158.
- 159.
WTO Panel Report, Russia – Traffic in Transit, para. 7.130 (on Article XXI GATT).
- 160.
Ibid., para. 7.131 (on Article XXI GATT).
- 161.
Ibid., paras 7.132–7.134 (on Article XXI GATT); Cottier and Delimatsis (2008), pp. 335–336.
- 162.
WTO Panel Report, Russia – Traffic in Transit, para. 7.65 (on Article XXI GATT); Bogdanova (2019).
- 163.
Bogdanova (2019).
- 164.
WTO Panel Report, Russia – Traffic in Transit, paras 7.70–7.71 (on Article XXI GATT).
- 165.
Cottier and Delimatsis (2008), pp. 344–345.
- 166.
WTO Panel Report, Russia – Traffic in Transit, para. 7.75 (on Article XXI GATT).
- 167.
Ibid., para. 7.76 (on Article XXI GATT).
- 168.
- 169.
- 170.
WTO Panel Report, Mexico – Telecoms, paras 7.292–7.293; Luff (2012), p. 87.
- 171.
Burri (2015), p. 32.
- 172.
Bronckers and Larouche (2008), p. 326.
- 173.
- 174.
- 175.
Gao (2008), p. 694.
- 176.
Wu (2006), p. 266.
- 177.
- 178.
WTO (1999a), para. 19.
- 179.
- 180.
- 181.
WTO Panel Report, US – Gambling, paras 6.362–6.363 upheld by WTO AB Report, US – Gambling, para. 265; WTO Panel Report, China – Audiovisual Products, para. 7.1265 upheld by WTO AB Report, China – Audiovisual Products, para. 412; Burri (2015), pp. 39–40; Wunsch-Vincent (2006), p. 323; see Sect. 4.2.3.
- 182.
Regulation (EU) 2015/2120 of the European Parliament and of the Council of 25 November 2015 laying down measures concerning open internet access and amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services and Regulation (EU) No 531/2012 on roaming on public mobile communications networks within the Union [2015] OJ L 310/1.
- 183.
GATT (1990c), para. 154.
- 184.
Ibid., para. 155.
- 185.
Gao (2008), p. 703.
- 186.
- 187.
OED online, entry for confidential (adj.).
- 188.
See Sect. 4.2.1.4.2.
- 189.
- 190.
Similarly, Yakovleva and Irion (2020a), p. 12.
- 191.
WTO (1999b), para. 4.
- 192.
Ibid.
- 193.
Ibid.
- 194.
- 195.
WTO Panel Report, US – Gambling, para. 6.285; Wunsch-Vincent (2006), pp. 332–333.
- 196.
WTO Panel Report, US – Gambling, para. 6.285.
- 197.
WTO Panel Report, China – Audiovisual Products, paras 7.1220, 7.1247.
- 198.
Ibid.; WTO AB Report, China – Audiovisual Products, para. 398; Hodson (2019), p. 587.
- 199.
WTO Panel Report, China – Audiovisual Products, para. 7.1258.
- 200.
- 201.
WTO Panel Report, Mexico – Telecoms, para. 7.45.
- 202.
WTO (1999c), para. 4.
- 203.
Tinawi and Berkey (2000), pp. 5–6, 8.
- 204.
WTO Panel Report, US – Gambling, para. 6.32.
- 205.
Ibid.
- 206.
Wunsch-Vincent (2006), p. 326.
- 207.
WTO Panel Report, US – Gambling, paras 6.29, 6.280.
- 208.
WTO AB Report, US – Gambling, para. 215.
- 209.
Hodson (2019), p. 586; Crosby (2016), pp. 2–3; Tuthill and Roy (2012), p. 159. Sacha Wunsch-Vincent suggested that WTO members should use the opportunity of US – Gambling to enter into an agreement declaring mode 1 as fully applicable to all cross-border electronic transactions. That has not yet happened. Wunsch-Vincent (2006), p. 327.
- 210.
In contrast, the CPCprov––the source and annotation of the W/120––has been revised and updated several times to reflect technological changes.
- 211.
Willemyns (2019), p. 67.
- 212.
- 213.
- 214.
Weber and Burri (2012), p. 51.
- 215.
The Understanding on Commitments in Financial Services contains a particular provision devoted to “New financial services” where new depends on the availability of such service in a particular territory and not to the innovative character of a service. Zhang (2015), p. 15.
- 216.
WTO (2014a), para. 1.2.
- 217.
For example, Canada, the US, the EU, Australia and South Africa. Ibid., paras 1.3, 1.5, 1.6, 1.8 and 1.11.
- 218.
Willemyns (2019), p. 67.
- 219.
WTO Panel Report, US – Gambling, paras 6.63, 6.101, 6.119; AB Report, US – Gambling, para. 180 fn. 219.
- 220.
In accordance with Article 3.2 DSU. See Sorel and Boré Eveno (2011), pp. 820–821.
- 221.
The AB reminded panels not to equate the ordinary meaning of a term with the definition provided by dictionaries and reiterated that “interpretation pursuant to the customary rule codified in Article 31 of the Vienna Convention is ultimately a holistic exercise that should not be mechanically subdivided into rigid components.” WTO AB Report, China – Publications and Audiovisual Products, para. 348. See generally Dörr (2018a), pp. 580–582; Villiger (2009), pp. 426–427.
- 222.
WTO AB Report, US – Gambling¸ para. 167; Willemyns (2019), p. 67.
- 223.
- 224.
Ibid., paras 175–176.
- 225.
- 226.
- 227.
- 228.
WTO AB Report, US – Gambling¸ paras 196–197.
- 229.
WTO Panel Report, EC – IT Products, paras 7.596, 7.952.
- 230.
Ibid., paras 7.599–7.601.
- 231.
Luff (2012), pp. 70–71. In contrast, Rolf H. Weber and Mira Burri submitted that “[t]he Panel decided in favor of the complainants with the argument that lists of IT products would soon be outdated and that the liberalization objective of WTO Members would embody new products having a similar function.” They concluded that the panel in EC – IT Products applied a teleological interpretation of the concessions in the ITA. Weber and Burri (2012), pp. 14–15.
- 232.
WTO Panel Report, China – Publications and Audiovisual Products, para. 7.1235.
- 233.
Ibid., para. 7.1237.
- 234.
Ibid., para. 7.1247.
- 235.
WTO AB Report, China – Publications and Audiovisual Products, para. 397.
- 236.
Ibid.
- 237.
Ibid., para. 396.
- 238.
WTO AB Report, China – Publications and Audiovisual Products, para. 396 with reference to the approach taken in US – Shrimp, where the AB interpreted the term “exhaustible natural resources” in Article XX(g) GATT. WTO AB Report, US – Shrimp, paras 129–130.
- 239.
- 240.
- 241.
WTO Panel Report, US – Gambling, para. 6.349.
- 242.
- 243.
WTO (2001), para. 25.
- 244.
Cp. the definition of services in European Commission/IMF/OECD/United Nations/ World Bank (2009), para. 6.17: “Services are the result of a production activity that changes the conditions of the consuming units, or facilitates the exchange of products or financial assets.”
- 245.
WTO (2011), para. 5.
- 246.
WTO Panel Report, China – Electronic Payment Services, para. 7.57.
- 247.
Such as the process and coordination of approving or declining a transaction; the delivery of transaction information among participating entities; the calculation, determination, and reporting of the net financial position of relevant institutions for all transactions that have been authorized; and the facilitation, management and/or other participation in the transfer of net payments owed among participating institutions. Ibid., para. 7.58.
- 248.
Ibid., para. 7.59.
- 249.
Ibid., para. 7.188.
- 250.
Ibid.
- 251.
Ibid., paras 7.180, 7.188. The US raised a valid point that was not further discussed by the panel. The US submitted that if China’s position were accepted––that a service must first be disaggregated into subcomponents and each subcomponent separately classified––it would render WTO members’ concessions meaningless for a wide range of services. Ibid., para. 7.173.
- 252.
- 253.
While designed to guide statisticians, these rules may also be helpful for the scheduling of commitments.
- 254.
UN (2015a), para. 56(b).
- 255.
Ibid., para. 57.
- 256.
- 257.
Willemyns (2019), p. 71.
- 258.
Weber and Burri (2012), p. 127.
- 259.
WTO Panel Report, China – Publications and Audiovisual Products, para. 7.1014.
- 260.
Zhang (2015), pp. 10–11.
- 261.
Ibid.
- 262.
WTO Panel Report, China – Electronic Payment Services, paras 7.61, 7.180.
- 263.
Willemyns (2019), p. 71.
- 264.
Ibid., 72.
- 265.
An illustrative example can be found in Canada – Periodicals, where the two services components of periodicals were identified (editorial content and advertising content), but the AB concluded that the services combined into a final good, which is why the GATT (and not the GATS) was applicable to the measure at issue. WTO AB Report, Canada – Periodicals, para. 17.
- 266.
- 267.
See Sect. 4.3.3.
- 268.
See Sect. 4.1.3.1.
- 269.
WTO (2007).
- 270.
- 271.
UN (2015b), paras 1.2–1.3.
- 272.
Kelsey (2019), p. 38.
- 273.
- 274.
WTO (2012), para. 66.
- 275.
WTO (2015b), para. 4.33.
- 276.
Ibid.
- 277.
WTO (2016), para. 2.9.
- 278.
Cp. WTO Panel Report, China – Electronic Payment Services, paras 7.58–7.59, 7.188.
- 279.
WTO (2016), para. 2.2.
- 280.
Cp. Anuradha (2018), p. 76.
- 281.
OED online, entry for processing (n.).
- 282.
Ibid., entry for software (n.).
- 283.
Ibid., entry for implementation (n.).
- 284.
Cp. Anuradha (2018), p. 237.
- 285.
- 286.
ECJ, Google Spain and Google, paras 51, 56; ECJ, Google v. CNIL, para. 50.
- 287.
WTO Panel Report, China – Electronic Payment Services, paras 7.58–7.59.
- 288.
DuckDuckGo is an example for a search engine that allows its users to turn off advertisements.
- 289.
Henry Gao similarly distinguishes between Google’s search engine and advertising services. Tim Wu does not mention the corresponding advertisement services at all. Fred Erixon, Brian Hindley and Hosuk Lee-Makiyama argue that the whole service provided by a search engine could be classified as advertisement services. Ines Willemyns argues that a classification as advertisement services follows a components-based approach, after which the main component (or the one most easily classified) determines the classification. The components-based approach does not harmonize well with the focus on output of services inherent in W/120. Gao (2011), p. 359; Wu (2006), pp. 282–283; Erixon et al. (2009), p. 12; Willemyns (2019), p. 72.
