Restrictions on Data Transfers and the WTO

Abstract

The WTO is not well-known for being an institution that regulates the free flow of personal data across borders. The trade agreements under the auspices of the WTO either predate or coincide with the invention and early development of the internet. When the WTO was created in 1994, its members agreed to create rules for trade in services. Tim Wu observed that as a consequence, and almost by accident, “the WTO has put itself in an oversight position for most of the national laws and practices that regulate the Internet.” Wu (Chicago J Int Law 7(1), 264, 2006). Over a quarter century later, the internet has become indispensable for trade in services, facilitating not only communication and payment between parties involved in any transaction, but also as a platform for the transmission of the services themselves, and the driving technology for the creation of new services. The first section of this chapter shows how cross-border flows of personal data (on the internet) have become intertwined with the supply of many digital services (Sect. 4.1). The second section describes how the rules of the WTO on trade in services are relevant for the regulation of cross-border flows of personal data (Sect. 4.2). These multilateral trade rules can be used as proxies to distinguish between legitimate regulatory concerns and protectionism. Regarding the regulation of cross-border flows of personal data, these rules allow for the legal assessment of the line between data protection and data protectionism. The third section of this chapter analyzes whether the EU’s fundamental rights-based regulation of data transfers interferes with the rules of the WTO on trade in services (Sect. 4.3). The fourth section assesses whether the interferences that have been identified can be justified under the relevant exceptions to the rules of the WTO on trade in services (Sect. 4.4).

The WTO is not well-known for being an institution that regulates the free flow of personal data across borders. The trade agreements under the auspices of the WTO either predate or coincide with the invention and early development of the internet. When the WTO was created in 1994, its members agreed to create rules for trade in services. Tim Wu observed that as a consequence, and almost by accident, “the WTO has put itself in an oversight position for most of the national laws and practices that regulate the Internet.” Wu (2006). Over a quarter century later, the internet has become indispensable for trade in services, facilitating not only communication and payment between parties involved in any transaction, but also as a platform for the transmission of the services themselves, and the driving technology for the creation of new services. The first section of this chapter shows how cross-border flows of personal data (on the internet) have become intertwined with the supply of many digital services (Sect. 4.1). The second section describes how the rules of the WTO on trade in services are relevant for the regulation of cross-border flows of personal data (Sect. 4.2). These multilateral trade rules can be used as proxies to distinguish between legitimate regulatory concerns and protectionism. Regarding the regulation of cross-border flows of personal data, these rules allow for the legal assessment of the line between data protection and data protectionism. The third section of this chapter analyzes whether the EU’s fundamental rights-based regulation of data transfers interferes with the rules of the WTO on trade in services (Sect. 4.3). The fourth section assesses whether the interferences that have been identified can be justified under the relevant exceptions to the rules of the WTO on trade in services (Sect. 4.4).

1 Data Flows and Trade in Digital Services

Internet connectivity is rising around the world. The flow of information across the internet’s electronic highways has replaced physical proximity for trade in services. Economists estimate that already 50% of the world’s traded services are digitized (Sect. 4.1.1). A consequence of this development are data localization policies. They require that data is locally stored, processed, and/or accessed. Governments offer a variety of arguments for data localization policies; from avoiding foreign surveillance and promoting users’ security and privacy to bolstering domestic law enforcement and securing domestic economic development. The common denominator of these policies is that they affect trade in digital services. In this regard, the EU’s fundamental rights-based regulation of data transfers may also have the effect of a data localization policy (Sect. 4.1.2). Many digital services rely on cross-border flows of personal data. Some services require systematic, structural, and continuous flows of personal data (Sect. 4.1.3), other services require only occasional flows of personal data (Sect. 4.1.4).

1.1 Trade in Digital Services

The internet is growing fast and has brought both disruption and innovation.¹ It has become indispensable for trade, facilitating not only communication and payment between parties involved in any transaction, but also acting as a platform for the transmission of goods and services, and the driving technological force for the creation of new products. This research focuses on digital services because they are usually associated with cross-border flows of personal data. For a long time, many services were considered to be non-tradable because it is in their nature that the provision coincides with the consumption and thus requires physical proximity and the interaction of the seller and the buyer.² When services were first considered as trade, it was usually the movements of individuals or organizations across borders that brought sellers and buyers into physical and temporal proximity. The internet has created new means of supply: electronic highways that allow sellers and buyers to remain apart while exchanging digital services.³ The flow of information across the network bridge replaces physical proximity. Economists estimate that already 50% of the world’s traded services are digitized.⁴ In short, the once non-tradable became hyper-tradable.⁵

1.2 Data Localization

A consequence of the growth of the internet are data localization policies. There is no settled definition for data localization, but it is widely understood that such policies limit the free flow of data across borders.⁶ Data localization policies take different forms. They may include rules preventing information from being sent outside a country, requirements to obtain prior consent of data subjects before information about them is transmitted across borders, obligations to store copies of information domestically, and even taxes on the export of data.⁷ Governments offer a variety of arguments for data localization policies; from avoiding foreign surveillance and promoting users’ security and privacy, to bolstering domestic law enforcement and securing economic development. Martina Ferracane created a taxonomy for data localization policies based on restrictions on cross-border data flows:⁸

1. A.

   Strict restrictions on cross-border data flows:

   1. I.

      Local storage requirement

   2. II.

      Local storage and processing requirement

   3. III.

      Ban on data transfer (local storage, processing, and access requirement)

2. B.

   Conditional restrictions on cross-border data flows:

   1. IV.

      Conditional flow regime in which conditions apply to the recipient country

   2. V.

      Conditional flow regime in which conditions apply to the controller/processor

Ferracane distinguishes between strict restrictions on cross-border data flows and conditional restrictions on cross-border data flows:

• Strict restrictions apply without conditions for the recipient country or the controller/processor. Local storage means that data cannot be transferred unless a copy of the data is stored domestically. As long as a copy is saved in the territory of the country where it is produced, data storage and processing can also take place outside the country and companies can operate as usual. A local storage and processing requirement requires companies to use data centers located in the country for the main processing of the data. Companies must either build data centers or switch to local providers for data processing solutions (or leave the market altogether). A ban on data transfers also requires companies to access the data only locally.

• Conditional data flow regimes apply conditions to the recipient country and/or to the data controller or data processor (see Fig. 4.1). The cross-border flow of personal data is prohibited unless these conditions are fulfilled. If the conditions are not satisfied, then such a data flow regime constitutes a ban on data transfers (i.e. a requirement for local storage, processing, and access).

The regulation of data transfers in the EU constitutes a conditional data flow regime. It entails legal mechanisms for the transfer of personal data with conditions that apply to the recipient country (adequacy decisions according to Article 45 GDPR), legal mechanisms with conditions that apply to the data exporter and data importer in which conditions for the recipient country also play a role (instruments providing appropriate safeguards according to Article 46 GDPR), and legal mechanisms with conditions that apply only to the data exporter (derogations for specific situations according to Article 49 GDPR). Should the respective conditions not be fulfilled, the transfer of personal data is prohibited.⁹

Fig. 4.1

Taxonomy for restrictions on transborder data flows

The regulation of data transfers in the EU has the effect of a data localization policy.¹⁰ Exporters of personal data may be subject to data localization in the EU if they require systematic, structural, and continuous transfers of personal data for the supply of their services and the recipient country lacks an adequacy decision or the data exporter cannot ensure a level of protection that is essentially equivalent to that guaranteed within the EU for the respective data transfers with the instruments providing appropriate safeguards. In addition, data exporter may be subject to data localization in the EU if they require occasional transfers of personal data for the supply of their services and the data transfers are not necessary for the performance of a contract and data subjects do not consent to the respective transfers of personal data.

1.3 Services with Systematic Flows of Personal Data

Personal data is increasingly intertwined with trade in digital services. Personal data can be an input factor to customize or make a service better, but it can also be a factor of production because some services are impossible to provide without it. In addition, personal data can be a form of payment for the delivery of services in so far as companies monetize the free delivery of their services by using consumers’ personal data to better target advertising. Finally, personal data can also be a service itself because it contains valuable information that is sold to companies for different purposes.¹¹ Digital services therefore often require cross-border flows of personal data. Research on the interface of personal data and international trade law so far has not distinguished between different types of services.¹² These distinctions are necessary for a detailed analysis of international trade law.¹³ The most important distinction that has to be made is between services that require systematic, structural, and continuous cross-border flows of personal data and those that do not. The following list entails examples for services that require systematic, structural, and continuous cross-border flows of personal data: cloud computing services (Sect. 4.1.3.1), search engine services (Sect. 4.1.3.2), social network services (Sect. 4.1.3.3), internet of things services (Sect. 4.1.3.4), and sharing economy platform services (Sect. 4.1.3.5).

1.3.1 Cloud Computing Services

Cloud computing is a term used to refer to the delivery of computing services over the internet. It allows for tapping into data and software from the internet, rather than accessing it offline via a personal device or a local server.¹⁴ Cloud computing has a hybrid nature as a service. It can be a service itself and, at the same time, it enables many other digital services. Three forms of cloud computing must be distinguished:

• Software as a service (SaaS): The cloud provider offers software applications on its computing infrastructure and the consumer uses the provider’s application on various client devices.

• Platform as a service (PaaS): The cloud provider offers tools and programming languages on its computing infrastructure and the consumer-producers can create or acquire applications with them.

• Infrastructure as a service (IaaS): The cloud provider only offers the computing infrastructure and the consumer can rent it for processing, storage, and other computing activities.

Cloud computing services may involve cross-border flows of personal data when servers are (also) located outside of the EU.

1.3.2 Search Engine Services

Search engines crawl the internet and index the results for search queries.¹⁵ Consumers get access to databases containing a plethora of websites and the information contained therein. Search engines are usually cloud-based. Alphabet is a well-known example of a company that operates a search engine (Google) and exports large amounts of personal data from individuals using their search engine in the EU to the US. However, this cross-border flow of personal data is not directly linked to the supply of search engine services. In the ECJ case Google Spain and Google, the referring Audiencia Nacional (Spanish National High Court) established that Google does not merely give access with its search engine to content hosted on the indexed websites, but takes advantage of the users’ search activity and includes, in return for payment, advertising associated with the users’ search terms.¹⁶ Alphabet has recourse to its subsidiaries in EU member states, such as Google Spain, for promoting the sale of its advertising space. Even though the ECJ held that Alphabet’s “advertising activity […] is separate from its search engine service,” the Court also found that the activities “are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine at issue economically profitable and that engine is, at the same time, the means enabling those activities to be performed.”¹⁷ Accordingly, search engines do not necessarily require cross-border flows of personal data for the supply search engine services, but for the corresponding targeted advertising services.

1.3.3 Social Network Services

Social networks are online platforms encompassing digital relationships between individuals, groups, organizations, or even entire societies. The structure of a social network is determined by interactions between persons or entities. Users share values and beliefs among the community and form social links with other users of the network.¹⁸ Facebook is a well-known example of a company that operates a social network and exports a large amount of personal data of users residing in the EU to its parent company Meta in the US.¹⁹ Although the cross-border flows of personal data are also used for targeted advertising services, social networks still require those data flows for the supply of their main services. Social networks use the information that users upload to connect them with other users of the network.

1.3.4 Internet of Things Services

The term “internet of things” (IoT) refers to the interconnection of computing devices embedded in everyday objects, enabling them to send and receive data. The IoT allows companies to create large sets of data generated by sensors on the respective objects, analyze it, train algorithms with it, and find patterns that can be used either in the supply of services or in the creation of new services. Companies using IoT sensor data often store and process the collected data in servers located outside of the EU.²⁰ Two examples can illustrate how IoT services require cross-border flows of personal data:

• The first example of IoT services relates to vehicles. Vehicles such as automobiles are increasingly connected to the internet and transmit information to the manufacturer and other service providers. This information may include client data, the vehicle serial number or any other unique identifier of the vehicle such as the license plate number, geolocation data, technical data relating to the state of the vehicle and its parts, the driver’s biometric data and data relating to the use of the vehicle by the driver or the occupants.²¹ This information includes personal data and allows the manufacturer and other service providers to supply specific services across borders such as maintenance services or services relating to improvements of the driving experience. These services may involve cross-border flows of personal data.

The second example of IoT services relates to fridges. Smart fridges take care of food management by assessing the contents of the refrigerator with the help of sensors. They can track food preferences as well as search and even order groceries from online stores. Various traits of the smart fridge owners’ eating behaviors can be inferred based on the collected data. Smart fridges also use client data and credit card information. This information includes personal data and allows the manufacturer or other service providers to supply specific services across borders such as restocking services. Those services may involve cross-border flows of personal data.

1.3.5 Sharing Economy Platform Services

The term “sharing economy” refers to a “peer-to-peer-based activity of obtaining, giving, or sharing access to goods and services, coordinated through community-based online services.”²² Companies usually provide a web-based or mobile application, which suppliers and customers use to buy and sell goods or services. These companies offer a platform service. In offering that platform, the companies themselves also supply a service. Two examples can illustrate how sharing economy platform services require cross-border flows of personal data:

• The first example relates to lodging. Companies provide a platform for arranging lodging, primarily homestays, or tourism experiences. The companies do not own any of the real estate listings, nor do they host events, they only act as a broker, receiving commission from each booking over their platform. Airbnb is a well-known example of such a company. The application coordinating the bookings involves cross-border flows of personal data.

The second example relates to passenger transportation. Companies provide a platform for arranging ride-hailing or transportation services. Again, the companies do not own any of the cars used for the services nor do they usually employ the drivers of the cars. The companies only act as a broker, receiving commission from each booking over their platform. Uber is a well-known example of such a company. The application coordinating the bookings involves cross-border flows of personal data.

1.4 Services with Occasional Flows of Personal Data

Not all digital services require systematic, structural, and continuous cross-border flows of personal data for their performance. The following list entails examples of services that only require occasional cross-border flows of personal data: travel agency services (Sect. 4.1.4.1), digital medical services (Sect. 4.1.4.2), and legal services (Sect. 4.1.4.3).

1.4.1 Travel Agency Services

Travel agencies organize voyages, holidays, and other international activities for their clients. They often must transfer personal data of their clients in their communication with hotels or other commercial partners for the organization of their clients’ stay abroad. These cross-border flows of personal data are occasional and tailored to the specific wishes of the clients.²³

1.4.2 Digital Medical Services

Digital medical services supplied across borders include e-health applications for online diagnosis and medical transcription.²⁴ The handling of personal data concerning the health of an individual is subject to the strict rules on processing of special categories of personal data in Article 9 GDPR. Where data is aggregated for the supply of digital medical services, it is possible to anonymize the personal data of an individual or a number of individuals.²⁵ This is difficult for personalized services. In that case, there will be occasional flows of personal data that are tailored to the specific wishes or needs of the patient.²⁶

1.4.3 Legal Services

The legal industry is an industry founded upon the exchange of information. Lawyers often face transactions involving multiple countries and are required to provide services and advice in more than one jurisdiction. Legal services supplied across borders include document review, due diligence in large-scale litigation or corporate transactions, basic contract drafting, and legal research.²⁷ The information necessary for the supply of digital legal services may involve personal data.²⁸ The supply of digital legal services is on demand and personalized to individuals, and thus cross-border flows of personal data are usually only occasional.

1.5 Summary

The EU’s fundamental rights-based regulation of data transfers is a conditional data flow regime that has the effect of a data localization policy. Different digital services require different types of cross-border flows of personal data. Data exporters may be subject to data localization in the EU if they require systematic, structural, and continuous flows of personal data across borders for the supply of their services and the destination country lacks an adequacy decision or a data exporter cannot ensure a level of protection that is essentially equivalent to that guaranteed within the EU. Data exporters may also be subject to data localization in the EU if they require occasional flows of personal data across borders for the supply of their digital services and the transfer of personal data is not necessary for the performance of a contract and the data subject does not consent to the transfer of personal data.

2 Data Flows and the Law on Trade in Services

Multilateral trade rules can be used as proxies to distinguish legitimate regulatory concerns and protectionism. The rules for trade in services in WTO law are codified in the GATS (Sect. 4.2.1). In addition, the GATS Annex on Telecommunications specifically requires WTO members to grant access to their internet network. The use of foreign internet networks is quintessential for cross-border flows of personal data (Sect. 4.2.2). When the GATS was drafted, many digital services that now rely on the free flow of personal data were not yet invented. Nevertheless, I show that most digital services are covered by the commitments in the schedules of WTO members (Sect. 4.2.3). Current negotiations at the WTO also turn to personal data as an important asset for the global economy. The conclusion of the e-commerce negotiations might see the inclusion of a provision on the free flow of personal data across borders in WTO law (Sect. 4.2.4).

2.1 General Agreement on Trade in Services

The GATS aims at protecting the equality of competitive opportunities for companies in domestic markets, irrespective of their origin or the origin of their services, all while recognizing the right of WTO members to regulate in order to meet domestic public policy objectives. The GATS applies to measures that affect trade in services (Sect. 4.2.1.1). It entails general obligations for WTO members (Sect. 4.2.1.2) and obligations subject to the specific commitments in their schedules (Sect. 4.2.1.3). Different exceptions can justify GATS-inconsistent measures (Sect. 4.2.1.4).

2.1.1 Scope

The GATS does not offer a definition of services (Sect. 4.2.1.1.1). It rather encompasses four modes by which services can be traded (Sect. 4.2.1.1.2). The liberalization of trade in services follows a positive list approach. A WTO member is required to open its markets to foreign services and service suppliers when it commits to do so in its schedule of specific commitments (Sect. 4.2.1.1.3). The rules in the GATS apply when measures of WTO members affect trade in services (Sect. 4.2.1.1.4).

2.1.1.1 Services

The GATS does not offer a definition of services.²⁹ Article I:3(b) GATS describes services as “any services in any sector except supplied in the exercise of governmental authority.” In the context of the GATS, services need to be classified along different sectors. The GATT Secretariat provided a list of classifications to the negotiating parties in 1991.³⁰ The Service Sectoral Classification List (W/120) consists of 11 broad service sectors and a residual category “Other Services Not Included Elsewhere.” The W/120 is intended to be comprehensive.³¹ It is further divided into over 150 subsectors. Each sector and various subsectors also include a residual category “Other Services.” The subsectors are normally annotated with the relevant numbers of the 1991 Provisional Central Product Classification (CPCprov), which was prepared by the UN for the purpose of trade statistics.³² The CPCprov numbers in the W/120 classification also point to the corresponding explanatory notes in the CPCprov that describe what is covered by the listed services. Although the W/120 is not a mandatory classification system, almost all WTO members follow the structure of the W/120 for the classification of services when scheduling their commitments under the GATS.