- 290.
OED online, entry for database (n.).
- 291.
Gao (2012), p. 256.
- 292.
- 293.
Rolf Weber and Mira Burri similarly distinguish advertisement services from social network services. They argue that an “easy” classification as advertisement services puts this element of social networks at the forefront, which is not in the main interest of the users. Ines Willemyns does not mention the corresponding advertisement services. Weber and Burri (2012), p. 116; Willemyns (2019), p. 76.
- 294.
Ines Willemyns argues that social networks may be classified as packet-switched data transmission services (W/120-2.C.b), which correspond to CPCprov 7523. Henry Gao explains that CPCprov 7523 covers network services but not the actual contents carried over such networks. Rolf Weber and Mira Burri argue that, as far as telecommunications are concerned, the underlying purpose of that classification does not really comply with the functions of a social network, since the transmission services are not at the forefront and the availability of data in the databases is more important. Willemyns (2019), p. 76; Gao (2011), p. 364; Weber and Burri (2012), p. 117.
- 295.
Willemyns (2019), p. 76.
- 296.
Ines Willemyns argues that this classification seems to focus on a components-based approach, considering not the output of the service, but rather its technical components. She disregards the fact that the database is not only a technical component of a social network, but, arguably, also its function from the perspective of its users. Willemyns (2019), p. 76. Cp. Weber and Burri (2012), p. 118.
- 297.
- 298.
Cp. WTO AB Report, China – Publications and Audiovisual Products, para. 396 with reference to the approach taken in US – Shrimp, where the AB interpreted the term “exhaustible natural resources” in Article XX(g) GATT. WTO AB Report, US – Shrimps, paras 129–130.
- 299.
OED online, entry for retail (n.).
- 300.
The ECJ decided in Airbnb Ireland that even if Airbnb’s intermediary service is aimed at the rental of accommodation, it can be separated from the actual real estate business. It acted as an “information society service” rather than a real estate agency. ECJ, Airbnb Ireland, paras 49, 52. In contrast, the ECJ found that the intermediary service of Uber must be regarded as forming an integral part of an overall service whose main component is a transport service and, accordingly, must not be classified as an “information society service.” ECJ, Uber France, para. 21; ECJ, Asociación Profesional Élite Taxi, paras 39–40.
- 301.
Anuradha (2018), p. 73.
- 302.
Cp. WTO Panel Report, China – Electronic Payment Services, paras 7.58–7.59, 7.188.
- 303.
Cp. ibid.
- 304.
WTO (1998a).
- 305.
The term “electronic commerce” is understood to mean the production, distribution, marketing, sale or delivery of goods and services by electronic means. WTO (1998b), para. 1.3.
- 306.
Ismail (2020), p. 9.
- 307.
Ibid., 10.
- 308.
ICTSD (2017).
- 309.
Ismail (2020), p. 10.
- 310.
WTO (1999d), paras 4, 15, 17, 19.
- 311.
WTO, Nairobi Ministerial Declaration of 19 December 2015, WT/MIN(15)/DEC, para. 32.
- 312.
Ismail (2020), p. 11.
- 313.
Ibid., 12.
- 314.
WTO (2017).
- 315.
Garcia-Israel and Grollier (2019), pp. 5–14.
- 316.
WTO (2019a).
- 317.
- 318.
WTO (2019b).
- 319.
A detailed analysis is provided in Sect. 5.4.
- 320.
WTO (2019c).
- 321.
Ibid., para. 4.1.
- 322.
Hufbauer and Lu (2019), p. 6.
- 323.
The definition of CII has a very broad scope. Ibid., 4.
- 324.
WTO (2019d).
- 325.
For greater certainty, a Party may comply with the obligation in this paragraph by adopting or maintaining measures such as comprehensive privacy, personal information, or personal data protection laws, sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy.
- 326.
A measure does not meet the conditions of this paragraph if it accords different treatment to data transfers solely on the basis that they are cross-border in a manner that modifies the conditions of competition to the detriment of a covered person of another Party.
- 327.
- 328.
WTO (2019e), para. 33.
- 329.
Ibid.
- 330.
ECJ, Schrems 2, para. 201.
- 331.
- 332.
Cimino-Isaacs et al. (2020), p. 1.
- 333.
WTO (2021a), p. 1.
- 334.
- 335.
WTO (2022b).
- 336.
See Sect. 4.2.1.2.1.
- 337.
Gregory Shaffer submitted that “the EU Directive applies equally to transfers to all countries and thus should not violate the GATS most-favored-nations clause.” However, he did not consider that the MFN treatment obligation in Article II:1 GATS also covers de facto discrimination. See Shaffer (2000), pp. 49–50.
- 338.
See Sect. 4.2.1.2.1.
- 339.
Wolfrum (2008), p. 88.
- 340.
See generally Wojtan (2011), pp. 76–80.
- 341.
- 342.
Saluzzo (2017), p. 821.
- 343.
Reyes (2011), pp. 14–15.
- 344.
Yakovleva and Irion (2016), p. 203.
- 345.
Ibid. They also explain that the argument made by Reyes that Australia was granted an inadequacy finding is not valid. Australia received a refusal to grant an adequacy finding from the Article 29 WP. The opinion of the Article 29 WP is not legally binding and does not give a final conclusion on the inadequacy of data protection in Australia. See Article 29 WP (2001), p. 6.
- 346.
See Sect. 3.1.4.4.
- 347.
- 348.
- 349.
WTO Panel Report, EC – Bananas III (Article 21.5 – Ecuador), para. 6.133.
- 350.
Saluzzo (2017), p. 821.
- 351.
Ibid.
- 352.
- 353.
Saluzzo (2017), p. 821.
- 354.
WTO AB Report, EC – Bananas III, para. 241.
- 355.
WTO AB Report, Argentina – Financial Services, para. 6.106.
- 356.
Yakovleva and Irion (2016), p. 203.
- 357.
Shapiro (2003), p. 2819.
- 358.
Reyes (2011), p. 14.
- 359.
Cp. Saluzzo (2017), p. 821.
- 360.
See Sect. 3.3.4.
- 361.
- 362.
Cp. WTO Panel Report, EC – Selected Custom Matters, para. 7.116 (on Article X:1 GATT); WTO Panel Report, US – Underwear, para. 7.65 (on Article X:1 GATT).
- 363.
- 364.
Cp. Saluzzo (2017), p. 825. In contrast, Carla Reyes assumes that under one of two competing standards, Article VI:1 GATS imposes a substantive proportionality requirement. Reyes argues that the prohibition to transfer personal data to countries without an adequate level of protection for personal data is the most restrictive means available for a data transfer system to achieve its objectives. According to Reyes, this violates Article VI:1 GATS. While the assumption cannot be maintained that Article VI:1 GATS imposes a substantive proportionality requirement, Reyes also ignores that the derogations in Article 49 GDPR still allow data transfers to countries in which the protection for personal data is not essentially equivalent to that guaranteed within the EU. See Reyes (2011), p. 19. This was also criticized by Svetlana Yakovleva and Kristina Irion. See Yakovleva and Irion (2016), p. 205.
- 365.
- 366.
WTO Panel Report, Dominican Republic – Import and Sale of Cigarettes, para. 7.385 (on Article X:3(a) GATT).
- 367.
Krajewski (2008), p. 171.
- 368.
Article 45(3)–(6) GDPR. See also Sect. 3.2.3.
- 369.
- 370.
Cp. WTO Panel Report, Thailand – Cigarettes (Philippines), para. 7.898 (on Article X(3)(a) GATT).
- 371.
See Krajewski (2008), p. 171.
- 372.
OED online, entry for arbitrary (adj.).
- 373.
See Sect. 3.2.1.4.
- 374.
European Commission (2017), p. 8.
- 375.
See Sect. 3.2.1.4.
- 376.
See Sect. 3.2.1.3.
- 377.
Yakovleva and Irion (2016), p. 205.
- 378.
Yakovleva and Irion refer to the standard of reasonableness instead. Ibid.
- 379.
Cp. WTO Panel Report, US – Hot Rolled Steel, para. 7.268 (on Article X:3(a) GATT).
- 380.
Article 45(3)–(6) and (9) GDPR.
- 381.
Makulilo (2013), p. 49.
- 382.
Cp. WTO Panel Report, Thailand – Cigarettes (Philippines), para. 7.898 (on Article X(3)(a) GATT).
- 383.
Article VI:2(a) GATS only obliges WTO members to maintain practicable, judicial, arbitral or administrative tribunals or procedures that provide, at the request of an affected service supplier, for the prompt review of, and where justified, appropriate remedies for, administrative decisions affecting trade in services. It cannot be adduced from Article VI:2(a) GATS that Article VI:1 GATS requires an administrative decision when a WTO member extends an advantage to a third country, but not to another.
- 384.
Stoddart et al. (2016), p. 147.
- 385.
See Sect. 3.2.1.2.
- 386.
Cp. WTO Panel Report, US – Hot Rolled Steel, para. 7.268 (on Article X:3(a) GATT).
- 387.
- 388.
Cp. ibid.
- 389.
See Sect. 3.3.4.
- 390.
See Sect. 3.3.3.1.5.
- 391.
ECJ, Wirtschaftsakademie Schleswig-Holstein, paras 69–73.
- 392.
Ibid.
- 393.
Cp. WTO Panel Report, Argentina – Hides and Leather, para. 11.77 (on Article X(3)(a) GATT).
- 394.
See Sect. 3.3.4.
- 395.
Articles 47(1) and 64(1)(f) GDPR.
- 396.
Mitchell and Hepburn (2017), p. 200.
- 397.
Usman and Chander (2015), pp. 6–7.
- 398.
Ibid.
- 399.
- 400.
- 401.
Yakovleva and Irion (2016), p. 205.
- 402.
See Sect. 3.1.2.1.
- 403.
Cp. WTO Panel Report, Dominican Republic – Import and Sale of Cigarettes, para. 7.385 (on Article X:1 GATT). See also Yakovleva and Irion (2016), p. 205.
- 404.
- 405.
Kristina Irion, Svetlana Yakovleva and Marija Bartl suggested that the EU’s fundamental rights-based regulation does not trigger Article VI:2 GATS because it does not mount authorization, qualification or licensing requirements, nor can it be considered a technical standard. That is not important because Article VI:2 GATS relates to administrative decisions without referring to authorization, qualification or licensing requirements, or technical standards. Irion et al. (2016), p. 31.
- 406.
Saluzzo (2017), p. 826.
- 407.
Ibid.
- 408.
See Sect. 3.2.1.1.
- 409.