2.1.1.2 Supply of Services

The supply of services is defined in Article XXVIII(b) GATS and includes the production, distribution, marketing, sale, and delivery of a service. The GATS encompasses four modes by which services can be supplied:

• Mode 1, cross-border supply: The service provider is domiciled in its own country and delivers the services to a customer domiciled in another WTO member (Article I:2(a) GATS).

• Mode 2, consumption abroad: The service is used by a customer in the country of origin of the service supplier, but the customer using the service comes from a different WTO member (Article I:2(b) GATS).

• Mode 3, commercial presence: The service provider establishes a domicile within the territory of another WTO member, and the service is delivered by this commercial presence to a customer within the same territory (Article I:2(c) GATS).

• Mode 4, presence of natural persons: The service provider is present with natural persons within the territory of another WTO member and the service is delivered by the natural persons to a customer within the same territory (Article I:2(d) GATS).

The four modes are not only of definitional value for trade in services, they are also used as a pattern to schedule the specific commitments of WTO members.³³

2.1.1.3 Schedules

The GATS regulates trade in services with a positive list approach.³⁴ A WTO member is only bound to open its markets to foreign services and service suppliers when it commits to do so in its schedule of specific commitments. Article XX:1 GATS requires each WTO member to submit such a schedule that specifies:

1. (a)

   the terms, limitations, and conditions on market access;

2. (b)

   conditions and qualifications on national treatment;

3. (c)

   undertakings relating to additional commitments;

4. (d)

   where appropriate the time-frame for implementation of such commitments; and

5. (e)

   the day of entry into force of such commitments.

Most WTO members base their schedule on the Service Sectoral Classification List (W/120) provided by the GATT Secretariat. In practice, the schedules of WTO members represent a codification of the conditions in their market upon which a foreign service provider can rely and which can be enforced in WTO dispute settlement. A WTO member can modify or withdraw a commitment only according to the rules in Article XXI GATS, usually by making concessions in the form of compensatory adjustments in other areas.³⁵ The schedules of specific commitments of the WTO members are appended to the GATS and form an integral part of the Agreement according to Article XX:3 GATS. They are legally binding and subject to WTO dispute settlement as explicitly stated in Article XXIII:1 GATS.

2.1.1.4 Measures Affecting Trade in Services

The GATS applies to measures affecting trade in services according to Article I:1 GATS. The AB explained in Canada – Autos that the “determination of whether a measure is, in fact, covered by the GATS must be made before the consistency of that measure with any substantive obligation of the GATS can be assessed.”³⁶ The threshold examination involves two elements.³⁷ There must be trade in services and there must be a measure of a WTO member state that affects this trade in services. The AB concluded in EC – Bananas III that “the use of the term ‘affecting’ reflects the intent of the drafters to give a broad reach to the GATS.”³⁸ Importantly, for a measure to be considered to affect trade in services it is not necessary that the measure directly addresses such trade.³⁹ The panel underlined in EC – Bananas III that the “GATS encompasses any measure of a Member to the extent it affects the supply of a service regardless of whether such measure directly governs the supply of a service or whether it regulates other matters but nevertheless affects trade in services.”⁴⁰ Many services require cross-border flows of personal data.⁴¹ Any restriction on such data flows would affect trade in those services. Even if the EU system for data transfers does not directly govern the supply of services, it falls within the scope of the GATS.

2.1.2 General Obligations

The GATS entails general obligations that apply to all measures affecting trade in services, irrespective of the specific commitments undertaken by WTO members in their schedules. Two general obligations in the GATS are especially important for cross-border flows of personal data: The most-favored nation (MFN) treatment obligation in Article II GATS (Sect. 4.2.1.2.1) and the domestic regulation obligation in Article VI GATS (Sect. 4.2.1.2.2).

2.1.2.1 MFN Treatment

The core general obligation of the GATS is the MFN treatment obligation in Article II GATS. It requires each WTO member to accord immediately and unconditionally to services and service suppliers of any other WTO member treatment no less favorable than that it accords to like services and service suppliers of any other country. The MFN treatment obligation prohibits discrimination between different foreign services and services suppliers. It captures both de jure and de facto discrimination.⁴² The MFN treatment obligation applies to any measure affecting trade in services irrespective of whether specific commitments have been undertaken.⁴³ WTO members were allowed to list exemptions from the MFN treatment obligation in the Annex on Article II Exemptions until the date of entry into force of the WTO Agreement on 1 January 1995. Paragraph 6 Annex on Article II Exemptions states that, in principle, the exemptions should not exceed ten years.⁴⁴ The EU did not list any exemption from the MFN treatment obligation relating to cross-border flows of personal data, or data protection in general.⁴⁵

Article II:1 GATS identifies a mode for comparison and establishes that there shall be no discrimination against services and service suppliers of any WTO member compared to like services and services suppliers of any other country. The basis of comparison is the likeness of services and service suppliers. The AB clarified in Argentina – Financial Services that the phrase “like services and service suppliers” should be seen as “an integrated element for the likeness analysis.”⁴⁶ It serves to assess the competitive relationship of the services and service suppliers at issue.⁴⁷ The criteria traditionally employed as analytical tools for assessing likeness in the context of trade in goods may also be employed in assessing likeness in the context of trade in services, provided that they are adapted as appropriate to account for the specific characteristics of trade in services.⁴⁸ The four criteria are properties, nature, and quality of the products; the end-uses of the products; consumers’ tastes and habits or consumers’ perceptions and behavior in respect of the products; and the tariff classification of the products.⁴⁹ The AB implied in Argentina – Financial Services that a consideration of the nature and characteristics of a service transaction may be seen as an appropriate adaptation of the original criterion of properties.⁵⁰ Similarly, the AB stated with respect to the original criterion of tariff classification that the classification under the CPCprov will be relevant for trade in services.⁵¹

It could be asserted that a high level of data protection influences the likeness analysis in so far as it affects the nature and characteristics of a service transaction as well as consumers’ perceptions and behavior in respect of a service and service supplier. Such an assertion stands on shaky ground. It would require a very specific example to prove that a high level of data protection can alter the very nature or important characteristics of a service transaction. For example, the level of data protection in a state does not affect the nature and the characteristics of search engine services. The search engine services might be more customized to an individual when supplied by a state with a low level of data protection. Nevertheless, the very nature or important characteristics of search engine services are not altered. Even consumers’ perceptions and behavior in respect to a service and service supplier are not different based on the level of data protection. Individual consumers clearly value data protection and privacy, but often act irrationally so that the result that their preferences do not manifest in their choices.⁵² End-use and classification under the CPCprov are the same regardless of the level of data protection. A high level of data protection cannot (yet) be held to have distinctively altered the competitive relationship between services and service suppliers for the purposes of the GATS.⁵³

Article II:1 GATS requires treatment no less favorable between like services and service suppliers of any country. The concept of “treatment no less favorable” focuses on a measure’s modification of the conditions of competition.⁵⁴ This legal standard is met in cases in which a WTO member intrudes into the competitive relationship between service suppliers or services. It is not sufficient under Article II GATS to accord a WTO member similar treatment to that accorded to another country. By virtue of the MFN treatment obligation, the WTO member is rather to be given exactly the same treatment as the other country.⁵⁵ That treatment must be afforded immediately and unconditionally.

2.1.2.2 Domestic Regulation

A second important general obligation is the domestic regulation obligation in Article VI GATS. The preamble of the GATS entails two potentially antagonizing objectives.⁵⁶ First, the preamble expresses the wish to expand trade in services as a means of promoting the economic growth of all trading partners. Second, the preamble also recognizes the right of WTO members to regulate and introduce new regulations on the supply of services within their territories in order to meet national policy objectives. The panel in US – Gambling underlined that “regulatory sovereignty is an essential pillar of the progressive liberalization of trade in services, but this sovereignty ends whenever rights of other Members under the GATS are impaired.”⁵⁷ The panel also stressed that “Members maintain the sovereign right to regulate within the parameters of Article VI of the GATS.”⁵⁸

Four paragraphs of Article VI GATS relate to the application, administration, and review of regulatory measures and therefore provide procedural standards (Article VI:1-3 and 6 GATS). Two paragraphs relate to the content of regulatory measures and therefore provide substantive guidance (Article VI:4 and 5 GATS).⁵⁹ Article VI:1 and 2 GATS are particularly important for cross-border flows of personal data and the supply of services.⁶⁰

Article VI:1 GATS obligates WTO members to administer measures of general application affecting trade in services in sectors where specific commitments are undertaken in “a reasonable, objective, and impartial manner.”⁶¹ A measure of general application covers a range of cases and situations and thus affects an unidentified number of economic operators.⁶² The EU system for data transfers is a measure of general application.

There is little guidance as to what makes something “reasonable, objective and impartial.” Joel Trachtman has argued that Article VI:1 GATS might imply a proportionality requirement, meaning that the regulatory burden imposed on foreign services and service suppliers must not be disproportionate in relation to the policy objective pursued.⁶³ It seems that this would produce an overlap with the requirements for the application of general exceptions in Article XIV GATS.⁶⁴ Furthermore, the negotiation history of the GATS does not support this argument. The negotiators explicitly refused to impose a general necessity test on domestic regulation.⁶⁵

The ordinary meaning of the terms and previous panel reports on Article X:3(a) GATT—which is the equivalent provision for trade in goods—give indications regarding the applicable standards.⁶⁶ The administration of a measure is “reasonable” if it is in accordance with generally accepted standards of rationality and of sound judgment.⁶⁷ There must be a rational reason for the conduct in question.⁶⁸ For the administration of a measure to be “objective,” its application should not be arbitrary.⁶⁹ Lastly, the administration of a measure is “impartial” if the application of the relevant laws and regulations is fair, unbiased, and unprejudiced.⁷⁰ Giving special consideration or privileges to one party or commercial interest without giving the same consideration or privileges to other parties or commercial interests is not impartial.⁷¹ Even though the three standards in Article VI:1 GATS are closely linked and serve similar functions, they are separate legal obligations.⁷² All three must be satisfied if Article VI:1 GATS is not to be interfered with. However, to constitute an interference with Article VI:1 GATS, there must be “a significant impact on the overall administration of the law, and not simply on the outcome in the single case in question.”⁷³

Article VI:2(a) GATS requires WTO members to maintain practicable, judicial, arbitral or administrative tribunals or procedures that provide for the prompt review of administrative decisions affecting trade in services, and where justified, appropriate remedies⁷⁴ The requirement of providing review and appeal procedures leave considerable discretion to WTO members.⁷⁵ In cases in which the procedures are not independent from the institution entrusted with the relevant administrative decision, WTO members must at least ensure that the procedures are objective and impartial.⁷⁶ An appropriate remedy involves either the possibility of replacing an incorrect administrative decision, or the awarding of compensation for suffered economic loss of the service supplier.⁷⁷

2.1.3 Obligations Subject to Specific Commitments

The GATS also entails obligations subject to the specific commitments undertaken by WTO members in their schedules. Two obligations are important for cross-border flows of personal data: The market access obligation in Article XVI GATS (Sect. 4.2.1.3.1) and the national treatment obligation in Article XVII GATS (Sect. 4.2.1.3.2).⁷⁸

2.1.3.1 Market Access

The market access obligation in Article XVI GATS requires WTO members to accord services and service suppliers of other WTO members treatment no less favorable than that provided for under the terms, limitations, and conditions agreed and specified in their schedules.⁷⁹ Market access is not a general concept under GATS.⁸⁰ The obligation to grant market access cannot be equated with common terms (such as entry or admission) that imply the general ability to perform business activities in a given market. Article XVI:2 GATS provides a list with a well-defined set of quantitative restrictions that may hamper the ability to supply a service and are thus forbidden.⁸¹ The list with forbidden market access restrictions is exhaustive.⁸² Other measures are not covered under Article XVI GATS.⁸³ Importantly, the list does not relate to the quality of the supplied service.⁸⁴

In US – Gambling, the WTO adjudicative bodies dealt with the question of whether a complete ban on the cross-border supply of a service should be regarded as a market access limitation falling within the ambit of Article XVI:2(a) and (c) GATS. According to the two provisions, WTO members may not maintain or adopt:

• (a) limitations on the number of service suppliers whether in the form of numerical quotas, monopolies, exclusive service suppliers or the requirements of an economic needs test.

• (c) limitations on the total number of service operations or on the total quantity of service output expressed in terms of designated numerical units in the form of quotas or the requirement of an economic needs test.

The AB stated “that the thrust of sub-paragraph (a) is not on the form of limitations, but on their numerical, or quantitative, nature.”⁸⁵ Consequently, the AB found that a measure that totally prohibits the supply of certain services effectively limits to zero the number of service suppliers. The AB explained that such a prohibition results in a zero quota and hence constitutes a market access limitation that takes the form of a numerical quota, as zero is quantitative in nature, and, thus, numerical.⁸⁶

With regard to subparagraph (c), the panel defined service output as the result of the production of the service.⁸⁷ The panel found, and the AB confirmed, that the measure in question “imposes a ‘limitation on the total number of service operations... expressed... in the form of quotas’ contrary to Article XVI:2(c) of the GATS.”⁸⁸

The underlying rationale of this jurisprudence is that WTO members should not be allowed to circumvent their market access commitments by prohibiting the entry into their markets of services and service suppliers either overall and directly, or indirectly with regard to essential characteristics of a service (e.g. the electronic supply).⁸⁹ Article XVI GATS has a wide scope in order to guarantee the access to the market as committed by WTO members in their schedules. The market access obligations cover regulatory measures that make it factually impossible to supply a service.

2.1.3.2 National Treatment

The national treatment obligation in Article XVII GATS requires WTO members to accord to services and service suppliers of other WTO members treatment no less favorable than that it accords to its own like services and service suppliers in respect of all measures affecting the supply of services.⁹⁰ The national treatment obligation also uses the concept of “likeness” and establishes that there shall be no negative discrimination against foreign services and service suppliers compared to like services and services suppliers located in the EU.

Formally identical and formally different treatment can amount to less favorable treatment according to Article XVII:2 GATS. The national treatment obligation captures both de jure and de facto discrimination.⁹¹ It prohibits measures which openly link a difference in treatment to the origin of a service or service supplier. It also prohibits measures that do not distinguish between services and service suppliers on the basis of their origin but with respect to a neutral criterion that still modifies the conditions of competition in favor of domestic services and service suppliers. The decisive aspect of less favorable treatment is the modification of the competition to the detriment of foreign services or service suppliers according to Article XVII:3 GATS.⁹²

The interpretative Footnote 10 to Article XVII GATS stresses that specific commitments assumed under the national treatment obligation should not be construed to require any WTO member to compensate for any inherent competitive disadvantages, which result from the foreign character of the relevant services or service suppliers.⁹³ An inherent disadvantage due to the foreign nature of a service or service supplier must be distinguished from a disadvantage caused by de facto discrimination.⁹⁴

2.1.4 Exceptions

The GATS entails different exceptions to justify interferences with the obligations under GATS. Article V GATS allows exceptions from the MFN treatment obligation for economic integration (Sect. 4.2.1.4.1); Article XIV GATS provides general exceptions for public policy objectives that apply to all provisions and existing commitments under the GATS (Sect. 4.2.1.4.2); and Article XIV bis GATS foresees the security exceptions that are also applicable to all provisions and existing commitments under the GATS (Sect. 4.2.1.4.3).

2.1.4.1 Economic Integration

The economic integration exception in Article V GATS allows WTO members to deviate from the MFN treatment obligation as a consequence of having entered into an economic integration agreement liberalizing trade in services.⁹⁵ It is in the very nature of economic integration agreements to accord preferential treatment to the contracting parties.⁹⁶ As a deviation from the MFN treatment obligation, economic integration agreements have to comply with the following three conditions in Article V GATS:

• Article V:1(a) GATS requires that an economic integration agreement liberalizing trade in services must have substantial sectoral coverage.⁹⁷ The interpretative Footnote 1 to Article V GATS explains that this condition is understood in terms of number of sectors, volume of trade affected, and modes of supply. It clarifies that the condition entails both qualitative and quantitative requirements.⁹⁸ With regard to the economic integration exception in the GATT, the AB held that substantially all the trade (the wording used in Article XXIV:8(b) GATT) “is not the same as all the trade,” and that it is “something considerably more than merely some of the trade.”⁹⁹ The same reasoning also applies to trade in services. Article V GATS does not require all sectors to be covered but rather that an economic integration agreement excludes no more than a very limited number of sectors.¹⁰⁰ The panel in Canada – Autos noted that “the purpose of Article V is to allow for ambitious liberalization to take place at a regional level, while at the same time guarding against undermining the MFN obligation by engaging in minor preferential arrangements.”¹⁰¹

• Article V:1(b) GATS requires the elimination of substantially all discrimination in the sectors covered, by granting national treatment to the contracting parties.¹⁰² Economic integration agreements liberalizing trade in services need to bring about a level playing field between domestic and foreign services and service suppliers on the markets of the contracting parties.

Article V:4 GATS prohibits so-called fortress integration.¹⁰³ Economic integration agreements liberalizing trade in services should be designed to facilitate trade between the contracting parties and not raise the overall level of barriers to trade in services for other WTO members compared to the level prior to the conclusion of the agreement.¹⁰⁴

2.1.4.2 General Exceptions

The preamble of the GATS not only expresses the intention to expand trade in services as a means of promoting the economic growth of all trading partners, but also the right of WTO members to regulate in order to meet national policy objectives. This right is guaranteed with the general exceptions of Article XIV GATS. The general exceptions require a two-tier analysis of a measure that interferes with a GATS obligation.¹⁰⁵ First, a measure must fall within the scope of the paragraphs of Article XIV GATS. Second, a measure must also satisfy the requirements of the chapeau of Article XIV GATS. The analysis under the paragraphs of Article XIV GATS focuses on the content of a measure whereas the analysis under the chapeau is directed toward the application of a measure.¹⁰⁶ The design of the general exceptions in Article XIV GATS is basically the same as the design of the general exceptions in Article XX GATT. This is why the adjudicative bodies of the WTO frequently refer to the interpretation of the general exceptions in Article XX GATT when they apply the general exceptions in Article XIV GATS.¹⁰⁷

2.1.4.2.1 Privacy Exception

The subparagraphs of Article XIV GATS entail a list of pre-defined public policy objectives. The most important one for restrictions on cross-border flows of personal data is the privacy exception in Article XIV(c)(ii) GATS:

nothing in this Agreement shall be construed to prevent the adoption or enforcement by any Member of measures necessary:

1. (c)

   to secure compliance with laws or regulations which are not inconsistent with the provisions of this Agreement including those relating to

   1. (ii)

      the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.