Australia is an example of a country that received a negative adequacy assessment from the Article 29 WP and the four African countries Burkina Faso, Mauritius, Tunisia, and Morocco are examples of countries that received a negative adequacy assessment from an academic institution in the EU tasked to research the level of data protection in these countries.
- 410.
Reyes (2011), p. 20.
- 411.
Cp. Yakovleva and Irion (2016), p. 205.
- 412.
- 413.
- 414.
- 415.
- 416.
WTO (2001), para. 26.
- 417.
WTO Panel Report, Mexico – Telecoms, para. 7.43; GATT Secretariat (1993), para. 19(a).
- 418.
Crosby (2016), p. 3.
- 419.
Delimatsis and Molinuevo (2008), pp. 376–377.
- 420.
WTO AB Report, US – Gambling, paras 232; 252.
- 421.
Ibid., para. 227; WTO Panel Report, US – Gambling, para. 6.355.
- 422.
See Sect. 4.1.2.
- 423.
Cp. Ruotolo (2018), p. 20.
- 424.
But see Meltzer (2019), p. 25.
- 425.
- 426.
- 427.
ECJ, Schrems 2, para. 135; ECJ, AG Opinion, Schrems 2, para. 144.
- 428.
EDPB (2020), pp. 26–27.
- 429.
See Sect. 4.2.3.4.1.
- 430.
WTO (2019f), p. 61.
- 431.
Ibid., 58.
- 432.
Molthan et al. (2015), p. 1371.
- 433.
W. Kuan Hon, Christopher Millard, and Ian Walden show that cross-border flows of personal data necessarily occur in cloud computing services that use personal data because excluding the (re-)identification of anonymized data or encrypted data may be impossible. Hon et al. (2011), p. 217, 224.
- 434.
Gianpaolo Maria Ruotolo arrived at a similar conclusion but he argues that the specific commitment in the case of cloud computing consists in the transfer of (personal) data. Ruotolo (2018), p. 20.
- 435.
See Sect. 4.2.3.4.2.
- 436.
- 437.
See Sect. 4.1.3.2.
- 438.
Swisscows is an example of such a search engine that does not collect any personal data from its visitors, including the search requests entered and the IP addresses associated with the request.
- 439.
See Sect. 4.2.3.4.3.
- 440.
- 441.
See Sect. 4.2.3.4.4.
- 442.
Only Poland specifically excluded all forms of advertising of tobacco products, alcoholic beverages, and pharmaceuticals.
- 443.
WTO (2019f), p. 76.
- 444.
See Sect. 4.1.3.2.
- 445.
In Google Spain and Google, the referring Audiencia Nacional (Spanish National High Court) established that Google takes advantage of the users’ search activity and includes, in return for payment, advertising associated with the users’ search terms, for undertakings which wish to use that information in order to offer their goods or services to the users. ECJ, Google Spain and Google, para. 43.
- 446.
See Sect. 4.1.3.4.
- 447.
WTO (2019f), p. 187.
- 448.
See Sect. 4.1.3.4.
- 449.
See Sect. 4.1.3.5.
- 450.
WTO (2019f), p. 164.
- 451.
See Sect. 4.1.3.5.
- 452.
WTO (2019f), p. 183.
- 453.
- 454.
See Sect. 4.1.4. They will usually also satisfy the condition of the derogation in Article 49(1)(b) GDPR that the data transfers must be necessary for the performance of the contract.
- 455.
Ruotolo (2018), p. 28.
- 456.
WTO AB Report, US – Gambling, paras 232, 252.
- 457.
See Sect. 4.2.1.4.2.1.
- 458.
Irion et al. (2016), p. 47.
- 459.
Article XXI:1(b) GATS.
- 460.
Article XXI:2(a) GATS.
- 461.
Article XXI:2(b) GATS.
- 462.
Article XXI:3(a) GATS.
- 463.
- 464.
WTO (2019b).
- 465.
- 466.
Gregory Shaffer argued that the EU Directive “applies equally to EU-owned and -registered companies and foreign-owned and -registered companies and thus should not violate the GATS national treatment clause” Shaffer does not consider that the national treatment obligation in Article XVII GATS also covers de facto discrimination. Shaffer (2000), p. 50.
- 467.
See Sect. 3.1.3.1.1.
- 468.
Cp. WTO Panel Report, China – Publications and Audiovisual Products, paras 7.978–7.979.
- 469.
With the exception of Malta, which remains unbound, the EU member states committed to national treatment for software implementation services in mode 1. WTO (2019f), p. 59.
- 470.
With the exception of Malta, which remains unbound, the EU member states committed to national treatment for data base services in mode 1. Ibid., 62.
- 471.
With the exception of Cyprus, the Czech Republic, Finland, Lithuania, Latvia, Malta, Poland, Sweden and the Slovak Republic, which remain unbound, the EU member states committed to national treatment of maintenance and repair services for road transport equipment in mode 1. Ibid., 187.
- 472.
With the exception of Estonia, Finland, Hungary and Sweden, which remain unbound, the EU member states committed to national treatment for hotel and restaurant services in mode 1. Ibid., 164.
- 473.
With the exception of Malta, which remains unbound, the EU member states committed to national treatment for data processing services in mode 1. Ibid., 61.
- 474.
Apart from Malta, which remains unbound, the EU member states committed to national treatment for data base services in mode 1. Ibid., 62.
- 475.
All EU member states committed to national treatment for advertising services in mode 1. Ibid., 76.
- 476.
“[T]he mere existence of cross-border regulatory diversity represents a burden for foreign service suppliers.” Muller (2017), p. 472.
- 477.
Article XVII:3 GATS.
- 478.
See Sect. 3.1.4.4.1.
- 479.
EDPB (2018), p. 6.
- 480.
WTO AB Report, Argentina – Financial Services, para. 6.104.
- 481.
Article 29 WP (2018b), p. 18.
- 482.
Ibid.
- 483.
WTO Panel Report, Canada – Autos, para. 10.84 (on Article III:4 GATT); WTO Panel Report, China – Audiovisual Products, para. 7.1537.
- 484.
WTO Panel Report, Canada – Autos, para. 10.87 (on Article III:4 GATT).
- 485.
See Sect. 4.3.3.4.
- 486.
Panel Report, China –Publications and Audiovisual Products, paras 7.920–7.921.
- 487.
See Sect. 4.2.1.4.1.
- 488.
See Sect. 4.3.4.1.
- 489.
There are minor exceptions. See Oesch (2018), pp. 76–83.
- 490.
See Sect. 4.3.4.2.
- 491.
- 492.
Irion et al. (2016), p. 33.
- 493.
Marín Durán (2017), pp. 710–711, 720; ILC, Draft Articles on the Responsibility of International Organizations (ARIO), annexed to UN (2012); see for example WTO Panel Report, EC – Biotech, paras 2.1–2.5 where the contested measures included national safeguard measures prohibiting the import and/or marketing of specific biotech products, which had been taken by six EU member states relying on the possibility provided for in the relevant EU legislation and where the panel accepted the EU’s standing as the single respondent bearing sole responsibility for these measures.
- 494.
See WTO Panel Report, EC – Biotech, paras 2.1–2.5 and WTO Panel Report, EC – Asbestos, paras 3.32–3.35, in which the EU was targeted as the sole defendant—and thus potentially, solely responsible for a violation of WTO obligations (quod non)—of the challenged French decree banning asbestos and asbestos-containing products, even though the link between this national measure and EU legislation was not readily obvious.
- 495.
- 496.
Cottier and Molinuevo (2008), p. 129.
- 497.
- 498.
Stephenson (1999), p. 54.
- 499.
WTO (1999e), para. 18. The representative of New Zealand expressed a similar view in the same meeting. Ibid., para. 17.
- 500.
WTO Panel Report, Canada – Autos, para. 10.272.
- 501.
WTO Panel Report, Russia – Traffic in Transit, para. 7.70 (on Article XXI GATT).
- 502.
Ibid., para. 7.76 (on Article XXI GATT).
- 503.
Ibid., para. 7.134 (on Article XXI GATT).
- 504.
Ibid., para. 7.135 (on Article XXI GATT).
- 505.
Ibid (on Article XXI GATT).
- 506.
Ibid., para. 7.130 (on Article XXI GATT).
- 507.
Ferracane also argued that conditional data transfer regimes, such as in the GDPR, would hardly be implemented under the national security rationale and that such regimes would normally be justified under the general exceptions of the GATS. Ferracane (2018), pp. 5, 11–12.
- 508.
Schneier (2014).
- 509.
Ibid.
- 510.
WTO Panel Report, Mexico – Telecoms, para. 7.332.
- 511.
See Sect. 4.2.2.4.
- 512.
See Sect. 4.2.1.4.2.
- 513.
Yakovleva (2020), p. 461.
- 514.
WTO AB Report, Argentina – Financial Measures, para. 6.166.
- 515.
Ibid.
- 516.
So far, scholars generally address the justification under Article XIV GATS without specifically adapting it to the different interferences with GATS obligations caused by the EU regulation of data transfers. Cp. Velli (2019), pp. 888–889; Mattoo and Meltzer (2018), p. 781; Saluzzo (2017), p. 827; Yakovleva and Irion (2016), p. 206; Weber (2012), p. 39; Reyes (2011), p. 27; Peng (2011), p. 766; Perez Asinari (2003), pp. 3–5.
- 517.
Some scholars also find that a justification under the public morals exception in Article XIV(a) GATS would be possible. Cp. Mattoo and Meltzer (2018), p. 781.
- 518.
WTO Panel Report, Argentina – Financial Services, paras 7.592–7.593; WTO AB Report, Argentina – Financial Services, para. 6.202.
- 519.
WTO Panel Report, Argentina – Financial Services, paras 7.595–7.5961, referring to WTO Panel Report, Colombia – Ports of Entry, para.7.514 (on Article XX GATT), WTO Panel Report, US – Shrimp (Thailand), para. 7.174 (on Article XX GATT) and WTO AB Report, Korea – Various Measures on Beef, para.157 (on Article XX GATT).
- 520.
Yakovleva and Irion (2016), p. 206. But see that Rolf Weber noted that “even if the criterion of the adequate extent to which the enforcement measure contributes to the realization of the end pursued, that is, to the securing of compliance with the rules or regulations to be enforced, can be acknowledged, some doubts still remain whether the international community in the light of the lack of globally harmonized privacy standards would attribute the requested key function to national privacy standards.” Weber (2012), pp. 40–41.
- 521.
WTO Panel Report, Argentina – Financial Services, para. 7.625.
- 522.
WTO AB Report, Argentina – Financial Services, para. 6.201.
- 523.