The privacy exception in Article XIV(c)(ii) GATS requires that a GATS-inconsistent measure is necessary to secure compliance with GATS-consistent laws or regulations.¹⁰⁸ The reference to “secure compliance” means that the measures for which justification is sought must enforce the relevant laws and regulations.¹⁰⁹ The privacy exception also requires a necessity test. The AB explained in US – Gambling that necessity should be determined through a process of weighing and balancing a series of factors.¹¹⁰ The AB characterized this process as a determination of whether a WTO-consistent alternative measure is available, which a WTO member could reasonably be expected to employ, or whether a less WTO-inconsistent measure is reasonably available.¹¹¹ The relevant considerations are the relative importance of the interest at issue, the contribution of the measure to the realization of the ends pursued by it, and the restrictive impact of the measure on international commerce.¹¹²

The negotiation history of the privacy exception reveals a close relationship between the privacy exception and the EU’s fundamental rights-based regulation of data transfers. A former official of the European Commission told Abraham Newman in an interview that the EC went into the negotiations of the GATS with the goal of exempting rules for the protection of data privacy.¹¹³ The records of the Group of Negotiations on Services (GNS) show that the EC stressed at a meeting from 5-9 June 1989 that domestic regulation of data privacy “might mean that personal data could not be transmitted across borders without guarantees of equivalent protection for that data in a foreign country.”¹¹⁴ This was before the Commission proposed the first draft for Directive 95/46/EC on 13 September 1990.¹¹⁵

The EC circulated its first draft framework proposal for the GATS in the beginning of June 1990.¹¹⁶ This draft included an exception for the protection of personal data and individual privacy in Article XV(c).¹¹⁷ At the first meeting of the sectoral ad hoc Working Group on Telecommunications Services from 5-6 June 1990, the EC stressed with regard to a possible annex for telecommunications services that “annex provisions might also need to be considered in regard to the protection of data transmitted over networks as well as the need to protect information of a personal and private nature.”¹¹⁸ At the second meeting of this working group from 9-11 July 1990, the US stated that “[t]he issue of privacy was not specific to the telecommunications sector and should be addressed in the framework.”¹¹⁹ At that point, the first draft of Directive 95/46/EC was still not published and the negotiation parties could not have been aware of its impact on trade.

Shortly after, the so-called July Text from 1990––essentially the first official draft of the GATS––was prepared and circulated.¹²⁰ It did not contain any reference to privacy or data protection. There were intense discussions at the following third meeting of the sectoral ad hoc Working Group on Telecommunications Services. The representative from Canada, supported by the US representative, “wondered whether there was truly a need for a privacy exception in either the framework or a telecommunications annex.”¹²¹ The representative from Canada stated that

[w]hile the issue of privacy was becoming increasingly important, his delegation’s view was that the protection of personal information could be adequately covered through existing contractual arrangements between individuals and legal entities rather than through legislative solutions.¹²²

This was tricky for the EC as the contractual approach was not included in the first draft of Directive 95/46/EC (which was still not published at the time of these discussions). The representative of the EC recalled that the July Text foresaw the need for exceptions to protect public morals, order, safety, health, etc. “The need to specify the nature of such exceptions was to minimize the scope for disputes among parties. He saw no reason not to apply a similar logic with regard to privacy-related matters in a telecommunications annex.”¹²³ During the discussions, the US seemed to turn around and support the inclusion of a privacy exception into the framework text of the GATS as “[t]he issues of privacy and data/information protection were viewed in the United States as content issues which were not specific to the telecommunications sector only.” Nevertheless, the US insisted that the EC had to explain its reasons for a privacy exception:

The representative of the United States recalled that her country did not legislate prospectively and sought concrete examples from the EC delegation to better understand the problems it foresaw in the area of privacy protection. She emphasized that her delegation believed that the issue under discussion was one of private contractual relations between a customer and an information vendor. It was not apparent to her why an international agreement should enter into this area.¹²⁴

The representative from Canada also started to speculate and stated that “the EC seemed to want to capture the activities of private operators through their provisions on information-related matters.”¹²⁵ The EC successfully avoided this topic and did not mention its intention to legislate in the field of data protection and its plans for an adequacy-based system for cross-border flows of personal data. The discussions ended without a clear result and the chairman concluded that “[t]he outcome of the GNS discussions would be conditioning the group’s approach to privacy-related matters.”¹²⁶ However, the privacy exception was not on the agenda of the fourth meeting of the sectoral ad hoc Working Group on Telecommunications Services on 15-17 October 1990. In her complaint that the current text did not include many of the points considered important by her delegation, the representative from the US nevertheless mentioned again that “[m]atters related to privacy should be dealt with under the framework [of the GATS].”¹²⁷ She reiterated this position, even though the first draft of Directive 95/46/EC was published a month before. It seems that the US was not aware of its impact on trade.¹²⁸

The so-called Brussels Text from December 1990—the draft of the GATS for the Ministerial Conference in Brussels—was the first official draft that contained a reference to privacy.¹²⁹ The reference to privacy was not included in the draft framework of the GATS, but in Paragraph 15 of the draft Annex on Telecommunications. An important footnote was attached:

The privacy-related aspects of this sentence may need to be reviewed in light of the final text of the provisions of the Agreement related to protection of personal privacy.¹³⁰

The question of including a privacy exception in the framework text of the GATS was still open after the Ministerial Conference in Brussels in 1990. Only a year later, in the so-called Dunkel Draft of December 1991—named after Arthur Dunkel, the Director General of the GATT—it was decided that the privacy exception should be included into the framework text of the GATS.¹³¹ In the absence of consensus on a particular provision, Dunkel requested the chairs of the negotiation groups to include their personal views regarding the negotiations of that provision when submitting their part to the Dunkel Draft.¹³² In the case of services, it was in fact the view of two chairs, because, since April 1991, Ambassador Felipe Jaramillo from Colombia had been assisted in his tasks by Ambassador David Hawes form Australia, who became a sort of co-chair of the GNS, and succeeded Ambassador Jaramillo when he left Geneva.¹³³ It seems that the inclusion of the privacy exception into the framework of the GATS was dealt with as an issue without consensus and it was the two chairs who decided to integrate the privacy exception into the framework of the GATS.¹³⁴

Even though the GATS negotiations started before the first draft of Directive 95/46/EC was proposed, the European Commission realized that in order to safeguard the EC’s future data protection framework, it required a privacy exception in the framework of the GATS to justify potential infringements of the WTO rules on trade in services. The EC clearly intended to and were successful in pushing the privacy exception through the negotiations. The arrangement in the Dunkel Draft was adopted in the final text.¹³⁵

2.1.4.2.2 Chapeau

According to the two-tier analysis, GATS-inconsistent measures that are provisionally justified under one of the paragraphs of Article XIV GATS must also satisfy the chapeau of Article XIV GATS. The chapeau requires that measures are not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade in services.¹³⁶ WTO members must act in a consistent manner across comparable situations.¹³⁷ The jurisprudence of the WTO’s adjudicating bodies shows that the chapeau presents a stumbling block for the justification of measures with legitimate policy objectives. Out of all cases that reached the adjudicative stage of WTO dispute settlement, eight cases entailed a measure that was provisionally justified under a paragraph of the general exceptions in Article XX GATT or Article XIV GATS, but only in one case could the measure successfully pass analysis under the chapeau.¹³⁸

The AB has portrayed the chapeau as an expression of the principle of good faith.¹³⁹ Its function is to prevent the general exceptions from being abused.¹⁴⁰ The interpretation of the chapeau focuses on the equilibrium between the right of WTO members to invoke the general exceptions and the obligation not to misuse that right and thereby frustrate the rights of other WTO members under WTO law.¹⁴¹ The first requirement for the application of a measure under the chapeau is due process. The AB stressed in US – Shrimp that rigorous compliance with the fundamental requirements of due process should be required in the application and administration of a measure which purports to be an exception to the treaty obligations of the Member imposing the measure and which effectively results in a suspension pro hac vice of the treaty rights of other Members.¹⁴²

The chapeau entails three written standards to assess a measure: arbitrary discrimination, unjustifiable discrimination, and disguised restriction on trade. The AB has chosen a conceptual and holistic approach to interpret the chapeau without emphasizing the individual meaning of the three standards because they involve overlapping concepts that are not easy to separate.¹⁴³ In general, the WTO adjudicating bodies do not distinguish between the standards of arbitrary and unjustifiable discrimination.¹⁴⁴

The words arbitrary and unjustifiable qualify the word discrimination. A certain degree of discrimination is allowed under the chapeau.¹⁴⁵ In order to determine arbitrary or unjustifiable discrimination, the adjudicating bodies often use a proxy:

[W]hether a measure was applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination depends on if the measure has been applied reasonably.¹⁴⁶

The fact that discrimination could have been reasonably avoided with another application of a measure renders the measure arbitrary and unjustifiable.¹⁴⁷ It is also important that the discrimination can be reconciled with, or is rationally related to, the policy objective under which the measure has been provisionally justified.¹⁴⁸

With regard to disguised restrictions on international trade, the scope of the standard remains rather unclear.¹⁴⁹ GATT panels seem mainly concerned with transparency.¹⁵⁰ The AB has underlined that “concealed or unannounced restriction or discrimination in international trade does not exhaust the meaning of disguised restriction.”¹⁵¹ A measure need not be formally hidden in order to constitute a disguised restriction on international trade within the meaning of the chapeau.¹⁵²

The application of the general exceptions follows the standard patterns of WTO law. It is incumbent upon the responding party to prove that a measure is justified under Article XIV GATS. After a complaining party has established a prima facie case of inconsistency with a provision in the GATS, the burden of proof shifts to the responding party if the latter claims an affirmative defense.¹⁵³

2.1.4.3 Security Exceptions

The raison d’être of the security exceptions in Article XIV bis GATS is to preserve WTO members’ freedom of action in areas relating to national defense and security.¹⁵⁴ The security exceptions are the widest among the exceptions listed in the WTO texts and have only rarely been invoked by WTO members.¹⁵⁵ Recently, national security has been cited more often as a rationale to restrict digital trade.¹⁵⁶ The most important paragraph of the security exception for the EU system for data transfers can be found in Article XIV bis:(1)(b)(iii) GATS:

1. Nothing in this Agreement shall be construed:

1. (b)

   to prevent any Member from taking any action which it considers necessary for the protection of its essential security interests:

   (iii) taken in time of war or other emergency in international relations;

The panel in Russia – Traffic in Transit provided some guidance regarding the application of the security exception in Article XXI GATT.¹⁵⁷ The design of the security exception in Article XIV bis GATS is basically the same as the design of the security exceptions in Article XXI GATT. This is why the interpretation of the security exception in Article XXI GATT serves as a guideline for the interpretation of Article XIV bis GATS.¹⁵⁸ The panel in Russia – Traffic in Transit clarified that the term “essential security interests” may generally be understood to refer to those interests relating to the quintessential functions of the state, namely, the protection of its territory and its population from external threats, and the maintenance of law and public order internally.¹⁵⁹ The final determination is left in the hands of WTO members and will depend on the particular situation and the perception of the state in question.¹⁶⁰ A WTO member only needs to consider that its essential security interests are endangered, which amounts to a subjective standard. That determination is nevertheless subject to good faith.¹⁶¹

The panel also clarified that the subparagraphs in Article XIV bis:1(b) GATS operate as limitative qualifying clauses, implying that they limit the discretion granted to WTO members when invoking the security exceptions.¹⁶² This prevents the security exceptions from becoming a catch-all provision for unverified unilateral determinations and a circumvention of the GATS.¹⁶³ For example, the term emergency in international relations is amenable to an objective determination.¹⁶⁴ The term is not firmly entrenched in international law and must be construed by the WTO adjudicative bodies.¹⁶⁵ The panel in Russia – Traffic in Transit pointed out that “political or economic differences between Members are not sufficient, of themselves, to constitute an emergency in international relations.”¹⁶⁶ It defined an emergency in international relations as a “situation of armed conflict, or of latent armed conflict, or of heightened tension or crisis, or of general instability engulfing or surrounding a state.”¹⁶⁷ This limits the application of the security exception to restrictions on cross-border flows of personal data to very specific circumstances.

2.2 Annex on Telecommunications

The telecommunications sector was one of the sectors that required additional rules to the GATS because it is essential for the supply of other services (Sect. 4.2.2.1). The GATS Annex on Telecommunications entails substantive obligations on access to and use of public telecommunications transport networks and services (Sect. 4.2.2.2). The internet can be qualified as a public telecommunications transport network (Sect. 4.2.2.3). In addition to the substantive obligations, the Annex on Telecommunications also foresees exceptions for the confidentiality of messages (Sect. 4.2.2.4).

2.2.1 Enabling Function

During the negotiations of the GATS, WTO members recognized that the telecommunications sector played an important role as the underlying means for other economic activities.¹⁶⁸ The GATS Annex on Telecommunications thus aimed to ensure that commitments of WTO members in sectors other than telecommunications were not frustrated through the lack of access to and use of foreign telecommunications services.¹⁶⁹ The Annex on Telecommunications only comes into effect once a WTO member has offered a specific commitment in a given sector.¹⁷⁰ Despite being an act on telecommunications, the Annex on Telecommunications mostly liberalized trade in non-telecommunications services whose effective performance require access to and use of communications networks and services in the destination country.¹⁷¹ The Annex on Telecommunications is a general insurance policy for service suppliers to have access to telecommunications networks and services abroad.¹⁷²

2.2.2 Substantive Obligations

The main substantive obligation of the Annex on Telecommunications can be found in Paragraph 5. The Annex on Telecommunications requires in Paragraph 5(a) that WTO members grant access to and use of public telecommunications transport networks and services on reasonable and non-discriminatory terms and conditions for the supply of services included in their schedules.¹⁷³ The Annex on Telecommunications specifically requires in Paragraph 5(c) that other WTO members may use public telecommunications transport networks and services for the movement of information within and across borders, including for intra-corporate communications, and for access to information contained in data bases or otherwise stored in machine-readable form on the territory of any WTO member.¹⁷⁴

2.2.3 Coverage of the Internet

A “public telecommunications transport network” is defined in Paragraph 3(c) Annex on Telecommunications as “the public telecommunications infrastructure which permits telecommunications between and among defined network termination points.”¹⁷⁵ The exact scope of this obligation is not entirely clear, especially when it comes to the internet.

The GATS was drafted with a narrow idea of telecommunications in mind. Tim Wu explains that the drafters “had no idea that nearly every type of service under the GATS might eventually be offered over the TCP/IP protocol. In trade lingo, the framers thought of the Internet as a service sector, when, instead, it is usually a service mode.”¹⁷⁶ Cross-border flows of personal data on the internet are relevant for the supply of many services.¹⁷⁷ Access to and use of the internet in the territory of another WTO member is of the utmost importance for trade in services. The Council for Trade in Services noted regarding the application of the Annex on Telecommunications to the internet that

[t]he general view was that the Annex on Telecommunications applies to access to and use of the Internet network when it is defined in a Member’s regulatory system as a public telecommunications transport service and/or network in terms of that Annex.¹⁷⁸

This view is widely shared by scholars.¹⁷⁹ The aim of the Annex on Telecommunications was to prevent access to communication networks becoming a barrier to trade.¹⁸⁰ This is why the WTO adjudicative bodies applied the GATS to internet-based service transactions.¹⁸¹ Article 2(2) Regulation (EU) 2015/2120 defines an “internet access service” as a “publicly available electronic communications service that provides access to the internet, and thereby connectivity to virtually all end points of the internet, irrespective of the network technology and terminal equipment used.”¹⁸² The EU is therefore obligated to grant access to and use of the internet for the services it has scheduled in order for service suppliers to move information within the EU, for their cross-border data flows, including intra-corporate communications, and for access to information contained in data bases or otherwise stored in the EU.

The regulation of data transfers in the EU does not forbid access to and use of the internet for foreign service suppliers and services. Rather it regulates the cross-border flow of personal data from the EU to a third country. Even in cases in which the EU does not allow cross-border flows of personal data to a service supplier in the territory of a WTO member, this does not violate Paragraph 5(c) Annex on Telecommunications. The reason for the restriction on the cross-border flows of personal data is not a prohibition to access and use the internet for the movement of information within and across borders but related to the protection for personal data. The fact that the based regulation of data transfers in the EU also applies to the manual transportation of personal data to third countries underlines this.

Nevertheless, it must be acknowledged that Paragraph 5(c) Annex on Telecommunications has never been subject to dispute settlement and its exact scope is still unclear. During the negotiations, the US stated that “the cross-border movement of information was an intrinsic part of access to and use of the services of the public telecommunications transport network.”¹⁸³ The EC, in reaction, said that “the issue of data protection and privacy bore a strong link to that of the movement of information.”¹⁸⁴ There is a possibility that a restriction on cross-border flows of personal data could amount to a restriction on access to and use of a public telecommunications transport network because the movement of (personal) information is intrinsically linked with the access and use.

2.2.4 Confidentiality Exception

Paragraph 5(d) Annex on Telecommunications allows WTO members to take measures that are necessary to ensure the security and confidentiality of messages, notwithstanding the obligation to open public telecommunications transport networks and services for the movement of information within and across borders, including the intra-corporate communications of such service suppliers, and for access to information contained in data bases or otherwise stored in machine-readable form in their territory.¹⁸⁵ These measures may not be applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade in services.

Some scholars have argued that this exception covers privacy and data protection considerations.¹⁸⁶ The OED explains that confidential means “characterized by the communication of secrets or private matters.”¹⁸⁷ Nevertheless, context suggests that this exception does not cover privacy and data protection considerations. It must be observed from a systematic perspective that Paragraph 8 GATS Understanding on Commitments in Financial Services and the privacy exception in Article XIV(c)(ii) GATS distinguish the concepts of privacy and data protection from the concept of confidentiality by naming them separately. The negotiation history of the Annex on Telecommunications as supplementary means of interpretation according to Article 32 VCLT helps to clarify the interpretation of Paragraph 5(d). It was unclear during the GATS negotiations where a privacy exception should be inserted (if at all).¹⁸⁸ At the end, it was decided that the privacy-related aspects in the Annex on Telecommunications of the Brussels Text from December 1990 should be deleted and included in the framework text of the GATS in the Dunkel Draft from December 1991.¹⁸⁹ It seems to be clear from the preparatory work of the Annex on Telecommunications and the circumstances of the conclusion of the GATS that the concepts of privacy and data protection should not be part of Paragraph 5(d) Annex on Telecommunications.¹⁹⁰

Accordingly, the exception in Paragraph 5(d) Annex on Telecommunications must be construed narrowly and privacy as well as data protection considerations are only relevant where they overlap with considerations relating to the confidentiality of messages.