For example, Aaditya Mattoo and Joshua P. Meltzer have argued that the requirement of local representation in Article 27 GDPR and the failure to extend the so-called “one-stop shop” mechanism in the GDPR to all data processors and controllers requires companies exporting digital services into the EU to interact with and comply with multiple supervisory authorities across the EU, thus creating costs for foreign service suppliers not faced by like domestic suppliers which could amount to a violation of the national treatment obligation. Mattoo and Meltzer (2018), pp. 780–781; Velli (2019), p. 889; Yakovleva and Irion (2016), p. 206.
- 524.
See Sect. 3.2.3.
- 525.
WTO Panel Report, Argentina – Financial Services, paras 7.592–7.593; WTO AB Report, Argentina – Financial Services, para. 6.202.
- 526.
Ibid., para. 6.204.
- 527.
WTO Panel Report, Argentina – Financial Services, paras 7.659, 7.661 with reference to, among others, WTO AB Report, EC – Seal Products, para. 5.169 (on Article XX GATT) and WTO AB Report, US – Gambling, paras 306–307.
- 528.
WTO AB Report, Argentina – Financial Services, para. 6.234 with reference to WTO AB Report, Korea – Various Measures on Beef, para. 163 (on Article XX GATT).
- 529.
Ibid.
- 530.
WTO AB Report, Korea – Various Measures on Beef, para. 163 (on Article XX GATT).
- 531.
WTO AB Report, Argentina – Financial Services, para. 6.201 with reference to WTO Panel Report, Argentina – Financial Services, paras 7.658–7.661, WTO AB Report, EC – Seal Products, paras 5.169, 5.214 (on Article XX GATT) and WTO AB Report, US – Gambling, para. 304.
- 532.
WTO AB Report, EC – Asbestos, para. 171 (on Article XX GATT), with reference to WTO AB Report, Korea – Various Measures on Beef, para. 166 (on Article XX GATT), in which the AB expressly affirmed the standard set forth by the panel in GATT Panel Report, US – Section 337 of the Tariff Act of 1930, para. 5.26 [emphasis added] (on Article XX GATT).
- 533.
WTO Panel Report, Argentina – Financial Services, para. 7.730 with reference to WTO AB Report, US – Gambling, para. 311 and WTO AB Report, Brazil – Retreaded Tyres, para. 156 (on Article XX GATT).
- 534.
WTO AB Report, US – Gambling, para. 308. Carla Reyes suggested that the “comparable” rather than “adequate/equivalent” standard will alter the balance under the weighing and balancing test with regard to both the extent to which the “Privacy Directive” secures enforcement and the negative impact on trade. Yet, the EU is free to define its desired level of protection under Article XIV(c)(ii) GATS according to this finding of the AB. The EU is not required to introduce a standard of comparable protection for personal data under WTO law. Reyes (2011), p. 33.
- 535.
WTO Panel Report, Argentina – Financial Services, para. 7.730 with reference to WTO AB Report, US – Gambling, para. 311 and AB Report, Brazil – Retreaded Tyres, para. 156 (on Article XX GATT).
- 536.
Mishra (2019), p. 14.
- 537.
See Sect. 3.2.4. Christopher Kuner submits that adequacy decisions do not provide a watertight standard of data protection. Kuner (2009), p. 271. While this submission is not wrong, the new rules under the GDPR improve compliance with the right to continuous protection for personal data. The criteria for adequate protection are more detailed and the periodic review mechanism ensures consistency over time.
- 538.
Mattoo and Meltzer (2018), p. 782.
- 539.
- 540.
WTO AB Report, China – Publications and Audiovisual Products, paras 326–327, with reference to WTO AB Report, US – Gambling, para. 308.
- 541.
WTO Panel Report, Argentina – Financial Services, paras 7.592–7.593; WTO AB Report, Argentina – Financial Services, para. 6.202.
- 542.
- 543.
WTO AB Report, Argentina – Financial Services, para. 6.203 [footnote omitted].
- 544.
WTO Panel Report, Argentina – Financial Services, paras 7.592–7.593; WTO AB Report, Argentina – Financial Services, para. 6.202; see Sect. 4.4.4.1.1.
- 545.
See Sect. 3.3.4.
- 546.
This is the case for digital services such as cloud computing services, social network services, IoT maintenance services, and digital lodging arrangement platform services that cannot be supplied without systematic, structural, and continuous cross-border flows of personal data. See Sect 4.3.3.2.
- 547.
- 548.
- 549.
Reyes (2011), p. 33.
- 550.
Cp. WOT AB Report, Brazil – Retreaded Tyres, para. 156 (on Article XX GATT).
- 551.
EDPB (2020), pp. 26–27.
- 552.
Ibid.
- 553.
Ibid., 27.
- 554.
WTO AB Report, EC – Seal Products, para. 5.299 (on Article XX GATT).
- 555.
Ibid., para. 5.300 (on Article XX GATT).
- 556.
WTO AB Report, Brazil – Retreated Tyres, para. 217 (on Article XX GATT); WTO Panel Report, Brazil – Retreaded Tyres, para. 7.270 (on Article XX GATT).
- 557.
Mishra (2019), pp. 19–20.
- 558.
WTO AB Report, EC – Seal Products, para. 5.303 (on Article XX GATT) with reference to WTO AB Report, Brazil – Retreaded Tyres, para. 226 (on Article XX GATT).
- 559.
Ibid., para. 5.305 (on Article XX GATT) with reference to WTO AB Report, US – Shrimp, paras 163–164, 166, 172 and 177 (on Article XX GATT).
- 560.
Cp. ibid., para. 5.306 (on Article XX GATT).
- 561.
WTO AB Report, US – Shrimp, para. 176 (on Article XX GATT).
- 562.
Ibid. (on Article XX GATT).
- 563.
- 564.
This is an example taken from Recital (4) Commission Decision 2003/821/EC of 21 November 2003 on the adequate protection of personal data in Guernsey, [2003] OJ L 308/27.
- 565.
See Sect. 3.2.1.3.
- 566.
WTO AB Report, US – Shrimp, para. 182 (on Article XX GATT).
- 567.
Ibid., para. 183 (on Article XX GATT).
- 568.
WTO AB Report, US – Shrimp, para. 163 (on Article XX GATT).
- 569.
Where the instruments providing appropriate safeguards in Article 46 GDPR are not available, a potential export prohibition for digital services that require structural, systematic, and continuous transfers of personal data could be reconciled with the policy objective of protecting privacy under Article XIV(c)(ii) GATS.
- 570.
Should the WTO adjudicative bodies not follow the assessment submitted here, the European Commission would potentially need to start issuing negative adequacy decisions subject to judicial review. Such negative adequacy decisions would have negative consequences for the use of the instruments in Article 46 GDPR because the decision would consist of an official determination that the level of protection for personal data is not essentially equivalent to that guaranteed within the EU. Complainants should thus be aware that a negative adequacy decision could require data controllers and supervisory authorities to suspend or ban all data transfers from the EU to third countries with a negative adequacy decision.
- 571.
WTO AB Report, Japan – Alcoholic Beverages II, 29 (on Article XX GATT).
- 572.
- 573.
WTO AB Report, US – Shrimp (Article 21.5 – Malaysia), para. 134 (on Article XX GATT).
- 574.
Ibid., para. 122 (on Article XX GATT).
- 575.
Ibid., para. 133 (on Article XX GATT), with reference to WTO Panel Report, US – Shrimp (Article 21.5 – Malaysia), para. 5.71 (on Article XX GATT).
- 576.
Ibid., para. 122 (on Article XX GATT).
- 577.
Bygrave (2002), p. 198.
- 578.
See Sect. 4.3.3.2.
- 579.
See Sect. 3.3.3.1.3.
- 580.
See Sect. 2.2.2.4.
- 581.
WTO AB Report, Argentina – Financial Services, para. 6.202; WTO Panel Report, Argentina – Financial Services, paras 7.592–7.593; see Sect. 4.4.4.1.1.
- 582.
Ibid.
- 583.
WTO Panel Report, Argentina – Financial Services, paras 7.659, 7.661 with reference to, among others, WTO AB Report, EC – Seal Products, para. 5.169 (on Article XX GATT) and WTO AB Report, US – Gambling, paras 306–307.
- 584.
Mishra (2019), p. 14.
- 585.
ECJ, Schrems 2, para. 147.
- 586.
Ibid.
- 587.
Ibid.
- 588.
WTO AB Report, EC – Seal Products, para. 5.303 (on Article XX GATT) with reference to WTO AB Report, Brazil – Retreaded Tyres, para. 226 (on Article XX GATT).
- 589.
This is the case for digital services such as cloud computing services, social network services, IoT maintenance services, and digital lodging arrangement platform services that cannot be supplied without systematic, structural, and continuous data transfers. See Sect. 4.3.3.2.
- 590.
WTO AB Report, Argentina – Financial Services, para. 6.202; WTO Panel Report, Argentina – Financial Services, paras 7.592–7.593; see Sect. 4.4.4.1.1.
- 591.
See Sect. 4.4.4.2.1.
- 592.
WTO Panel Report, Argentina – Financial Services, paras. 7.659, 7.661 with reference to, among others, WTO AB Report, EC – Seal Products, para. 5.169(on Article XX GATT) and WTO AB Report, US – Gambling, paras 306–307.
- 593.
- 594.
WTO AB Report, EC – Seal Products, para. 5.303 (on Article XX GATT) with reference to WTO AB Report, Brazil – Retreaded Tyres, para. 226 (on Article XX GATT).
- 595.
See Sect. 2.2.2.4.
- 596.
WTO AB Report, Argentina – Financial Services, para. 6.202; WTO Panel Report, Argentina – Financial Services, paras 7.592–7.593; see Sect. 4.4.4.1.1.
- 597.
I have argued above––concerning the MFN treatment obligation––that the principle of accountability would not be a reasonably available alternative measure that achieves the same level of protection with respect to the objective pursued in cases in which the right to continuous protection for personal data cannot be ensured with the instruments in Article 46 GDPR. See Sect. 4.4.4.1.1.
- 598.
- 599.
Kuner (2009), p. 270.
- 600.
WTO AB Report, Argentina – Financial Services, para. 6.202; WTO Panel Report, Argentina – Financial Services, paras 7.592–7.593; see Sect. 4.4.4.1.1.
- 601.
WTO AB Report, EC – Seal Products, para. 5.303 (on Article XX GATT) with reference to WTO AB Report, Brazil – Retreaded Tyres, para. 226 (on Article XX GATT).
- 602.
Yakovleva and Irion (2020b), p. 11.
- 603.
See Sect. 2.4.3.
- 604.
See Sect. 2.2.2.4.
- 605.