2.3 Treatment of Digital Services

Since the negotiation of the GATS coincided with the early development of the internet, the parties did not necessarily think of digital services when they drafted the GATS. This raises legal questions that are highly relevant for restrictions on cross-border flows of personal data, which affect trade in digital services: Are digital services part of the scope of the commitments in the schedule of WTO members (Sect. 4.2.3.1)? Which mode of supply covers the supply of digital services (Sect. 4.2.3.2)? How should digital services be classified in the Service Sectoral Classification List (W/120) (Sect. 4.2.3.3)? The classification of digital services is important for the commitments of WTO members in their respective schedules. A list with examples illustrates the classification of different digital services (Sect. 4.2.3.4).

2.3.1 Commitments

There was an early understanding among WTO members that the electronic supply of a service is covered by the commitments under GATS. The WTO Council for Trade in Services underlined in 1999 that

[t]he electronic delivery of services falls within the scope of the GATS, since the Agreement applies to all services regardless of the means by which they are delivered, and electronic delivery can take place under any of the four modes of supply. Measures affecting the electronic delivery of services are measures affecting trade in services and would therefore be covered by GATS obligations.¹⁹¹

The Council for Trade in Services stressed that according to the technological neutrality of the GATS, the electronic supply of a service is covered by specific commitments unless the schedule of a WTO member states otherwise.¹⁹² All GATS provisions would be applicable to the supply of services through electronic means.¹⁹³ The WTO adjudicative bodies followed this interpretation. They found in US – Gambling that by limiting the electronic supply of gambling services, the US failed to accord services and service suppliers in Antigua treatment no less favorable than that provided for under the terms, limitations, and conditions agreed and specified in the market access column of its schedule.¹⁹⁴ The modes of supply in the GATS cover the “supply [of] a service through all means of delivery, whether by mail, telephone, Internet etc., unless otherwise specified in a Member's Schedule.”¹⁹⁵ The panel added that this was “in line with the principle of ‘technological neutrality’, which seems to be largely shared among WTO Members” and also referred to the above mentioned report of the Council on Trade in Services.¹⁹⁶

In the subsequent case China – Audiovisual Products, the panel found that the electronic distribution of sound recordings was technically feasible and a commercial reality as early as 1998, and in any case before China’s accession to the WTO in December 2001.¹⁹⁷ It found, and the AB confirmed, that sound recording distribution services in China’s schedule of specific commitments extend to the distribution of sound recordings in non-physical form through technologies such as the internet.¹⁹⁸ The panel added that there was no need to invoke the principle of technological neutrality because it has already found that the core meaning of China’s commitment on these services includes the distribution of audio content on non-physical media.¹⁹⁹ The WTO adjudicative bodies confirmed that the GATS applies to digital services.

2.3.2 Mode of Supply

The supply of digital services could either fall within mode 1 (cross-border) or mode 2 (consumption abroad).²⁰⁰ With regard to mode 1, it can be argued that a digital service is sent to a recipient in another country via the internet. The panel in Mexico – Telecoms confirmed that the cross-border supply of services can encompass services which begin on one country’s telecommunication network and terminate on another’s.²⁰¹ With regard to mode 2, it can be argued that the consumer abroad actually visits the website of a service provider in another country.²⁰² The distinction is of some interest as, generally, concessions under mode 2 are more liberal than under mode 1.²⁰³

The panel in US – Gambling addressed the question with regard to digital gambling services. The panel first established that cross-border supply must be distinguished from remote supply.²⁰⁴ It used the term “remote supply” to refer to “any situation where the supplier, whether domestic or foreign, and the consumer of gambling and betting services are not physically together.”²⁰⁵ The logic behind the panel’s reasoning is that the GATS does not distinguish between remote or on-site supply but between four modes of supply out of which only mode 1 can be remote.²⁰⁶ The panel therefore limited its analysis to mode 1. It clearly stated that “[t]his dispute concerns one of the four modes of supply under the GATS, that is, the so-called ‘cross-border supply’ of gambling and betting services.”²⁰⁷ The AB followed this line of reasoning and only assessed mode 1 in its review of the dispute.²⁰⁸ The WTO adjudicative bodies therefore confirmed that digital services are supplied through mode 1.²⁰⁹

2.3.3 Classification

The Service Sectoral Classification List (W/120) has remained unchanged since 1991.²¹⁰ The W/120 is somewhat outdated when it comes to the classification of digital services. Nevertheless, it has proven to be flexible enough to cover most current digital services (Sect. 4.2.3.3.1). The allocation of a digital service to a service sector and subsector is an interpretative exercise of the WTO members’ schedules (Sect. 4.2.3.3.2). Three elements should be given due consideration when classifying digital services:²¹¹ First, the ordinary meaning of the terms in a schedule of commitments might change with the development of technology (Sect. 4.2.3.3.3). Second, the classification is based upon the output of services (Sect. 4.2.3.3.4). Third, integrated or composite services should be classified as if they consisted of the service that gives them their essential character (Sect. 4.2.3.3.5). Finally, a functional approach is suggested for the classification of digital services (Sect. 4.2.3.3.6).

2.3.3.1 Coverage of the Service Sectoral Classification List

The GATS is molded by a comprehensive approach. It should be applicable in principle to any service in any sector as laid down in Article I:I(3)(b) GATS.²¹² Given that the W/120 and the CPC are intended to be exhaustive, presumably any service should automatically fall under some category on the list.²¹³ The GATS liberalized trade in services with a positive list approach, in which WTO members actively commit to open their markets for a specific service sector or subsector. The result of this approach is that potentially not all current tradable services are encompassed. The question here is whether a WTO member could be assumed to have undertaken commitments on a service that was not foreseen at the time of submitting the commitments. New services might only be covered if they can be clearly identified under an existing sectoral classification that has been committed by a WTO member.²¹⁴

The concept of new services must be approached cautiously. There is no definition of new services in the GATS.²¹⁵ During discussions in the WTO Committee on Specific Commitments in 2014, it was underlined that in considering new services, WTO members should be mindful of the distinction between new means of delivery and genuinely new services.²¹⁶ Many WTO members shared the opinion that genuinely new services are rare, if they exist at all, and that the rest could be accommodated in the W/120.²¹⁷ The same opinion is also expressed by scholars. Ines Willemyns has argued that “very limited genuinely new services exist and that many allegedly new digital services can be classified within the W/120.”²¹⁸ The question is how an activity can be allocated to a service sector and subsector.

2.3.3.2 Interpretation of the Schedules

The W/120 is based on a taxonomy of distinct and mutually exclusive services. The sectors and subsectors in a WTO member’s schedule must be mutually exclusive. If that were not the case, and a WTO member scheduled the same service in two different sectors, then the scope of the commitment would not be clear if the WTO member made a full commitment in one of those sectors and a limited commitment in the other.²¹⁹ The allocation of digital services to a service sector and subsector is an interpretative exercise of WTO members’ schedules. The general rules of interpretation of public international law in Articles 31 and 32 VCLT apply.²²⁰ First, the ordinary meaning of the relevant terms in a schedule must be determined based on the dictionary meaning.²²¹ The AB cautioned that panels should acknowledge when multiple interpretations are possible and not just focus solely on the preferred interpretation.²²² Second, the meaning of the terms can be informed by the relevant context, namely:

(i) the remainder of the [...] Schedule of specific commitments; (ii) the substantive provisions of the GATS; (iii) the provisions of covered agreements other than the GATS; and (iv) the GATS Schedules of other Members.²²³

Context does not include the W/120 or the Scheduling Guidelines of 1993 because they do not constitute agreements between the parties.²²⁴ The object and purpose of the GATS can offer further guidance for the interpretation.²²⁵ Finally, Article 31 VCLT also refers to subsequent practice as a tool for interpretation.²²⁶

Where the ordinary meaning of the terms, interpreted together with the context and relevant subsequent practice, leaves the meaning of the terms ambiguous, recourse should be made to the supplementary means of interpretation as provided in Article 32 VCLT.²²⁷ The AB confirmed that both the W/120 and the Scheduling Guidelines of 1993 constitute supplementary means of interpretation.²²⁸

2.3.3.3 Evolution of Technology

When classifying digital services it is important to take into consideration that the ordinary meaning of the terms in a schedule of commitments can change with the development of technology. Exactly how this works has been an issue in dispute settlement before:

In EC – IT Products, a dispute concerning the Information Technology Agreement (ITA) that entails concessions to provide zero tariffs for selected IT products, the panel was asked to elaborate to what extent the state of technology that existed at the time of the negotiations is relevant to determining the scope of the concessions. The panel stated that “it is neither desirable nor possible to answer such questions in the abstract and without reference to the terms of the concessions that are being interpreted.”²²⁹ In responding to the EC’s argument that multifunctional monitors were new products that had not existed at the time of negotiations, the panel explained that the notion of multifunctional monitors was not unknown to the negotiators at the time. The panel continued to explain that even if the EC’s argument were accepted, it was of limited relevance to the question of whether the product in question was covered by the concessions, because “this must be determined by interpreting the terms of the concession in accordance with the Vienna Convention.”²³⁰ The panel decided that the products in question were covered by the ITA on the basis of a strict textual interpretation.²³¹

In China – Publications and Audiovisual Products, the panel had to assess China’s argument that its commitment on sound recording distribution services should not be considered to cover the electronic distribution of sound recordings because the latter had emerged as an established business only after the negotiation of its schedule of commitments and its accession to the WTO.²³² The panel admitted that evidence on the technical feasibility or commercial reality of a service at the time of the commitments might constitute circumstances that are relevant to the interpretation of the commitment under Article 32 VCLT:

We consider therefore that any evidence that sound recordings delivered in non-physical form were not, unlike today, technically possible or commercially practiced at the time China’s Schedule was negotiated might, in principle, be relevant as a supplementary means of interpretation with respect to the scope of that commitment.²³³

The panel assessed the technical feasibility and commercial practice with respect to the electronic distribution of sound recordings before and at the time of China's Protocol of Accession and found that it was technically feasible and a commercial reality before China’s accession to the WTO and therefore confirmed its finding under Article 31 VCLT.²³⁴ The AB upheld the panel’s finding but added a nuance as to how schedules should be interpreted:

We further note that interpreting the terms of GATS specific commitments based on the notion that the ordinary meaning to be attributed to those terms can only be the meaning that they had at the time the Schedule was concluded would mean that very similar or identically worded commitments could be given different meanings, content, and coverage depending on the date of their adoption or the date of a Member's accession to the treaty.²³⁵

Without explicitly referring to the state of technology, the AB argued that a historic interpretation “would undermine the predictability, security, and clarity of GATS specific commitments.”²³⁶ Especially because GATS schedules, like the GATS itself and all WTO agreements, constitute multilateral treaties with continuing obligations entered into for an indefinite period of time—regardless of whether they were original WTO members or acceded after 1995.²³⁷ The AB also argued that “the terms used in China’s GATS Schedule (‘sound recording’ and ‘distribution’) are sufficiently generic that what they apply to may change over time.”²³⁸ The AB therefore indicated that the ordinary meaning of the terms of specific commitments could not be limited to the meaning that they had at the time the schedule had been concluded. They rather must be interpreted based on their contemporary meaning if the terms are sufficiently generic.²³⁹

2.3.3.4 Service Output

Another element that should be given due consideration when classifying digital services is that the classification of services in the W/120 and the CPC is based on the service output provided by service suppliers.²⁴⁰ Service output means the result of the production of the service.²⁴¹ Footnote 9 to the GATS excludes input services from the market access obligation in Article XVI:2(c) GATS. This qualification in Footnote 9 to the GATS provides a safeguard against unwanted liberalization.²⁴² It allows WTO members to limit trade in input services that have not been committed to themselves. The Scheduling Guidelines of 2001 clarify that market access and national treatment commitments “do not imply a right for the service supplier of a committed service to supply uncommitted services which are inputs to the committed service.”²⁴³ It is ultimately the service output (i.e. the product), and not the activity that generates the output, which enters trade and is subject to the commitments in the schedules of WTO members.²⁴⁴ The classification of a service must focus on the output.

2.3.3.5 Integrated Services

A third element that should be given due consideration when classifying digital services is that integrated or composite services should be classified as if they consisted of the service that gives them their essential character. WTO members have already acknowledged that due to the evolution of technology, increasingly complex and combined services are entering the market.²⁴⁵ This is especially true for digital services.

The notion of integrated services was introduced in China – Electronic Payment Services. In identifying the nature of electronic payment services, the panel noted that two issues arise: One was whether the services at issue could be considered as an integrated service, which was supplied as such. The other was whether the services at issue should be classified under a single subsector or under more than one subsector in the classification system.²⁴⁶ The panel first underlined that electronic payment services are composed of several elements, which are services in their own right.²⁴⁷ In spite of this, the panel found that while these elements might be individually identifiable services, all of them together, were necessary for a payment card transaction to materialize and are thus integrated into a whole.²⁴⁸ Thus the different services combined together result in a distinct service that is supplied and consumed as such.²⁴⁹ The panel therefore concluded that electronic payment services for payment card transactions constitute an integrated service.²⁵⁰ Furthermore, the panel found that electronic payment services, as an integrated service, were covered by China’s commitments under a single subsector.²⁵¹

These findings are compatible with the focus on service output and the fact that input services are not automatically committed.²⁵² The panel focused on the service output and found that the final service, as supplied to the consumer (considering the transaction from start to end), is a distinct service (without input services) and can therefore be classified within a single subsector. This is also compatible with Article XXVIII(b) GATS that defines the supply of a service as including production, distribution, marketing, sale, and delivery of a service.

The CPC also addresses integrated services. The introductory part of the CPC suggests some general rules to guide statisticians in their use of the classification system.²⁵³ These include: Composite services shall be classified as if they consisted of the service which gives them their essential character.²⁵⁴ Services that cannot be classified in accordance with the general rules shall be classified under the category appropriate to the services to which they are most akin.²⁵⁵

2.3.3.6 Functional Approach

The functional approach to classification of digital services focuses on service output and considers integrated services where applicable. The functional approach to classification is based on the determination of a service’s end-use.²⁵⁶ The question is what function is achieved by the service?²⁵⁷ Based on this determination, the service sector and subsector that has the closest relation to the function can be considered the correct classification.²⁵⁸ The panel in China – Publications and Audiovisual Products made an important finding in this regard:

A description of a service sector in a GATS schedule does not need to enumerate every activity that is included within the scope of that service, and is not meant to do so. A service sector or subsector in a GATS schedule thus includes not only every service activity specifically named within it, but also any service activity that falls within the scope of the definition of that sector or subsector referred to in the schedule.²⁵⁹

The determination of a service’s function can be tricky when it comes to services that may serve multiple end-uses.²⁶⁰ For example, advertising online games, which are either specifically designed for advertising purposes or simply entail advertisements.²⁶¹ The determination will depend on the perspective taken. This could be the perspective of the producers, consumers, or regulators and each might yield a different result. In China – Electronic Payment Services, the panel referred to the consumers’ perspective when determining the correct classification.²⁶² The functional approach is also supported by the principle of technological neutrality, as the focus on the end-use of the service does not take account of, or is at least not determined by, the means through which the service is being supplied.²⁶³

The components-based approach to classification stands in contrast to the functional approach. The components-based approach relies on identifying the separate components a service consists of, after which the main component (or the one most easily classified) determines the classification of the service. Ines Willemyns explains that a components-based classification approach can lead to converging classification of widely different digital services, because it is based on the main constituting elements (that may even be inputs) of the service rather than the final service being provided.²⁶⁴ If the components-based approach would prevail, a majority of digital services might be classified as data transmission services, since data transmission is the major component in how these services are supplied. This would not allow for a differentiated classification of different digital services. Consequently, I argue that the components-based approach to classification is not suitable and the functional approach should be used.²⁶⁵

2.3.4 Examples

The functional approach to classification is best illustrated with examples. The following examples have already been introduced as examples of services that require cross-border flows of personal data.²⁶⁶ The classifications suggested here for these examples will be used in the legal analysis of the regulation of data transfers in the EU and the market access obligation in Article XVI GATS.²⁶⁷

2.3.4.1 Cloud Computing Services

The use of cloud computing should not automatically be considered as a single final service output for trade in services. It also offers ways in which other services can be supplied.²⁶⁸ Services using cloud computing do not necessarily amount to computer services based on the functional approach to service classification. They often constitute integrated services, which can be classified elsewhere. Nevertheless, cloud computing services are also traded independently. In order to produce a service that relies on cloud computing, the supplier of that service might have recourse to foreign suppliers and import cloud computing services.

2.3.4.1.1 Cloud Computing Without Distinction by Type

In 2007, a group of 19 WTO members, including the EC (not counting its member states) and the US, circulated the Understanding on the scope of coverage of CPCprov 84 in which they submitted that CPCprov 84 covers all computer and related services.²⁶⁹ Division 84 of the CPCprov includes the following groups:

• 841 - Consultancy services related to the installation of computer hardware

• 842 - Software implementation services

• 843 - Data processing services

• 844 - Data base services

• 845 - Maintenance and repair services of office machinery and equipment including computers

• 849 - Other computer services

The US and the EU later argued that according to this understanding, CPCprov 84 also includes cloud computing services.²⁷⁰ They did not maintain a distinction between the different types of cloud computing services. In 2015, the WTO Secretariat provided the United Nations Expert Group on International Statistical Classifications with an illustrative list of services that did not have explicit references in W/120 and included on it cloud computing services.²⁷¹ The experts also concluded that cloud computing services would fall under CPCprov 84.²⁷² They also did not push for a distinction between the different types of cloud computing services either.

It was mainly China that objected and stated that cloud computing clearly overlapped with both computer and related services and telecommunications services.²⁷³ China argued that cloud computing could not simply be classified as falling either under computer-related services or telecommunications services.²⁷⁴ The EU disagreed with China that cloud computing is a new service and that it should (also) be considered as a (value-added) telecommunication service.²⁷⁵ The EU pointed out that telecommunications are only the means of delivery, and not the core of the service provided (just as cloud computing itself could be an enabling service).²⁷⁶ In 2016, the WTO Secretariat noted that the discussions on the classification of cloud computing services in the WTO had not resulted in any consensus.²⁷⁷

I argue that cloud computing services themselves also should be seen as integrated services.²⁷⁸ They are composed of several elements, each of which are services in their own right. Even though there are elements that are individually identifiable services, such as computer and related services and telecommunications services, all of them together, are necessary to supply could computing services. Only the elements combined result in a distinct service that is supplied and consumed as such. With a focus on the output, it seems that cloud computing services should be classified in the sector “Business Services” and the subsector “Computer and Related Services” (W/120-1.B), which corresponds to CPCprov 84.

Nevertheless, China made a valid point that there are three different types of cloud computing services that should be individually classified because they satisfy different consumer needs: IaaS, PaaS, and SaaS.²⁷⁹

2.3.4.1.2 IaaS

IaaS may be classified in the category “Data processing services” (W/120-1.B.c), which corresponds to CPCprov 843.²⁸⁰ The OED defines processing as “the subjection of something to a special process.”²⁸¹ Cloud computing as IaaS allows a consumer to rent cloud computing infrastructure from the provider. The consumer can rely on the provider for processing, storage, networks, and other fundamental computing resources located in the cloud. The provider therefore subjects the data of the consumer to special processing operations. The CPC as a supplementary means of interpretation supports that conclusion. CPCprov 843 entails a sub-class 84320 with the title “Data-processing and tabulation services.” The sub-class is defined as services such as data processing tabulation services, computer calculating services, and rental services of computer time. The rental of computer time fits the IaaS model.

2.3.4.1.3 PaaS

PaaS may be classified in the category “Software implementation services” (W/120-1.B.b), which corresponds to CPCprov 842. The OED defines software as the “collection of programs essential to the operation of a particular computer system” or as “programs designed to enable a computer to perform a particular task or series of tasks.”²⁸² Implementation refers to an action and also means fulfillment.²⁸³ Cloud computing as PaaS allows a consumer to work with tools supported by the cloud provider. A consumer can create web or mobile applications on an existing cloud computing platform. The interpretation based on the ordinary meaning of the terms “software implementation services” is not conclusive. It is not clear how the action of implementing something should be associated with PaaS. The CPC as a supplementary means of interpretation clarifies the classification. The description of software implementation services in CPCprov 842 explains that all services involving consultancy services for development and implementation of software are covered. Sub-class 84230 with the title “Systems design services” includes technical solutions, with respect to methodology or new technologies.²⁸⁴ PaaS offers technical solutions for consumers.

2.3.4.1.4 SaaS

SaaS may also be classified in the category “Software implementation services” (W/120-1.B.b). SaaS allows a consumer to use a software application of a cloud provider on various client devices. The provider manages the application and handles maintenance. The interpretation based on the ordinary meaning of the terms software implementation services is not conclusive, but the CPC as a supplementary means of interpretation clarifies the classification. Sub-classes 84240 with the title “Programming services” and 84250 with the title “System maintenance services” suggest that the writing of programs and the maintenance of software products in use are covered by software implementation services.

2.3.4.2 Search Engine Services

Search engines crawl the internet and index the results for search queries.²⁸⁵ They use cloud computing and algorithms to grant users access to databases containing a plethora of websites and the information therein. The use of cloud computing should not be considered the final service output for trade in search engine services. The use of cloud computing is an element of the integrated service of a search engine.

Before classifying search engine services, it is necessary to address an important element of the operation of a search engine. The services offered by search engines are usually free of charge to the consumers. Additional targeted advertising services usually cover the financial needs of the search engine. Virtual space is sold to businesses which are interested in reaching a wide, but targeted audience. Advertising is the main revenue source for search engines. The ECJ found that the search engine functions and advertising activities

are inextricably linked since the activities relating to the advertising space constitute the means of rendering the search engine economically profitable and that the search engine is, at the same time, the means enabling those advertising activities to be performed.²⁸⁶

The reasoning of the ECJ does not translate easily into WTO law. The panel found in China – Electronic Payment Services that electronic payment services are composed of several elements, which are services in their own right but that all of them, together, are necessary for a payment card transaction to materialize and are thus integrated into a whole.²⁸⁷ The panel’s jurisprudence on integrated services is based on functional and not economic considerations. From a functional perspective, the advertising services are not necessary for the supply of search engine services. In addition, there could be other business models for search engine services than advertising.²⁸⁸ This indicates that search engine services do not necessarily have to be linked with advertising services. I thus conclude that search engine services should not be seen as an integrated service that includes advertising services.²⁸⁹ Rather the advertising services should be classified separately.

Search engine services may be classified under the sector “Business Services” and the subsector “Computer and Related Services” as “Data base services” (W/120-1.B.c), which correspond to CPCprov 844. The OED defines “database” as a “structured set of data held in computer storage and typically accessed or manipulated by means of specialized software.”²⁹⁰ Search engines consist of a database and an interface that makes the database accessible.²⁹¹ They fit the ordinary meaning of W/120-1.B.c perfectly. The CPCprov as a supplementary means of interpretation supports this classification. The description of database services in CPCprov 844 includes all services provided from primarily structured databases through a communication network. Search engines satisfy both conditions of that description.²⁹²

2.3.4.3 Social Network Services

Social networks are cloud-based platforms encompassing digital relationships between individuals, groups, organizations, or even entire societies. The use of cloud computing should not be considered the final service output for trade in social network services. The use of cloud computing rather is an element of the integrated service of a social network.

Just as in the case of search engines, it is necessary to address advertising services before classifying social network services. The services offered by a social network are usually free of charge to the consumers. Additional targeted advertising services often cover the financial needs of a social network. It is the main revenue source for social networks. The jurisprudence of the WTO adjudicative bodies on integrated services is based on functional and not economic considerations. From a functional perspective, the advertising services are not necessary for the supply of social network services. Social network services cannot be seen as an integrated service that includes advertising services.²⁹³ The advertising services must be classified separately.

Social networks may be classified under the sector “Business Services” and the subsector “Computer and Related Services” as “Data base services” (W/120-1.B.c), which correspond to CPCprov 844.²⁹⁴ Social network services enable electronic interaction and allow access to and manipulation of information in databases because whatever is posted or shared by the users is included in the online database of the social network.²⁹⁵ The CPCprov as a supplementary means of interpretation supports this classification. The description of database services in CPCprov 844 includes all services provided from primarily structured databases through a communication network. Social networks satisfy both conditions of this description.²⁹⁶

2.3.4.4 Online Advertising Services

Online advertising services may be classified under the sector “Business Services” and the subsector “Other Business Services” as “Advertising services” (W/120-1.F.a), which correspond to CPCprov 871.²⁹⁷ The ordinary meaning of the term advertising services in W/120-1.F.a matches online advertisement services, especially when taking account of the evolution of technology. It is not necessary to consult the CPCprov as a supplementary means of interpretation as the result of the interpretation according to Article 31 VCLT does not leave the meaning of the terms ambiguous.

2.3.4.5 IoT Services

One of the examples given above for IoT services was related to internet-connected automobiles. Maintenance and the improvement of the driving experience are important services with regard to internet-connected vehicles. IoT maintenance services for internet-connected vehicles can be classified in the sector “Transport Services” and the subsector “Road Transport Services” as “Maintenance and repair of road transport equipment” (W/120-11.F.d), which corresponds to CPCprov 6112. The ordinary meaning of the terms “maintenance” and “repair of road transport equipment” matches the IoT maintenance services for internet-connected vehicles, especially when taking account of the evolution of the ordinary meaning of the term due to technological development. The CPCprov as a supplementary means of interpretation supports this classification. Sub-class 611120 with the title “Maintenance and repair services of motor vehicles” includes a detailed list of maintenance services. The terms are sufficiently generic that what they apply to may change over time.²⁹⁸

The second example for IoT service given above was related to smart fridges. Restocking groceries is an important service provided by smart fridges. IoT restocking services for smart fridges cannot be classified in any sector and subsector of W/120. I am of the opinion that IoT restocking services for smart fridges is one of the rare examples of a new service that is not covered by the W/120. The subsector “Retailing services” is not pertinent (W/120-4.C). The OED defines “retail” as the “action or business of selling goods in relatively small quantities for use or consumption rather than for resale.”²⁹⁹ IoT restocking services of smart fridges involve the buying of goods and not their sale. The subsector “Computer and Related Services” is not pertinent either (W/120-1.B). Even though data processing services are a component of IoT restocking services, the classification must focus on the service output, which is ordering groceries and filling up the fridge. Furthermore, none of the “Other” subsectors are pertinent. IoT restocking services are essentially personal shopping services from a technologically neutral perspective. Someone (or something) is going to the stores (or contacting the stores) for you (or maybe with you) to select and/or buy the things you need. There is no classification for personal shopping in the W/120.

2.3.4.6 Sharing Economy Platform Services

The treatment of sharing economy platform services is tricky, not only with regard to the GATS. Countries have historically struggled to find sensible regulatory solutions for the sharing economy. Should the respective companies be treated as tech-companies or the same as their analogue counterparts?³⁰⁰ Similarly, in the GATS context, their services can be classified either as computer and related services, or as the services that they facilitate.

The first example for sharing economy platform services discussed above was related to the arrangement of lodging. I would classify digital lodging arrangement platform services under the sector “Tourism and Travel Related Services” and the subsector “Hotels and restaurants” (W/120-9.A), which corresponds to CPCprov 641-643. The interpretation, however, based on the ordinary meaning of the terms hotels and restaurants leaves the classification ambiguous. The CPCprov as a supplementary means of interpretation offers further guidance. Sub-class 64193 with the title “Letting services of furnished accommodation” includes lodging and related services provided by cabins, private apartments, and homes. There is no requirement as to who owns the subject property. The mere fact that a company like Airbnb does not own the property does not preclude them from providing such services.³⁰¹ The classification in the subsector hotels and restaurants focuses on service output from the perspective of the consumer/user that travels. Data processing and database services are certainly elements of digital lodging arrangement platform services, and constitute services in their own right, but all of them, together, are necessary for digital lodging arrangement platform services to materialize. The different services are thus combined and result in a distinct integrated service that is supplied and consumed as such.³⁰²

The second example for sharing economy platform services was related to the arrangement of transportation. I would classify digital transportation arrangement platform services under the sector “Transportation Services” and the subsector “Road Transport Services” as “Passenger transportation” (W/120-11.F.a), which corresponds to CPCprov 7121+7122. The interpretation based on the ordinary meaning provides a clear classification. The CPCprov as a supplementary means of interpretation supports this classification. Sub-class 71221 with the title “Taxi services” includes services that are generally rendered on a distance-traveled basis, for a limited duration of time, and to a specific destination. The classification as passenger transportation focuses on service output from the perspective of the consumer/user that travels. Data processing and database services are certainly elements of digital transportation arrangement platform services, and constitute services in their own right, but all of them, together, are necessary for digital transportation arrangement platform services to materialize. The different services are combined together and result in a distinct integrated service that is supplied and consumed as such.³⁰³

2.3.4.7 Travel Agencies

Travel agencies supply services that can be classified under the sector “Tourism and Travel Related Services” and the subsector “Travel agencies and tour operator services” (W/120-9.B), which corresponds to CPCprov 7471. The services offered by travel agencies fit the ordinary meaning of W/120-1.B.c perfectly.

2.3.4.8 Digital Medical Services

Digital medical services as described above may be classified under the sector “Business Services” and the subsector “Professional Services” as “Medical and dental services” (W/120-1.A.h), which correspond to CPCprov 9312. The ordinary meaning of the term “medical services” matches digital medical services, especially when taking into account the evolution of technology. The CPCprov as a supplementary means of interpretation supports this classification.

2.3.4.9 Legal Services

Legal services as described above may be classified under the sector “Business Services” and the subsector “Professional Services” as “Legal Services” (W/120-1.A.a), which correspond to CPCprov 861. The interpretation according to the ordinary meaning of the terms suffices for the classification.

2.4 Electronic Commerce Negotiations

The cross-border flow of personal data is not directly regulated by the law of the WTO yet, but it is part of the electronic commerce negotiations held at the WTO since 1998. These negotiations can be divided into four stages: the preparatory work until 2015 (Sect. 4.2.4.1), the emancipation from the Doha structure from 2015 to 2017 (Sect. 4.2.4.2), the Joint Statement Initiative from 2017 to 2019 (Sect. 4.2.4.3), and the current negotiations that started in 2019 (Sect. 4.2.4.4).

2.4.1 Preparatory Work

At the second Ministerial Conference of the WTO in May 1998, the delegations recognized that growing global electronic commerce was creating new opportunities for trade. They thus adopted the Declaration on Global Electronic Commerce.³⁰⁴ The declaration directed the WTO General Council to establish a comprehensive work program to address trade-related issues concerning electronic commerce. In September 1998, the General Council established the “Work Programme on Electronic Commerce,” instructing each of its councils to look at specific issues under their respective responsibilities.³⁰⁵

The Work Programme on Electronic Commerce has an exploratory and informative nature. It was mainly designed to build understanding around the trade-related aspects of electronic commerce without the pre-set objective to negotiate new rules.³⁰⁶ Discussions did not see significant progress until the Nairobi Ministerial Conference in 2015.³⁰⁷ The International Centre for Trade and Sustainable Development noted that the topic was completely absent in some of the councils for years.³⁰⁸ In spite of this and in spite of the Doha agenda deadlock, some pertinent trade-related aspects of electronic commerce were identified.³⁰⁹ With regard to trade in services, such aspects included the technological neutrality of the GATS, the fact that specific commitments for market access and national treatment also cover the supply of services through electronic means (unless otherwise specified), and the application of the Annex on Telecommunications to access and use of the internet when it is defined in a WTO member’s regulatory system as a public telecommunications transport service.³¹⁰

2.4.2 Emancipation from the Doha Structure

At the Nairobi Ministerial Conference in 2015, it was recognized that many WTO members desired to carry out the work on the basis of the Doha structure, while some wanted to explore new negotiation architectures.³¹¹ Given the rapid growth of electronic commerce and the absence of global rules, some WTO members called for electronic commerce to be prioritized among the new issues for consideration.³¹²

In the runup to the Buenos Aires Ministerial Conference in 2017, the discussions of the Work Programme on Electronic Commerce intensified and several WTO members, or groups of WTO members, issued statements and proposals on potential issues for discussion. These issues also included data flows and data protection. Developing countries, especially WTO members in Africa, argued against negotiating new rules at the WTO, concerned that this would detract attention from the outstanding issues of the Doha agenda, along with imposing constraints on policy space.³¹³

2.4.3 Joint Statement Initiative

The Buenos Aires Ministerial Conference in 2017 witnessed the launch of a Joint Statement Initiative for exploratory talks on potential negotiations of trade rules on electronic commerce by 71 WTO members.³¹⁴ The WTO members involved in this Joint Statement Initiative met on an almost monthly basis. A total of nine meetings were held, in which proposals and submissions were discussed with the aim of setting and agreeing on the agenda for the negotiations.³¹⁵ That phase was concluded by the signing of a second Joint Statement Initiative in Davos in January 2019, announcing the intention of 76 WTO members to begin plurilateral negotiations on electronic commerce.³¹⁶

2.4.4 Current Negotiations

By the end of February 2020, seven negotiating rounds had been completed, with more than 80 WTO members participating. Big differences have been reported between three influential WTO members—China, the EU and the US—but also between developed and developing countries when it comes to subjects like data protection and cross-border flows of personal data.³¹⁷

The EU’s first proposal was circulated on 26 April 2019 and entailed safeguards for WTO members to regulate the protection of personal data and privacy:³¹⁸

2.8 Protection of Personal Data and Privacy

1. 1.

   Members recognize that the protection of personal data and privacy is a fundamental right and that high standards in this regard contribute to trust in the digital economy and to the development of trade.

2. 2.

   Members may adopt and maintain the safeguards they deem appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data. Nothing in the agreed disciplines and commitments shall affect the protection of personal data and privacy afforded by the Members' respective safeguards.

3. 3.

   Personal data means any information relating to an identified or identifiable natural person.

The wording of the EU’s proposal is very similar to the Model Data Flow Clauses for their future trade agreements.³¹⁹ It entails a deferential approach allowing WTO members to choose the safeguards they deem appropriate for the protection of personal data and privacy including rules on cross-border flows of personal data. It does not mention any qualifying requirement such as necessity or standards similar to the chapeau of Article XIV GATS. The EU’s proposal tries to safeguard the right to continuous protection of personal data in Article 8 CFR and the legal mechanisms for the transfer of personal data in the GDPR.

China’s first proposal was circulated on 23 April 2019 and only briefly addressed the protection of personal information:³²⁰

3.9. Personal Information Protection: Members should adopt measures that they consider appropriate and necessary to protect the personal information of electronic commerce users.

The wording of China’s proposal, while less detailed, is similarly deferential as regards the protection of personal data. China explicitly stated that WTO members “should respect each other’s design of the electronic commerce development paths, and the legitimate right to adopt regulatory measures in order to achieve reasonable public policy objectives.”³²¹ China seems to side with the EU on privacy issues in its proposal, arguing that appropriate and necessary measures can be implemented to protect privacy.³²² However, while the EU’s focus is on fundamental rights, China’s focus is on security:

4.1. […] However, more importantly, the data flow should be subject to the precondition of security, which concerns each and every Member’s core interests. To this end, it is necessary that the data flow orderly in compliance with Members’ respective laws and regulations.

This might be explained by the fact that China’s Cybersecurity Law states that operators of critical information infrastructure must pass a security assessment by government agencies before cross-border flows of personal data are possible.³²³

The US proposal was circulated on 26 April 2019 and entailed detailed rules on protection of personal information and cross-border transfers of information:³²⁴

Article 7: Personal Information Protection

1. 1.

   Each Party shall adopt or maintain a legal framework that provides for the protection of the personal information of the users of digital trade.³²⁵

2. 2.

   Each Party shall publish information on the personal information protections it provides to users of digital trade, including how:

   1. (a)

      individuals can pursue remedies; and

   2. (b)

      an enterprise can comply with legal requirements.

3. 3.

   Recognizing that the Parties may take different legal approaches to protecting personal information, each Party should encourage the development of mechanisms to promote interoperability between these different regimes.

4. 4.

   The Parties recognize the importance of ensuring compliance with measures to protect personal information and ensuring that any restrictions on cross-border flows of personal information are necessary and proportionate to the risks presented.

Article 8: Cross-Border Transfer of Information by Electronic Means

1. 1.

   No Party shall prohibit or restrict the cross-border transfer of information, including personal information, by electronic means, if this activity is for the conduct of the business of a covered person.

2. 2.