WTO AB Report, US – Shrimp, para. 182 (on Article XX GATT).
- 606.
Ibid., para. 183 (on Article XX GATT).
- 607.
- 608.
ECJ, Schrems 2, para. 113.
- 609.
See Sect. 2.4.3.
References
Bibliography
Anuradha RV (2018) Technological Neutrality: Implications for Services Commitments and the Discussions on E-Commerce. Centre for WTO Studies Working Paper. New Delhi
Bartels L (2015) The Chapeau of the general exceptions in the WTO GATT and GATS Agreements. A reconstruction. Am J Int Law 109(1):95–125
Barth S, de Jong MDT (2017) The privacy paradox – Investigating discrepancies between expressed privacy concerns and actual online behavior – A systematic literature review. Telematics Inform 34(7):1038–1058
Batura O (2013) The WTO legal framework for telecommunications services and challenges of the information age. In: Hermann C, Krajewski M, Terhechte JP (eds) European yearbook of international economic law. Springer, Heidelberg, pp 201–234
Bennett CJ (2012) The accountability approach to privacy and data protection: assumptions and caveats. In: Guagnin D, Hempel L, Iten C et al (eds) Managing privacy through accountability. Palgrave Macmillan, New York, pp 33–48
Bhagwati J (2004) In defense of globalization. Oxford University Press, New York
Blouin C, Gobrecht J, Lethbridge J, Singh D, Smith R, Warner D (2006) Trade in health services under the four modes of supply: review of current trends and policy issues. In: Blouin C, Drager N, Smith R (eds) International trade in health services and the GATS. Current issues and debates. The World Bank, Washington DC, pp 203–234
Bogdanova I (2019) The WTO Panel Ruling on the National Security Exception: Has the Panel ‘Cut’ the Baby in Half?, EJIL:Talk!, 12 April 2019. https://www.ejiltalk.org/the-wto-panel-ruling-on-the-national-security-exception-has-the-panel-cut-the-baby-in-half/. Accessed 3 Jan 2021
Brehmer JH (2018) Data localization: the unintended consequences of privacy litigation. Am Univ Law Rev 67(3):927–969
Brin S, Page L (1998) The anatomy of a large-scale hypertextual web search engine. Comput Netw ISDN Syst 30(1):107–117
Bronckers M, Larouche P (2008) A review of the WTO regime for telecommunications services. In: Kern A, Mads A (eds) The World Trade Organization and trade in services. Martinus Nijhoff Publishers, Leiden/Boston, pp 319–380
Burri M (2015) The international economic law framework for digital trade. Zeitschrift für Schweizerisches Recht 135(2):10–72
Burri M (2019) Understanding and shaping trade rules for the digital era. In: Elsig M, Hahn M, Spilker G (eds) The shifting landscape of global trade governance. Cambridge University Press, Cambridge, pp 73–106
Burri M (2021) Towards a new treaty on digital trade. J World Trade 55(1):77–100
Bygrave L (2002) Data protection law. Approaching its rationale, logic and limits. Kluwer, The Hague
Chander A (2020) Is data localization a solution for Schrems II? J Int Econ Law 23:1–14
Chander A, Le UP (2015) Data nationalism. Emory Law J 64(3):677–739
Chen I-C (2018) Government internet censorship measures and international law. LIT, Zurich
Cimino-Isaacs CD, Fefer RF, Fergusson IF (2020) WTO: Ministerial Delay, COVID-19, and Ongoing Issues. Congressional Research Service In Focus. Washington DC
Cisco (2019) Cisco Visual Networking Index: Forecast and Trends, 2017–2022. San Jose
Collins D (2019) The public international law of trade in legal services. Cambridge University Press, Cambridge
Conrad CR (2011) Processes and production methods (PPMs) in WTO law: interfacing trade and social goals. Cambridge University Press, Cambridge
Cottier T, Delimatsis P (2008) Article XIVbis GATS. In: Rüdiger W, Stoll P-T, Feinäugle C (eds) WTO – Trade in services. Max Planck commentaries on World Trade Law. Martinus Nijhoff, Leiden, pp 329–348
Cottier T, Molinuevo M (2008) Article V GATS. In: Rüdiger W, Stoll P-T, Feinäugle C (eds) WTO – trade in services. Max Planck commentaries on World Trade Law. Martinus Nijhoff, Leiden, pp 125–164
Cottier T, Delimatsis P, Diebold N (2008) Article XIV GATS. In: Rüdiger W, Stoll P-T, Feinäugle C (eds) WTO – Trade in Services. Max Planck Commentaries on World Trade Law, Martinus Nijhoff, Leiden, pp 287–328
Crosby D (2016) Analysis of data localization measures under WTO service trade rules and commitments. The E15 Initiative Policy Brief. Geneva
Delimatsis P, Molinuevo M (2008) Article XVI GATS. In: Rüdiger W, Stoll P-T, Feinäugle C (eds) WTO – Trade in Services. Max Planck commentaries on World Trade Law. Martinus Nijhoff, Leiden, pp 367–395
Dörr O (2018a) Article 31. General rule of interpretation. In: Dörr O, Schmalenbach K (eds) Vienna Convention on the law of treaties. A commentary, 2nd edn. Springer, Heidelberg, pp 559–616
Dörr O (2018b) Article 32. Supplementary means of interpretation. In: Dörr O, Schmalenbach K (eds) Vienna convention on the law of treaties. A commentary, 2nd edn. Springer, Heidelberg, pp 617–633
Drake WJ, Nicolaidis K (1992) Ideas, interests, and institutionalization. “Trade in Services” and the Uruguay Round. Int Organ 46(1):37–100
Erixon F, Hindley B, Lee-Makiyama H (2009) Protectionism online: internet censorship and international trade law. ECIPE Working Paper No. 12/2009, Brussels
European Commission (2022a) European commission and United States joint statement on trans-Atlantic data privacy framework. 25 March 2022. https://ec.europa.eu/commission/presscorner/detail/en/IP_22_2087. Accessed 30 Oct 2022
European Commission (2022b) Questions & answers: EU-U.S. data privacy framework. 7 October 2022. https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_6045. Accessed 30 Oct 2022
Fefer RF (2020) Internet Regimes and WTO E-Commerce Negotiations. Congressional Research Service Report. R46198. Washington DC
Ferracane MF (2017) Restrictions on Cross-Border data flows: a taxonomy. ECIPE Working Paper 1/2017. Brussels
Ferracane MF (2018) Data flows and national security: a conceptual framework to assess restrictions on data flows under GATS security exception. Digital Policy, Regulation and Governance. https://doi.org/10.1108/DPRG-09-2018-0052. Accessed 3 Jan 2021
Gao H (2008) Annex on telecommunications. In: Rüdiger W, Stoll P-T, Feinäugle C (eds) WTO – Trade in services. Max Planck commentaries on World Trade Law. Martinus Nijhoff, Leiden, pp 683–711
Gao H (2011) Google’s China problem: a case study on trade, technology and human rights under the GATS. Asian J WTO Int Health Law Policy 6(2):347–385
Gao H (2012) Googling for the trade–human rights nexus in China: can the WTO help? In: Burri M, Cottier T (eds) Trade governance in the digital age. Cambridge University Press, Cambridge, pp 247–275
Garcia-Israel K, Grollier J (2019) Electronic commerce joint statement: issues in the discussion phase. CUTS, Geneva
Gasser U, Palfrey J (2012) Fostering innovation and trade in the global information society: the different facets and roles of interoperability. In: Burri M, Cottier T (eds) Trade governance in the digital age. Cambridge University Press, Cambridge, pp 123–154
Hamari J, Sjöklint M, Ukkonen A (2016) The sharing economy: why people participate in collaborative consumption. J Assoc Inform Sci Technol 67(9):2047–2059
Hodson S (2019) Applying WTO and FTA disciplines to data localization measures. World Trade Rev 18(4):579–607
Hon WK, Millard C, Walden I (2011) The problem of ‘personal data’ in cloud computing: what information is regulated?—the cloud of unknowing. Int Data Priv Law 1(4):211–228
Hufbauer GC, Lu Z (2019) Global E-Commerce talks stumble on data issues, privacy, and more. Peterson Institute for International Economics Policy Brief. Washington DC
ICTSD (2017) Debating the Future of E-Commerce and Digital Trade in Buenos Aires. Bridges 21(40). http://www.ictsd.org/bridges-news/bridges/news/debating-the-future-of-e-commerce-and-digital-trade-in-buenos-aires. Accessed on 14 May 2022
Irion K, Yakovleva S, Bartl M (2016) Trade and privacy: complicated bedfellows? How to achieve data protection-proof free trade agreements. Independent study commissioned by BEUC et al. Amsterdam
Ismail Y (2020) E-commerce in the World Trade Organization: history and latest developments in the negotiations under the Joint Statement. International Institute for Sustainable Development and CUTS International, Geneva
ITU (2019) Measuring digital development. Facts and figures 2019, Geneva
Kariyawasam R (2007) International economic law and the digital divide. A New Silk Road? Edward Elgar, Cheltenham
Keller P (2011) European and international media law: liberal democracy, trade, and the new media. Oxford University Press, Oxford
Kelsey J (2019) Understanding the European Union’s understanding on computer and related services. Third World Network, Penang
Korolov M (2018) It’s Cool, It’s Well Wired, and It’s Staying in the EU. Data Center Knowledge, 6 February 2018. https://www.datacenterknowledge.com/europe/it-s-cool-it-s-well-wired-and-it-s-staying-eu. Accessed 3 Jan 2021
Krajewski M (2003) National regulation and trade liberalization in services. The legal impact of the general agreement on trade in services (GATS) on national regulatory autonomy. Kluwer, The Hague/London/New York
Krajewski M (2008) Article VI GATS. In: Rüdiger W, Stoll P-T, Feinäugle C (eds) WTO – Trade in Services. Max Planck commentaries on World Trade Law. Martinus Nijhoff, Leiden, pp 167–196
Krajewski M, Engelke M (2008) Article XVII GATS. In: Rüdiger W, Stoll P-T, Feinäugle C (eds) WTO – Trade in Services. Max Planck Commentaries on World Trade Law. Martinus Nijhoff, Leiden, pp 396–420
Kuner C (2009) Developing an adequate legal framework for international data transfers. In: Gutwirth S, Poullet Y, de Hert P et al (eds) Reinventing data protection? Springer, Heidelberg, pp 263–273
Kuner C (2015) Extraterritoriality and regulation of international data transfers in EU data protection law. Int Data Priv Law 5(4):235–245
Kuner C (2017) The Internet and the Global Reach of EU Law. University of Cambridge Faculty of Law Research Paper No. 24/2017
Lang A (2011) World Trade law after neoliberalism. Reimagining the global economic order. Oxford University Press, Oxford
Lapid K (2006) Outsourcing and offshoring under the general agreement on trade in services. J World Trade 40(2):341–364
Le Bouthillier Y (2011) Article 32 Convention of 1969. In: Corten O, Klein P (eds) The Vienna Conventions on the law of treaties. A commentary. Vol. I. Oxford University Press, Oxford, pp 841–863