   This Article does not prevent a Party from adopting or maintaining a measure inconsistent with paragraph 1 that is necessary to achieve a legitimate public policy objective, provided that the measure:

   1. (a)

      is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and

   2. (b)

      does not impose restrictions on transfers of information greater than are necessary to achieve the objective.³²⁶

The US proposal is characterized by a commitment to recognize different legal approaches to protect personal data and the interoperability of these approaches.³²⁷ The US suggested in a follow-up communication from 17 June 2019 that so-called “interoperability regimes” can be instituted between economies where national standards on data protection diverge.³²⁸ It explicitly mentioned the Privacy Shield as an example for the use of such an interoperability regime.³²⁹ The invalidation of Decision (EU) 2016/1250, the Privacy Shield adequacy decision, by the ECJ in Schrems 2 shows the limits of such regimes from the perspective of the EU.³³⁰ At the same time, the US proposal also significantly limits domestic regulatory space for rules on cross-border flows of personal data with qualifying requirements. First, parties must generally ensure that restrictions on cross-border flows of personal data are necessary and proportionate to the risks presented. This requires an explanation of the risks of cross-border flows of personal data and a test of necessity and proportionality of the restrictions. Second, and somewhat overlapping, the proposal forbids prohibitions and restrictions of cross-border flows of personal data for the conduct of businesses, except where a measure is necessary to achieve a legitimate public policy objective and is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and does not impose restrictions on transfers of information greater than are necessary to achieve the objective. Contrary to the EU’s and China’s proposal, the US proposal entails many legal tests for data flow regimes.

An agreement that reconciles differing national approaches to personal privacy seems elusive.³³¹ Nevertheless, the parties had hoped to publish a consolidated text at the Nur-Sultan Ministerial Conference of the WTO in June 2020.³³² The conference was postponed due to the COVID-19 pandemic, which has given the negotiations more time. On 14 December 2021 the co-convenors of the WTO e-commerce negotiations—Australia, Japan and Singapore—issued a joint statement welcoming the substantial progress in the negotiations and setting the goal for members to secure convergence on the majority of issues by the end of 2022.³³³ The negotiations seem to have produced a number of clean articles such as on spam, electronic signatures, online consumer protection and open government data but privacy and data flows remain two of the significant open issues.³³⁴ The co-convenors stated on 15 September 2022 that a finalisation of the negotiations in 2023 is within reach.³³⁵

2.5 Summary

Digital services often require cross-border flows of personal data. When the GATS was drafted, many digital services that now rely on the free flow of personal data were not yet invented. Nevertheless, I argue that most digital services are covered by the commitments in the schedules of WTO members. They fall under mode 1 (cross-border supply of services). Since the GATS applies to measures affecting trade in services, the EU’s fundamental rights-based regulation of data transfers is subject to the obligations in the GATS because any restriction on the free flow of personal data across borders affects trade in services. The MFN treatment obligation in Article II GATS prohibits discrimination between foreign services and service suppliers from different third countries. The domestic regulation obligation in Article VI GATS requires “reasonable, objective, and impartial” administration of measures and practicable, judicial, arbitral, or administrative tribunals or procedures that provide for the prompt review of measures and appropriate remedies. Subject to the specific commitments undertaken by the EU, the market access obligation in Article XVI (a) and (c) GATS does not allow limitations on the number of service suppliers and operations, and the national treatment obligation in Article XVII GATS prohibits discrimination between foreign and domestic services and service suppliers. Exceptions pertaining to economic integration in Article V GATS, privacy in Article XIV(c)(ii) GATS, and security in Article XIV bis GATS can justify violations of the obligations in the GATS. The GATS Annex on Telecommunications aims to ensure that the specific commitments are not frustrated through lack of access to foreign telecommunications services. In addition, the ongoing electronic commerce negotiations at the WTO involve rules on cross-border flows of personal data. However, it still seems rather difficult to reconcile the differing national approaches to privacy protection at the level of the WTO.

3 The Regulation of Data Transfers as Trade Barrier

The multilateral framework of the WTO allows its members to challenge the EU’s fundamental rights-based regulation of data transfers as a trade barrier. The analysis of the obligations under the GATS highlights how the regulation of data transfers in the EU interferes with the rules of the WTO on trade in services. The analysis focuses on the MFN treatment obligation in Article II GATS (Sect. 4.3.1), the domestic regulation obligation in Article VI GATS (Sect. 4.3.2), the market access obligation in Article XVI:2(a) and (c) GATS (Sect. 4.3.3), and the national treatment obligation in Article XVII GATS (Sect. 4.3.4).

3.1 MFN Treatment

The MFN treatment obligation in Article II:1 GATS applies to any measure affecting trade in services irrespective of whether specific commitments have been undertaken.³³⁶ The EU is required to accord to services and services suppliers of any WTO member treatment no less favorable than that it accords to like services and service suppliers of any other country immediately and unconditionally. The analysis of the EU’s regulation of data transfers under the MFN treatment obligation focuses on regular adequacy decisions (Sect. 4.3.1.1), special framework adequacy decisions (Sect. 4.3.1.2), the management of the adequacy assessment (Sect. 4.3.1.3), and instruments providing appropriate safeguards (Sect. 4.3.1.4).

3.1.1 Adequacy Decisions

The EU system for data transfers interferes with the MFN treatment obligation in so far as adequacy decisions by the European Commission lead to situations in which services and service suppliers in some WTO members are treated less favorably than services and service suppliers in other states. Where the Commission decides that a third country provides an adequate level of protection for personal data according to Article 45 GDP, services and services suppliers from that third country benefit from the possibility to transfer personal data without any specific authorization. Services and service suppliers in WTO members without an adequacy decision must have recourse to other legal mechanisms for their data transfers. An interference with the MFN treatment obligation may occur with regard to services and service suppliers that require systematic, structural, and continuous cross-border flows of personal data (Sect. 4.3.1.1.1) but also with regard to services and service suppliers that only require occasional cross-border flows of personal data (Sect. 4.3.1.1.2).³³⁷

3.1.1.1 Services with Systematic Flows of Personal Data

Service suppliers in a WTO member without an adequacy decision that require systematic, structural, and continuous cross-border flows of personal data for their services have to rely on instruments providing appropriate safeguards according to Article 46 GDPR to transfer personal data from the EU to their home country. In such cases, services and service suppliers are treated less favorably than like services and service suppliers from third countries with an adequacy decision. It is not sufficient under Article II:1 GATS to accord a WTO member similar treatment to that accorded to another state.³³⁸ By virtue of the MFN treatment obligation, any WTO member must be given exactly the same treatment as any other state.³³⁹ The use of instruments providing appropriate safeguards is more burdensome than transferring personal data on the basis of an adequacy decision.³⁴⁰ The concept of treatment no less favorable in Article II:1 GATS focuses on a measure’s modification of the conditions of competition.³⁴¹ Any evidence that the EU intruded into the competitive relationship between services or service suppliers satisfies that legal standard and establishes treatment less favorable under Article II:1 GATS. It is more costly for services and service suppliers to use instruments providing appropriate safeguards than relying on an adequacy decision. The instruments in Article 46 GDPR are less flexible, they entail additional obligations, and require ongoing legal management. The requirement to use those instruments creates a competitive disadvantage for services and service suppliers in WTO members without an adequacy decision. This constitutes treatment less favorable. The EU does not immediately and unconditionally accord to those services and service suppliers treatment no less favorable than that it accords to like services and service suppliers in states with an adequacy decision. This constitutes an interference with the MFN treatment obligation in Article II:1 GATS.³⁴²

Carla Reyes argues that there is less favorable treatment for services and service suppliers in the specific situation where a WTO member’s claim of adequacy has been rejected compared to like services and service suppliers from those states for which adequacy remains undetermined.³⁴³ Svetlana Yakovleva and Kristina Irion disagree because the available legal mechanisms for the transfer of personal data in the GDPR for a country with a negative adequacy decision by the Commission and for countries whose data protection regime have never been assessed are the same, i.e. the instruments providing appropriate safeguards according to Article 46 GDPR.³⁴⁴ Yakovleva and Irion also add that this is a highly hypothetical scenario because the Commission has never issued a single negative adequacy decision so far.³⁴⁵ It must be added that there might in fact be consequences for the available data transfer mechanisms should the Commission, or a supervisory authority, or the ECJ, find that the level of protection for personal data that is transferred from the EU to a third country, is not essentially equivalent to that guaranteed within the EU. The instruments providing appropriate safeguards in Article 46 GDPR can only be used if they comply with the right to continuous protection of personal data. They are not available for the transfer of personal data to third countries in which they cannot ensure a level of protection for personal data that is essentially equivalent to that guaranteed within the EU.

3.1.1.2 Services with Occasional Flows of Personal Data

Without an adequacy decision, services and service suppliers that only require occasional cross-border flows of personal data from the EU will usually rely on the derogations in Article 49 GDPR. In such cases, services and service suppliers are treated less favorably than like services and service suppliers from states with an adequacy decision. The use of the derogations creates a competitive disadvantage for services and service suppliers in WTO members without an adequacy decision because of the additional burden to comply with the conditions of the derogations.³⁴⁶ Services and service suppliers from a state with an adequacy decision may transfer personal data without any further requirements. This amounts to treatment less favorable and constitutes an interference with the MFN treatment obligation in Article II:1 GATS.

3.1.2 Special Framework Adequacy Decisions

The EU adopted some adequacy decisions for special frameworks with third countries such as the invalidated Decision 2000/520, the Safe Harbor adequacy decision, or Decision (EU) 2016/1250, the Privacy Shield adequacy decision. The EU already has plans to adopt a new special framework adequacy decision regarding the US called the Transatlantic Data Privacy Framework.³⁴⁷ Special framework adequacy decisions must be assessed separately under WTO law. Although these adequacy decisions have the same effect as regular adequacy decisions with regard to the modification of the conditions of competition for services and service suppliers from third countries without an adequacy decision, the justification for the interference with the MFN treatment obligation under the general exceptions in Article XIV GATS will be different. This is because special framework adequacy decisions are often tailor-made decisions for countries that otherwise would not necessarily qualify for a regular adequacy decision.

Perry Keller has argued that that the more lenient treatment for an adequacy finding with such special framework adequacy decisions—a privilege only so far given to the US—in effect afforded the US more favorable treatment compared to other third countries.³⁴⁸ This argument focuses on the management of the adequacy procedure by the Commission and not on the competitive advantages that the enactment of an adequacy decision can produce for certain countries and not for others. This argument is relevant under Article VI:1 GATS on domestic regulation.

3.1.3 Adequacy Assessment

Some scholars have focused on the adequacy assessment in their analyses of the MFN treatment obligation in Article II:1 GATS. First, Stefano Saluzzo argues that the EU would be able to claim that there is no interference with the MFN treatment obligation because all WTO members are on equal footing concerning the access to an adequacy assessment (Sect. 4.3.1.3.1). Second, Eric Shapiro and Carla Reyes claim that irregularities in the management of the adequacy assessment may amount to an infringement of the MFN treatment obligation (Sect. 4.3.1.3.2).

3.1.3.1 Access

The panel in EC – Bananas III (Article 21.5 – Ecuador) maintained that the EC had treated Ecuador less favorably than other WTO members because Ecuador’s service suppliers did “not have opportunities to obtain access to import licences on terms equal to those enjoyed by service suppliers of EC/ACP origin.”³⁴⁹ Stefano Saluzzo used this finding to show that the EU could rebut a prima facie case that the EU’s handling of adequacy decisions constitutes a de facto interference with the MFN treatment obligation.³⁵⁰ He argued that “the EU would be able to claim that no violation of the MFN clause occurred in relation to data transfer restrictions, since every country is on an equal footing as far as the adequacy assessment is concerned.”³⁵¹

I am of the opinion that the situation in EC – Bananas III (Article 21.5 – Ecuador) cannot be applied to adequacy decisions. Saluzzo is right to point out that any country is on equal footing to (informally) ask for an adequacy decision. In that regard, any country has the opportunity to obtain access to an adequacy assessment on terms equal to those enjoyed by other countries. However, in EC – Bananas III (Article 21.5 – Ecuador), access to import licenses on equal terms would automatically have created equal competitive opportunities and erased the less favorable treatment. This is different with respect to adequacy decisions. Access to an adequacy assessment does not automatically create equal competitive opportunities. Access to an adequacy assessment does not erase the less favorable treatment because it does not guarantee a favorable outcome in the form of an adequacy decision.

The argument brought forward by Saluzzo would imply that there is an aims-and-effect test in Article II:1 GATS. Only considering the aim of the EU’s fundamental rights-based regulation of data transfers under Article II:1 GATS would justify that some countries receive a positive adequacy decision, while others do not. According to the aims-and-effect test, a measure will not be considered as discriminating if the aim of the measure is not discriminatory, even if the result is discriminatory.³⁵² This is basically what Saluzzo noted when he wrote that “the EU would be able to claim that no violation of the MFN clause occurred in relation to data transfer restrictions, since every country is on an equal footing as far as the adequacy assessment is concerned.”³⁵³ The AB stated clearly in EC – Bananas III that there is no authority in Article II:1 GATS for the proposition that the aims and effects of a measure are in any way relevant in determining whether that measure is inconsistent with the MFN treatment obligation.³⁵⁴ In Argentina – Financial Services, the AB underlined that the legal standard for the concept of treatment no less favorable in Article II:1 GATS focuses on the modification of the conditions of competition and that this legal standard does not include a separate and additional inquiry into the regulatory objective of, or the regulatory concerns underlying, the contested measure.³⁵⁵

3.1.3.2 Management

Some scholars have claimed that there is less favorable treatment between services and service suppliers in different WTO members because the management of the adequacy assessments lacks consistency.³⁵⁶ For example, Eric Shapiro argued that there is an interference with the MFN treatment obligation because the EU offered the US much less rigorous terms and that the (invalidated) Safe Harbor adequacy decision required much less of the US than the EU required of Hungary or Australia.³⁵⁷ Similarly, Carla Reyes argued that services and service suppliers from Australia have been afforded less favorable treatment than like services and service suppliers from other countries where the Article 29 WP also made determinations of inadequate data protection standards, such as for the US and Canada.³⁵⁸

These arguments are based on the fact that the application of the adequacy mechanism may amount to an interference with the MFN treatment obligation.³⁵⁹ They primarily focus on the management of the adequacy assessment by the Commission and not on the advantages that the enactment of an adequacy decision can produce for certain countries and not for others. These arguments are rather relevant under Article VI:1 GATS on domestic regulation, which concerns the administration of a measure, than under Article II:1 GATS, which focuses on the conditions of competition.

3.1.4 Appropriate Safeguards

Where no adequacy decision is in place and where the instruments providing appropriate safeguards in Article 46 GDPR are not available either, service suppliers that require systematic, structural, and continuous cross-border flows of personal data for their services cannot rely on any other legal mechanism in the GDPR. Such situations may arise in cases in which a supervisory authority in an EU member state uses its corrective powers and imposes a temporary or definitive limitation including a ban on processing of personal data in the form of data transfers to a third country according to Article 58(2)(f) GDPR or suspends data flows to a recipient in a third country according to Article 58(2)(j) GDPR.³⁶⁰ In such cases, services and service suppliers are treated less favorably than like services and service suppliers from countries in which the use of the instruments in Article 46 GDPR are generally possible. This modifies the conditions of competition in favor of services and service suppliers from these countries. The EU does not immediately and unconditionally accord treatment no less favorable. This interferes with the MFN treatment obligation in Article II:1 GATS.

3.2 Domestic Regulation

Article VI GATS on domestic regulation balances trade liberalization with the right of WTO members to regulate. Some of the requirements for domestic regulation in Article VI GATS are relevant for the EU system for data transfers. This concerns the procedural requirements in Paragraph 1 that relate to the administration of a measure (Sect. 4.3.2.1) and the requirements in Paragraph 2 that relate to judicial, arbitral or administrative mechanisms for the review of measures at the request of an affected service supplier (Sect. 4.3.2.2). Contrary to the claims of some scholars, the other requirements in Article VI GATS are not relevant for the EU system for data transfers. This concerns Paragraph 3 relating to authorization requirements (Sect. 4.3.2.3) and Paragraphs 4 and 5 relating to qualification procedures, technical standards, and licensing requirements (Sect. 4.3.2.4).

3.2.1 Administration of Measures

Article VI:1 GATS relates to the administration of measures.³⁶¹ The requirements for domestic regulation in Article VI:1 GATS oblige WTO members to administer measures of general application affecting trade in services in sectors where specific commitments are undertaken in a reasonable, objective, and impartial manner. A measure of general application covers a range of cases and situations and thus affects an unidentified number of economic operators.³⁶² The GDPR in general, and the regulation of data transfers specifically, can be considered a measure of general application as they cover all transfers of personal data from the EU to third countries and thus affect an unidentified number of economic operators.³⁶³ The aim of Article VI:1 GATS is to promote the principles of consistency and predictability in the application of domestic measures, so as to avoid adverse effects on the business performance of foreign service suppliers. The regulation of data transfers in the EU should be dealt with according to the different ways and procedures it is applied rather than the degree of the restrictions imposed.³⁶⁴ Potential problems with the administration may occur with regard to regular adequacy decisions (Sect. 4.3.2.1.1), special framework adequacy decisions (Sect. 4.3.2.1.2), standard data protection clauses (Sect. 4.3.2.1.3), BCRs (Sect. 4.3.2.1.4), derogations (Sect. 4.3.2.1.5), and overlapping requirements due to the geographical scope of application of the GDPR (Sect. 4.3.2.1.6).

3.2.1.1 Adequacy Decisions

The administration of the regulation for data transfers in the EU potentially faces four problems regarding adequacy decisions and Article VI:1 GATS. The number of adequacy decisions (Sect. 4.3.2.1.1.1), the selection of countries for adequacy decisions (Sect. 4.3.2.1.1.2), the consistency of the adequacy assessment (Sect. 4.3.2.1.1.3), and the procedures of the adequacy assessment (Sect. 4.3.2.1.1.4).

3.2.1.1.1 Number of Adequacy Decisions

A first problem relates to the number of countries that receive an adequacy decision. Carla Reyes has argued that the EU has had difficulties in explaining why the current selection of countries with an adequacy decision—14 in total under the GDPR—is reasonable given the more than 140 other countries that continue to import personal data from the EU in the absence of an adequacy decision.³⁶⁵

The administration of a measure is reasonable if it is in accordance with generally accepted standards of rationality and sound judgment.³⁶⁶ There must be a rational reason for the conduct in question.³⁶⁷ Apart from the fact that adequacy decisions are only available for countries that provide a level of protection of personal data that is essentially equivalent to that guaranteed within the EU, it would require a huge amount of effort on the part of the European Commission to maintain 100 or more adequacy decisions. The GDPR entails extensive obligations regarding their monitoring and review.³⁶⁸ These obligations are necessary to comply with the right to continuous protection of personal data. It is reasonable that the Commission has been slow to extend the number of adequacy decisions as the necessary assessments and negotiations for an adequacy decision are complicated and lengthy.