Lo C-F (2013) The proper interpretation of ‘Disguised Restriction on International Trade’ under the WTO: the need to look at the protective effect. J Int Disp Settlement 4(1):111–137
Luff D (2004) Current international trade rules relevant to telecommunications services. In: Geradin D, Luff D (eds) The WTO and global convergence in telecommunications and audio-visual services. Cambridge University Press, Cambridge, pp 34–50
Luff D (2012) Convergence - a Buzzword to remain? In: Burri M, Cottier T (eds) Trade governance in the digital age. Cambridge University Press, Cambridge, pp 65–90
Makulilo AB (2013) Data protection regimes in Africa. Too far from the European ‘adequacy’ standard. Int Data Priv Law 3(1):42–50
Mantilla BS, Pehl A (2020) National security exceptions in international trade and investment agreements. Justiciability and Standards of Review. Springer, Heidelberg
Marchetti JA, Mavroidis PC (2011) The genesis of the GATS (General Agreement on Trade in Services). Eur J Int law 22(3):689–721
Marín Durán G (2017) Untangling the international responsibility of the European Union and its member states in the World Trade Organization post-Lisbon: a competence/remedy model. Eur J Int Law. 28(3):697–729
Mathew B (2003) The WTO Agreements on telecommunications. Peter Lang, Bern
Matsushita M, Schoenbaum TJ, Mavroidis PC, Hahn M (2015) The World Trade Organization. Law, practice, and policy, 3rd edn. Oxford University Press, Oxford
Mattoo A, Meltzer JP (2018) International data flows and privacy: the conflict and its resolution. J Int Econ Law 21(4):769–789
Mattoo A, Wunsch-Vincent S (2004) Pre-empting protectionism in services: the GATS and outsourcing. J Int Econ Law 7(4):765–800
Meltzer JP (2019) Governing digital trade. World Trade Rev 18(1):23–48
Mishra N (2016) Data localization laws in a digital world. Data protection or data protectionism? Public Sphere 2016:135–158
Mishra N (2019) Privacy, cybersecurity, and GATS Article XIV: a new frontier for trade and internet regulation? World Trade Rev 19(3):1–24
Mitchell AD, Hepburn J (2017) Don’t Fence Me In: reforming trade and investment law to better facilitate cross-border data transfer. Yale J Law Technol 19:182–237
Mitchell AD, Neha M (2018) Data at the docks: modernizing international trade law for the digital economy. Vanderbilt J Entertain Technol Law 20(4):1073–1134
Molinuevo M (2008) Article XX GATS: schedules for specific commitments. In: Rüdiger W, Stoll P-T, Feinäugle C (eds) WTO – Trade in Services. Max Planck Commentaries on World Trade Law. Martinus Nijhoff, Leiden, pp 445–464
Molthan AL, Case JL, Venner J, Schroeder R et al. (2015) Clouds in the Cloud. Weather forecast and applications within cloud computing environment. Bull Am Meteorol Soc 96(8):1369–1379
Muller G (2017) Troubled relationships under the GATS: tensions between market access (Article XVI), national treatment (Article XVII), and domestic regulation (Article VI). World Trade Rev 16(3):449–474
Munin N (2010) Legal guide to GATS. Kluwer, Alphen aan den Rijn
Nadakavukaren Schefer K (2009) Dancing with the devil: a heretic’s view of protectionism in the WTO legal system. Asian J WTO Int Health Law Policy 4(2):423–443
Nartova O (2008) Article XXI: modification of schedules. In: Rüdiger W, Stoll P-T, Feinäugle C (eds) WTO – trade in services. Max Planck commentaries on World Trade Law. Martinus Nijhoff, Leiden, pp 465–479
Newman AL (2009) Protectors of Privacy. Regulating personal data in the global economy. Cornell University Press, New York
Oesch M (2018) Switzerland and the European Union. Schulthess, Zurich
Oesch M, Burghartz AO, Manikulam V (2020) The Jurisprudence of WTO Dispute Resolution (2019). Swiss Rev Int Eur Law 2:265–294
Panizzon M (2006) Good Faith in the Jurisprudence of the WTO. Hart, Portland
Pauwelyn J (2005) Rien ne Va Plus? Distinguishing domestic regulation from market access in GATT and GATS. World Trade Rev 4(2):131–170
Peng S-y (2011) Digitalization of services, the GATS and the protection of personal data. In: Sethe R, Heinemann A, Hilty RM et al (eds) Kommunikation. Stämpfli, Bern, pp 753–769
Perez Asinari MV (2003) The WTO and the protection of personal data. Do EU measures fall within GATS Exception? Which future for data protection within the WTO e-commerce Context? Paper presented at the 18th BILETA Conference: Controlling Information in the Online Environment. London
Public Citizen (2015) Only One of 44 Attempts to Use the GATT Article XX/GATS Article XIV “General Exception” Has Ever Succeeded: Replicating the WTO Exception Construct Will Not Provide for an Effective TPP General Exception. Washington D.C
Reyes CL (2011) WTO-compliant protection of fundamental rights. Lessons from the EU privacy directive. Melbourne J Int Law 12(1):1–36
Roseman D (2003) Domestic regulation and trade in telecommunications services: experience prospects under the GATS. In: Mattoo A, Sauvé P (eds) Domestic regulation & service trade liberalization. The World Bank, Washington DC, pp 83–108
Rothstein P (2008) Moving all-In with the World Trade Organization: ignoring adverse rulings and gambling with the future of the WTO. Georgia J Int Comp Law 37(1):151–180
Ruotolo GM (2018) The EU data protection regime and the multilateral trading system. Where dream and day unite. Quest Int Law 51(6):5–29
Saluzzo S (2017) Cross border data flows and international trade law. The relationship between EU data protection law and the GATS. Diritto del Commercio Internazionale 31(4):807–829
Sargsyan T (2016) Data localization and the role of infrastructure for surveillance, privacy, and security. Int J Commun 10:2221–2237
Schneier B (2014) Espionage vs. Surveillance. Blog Schneier on Security. 14 May 2014. https://www.schneier.com/blog/archives/2014/05/espionage_vs_su.html. Accessed 3 January 2021
Sen N (2018) Understanding the role of the WTO in international data flows: taking the liberalization or the regulatory autonomy path? J Int Econ Law 21(2):323–348
Shaffer G (2000) Globalization and social protection: the impact of EU and international rules in the ratcheting up of U.S. Privacy standards. Yale J Int Law 25(1):1–88
Shapiro E (2003) All is not fair in the privacy trade: the safe harbor agreement and the World Trade Organization. Fordham Law Rev 71(6):2781–2821
Sorel J-M, Boré Eveno V (2011) Article 31 Convention of 1969. In: Corten O, Klein P (eds) The Vienna Conventions on the law of treaties. A commentary, vol I. Oxford University Press, Oxford, pp 804–837
South Centre (2009) The Draft GATS Domestic Regulation Disciplines. Analytical Note of October 2009. SC/AN/TDP/SV/12
Stelly R (2019) Countries Table Proposals, Talks Continue on WTO E-Commerce Rules, Disruptive Competition Project. 23 August 2019. http://www.project-disco.org/21st-century-trade/082319-countries-table-proposals-talks-continue-on-wto-e-commerce-rules/. Accessed 3 Jan 2021
Stephenson SM (1999) Approaches to Liberalizing Trade in Services. World Bank Policy Research Paper 2107. Washington DC
Stoddart J, Chan B, Joly Y (2016) The European Union’s adequacy approach to privacy and international data sharing in health research. J Law Med Ethics 44(1):143–155
Susskind R (2013) Tomorrow’s lawyers: an introduction to your future. Oxford University Press, Oxford
Svantesson DJB (2020) Article 3. Territorial scope. In: Kuner C, Bygrave L, Docksey C (eds) The EU general data protection regulation (GDPR). Oxford University Press, Oxford, pp 74–99
Tinawi E, Berkey JO (2000) E-Services and the WTO: The Adequacy of the GATS Classification Framework. Institute for Agriculture & Trade Policy. https://www.iatp.org/documents/e-services-and-the-wto-the-adequacy-of-the-gats-classification-framework. Accessed 14 May 2022
Trachtman JP (2003) Lessons for the GATS from existing WTO rules on domestic regulation. In: Mattoo A, Sauvé P (eds) Domestic regulation & service trade liberalization. The World Bank, Washington DC, pp 57–82
Tuthill L (2016) Cross-border data flows: what role for trade rules? In: Sauvé P, Roy M (eds) Research handbook on trade in services. Edward Elgar, Cheltenham, pp 357–382
Tuthill L, Roy M (2012) GATS classification issues for information and communication technology services. In: Burri M, Cottier T (eds) Trade governance in the digital age. Cambridge University Press, Cambridge, pp 157–178
UNCTAD (2015) International Trade in ICT Services and ICT-Enabled Services. Proposed Indicators from the Partnership on Measuring ICT for Development. UNCTAD Technical Notes on ICT for Development N°3. Geneva
Urquhart L, Lodge T, Crabtree A (2019) Demonstrably doing accountability in the Internet of Things. Int J Law Inform Technol 27(1):1–27
Usman A, Chander A (2015) Information Goes Global: Protecting Privacy, Security, and the New Economy in a World of Cross-border Data Flows. E15 Expert Group on the Digital Economy Think Piece. E15 Initiative. Geneva
Van den Bossche P, Zdouc W (2017) The law and policy of the World Trade Organization, 4th edn. Cambridge University Press, Cambridge
Velli F (2019) The issue of data protection in EU Trade Commitments: cross-border data transfers in GATS and bilateral free trade agreements. Eur Pap 4(3):881–894
Villiger ME (2009) Commentary on the 1969 Vienna Convention on the law of treaties. Brill, Leiden/Boston
Voon T (2019) The security exception in WTO law: entering a new era. Am J Int Law Unbound 113:45–50
Wang C (2019) Invocation of National Security Exceptions under GATT Article XXI: Jurisdiction to review and standard of review. Chinese J Int Law 18(3):695–712
Weber R (2012) Regulatory autonomy and privacy standards under the GATS. Asian J WTO Int Health Law Policy 7(1):25–48
Weber R, Burri M (2012) Classification of services in the digital economy. Schulthess, Zurich
Willemyns I (2018) The GATS (In)consistency of Barriers to Digital Trade. KU Leuven Centre for Global Governance Studies Working Paper No. 207. September 2018
Willemyns I (2019) GATS classification of digital services – does ‘The Cloud’ have a silver lining? J World Trade 53(1):59–81
Wojtan B (2011) The new EU model clauses: one step forward, two steps back? Int Data Priv Law 1(1):76–80
Wolfrum R (2008), WTO – services. In: Rüdiger W, Stoll P-T, Feinäugle C (eds) WTO – trade in services. Max Planck Commentaries on World Trade Law. Martinus Nijhoff, Leiden, pp 71–91.