This is supported by the fact that the GDPR provides alternative legal mechanisms for the transfer of personal data for WTO members that do not yet have an adequacy decision yet provide a level of protection of personal data that is essentially equivalent to that guaranteed within the EU. The instruments providing appropriate safeguards in Article 46 GDPR allow the same kind of data transfers as adequacy decisions. The lack of an adequacy decision thus has no impact on the kind of transfers of personal data from the EU to a third country, but it is more burdensome to use the instruments in Article 46 GDPR. A prima facie case of compliance with Article VI:1 GATS could be rebutted when a complainant shows that there are many WTO members without an adequacy decision that provide a level of protection for personal data that is essentially equivalent to that guaranteed within the EU and that the EU consciously avoids granting them an adequacy decision or even enter into the procedures to adopt one. I do not find that this is currently the case, but I submit that such a situation would amount to an unreasonable administration of the EU regulation of data transfers and as such would interfere with the standards of Article VI:1 GATS.

3.2.1.1.2 Selection of Countries for Adequacy Decisions

A second problem relates to the selection of countries that receive adequacy decisions. Svetlana Yakovleva and Kristina Irion have submitted that the country-by-country adequacy assessment falls short of the impartiality and objectivity standard in Article VI:1 GATS.³⁶⁹ They argue that there are no formal criteria on when and how third countries’ data protection regimes are to be assessed for their adequacy. They underline that adequacy decisions do not seem to rely on a legal-only assessment and may not be considered even-handed.

The administration of a measure is not impartial if the application is unfair, biased or prejudiced.³⁷⁰ For the administration of a measure to be objective, it may not be arbitrary.³⁷¹ According to the OED, “arbitrary” means “derived from mere opinion or preference” and “not based on the nature of things.”³⁷² While it is true that there are certain indications for preferential treatment of countries with regard to adequacy decisions, none of these indications amount to a biased application of the EU’s regulation of data transfers in general, and adequacy decisions specifically. I have shown that neither geographical nor economic factors seem to be coherently applied for preferential treatment with regard to adequacy decisions.³⁷³ Yakovleva and Irion point out that there are no formal criteria on when and how third countries’ data protection regimes are to be assessed for their adequacy, but the Commission has a strategy for adequacy decisions with informal criteria.³⁷⁴ The strategy puts third countries at a disadvantage if they are not negotiating a trade agreement with the EU, could be dangerous for the outsourcing of data processing operations, and are neither geographically nor culturally close to the EU.³⁷⁵ But even this strategy allows the consideration of countries that are potentially at a disadvantage if they are data protection champions and serve as a role model for other third countries. This would underline that the country-by-country adequacy assessment is not unfair nor prejudiced, but actually based on the nature of things, i.e., the protection for personal data that is essentially equivalent to that guaranteed within the EU.

I thus argue that the administration of the EU regulation of data transfers regarding the selection of countries that receive an adequacy decision does not interfere with the standards in Article VI:1 GATS. An exception to that submission would concern a country that is constantly denied an adequacy decision even when it is widely acknowledged—over a substantial period of time—that it provides a level of protection for personal data that is essentially equivalent to that guaranteed within the EU. There does not, however, seem to be a WTO member to which this description applies.

3.2.1.1.3 Consistency of Adequacy Assessments

A third problem relates to the consistency of adequacy assessments. Some content-related inconsistencies have been mentioned above.³⁷⁶ Yakovleva and Irion have specifically highlighted that not all of the Commission’s adequacy decisions require that the third country restricts the onward transfer of personal data to countries without adequate protection.³⁷⁷ Even though the GDPR now entails more detailed requirements for adequacy decisions, including rules for the onward transfer of personal data, such inconsistencies in the adequacy assessment under Directive 95/46/EC may put into question the impartiality of the administration of the EU system for data transfers with regard to adequacy decisions.³⁷⁸ In spite of this, it has to be noted that in order to constitute a violation of Article VI:1 GATS, there must be “a significant impact on the overall administration of the law, and not simply on the outcome in the single case in question.”³⁷⁹ The EU’s more recent adequacy decisions have been much more carefully drafted and the new detailed requirements in the GDPR leave less room for such inconsistencies, if any at all. It would thus be difficult to argue that the mentioned content-related inconsistencies have a significant impact on the overall administration of the EU system for data transfers with regard to adequacy decisions and not just on the single case in question. This is especially true when considering that under the GDPR all adequacy decisions must be reviewed every four years, which includes the adequacy decisions taken under Directive 95/46/EC.³⁸⁰ I thus conclude that the administration of the EU regulation of data transfers with regard to the consistency of adequacy assessments does not interfere with the high standards in Article VI:1 GATS.

3.2.1.1.4 Procedures of the Adequacy Assessment

A fourth problem relates to the procedures of adequacy assessments. The Commission oversees all adequacy decisions. There are no formal procedures third countries can pursue to apply for an adequacy decision. Consequently, the informal ways in which the EU deals with inquires for an adequacy decision may be susceptible to interferences with Article VI:1 GATS.

The Commission has never issued a negative adequacy decision. However, Australia received a negative adequacy assessment from the Article 29 WP and the four African countries Burkina Faso, Mauritius, Tunisia, and Morocco all received negative adequacy assessments from an academic institution in the EU tasked to research the level of data protection in these countries.³⁸¹ The administration of a measure is not impartial if the application is unfair, biased or prejudiced.³⁸² The mentioned example do not show prejudice because there is some form of assessment even if it is not by the same institution for all inquiring countries, and even if it is not followed by a final administrative decision when the preliminary results of the assessment are negative. Article VI:1 GATS does not require the EU to issue negative administrative decisions in order for the EU system for data transfers to be fair with regard to adequacy decisions.³⁸³

Jennifer Stoddart, Benny Chan, and Yann Joly underline that the ad hoc and discretionary manner in which the Article 29 WP, the EDPB and the Commission seek clarifications and broker deals for adequacy decisions “speaks volumes about the consistency and predictability of adequacy assessments” and therefore seems to be arbitrary at times.³⁸⁴ It has also been mentioned above that some countries receive more active support in order to reach an adequacy decision.³⁸⁵ Nevertheless, any claim about impartiality here is highly unlikely to succeed because this extra support does not have a significant impact on the overall administration of the EU’s regulation of data transfers with regard to adequacy decisions, but rather on the outcome of the single case in question.³⁸⁶ In consequence, I argue that the administration of the EU system for data transfers with regard to the procedures of the adequacy assessment does not interfere with the standards in Article VI:1 GATS.

3.2.1.2 Special Framework Adequacy Decisions

The administration of the EU’s regulation for data transfers also faces a problem with special framework adequacy decisions such as the invalidated Decision 2000/520, the Safe Harbor adequacy decision, or the invalidated Decision (EU) 2016/1250, the Privacy Shield adequacy decision, and Article VI:1 GATS. Special framework adequacy decisions are tailor-made decisions for countries that otherwise would not necessarily qualify for a regular adequacy decision. After the invalidation of the Privacy Shield adequacy decision by the ECJ in Schrems 2, there are no special framework adequacy decisions in force anymore. However, the European Commission already negotiated a new special framework for an adequacy decision with the US and initiated the process to adopt the corresponding adequacy decision.³⁸⁷ If this adequacy decision is adopted, then other WTO members that may not necessarily qualify for an adequacy decision either—and have not been able to negotiate such a special framework—could claim that the administration of the EU system for data transfers with regard to special framework adequacy decisions is not compatible with Article VI:1 GATS because it is not impartial. These countries could also claim that there is a significant impact on the overall administration of the EU system for data transfers because the special framework adequacy decisions are an additional mechanism for data transfers which is not available to them.³⁸⁸ Accordingly, the administration of the EU’s regulation of data transfers with regard to special framework adequacy decisions would not comply with Article VI:1 GATS.

3.2.1.3 Standard Data Protection Clauses

The administration of the EU’s regulation of data transfers could also have a problem with regard to the standard data protection clauses and Article VI:1 GATS. Control over continuous protection for personal data in relation with standard data protection clauses lies primarily with the supervisory authorities of the EU member states.³⁸⁹ Each of them is vested with the power to examine whether data transfers from its home EU member state to a third country on the basis of standard data protection clauses comply with the requirements laid down in the GDPR and the right to continuous protection of personal data in Article 8 CFR. If data transfers do not comply with these requirements, the supervisory authorities must use their corrective powers such as the imposition of a temporary or definitive limitation according to Article 58(2)(f) GDPR or the suspension of data flows to a recipient in a third country according to Article 58(2)(j) GDPR.

There is a risk that some transfers of personal data to a third country on the basis of standard data protection clauses could be permitted in one EU member state but suspended or banned in another depending on whether the responsible supervisory authority had investigated issues surrounding the transfer of personal data to that third country, or had reached a different conclusions regarding the violation of the requirements in the GDPR and Article 8 CFR.³⁹⁰ The risk that the approaches taken by the different supervisory authorities can be fragmented is inherent in the decentralized structure for supervision intended by the EU legislator.³⁹¹ That risk is somewhat mediated with the voluntary consistency mechanism in Article 64(2) GDPR, which enables supervisory authorities to request an opinion from the EDPB when deciding to suspend or ban data transfers to a third country. Regular opinions of the EDPB are not legally binding, but they carry considerable weight. It can be expected that supervisory authorities will follow an EDPB opinion regarding the suspension or ban of data transfers to a third country. The EDPB also has the option to adopt a legally binding decision under Article 65(1)(c) GDPR, should a supervisory authority not follow an opinion of the EDPB.³⁹² Even though this voluntary mechanism is in place, the risk remains that some transfers of personal data to a third country on the basis of standard data protection clauses could be permitted in one EU member state but suspended or banned in another.

I therefore argue that a fragmented application of the corrective powers of supervisory authorities with regard to data transfers on the basis of standard data protection clauses would allow for a successful claim under the objective and/or impartial standard of Article VI:1 GATS. This is especially true since the assessment of an interference with Article VI:1 GATS may also involve an examination of the impact on the competitive situation due to alleged partiality in the application of a law or regulation.³⁹³ The voluntary consistency mechanism in Article 64(2) GDPR and the power of the EDPB to adopt a legally binding decision in Article 65(1)(c) GDPR should be used in order to prevent any incompatibility with Article VI:1 GATS.

3.2.1.4 BCRs

The administration of the EU’s regulation of data transfers regarding BCRs and Article VI:1 GATS is not as problematic compared to standard data protection clauses. Control over continuous protection for personal data through BCRs also primarily lies with the supervisory authorities of the EU member states.³⁹⁴ The mechanism to approve BCRs allows the responsible supervisory authority the possibility to prohibit data transfers to third countries where interferences with the right to continuous protection for personal data might occur. The approval of BCRs is subject to the mandatory consistency mechanism in Article 63 GDPR.³⁹⁵ This mechanism supports a consistent administration of the EU system for data transfers with regard to BCRs that is compatible with Article VI:1 GATS.

3.2.1.5 Derogations

The administration of the EU’s regulation of data transfers regarding derogations under Article 49 GDPR and Article VI:1 GATS is also unproblematic. Andrew D. Mitchell and Jarrod Hepburn have submitted that there is a likelihood that the requirement to obtain consent before transmitting personal information across borders violates the domestic regulation obligation in Article VI GATS.³⁹⁶ In their argument they refer to Usman Ahmed and Anupam Chander who in turn have argued that there are difficulties in obtaining consent when it comes to devices that capture information about more than one person.³⁹⁷ While it may be a valid point that a framework that requires consent for systematic, structural, and continuous data transfer is unreasonable, the derogations under Article 49 GDPR can only be used for occasional data transfers anyway. Even though Usman and Chander also stated that “[w]e do not typically require a special consent before a consumer purchases a good, or even food, from a foreign source,” a consent requirement is reasonable with regard to occasional data transfers because, contrary to the mentioned examples, the purchase of a service such as supplied by travel agencies, or digital medical diagnosis services, or legal services requires processing of personal data.³⁹⁸ The requirement of an agreement from the data subject for occasional data transfers based either on consent according to Article 49(1)(a) GDPR or on a contract according to Article 49(1)(b) GDPR is not unreasonable and therefore compatible with Article VI:1 GATS.

3.2.1.6 Overlapping Requirements

There is an additional element that must be considered when analyzing the administration of the EU’s regulation of data transfers according to Article VI:1 GATS. Svetlana Yakovleva and Kristina Irion have stressed that the regulation of data transfers and the provisions on the geographical scope of application in the GDPR create two sets of overlapping requirements that are not coordinated with each other.³⁹⁹ According to Article 3(2)(a) GDPR, the regulation also applies to the processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU in cases in which the processing activities are related to the offering of services to data subjects in the EU irrespective of whether a payment of the data subject is required.⁴⁰⁰ A service supplier in a WTO member without an adequacy decision whose services require data transfers from the EU must thus potentially comply with the regulation of data transfers and the other rules of the GDPR at the same time. I therefore conclude that the overlapping requirements are reasonable with regard to Article VI:1 GATS.⁴⁰¹ The safeguards for personal data provided by the EU’s regulation of data transfers are necessary to prevent the circumvention of EU law.⁴⁰² I thus argue that the administration of the EU regulation of data transfers as a measure to prevent the circumvention of EU law taken together with the provisions on the geographical scope of application in the GDPR, does not interfere with accepted standards of rationality and sound judgment.⁴⁰³ It is consistent with Article VI:1 GATS.

3.2.2 Judicial, Arbitral or Administrative Mechanisms

Article VI:2(a) GATS relates to the administration of justice.⁴⁰⁴ The requirements for domestic regulation in Article VI:2(a) GATS oblige WTO members to maintain practicable, judicial, arbitral or administrative tribunals or procedures that provide, at the request of an affected service supplier—and where justified—appropriate remedies for administrative decisions affecting trade in services. Potential problems with the administration of justice regarding the EU’s fundamental rights-based regulation of data transfers may occur with regard to adequacy decisions (Sect. 4.3.2.2.1), standard data protection clauses (Sect. 4.3.2.2.2), and BCRs (Sect. 4.3.2.2.3).⁴⁰⁵

3.2.2.1 Adequacy Decisions

Adequacy decisions face a potential problem with Article VI:2(a) GATS. Stefano Saluzzo has submitted that a rejection of an adequacy assessment may not easily be subject to judicial scrutiny in the EU.⁴⁰⁶ Saluzzo has argued that a positive adequacy assessment is adopted in the form of an “implementing act,” the legitimacy of which can be verified by the ECJ, whereas in case of a negative adequacy assessment no formal act is actually made.⁴⁰⁷ There is no right to an adequacy assessment under EU law.⁴⁰⁸ Consequently, there is no obligation for the European Commission to issue a negative adequacy decision under EU law when a third country does not provide an adequate level of protection for personal data. Negative adequacy assessments were/are either issued by the Article 29 WP, the EDPB or an academic institution tasked to research the level of protection for personal data in a third country.⁴⁰⁹ The reports that contain negative adequacy assessments are not legally binding and do not constitute administrative decisions according to Article VI:2(a) GATS. In the absence of an administrative decision, ArticleVI:2(a) GATS does not oblige the EU to maintain review procedures and remedies. There is no interference with Article VI:2(a) GATS.

3.2.2.2 Standard Data Protection Clauses

The procedures surrounding standard data protection clauses satisfy the requirements in Article VI:2(a) GATS. Every natural and legal person has the right to an effective judicial remedy against a legally binding decision of a supervisory authority concerning them based on Article 78(1) GDPR. This also covers a decision of a supervisory authority to impose a temporary or definitive limitation or ban on processing of personal data according to Article 58(2)(f) GDPR or the suspension of data flows to a recipient in a third country according to Article 58(2)(j) GDPR. The proceedings against a supervisory authority must be brought before the courts of the EU member state in which the supervisory authority is established according to Article 78(3) GDPR. There is no interference with Article VI:2(a) GATS.

3.2.2.3 BCRs

The procedures surrounding BCRs satisfy the requirements in Article VI:2(a) GATS. The right of every legal person to an effective judicial remedy against a legally binding decision of a supervisory authority in Article 78(1) GDPR also covers the decisions of a supervisory authority not to approve BCRs. The proceedings against the supervisory authority must be brought before the courts of the EU member state in which the supervisory authority is established according to Article 78(3) GDPR. Where the proceedings are brought against a decision of a supervisory authority which was preceded by an opinion of the EDPB according to the consistency mechanism, such as in the case of the approval of BCRs, the opinion must be forwarded to the responsible court based on Article 78(4) GDPR. In these cases, there is no interference with Article VI:2(a) GATS.

3.2.3 Authorization Requirements

Article VI:3 GATS relates to authorization requirements for the supply of a service on which a specific commitment has been made. Where such authorization requirements are in place, Article VI:3 GATS obliges WTO members to inform applicants of the decision concerning the status of their application. Carla Reyes claims that the regulation of data transfers in the EU interferes with this provision to the extent that countries initially determined to provide inadequate data protection standards remain uninformed of opportunities to rectify their status, and countries for which no determination has been made remain uninformed of the investigation timeline.⁴¹⁰ This claim is wrong because the regulation of data transfers in the EU does not constitute an authorization requirement for the supply of services.⁴¹¹ Article VI:3 GATS does not apply to the EU system for data transfers.

3.2.4 Qualification Procedures, Technical Standards and Licensing Requirements

Article VI:4 and Article VI:5 GATS relate to qualification procedures, technical standards, and licensing requirements. Shin-Yi Peng claims that these paragraphs apply to the rules on the protection of personal data because they constitute technical standards within the meaning of Article VI GATS.⁴¹² Peng argues that according to WTO negotiating papers, technical standards are measures that lay down the characteristics of a service or the manner in which it is supplied.⁴¹³ The regulation of data transfers in the EU, however, determines how personal data can be transferred from the EU to a third country. While it affects the supply of services, it does not lay down the characteristics of a service or the manner in which it is supplied.⁴¹⁴ Paragraphs 4 and 5 of Article VI GATS therefore do not apply to the EU system for data transfers.