Wouters J, Coppens D (2008) GATS and domestic regulation: balancing the right to regulate and trade liberalization. In: Kern A, Mads A (eds) The World Trade Organization and trade in services. Martinus Nijhoff Publishers, Leiden/Boston, pp 207–263
WTO (2019a) World Trade Report 2019. The future of services trade. Geneva
Wu T (2006) The World Trade Law of censorship and internet filtering. Chicago J Int Law 7(1):263–287
Wunsch-Vincent S (2006) The Internet, cross-border trade in services, and the GATS: lessons from US-Gambling. World Trade Rev 5(3):319–355
Yakovleva S (2020) Privacy protection(ism): the latest wave of trade constraints on regulatory autonomy. Univ Miami Law Rev 74(2):416–519
Yakovleva S, Irion K (2016) The best of both worlds. Free trade in services and EU law on privacy and data protection. Eur Data Protect Law Rev 2(2):191–208
Yakovleva S, Irion K (2018) The Interface Between Trade and Privacy: How to Reconcile the European Union Governance of Personal Data Flows with External Trade. ASIL Conference Paper
Yakovleva S, Irion K (2020a) Pitching trade against privacy- reconciling EU governance of personal data flows with external trade. Int Data Priv Law 10(3):1–21
Yakovleva S, Irion K (2020b) Toward compatibility of the EU trade policy with the general data protection regulation. Am J Int Law Unbound 114:10–14
Zacharias D (2008) Article I GATS. In: Rüdiger W, Stoll P-T, Feinäugle C (eds) WTO – Trade in services. Max Planck commentaries on World Trade Law. Martinus Nijhoff, Leiden, pp 31–69
Zhang R (2015) Covered or not covered: that is the question - Services classification and Its Implications for Specific Commitments under the GATS. WTO Staff Working Paper. Geneva
Jurisprudence
ECJ, AG Opinion, Schrems 2: ECJ, Opinion of AG Saugmandsgaard Øe delivered on 19 December 2019, Schrems 2, C-311/18, EU:C:2019:1145
ECJ, Airbnb Ireland: ECJ, Judgment of 19 December 2019, Airbnb Ireland, C-390/18, EU:C:2019:1112
ECJ, Asociación Profesional Élite Taxi: ECJ, Judgment of 20 December 2017, Asociación Profesional Élite Taxi, C-434/15, EU:C:2017:981
ECJ, Google Spain and Google: ECJ, Judgment of 13 May 2014, Google Spain and Google, C-131/12, EU:C:2014:317
ECJ, Google v. CNIL: ECJ, Judgment of 24 September 2019, Google v. CNIL, C-507/17, EU:C:2019:772
ECJ, Schrems 2: ECJ, Judgment of 16 July 2020, Facebook Ireland and Schrems, C-311/18, EU:C:2020:559
ECJ, Uber France: ECJ, Judgment of 10 April 2018, Uber France, C-320/16, EU:C:2018:221
GATT Panel Report, US – Section 337 of the Tariff Act of 1930: GATT Panel Report, US – Section 337 of the Tariff Act of 1930, 7 November 1989, 36S/345
GATT Panel Report, US – Spring Assemblies, GATT Panel Report of 26 May 1983, US – Spring Assemblies, 30S/107
GATT Panel Report, US – Tuna (Canada): GATT Panel Report of 22 February 1982, US – Tuna (Canada) 29S/91
IHC, Schrems 2: IHC, Judgment of 3 October 2017, Data Protection Commissioner v. Facebook Ireland and Schrems, 2016 No. 4809 P 8
WTO AB Report, Argentina – Financial Services: WTO AB Report of 14 April 2016, Argentina – Measures Relating to Trade in Goods and Services, WT/DS453/AB/R
WTO AB Report, Brazil – Retreated Tyres: WTO AB Report of 3 December 2007, Brazil – Measures Affecting Imports of Retreaded Tyres, WT/DS332/AB/R
WTO AB Report, Canada – Autos: WTO AB Report of 31 May 2000a, Canada – Certain Measures Affecting the Automotive Industry, WT/DS139/AB/R and WT/DS142/AB/R
WTO AB Report, Canada – Periodicals: WTO AB Report of 30 June 1997a, Canada – Certain Measures Concerning Periodicals, WT/DS31/AB/R
WTO AB Report, China – Publications and Audiovisual Products: WTO AB Report of 12 August 2009, China – Measures Affecting Trading Rights and Distribution Services for Certain Publications and Audiovisual Entertainment Products, WT/DS363/AB/R
WTO AB Report, EC – Asbestos: WTO AB Report of 12 March 2001a, European Communities – Measures Affecting Asbestos and Asbestos-Containing Products, WT/DS135/ AB/R
WTO AB Report, EC – Bananas III: WTO AB Report of 9 September 1997b, European Communities – Regime for the Importation, Sale and Distribution of Bananas, WT/DS27/ AB/R
WTO AB Report, EC – Seal Products: WTO AB Report of 22 May 2014, European Communities – Measures Prohibiting the Importation and Marketing of Seal Products, WT/DS401/AB/R
WTO AB Report, Indonesia – Import Licensing Regimes: WTO AB Report of 9 November 2017, Indonesia – Importation of Horticultural Products, Animals and Animal Products, WT/DS477/AB/R
WTO AB Report, Japan – Alcoholic Beverages II: WTO AB Report of 4 October 1996a, Japan – Taxes on Alcoholic Beverages WT/DS8/AB/R
WTO AB Report, Korea – Various Measures on Beef: WTO AB Report of 11 December 2000b, Korea – Measures Affecting Imports of Fresh, Chilled and Frozen Beef, WT/DS161/AB/R
WTO AB Report, Turkey – Textiles: WTO AB Report of 22 October 1999, Turkey – Restrictions on Imports of Textile and Clothing Products, WT/DS34/AB/R
WTO AB Report, US – Gambling: WTO AB Report of 7 April 2005, United States – Measures Affecting the Cross-Border Supply of Gambling and Betting Services, WT/DS285/AB/R
WTO AB Report, US – Gasoline: WTO AB Report of 29 April 1996b, United States – Standards for Reformulated and Conventional Gasoline, WT/DS2/AB/R
WTO AB Report, US – Shrimp: WTO AB Report of 12 October 1998, United States – Import Prohibition of Certain Shrimp and Shrimp Products, WT/DS58/AB/R
WTO AB Report, US – Shrimp (Article 21.5 – Malaysia): WTO AB Report of 22 October 2001b, United States – Import Prohibition of Certain Shrimp and Shrimp Products, Article 21.5 DSU – Malaysia, WT/DS58/AB/RW
WTO AB Report, US – Stainless Steel (Mexico): WTO AB Report of 30 April 2008, United States – Final Anti-Dumping Measures on Stainless Steel from Mexico, WT/DS444/AB/R
WTO Panel Report, Argentina – Financial Services: WTO Panel Report of 30 September 2015, Argentina – Measures Relating to Trade in Goods and Services, WT/DS453/R
WTO Panel Report, Argentina – Hides and Leather: WTO Panel Report of 19 December 2000a, Argentina – Measures Affecting the Export of Bovine Hides and the Import of Finished Leather, WT/DS155/R
WTO Panel Report, Brazil – Tyres: WTO Panel Report of 17 December 2007, Brazil – Measures Affecting Imports of Retreaded Tyres, WT/DS332/R
WTO Panel Report, China – Electronic Payment Services: WTO Panel Report of 16 July 2012, China – Certain Measures Affecting Electronic Payment Services, WT/DS413/R
WTO Panel Report, China – Publications and Audiovisual Products: WTO Panel Report of 12 August 2009, China – Measures Affecting Trading Rights and Distribution Services for Certain Publications and Audiovisual Entertainment Products, WT/DS363/R
WTO Panel Report, Dominican Republic – Import and Sale of Cigarettes: WTO Panel Report of 26 November 2004a, Dominican Republic — Measures Affecting the Importation and Internal Sale of Cigarettes, WT/DS302/R
WTO Panel Report, EC – Asbestos: WTO Panel Report of 18 September 2000b, European Communities – Measures Affecting Asbestos and Asbestos-Containing Products, WT/DS135/R
WTO Panel Report, EC – Bananas III: WTO Panel Report of 22 May 1997, European Communities – Regime for the Importation, Sale and Distribution of Bananas, WT/DS27/R/ECU
WTO Panel Report, EC – Bananas III (Article 21.5 – Ecuador): WTO Panel Report of 12 April 1999, European Communities – Regime for the Importation, Sale and Distribution of Bananas, Article 21.5 DSU – Ecuador, WT/DS27/R/ECU
WTO Panel Report, EC – Biotech: WTO Panel Report of 21 November 2006a, European Communities – Measures Affecting the Approval and Marketing of Biotech Products, WT/DS291/R
WTO Panel Report, EC – IT Products: WTO Panel Report of 21 September 2010a, European Communities and its Member States – Tariff Treatment of Certain Information Technology Products, WT/DS375/R
WTO Panel Report, EC – Selected Custom Matters: WTO Panel Report of 16 June 2006b, European Communities – Selected Customs Matters, WT/DS315/R
WTO Panel Report, Mexico – Telecoms: WTO Panel Report of 2 April 2004b, Mexico – Measures Affecting Telecommunications Services, WT/DS204/R
WTO Panel Report, Russia – Traffic in Transit: WTO Panel Report of 5 April 2019, Russia – Measures Concerning Traffic in Transit, WT/DS512/R
WTO Panel Report, Thailand – Cigarettes (Philippines): WTO Panel Report of 15 November 2010b, Thailand – Customs and Fiscal Measures on Cigarettes from the Philippines, WT/DS371/R
WTO Panel Report, US – Gambling: WTO Panel Report of 10 November 2004c, United States – Measures Affecting the Cross-Border Supply of Gambling and Betting Services, WT/DS285/R
WTO Panel Report, US – Hot Rolled Steel: WTO Panel Report of 28 February 2001a, United States – Anti-Dumping Measures on Certain Hot-Rolled Steel Products from Japan, WT/DS184/R
WTO Panel Report, US – Shrimps: WTO Panel Report of 15 June 2001b, United States – Import Prohibition of Certain Shrimp and Shrimp Products, Article 21.5 DSU – Malaysia, WT/DS58/RW
WTO Panel Report, US – Underwear: WTO Panel Report of 9 November 1996, United States – Restrictions on Imports of Cotton and Man-Made Fibre Underwear, WT/DS24/R
Documents
Article 29 WP (2001) Opinion 03/2001 on the level of protection of the Australian Privacy Amendment (Private Sector) Act 2000. WP40. 26 January 2001
Article 29 WP (2018b) Guidelines on consent under Regulation 2016/679. WP 259 rev.01. 28 November 2017 as last revised and adopted on 10 April 2018
Article 29 WP (2018c) Guidelines on Article 49 of Regulation 2016/679. WP 262. 6 February 2018
CNIL (2017) Compliance Package. Connected Vehicles and Personal Data, October 2017
EDPB (2018) Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/6793. 25 May 2018
EDPB (2020) Recommendations 02/2020 on the European Essential Guarantees for surveillance measures. 10 November 2020
European Commission (2017) Communication on Exchanging and Protecting Personal Data in a Globalised World. COM(2017) 7 final. 10 January 2017
European Commission (2020) Active WTO Dispute Settlement Cases: European Commission, General Overview of Active WTO Dispute Settlement Cases Involving the EU as Complainant or Defendant, of Cases under Bilateral Agreements and of Active Cases under the Trade Barriers Regulation. Ref. Ares(2020)2149313. 21 April 2020,
European Commission/IMF/OECD/United Nations/World Bank (2009) System of National Accounts 2008, ST/ESA/STAT/SER.F/2/Rev.5
GATT (1970) Working Party Report, Border Tax Adjustments. L/3464. BISD 18S/97. 2 December 1970
GATT (1989) GNS, Note on the Meeting of 5-9 June 1989. MTN.GNS/23. 11 July 1989
GATT (1990a) GNS, Communication from the European Communities, Proposal by the European Community, Draft General Agreement on Trade in Services. MTN.GNS/W/105. 18 June 1990
GATT (1990b) GNS, Working Group on Telecommunications Services, Note on the Meeting of 5–6 June 1990. MTN.GNS/TEL/1. 27 June 1990
GATT (1990c) GNS, Working Group on Telecommunications Services, Note on the Meeting of 9–11 July 1990. MTN.GNS/TEL/2. 6 August 1990
GATT (1990d) GNS, Draft Multilateral Framework for Trade in Services. MTN.GNS/35. 23 July 1990
GATT (1990e) GNS, Working Group on Telecommunications Services, Note on the Meeting of 10–12 September 1990. MTN.GNS/TEL/3. 12 October 1990
GATT (1990f) GNS, Working Group on Telecommunications Services, Note on the Meeting of 15–17 October 1990. MTN.GNS/TEL/4. 30 November 1990
GATT (1990g) TNC, Draft Final Act Embodying the Results of the Uruguay Round of Multilateral Trade Negotiations, Revision. MTN.TNC/W/35/ Rev.1. 3 December 1990
GATT (1990h) GNS, Working Group on Professional Services, Note on the meeting of 30-31 July 1990. MTN.GNS/PROF/1. 29 August 1990
GATT (1991) TNC, Draft Final Act Embodying the Results of the Uruguay Round of Multilateral Trade Negotiations. MTN.TNC/W/FA. 20 December 1991
GATT Secretariat (1970) Group of Negotiations on Services, Draft Multilateral Framework for Trade in Services. MTN.GNS/35. 23 July 1990
GATT Secretariat (1991) Service Sectoral Classification List. MTN.GNS/W/120. 10 July 1991
GATT Secretariat (1993) Scheduling of Initial Commitments in Trade in Services: Explanatory Note. MTN.GNS/W/164. 3 September 1993
UN (1991) Provisional Central Product Classification. ST/ESA/STAT/SER.M/77. New York
UN (2012) UNGA Res 66/100. UN Doc. A/Res/66/100. 27 February 2012
UN (2015a) Department of Economic and Social Affairs, Statistics Division, Central Product Classification (CPC) Version 2.1, ST/ESA/STAT/SER.M/77/Ver.2.1. Geneva
UN (2015b) Department of Economic and Social Affairs, Statistics Division, Meeting of the Expert Group on International Statistical Classifications, New York, 19-22 May 2015, New issues requiring guidance in the Central Product Classification (CPC). ESA/STAT/AC.289/20. 12 May 2015
WTO (1998a) Ministerial Conference, Declaration on Electronic Commerce of 20 May 1998, WT/MIN(98)/DEC/2. 20 May 1998
WTO (1998b) General Council, Work Programme on Electronic Commerce. WT/L/274. 25 September 1998
WTO (1998c) Committee on Regional Trade Agreements, Establishment of the European Union, Communication from the European Communities and their Member States. WT/REG39/1. 24 April 1998
WTO (1999a) Work Programme on Electronic Commerce, Council on Trade in Services, Progress Report to the General Council. S/L/74. 27 July 1999
WTO (1999b) Work Programme on Electronic Commerce, Council on Trade in Services, Interim Report to the General Council. S/C/8. 31 March 1999
WTO (1999c) Work Programme on Electronic Commerce, Submission of the United States. WT/COMTD/17. 12 February 1999
WTO (1999d) Work Programme on Electronic Commerce, Council on Trade in Services, Progress Report to the General Council. S/L/74. 19 July 1999
WTO (1999e) Committee on Regional Trade Agreements. Note on the Meetings of 29–30 April and 3 May 1999. WT/REG/M/22. 4 June 1999
WTO (2000) Work Programme on Electronic Commerce, Council for Trade in Services, Communication from the European Communities and their Member States. S/C/W/183. 30 November 2000
WTO (2001) Council on Trade in Services, Guidelines for the Scheduling of Specific Commitments und the General Agreement on Trade in Services (GATS). S/L/92. 28 March 2001
WTO (2007) Committee on Specific Commitments, Communication from Albania, Australia, Canada, Chile, Colombia, Croatia, the European Communities, Hong Kong China, Japan, Mexico, Norway, Peru, the Separate Customs Territory of Taiwan, Penghu, Kinmen and Matsu, Turkey and the United States, Understanding on the scope of coverage of CPC 84 - Computer and Related Services. TN/S/W/60, S/CSC/W/51. 26 January 2007
WTO (2009) Working Party on Domestic Regulation, Room Document, Draft Disciplines on Domestic Regulation Pursuant to GATS Article VI:4, Second Revision, Informal Note by the Chairman of 20 March 2009
WTO (2011) Committee on Specific Commitments, Informal Discussion of Classification Issues on Computer and Related Services (CRS) on 10 March 2011, Summary by the Chairperson. JOB/SERV/44. 4 April 2011
WTO (2012) Council for Trade in Services, Report of the Meeting held on 23 March 2012, Note by the Secretariat. S/C/M/109. 21 May 2012
WTO (2014a) Committee on Specific Commitments, Report of the Meeting held on 18 September 2014, Note by the Secretariat. S/CSC/M/71. 15 October 2014
WTO (2014b) Work Programme on Electronic Commerce, Council for Trade in Services, Communication by the United States. S/C/W/359. 17 December 2014
WTO (2015a) Committee on Specific Commitments, Report of the Meeting held on 18 March 2015, Note by the Secretariat. S/CSC/M/72. 2 April 2015
WTO (2015b) Council for Trade in Service, Report of the Meeting held on 18 March 2015, Note by the Secretariat. S/C/M/122. 1 May 2015
WTO (2016) Committee on Specific Commitments, Report of the Meeting held on 5 October 2016, Note by the Secretariat. S/CSC/M/77. 21 November 2016
WTO (2017) Ministerial Conference, Joint Statement on Electronic Commerce of 13 December 2017. WT/MIN(17)/60. 13 December 2017
WTO (2019b) Joint Statement on Electronic Commerce. WT/L/1056. 25 January 2019
WTO (2019c) Joint Statement on Electronic Commerce, EU Proposal for WTO Disciplines and Commitments Relating to Electronic Commerce, Communication from the European Union INF/ECOM/22. 26 April 2019
WTO (2019d) Joint Statement on Electronic Commerce, Communication from China. INF/ECOM/19. 23 April 2019
WTO (2019e) Joint Statement on Electronic Commerce, Communication from the United States. INF/ECOM/23 RESTRICTED. 26 April 2019
WTO (2019f) Working Programme on Electronic Commerce, Council for Trade in Services. The Economic Benefits of Cross-Border Data Flows. Communication from the United States. S/C/W/382. 17 June 2019
WTO (2019g) Trade in Services, European Union Schedule of Specific Commitments. GATS/SC/157. 7 May 2019
WTO (2020) WTO Electronic Commerce Negotiations. Consolidated Negotiating Text – December 2020. INF/ECOM/62/Rev.1 RESTRICTED. 14 December 2020. https://web.archive.org/web/20210212083531/https:/www.bilaterals.org/IMG/pdf/wto_plurilateral_ecommerce_draft_consolidated_text.pdf. Accessed 21 May 2022
WTO (2021a) WTO Joint Statement Initiative on E-commerce. Statement by Ministers of Australia, Japan and Singapore. December 2021. https://www.wto.org/english/news_e/news21_e/ji_ecom_minister_statement_e.pdf. Accessed on 21 May 2022
WTO (2021b) Negotiations on e-commerce advance, eyeing a statement at MC12. https://www.wto.org/english/news_e/news21_e/ecom_10nov21_e.htm. Accessed on 21 May 2022
WTO (2022a) E-commerce negotiations resume with call for intensified efforts in 2022. https://www.wto.org/english/news_e/news22_e/jsec_04feb22_e.htm. Accessed on 21 May 2022
WTO (2022b) E-commerce talks resume following summer break, Mauritius joins the initiative. https://www.wto.org/english/news_e/news22_e/ecom_16sep22_e.htm Accessed 30 Oct 2022
Author information
Authors and Affiliations
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2023 The Author(s)
About this chapter
Cite this chapter
Naef, T. (2023). Restrictions on Data Transfers and the WTO. In: Data Protection without Data Protectionism. European Yearbook of International Economic Law(), vol 28. Springer, Cham. https://doi.org/10.1007/978-3-031-19893-9_4
Download citation
DOI: https://doi.org/10.1007/978-3-031-19893-9_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-19892-2
Online ISBN: 978-3-031-19893-9
eBook Packages: Law and CriminologyLaw and Criminology (R0)