3.3 Market Access

The market access obligation in Article XVI GATS applies only to the commitments, conditions, and qualifications in the schedule of a WTO member.⁴¹⁵ In sectors in which the EU has undertaken market access commitments, it need not maintain—unless specified in the schedule—limitations on the number of service suppliers according to Article XVI:2(a) GATS and limitations on the total number of service operations or on the total quantity of service output according to Article XVI:2(c) GATS. The analysis of the EU’s fundamental rights-based regulation of data transfers under the market access obligation requires clarifications regarding the relationship of data localization and market access (Sect. 4.3.3.1). It is only possible to determine an interference with Article XVI:2(a) and (c) GATS when looking at specific examples of services that require systematic, structural, and continuous cross-border flows of personal data (Sect. 4.3.3.2) and specific examples of services that require occasional cross-border flows of personal data (Sect. 4.3.3.3). To complete the picture, it is necessary to mention two options to prevent interference with the market access obligation in Article XVI:2(a) and (c) GATS: the EU could either modify its schedule of commitments or the WTO members could conclude the electronic commerce negotiations with a horizontal provision on the protection of personal data and privacy (Sect. 4.3.3.4).

3.3.1 The Relationship Between Data Localization and Market Access

The relationship between data localization and market access has to be clarified before the obligation in Article XVI GATS can be assessed. When cross-border flows of personal data are restricted, foreign service suppliers are required to store and process personal data on servers located in the EU. It is necessary to clarify whether the supply of services in mode 1 (cross-border) includes the ability to store and process personal data in the territory of the WTO member where the service supplier is located (Sect. 4.3.3.1.1). Furthermore, it is necessary to clarify whether the market access obligation covers both quantitative and qualitative implications of data localization on trade in services (Sect. 4.3.3.1.2).

3.3.1.1 Cross-border Supply of Services and Data Localization

When the regulation of data transfers in the EU leads to a restriction on cross-border flows of personal data to a certain country, foreign service suppliers in that country may not export personal data from the EU and store and process it where they are located. This amounts to a data localization requirement. In that case, foreign service suppliers have to store and process personal data in the EU. Should the supply of services in mode 1 (cross-border) include the ability to store and process personal data in the territory of the WTO member in which the service supplier is located, then the market access obligation in Article XVI:2(a) and (c) GATS is affected by the EU’s regulation of data transfers.

The Scheduling Guidelines of 2001 clarify that under mode 1 the “[s]ervice supplier [is] not present within the territory of the Member.”⁴¹⁶ The panel in Mexico – Telecoms relied on the explanatory note on scheduling of initial commitments in trade in services, which states that the supply of a service through telecommunications is an example of cross-border supply “since the service supplier is not present within the territory of the Member where the service is delivered.”⁴¹⁷ This indicates that the cross-border supply of services is not compatible with data localization. Data localization implies a certain presence or operation of the service supplier in the territory of the WTO member where the service is consumed. Daniel Crosby has submitted that where a WTO member makes a full mode 1 commitment, “it may not condition the supply of cross-border services on the services suppliers’ presence or operation within its territory.”⁴¹⁸

This submission is supported by the fact that the supply of services includes the production, distribution, marketing, sale, and delivery of a service according to the definition in Article XXVIII(b) GATS. The storage and processing of personal data can be essential to produce a service. The supply of services in mode 1 (cross-border) therefore includes the ability to store and process personal data in the territory of the WTO member where the service supplier is located. Trade in services under mode 1 thus covers cross-border flows of personal data required to produce services. Data localization hinders this cross-border supply of services.

3.3.1.2 Quantitative and Qualitative Implications of Data Localization

The implications of data localization for the cross-border supply of services can be either quantitative or qualitative in nature. Market access is a legally defined concept that encompasses a limited set of situations that do not entail qualitative elements.⁴¹⁹ The AB has maintained that a measure that totally prohibits the supply of a service constitutes a market access limitation according to Article XVI:2(a) and (c) GATS because it effectively limits to zero the number of service suppliers, service operations, and service output.⁴²⁰ The focus lies on the numerical or quantitative nature of a measure. A zero quota constitutes a market access limitation that takes the form of a numerical quota.⁴²¹

The regulation of data transfers in the EU, however, is not numerical or quantitative in regard to the supply of services. It does not directly prohibit the supply of services. Rather it relates to cross-border flows of personal data and not to the supply of specific services. Nevertheless, the regulation of data transfers may amount to an indirect prohibition for the supply of a service when cross-border flows of personal data are restricted.⁴²² Two types of services that require data transfers need to be distinguished:

• The first type covers services for which the cross-border flow of personal data is an unavoidable element. In this type, the use of personal data, and the corresponding data flows, are a conditio sine qua non for the supply of those services. This creates an interference with the market access obligation in Article XVI:2(a) and (c) GATS whenever the regulation of data transfers in the EU prevents the performance of a service for which cross-border flows of personal data are an unavoidable element.⁴²³ In these cases, the data localization amounts to a zero quota because it effectively limits to zero the number of service suppliers, service operations, and service output.

• The second type covers services which can also be supplied without cross-border flows of personal data. In this type, the use of personal data, and the corresponding data flows, are not unavoidable for the services to be supplied. Such services use personal data, and the corresponding data flows, to improve the quality of the services or to generate additional income. In these cases, the data localization is a qualitative element not encompassed by Article XVI:2(a) and (c) GATS.⁴²⁴

3.3.2 Services with Systematic Flows of Personal Data

Some scholars have submitted that the default prohibition on the transfer of personal data from the EU to third countries with inadequate protection effectively constitutes a zero quota violating the market access obligation in Article XVI:2(a) and (c) GATS.⁴²⁵ Svetlana Yakovleva, Kristina Irion, and Marija Bartl argue that this submission ignores the availability of other legal mechanisms for data transfers.⁴²⁶ They offer a convincing argument, but it needs further differentiation:

In the absence of an adequacy decision, service suppliers may use instruments that provide appropriate safeguards according to Article 46 GDPR for systematic, structural, and continuous cross-border flows of personal data. Nevertheless, this still leaves open situations in which the data exporter has to stop the transfer of personal data from the EU or supervisory authorities in EU member states use their corrective powers and ban or suspend the data transfers in order to comply with the right to continuous protection for personal data in Article 8 CFR. It has to be stressed that the exercise of the powers of supervisory authorities to suspend and prohibit transfers set out in Article 58(2)(f) and (j) of the GDPR is no longer merely an option left to the supervisory authorities’ discretion.⁴²⁷ The data exporter and the supervisory authorities are obliged to ensure compliance with the GDPR and the right to continuous protection for personal data. This could increasingly lead to the unavailability of the instruments that provide appropriate safeguards under Article 46 GDPR for certain transfers of personal data to certain third countries in the future. Especially in cases in which measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data are not available.⁴²⁸ In this situation, the fundamental rights-based regulation of data transfers in the EU potentially interferes with the market access obligations in Article XVI:2(a) and (c) GATS with regard to services that require systematic, structural, and continuous cross-border flows of personal data.

In addition, the availability of derogations for data transfers in Article 49 GDPR cannot preclude an interference with the market access obligation in Article XVI:2(a) and (c) GATS when the services require systematic, structural, and continuous cross-border flows of personal data. The consent-based derogation in Article 49(1)(a) GDPR and the contract-based derogation in Article 49(1)(b) GDPR are not available are only available for services that require occasional cross-border flows of personal data.

I now turn to analyze whether the following services cannot be supplied through mode 1withouth cross-border flows of personal data: cloud computing services (Sect. 4.3.3.2.1), search engine services (Sect. 4.3.3.2.2), social network services (Sect. 4.3.3.2.3), online advertising services (Sect. 4.3.3.2.4), IoT services (Sect. 4.3.3.2.5), and sharing economy platform services (Sect. 4.3.3.2.6).

3.3.2.1 Cloud Computing Services

When cloud computing is not part of another integrated service, it may constitute trade in services itself. There are three different types of cloud computing services that should be individually classified. IaaS may be classified as “Data processing services” (W/120-1.B.c) while PaaS as well as SaaS may be classified as “Software implementation services” (W/120-1.B.b).⁴²⁹ The EU did not schedule any limitations on market access with regard to the cross-border supply of data processing services. Apart from Malta, which remains unbound, the EU member states committed to open their markets to the cross-border supply of data processing services.⁴³⁰ The same is true for software implementation services.⁴³¹

It is difficult to determine whether restrictions on structural, continuous, and systematic cross-border flows of personal data amounts to a zero quota for cloud computing services (regardless of the type). Answering this question requires in-depth knowledge of the industry, the technology, and current practices. It is not possible to give a definitive answer here. There are examples for IaaS that do not involve cross-border flows of personal data such as IaaS in support of cloud-based numerical weather prediction.⁴³² Yet, restrictions on the free flow of personal data across borders drastically limits the possibilities of foreign cloud computing providers to supply IaaS. Nevertheless, I would argue that it does not amount to a zero quota and an interference with the market access obligation in Article XVI:2(a) and (c) GATS because IaaS would be available for a certain segment of the market that does not require personal data. The limitations on the possibilities of foreign cloud computing providers to supply IaaS will be relevant with regard to the modification of the conditions of competition under the national treatment obligation in Article XVII GATS.

It is less clear whether there are also examples for PaaS or SaaS that do not involve cross-border flows of personal data.⁴³³ It should be assumed that there is a valid case for a zero quota for PaaS and SaaS when such data flows are prohibited. In these cases, the fundamental rights-based regulation of data transfers in the EU would constitute an interference with the market access obligation in Article XVI:2(a) and (c) GATS.⁴³⁴

3.3.2.2 Search Engine Services

Search engine services may be classified as “Data base services” (W/120-1.B.c).⁴³⁵ The EU did not schedule any limitations on market access with regard to the cross-border supply of data processing services. Apart from Malta, which remains unbound, the EU member states committed to open their markets to the cross-border supply of data base services.⁴³⁶

Systematic, structural, and continuous cross-border flows of personal data are not necessary for the supply of search engine services. For the delivery of search results, it is not absolutely necessary to process personal data.⁴³⁷ There are examples of search engines that do not collect any personal data from their users, and accordingly do not depend on personal data flows.⁴³⁸ Some search engines use personal data and the corresponding cross-border flows of personal data to improve the quality of their services (targeted search results) and for the supply of other services (online advertising) to generate income. The restriction on the free flow of personal data across borders in such cases is not of numerical or quantitative nature with regard to the supply of services, but a qualitative element not encompassed by Article XVI:2(a) and (c) GATS.

3.3.2.3 Social Network Services

Social network services may also be classified as “Data base services” (W/120-1.B.c).⁴³⁹ The EU did not schedule any limitations on market access with regard to the cross-border supply of data processing services. Apart from Malta, which remains unbound, the EU member states committed to open their market to the cross-border supply of data base services.⁴⁴⁰

Systematic, structural, and continuous cross-border flows of personal data are necessary for the supply of social network services. Social networks are platforms on which individuals interact. Even in cases in which individuals are not identifiable for other visitors of a social network, the suppliers of the social network services still necessarily handle personal data. The restriction on the free flow of personal data across borders amounts to a zero quota for social network services because it effectively limits to zero the number of service suppliers, service operations, and service outputs. In these cases, the fundamental rights-based regulation of data transfers in the EU interferes with the market access obligation in Article XVI:2(a) and (c) GATS.

3.3.2.4 Online Advertising Services

Online advertising services may be classified as “Advertising services” (W/120-1.F.a).⁴⁴¹ The EU did not schedule any limitations on market access with regard to the cross-border supply of advertising services.⁴⁴² All EU member states committed to open their markets to the cross-border supply of advertising services.⁴⁴³

Systematic, structural, and continuous cross-border flows of personal data are not necessary for the supply of online advertising services. For the posting of advertisements, it is not absolutely necessary to process personal data.⁴⁴⁴ Some suppliers of online advertising services use personal data and the corresponding data flows to improve the quality of their services (targeted advertising).⁴⁴⁵ The restrictions on the free flow of personal data in such cases is not of a numerical or quantitative nature with regard to the supply of services, but instead a qualitative element that is not encompassed by Article XVI:2(a) and (c) GATS.

3.3.2.5 IoT Services

The first example for IoT services considered above was internet-connected vehicles.⁴⁴⁶ IoT maintenance services of connected vehicles may be classified as “Maintenance and repair of road transport equipment” (W/120-11.F.d). Most EU member states did not schedule any limitation on market access regarding the cross-border supply of maintenance and repair services of road transport equipment. With the exceptions of Cyprus, the Czech Republic, Finland, Lithuania, Latvia, Malta, Poland, Sweden, and the Slovak Republic—which each remain unbound—all other EU member states committed to open their markets to the cross-border supply of maintenance and repair services of road transport equipment.⁴⁴⁷

Systematic, structural, and continuous cross-border flows of personal data are necessary for the supply of IoT maintenance services of connected vehicles. This kind of service would not be possible without the processing of personal data and the corresponding data flows it requires. Consequently, in these cases the fundamental rights-based regulation of data transfers in the EU interferes with the market access obligation in Article XVI:2(a) and (c) GATS.

The second example for IoT services considered above was smart fridges.⁴⁴⁸ Restocking and ordering food are important services pertaining to smart fridges, but they cannot be classified in any sector and subsector of W/120. IoT restocking services for smart fridges is one of the rare examples of a new service not covered by the W/120. Accordingly, no commitments were scheduled, and the EU member states did not commit to open their markets to the cross-border supply of IoT restocking services for smart fridges. There is thus no interference with the market access obligation in Article XVI:2(a) and (c) GATS.

3.3.2.6 Sharing Economy Platform Services

The first example of a sharing economy platform services considered above was the arrangement of lodging.⁴⁴⁹ Digital lodging arrangement platform services may be classified as “Hotel and restaurant” services (W/120-9.A). Most EU member states did not schedule any limitation on market access regarding the cross-border supply of hotel and restaurant services. With the exceptions of Estonia, Finland, and Hungary, which remain unbound, the EU member states committed to open their market to the cross-border supply of hotel and restaurant services.⁴⁵⁰

Systematic, structural, and continuous cross-border flows of personal data are necessary for the supply of digital lodging arrangement platform services. This kind of service would not be possible without the processing of personal data and the corresponding data flows. The service supplier has to connect users with the hosts, and this is not possible without cross-border flows of personal data when the service is supplied across borders. The EU system for data transfers thus interferes with the market access obligation in Article XVI:2(a) and (c) GATS with such restrictions.

The second example considered above of sharing economy platform services related to the arrangement of transportation.⁴⁵¹ Digital transportation arrangement platform services may be classified as “Passenger transportation” services (W/120-11.F.a). All EU member states remain unbound regarding the cross-border supply of passenger transportation services.⁴⁵² There is no interference with the market access obligation in Article XVI:2(a) and (c) GATS.

3.3.3 Services with Occasional Flows of Personal Data

Occasional cross-border flows of personal data are possible based on contract with Article 49(1)(b) GDPR or based on consent with Article 49(1)(a) GDPR even if the level of protection for personal data is not essentially equivalent to that guaranteed within the EU.⁴⁵³ Both derogations require an agreement by the data subject to the risk of the data transfer. Without the agreement of the data subject, the transfer of personal data may not take place. The examples for services that require occasional cross-border flows of personal data include travel agency services, digital medical diagnosis, and legal services.⁴⁵⁴ They are strongly intertwined with the necessary data transfers. In cases in which the data subject rejects the data transfers, they also essentially reject the cross-border supply of such a service.

Gianpaolo Maria Ruotolo has submitted that this cannot be “compatible with the multilateral trading rules, since it leaves to the will of private individuals the possibility for the EU of respecting international trade obligations.”⁴⁵⁵ Ruotolo does not consider, however, the quantitative nature of the market access obligation in Article XVI:2(a) and (c) GATS. The AB maintained that a measure that totally prohibits the supply of a service constitutes a market access limitation because it effectively limits to zero the number of service suppliers, service operations, and service output.⁴⁵⁶ The contract-based and consent-based derogations do not limit to zero the number of service suppliers, service operation, and service output in cases in which the data subject (which is also the consumer of the service in question) agrees to the data transfers. The consumer decides whether they want a service based on the conditions of the service. This is not a zero quota on the number of service suppliers, service operations, and service output. There is no interference with the market access obligation in Article XVI:2(a) and (c) GATS.

3.3.4 Preventing Interferences

There are two options to prevent an interference with the market access obligation in Article XVI:2(a) and (c) GATS. The first option requires the EU to modify its schedule of commitments and include a reservation concerning the EU system for data transfers (Sect. 4.3.3.4.1). The second option requires that the ongoing e-commerce negotiations conclude with an exception for data protection-based restrictions on cross-border flows of personal data (Sect. 4.3.3.4.2).

3.3.4.1 Modification of the Schedule

Each WTO member specified the terms, limitations, and conditions on market access according to Article XX:1(a) GATS when it joined the WTO. Even though the EC was well aware of data protection issues relating to trade in services when it negotiated the GATS, it did not specify any terms, limitations, and conditions on market access with regard to data protection when it joined the WTO. Presumably, the EC was satisfied with the inclusion of the privacy exception in Article XIV GATS and convinced that it could justify any potential inconsistencies of the developing data protection directive with the market access obligation in Article XVI GATS.⁴⁵⁷

WTO members can modify or withdraw a commitment according to the rules in Article XXI GATS, usually by making concessions in the form of compensatory adjustments in other areas. The EU could add a horizontal reservation for compliance with the GDPR and the Charter (including the regulation of data transfers) in the market access column of its schedule.⁴⁵⁸ Should the EU choose to include such a reservation, it has to notify the Council for Trade in Services three months before the intended date of implementation of the modification.⁴⁵⁹ Any WTO member whose benefits under the GATS might be affected by this modification, could then enter into negotiations with the EU regarding necessary compensatory adjustments.⁴⁶⁰ These adjustments would have to be made on an MFN basis.⁴⁶¹ Without any agreement between the parties on necessary compensatory adjustments, affected WTO members can refer the matter to arbitration.⁴⁶² The findings of the arbitration would be binding for the EU.

Such a modification of the schedule of commitments is nearly unprecedented. The only effort to withdraw a commitment was initiated in 2007 by the US after they lost their case in US – Gambling. The process to find compensatory adjustments is still ongoing.⁴⁶³ As long as the general exceptions in Article XIV GATS can justify an interference with the market access obligation, the modification of commitments seems like an unnecessary and potentially risky undertaking. It is not foreseeable which WTO members might seek compensatory adjustments and what form these adjustments might take or how much it would ultimately cost the EU. There is also the chance that WTO members with a bad track record on data protection issues would use this opportunity to demand further commitments.

3.3.4.2 Electronic Commerce Negotiations

It is still unclear if there will be an outcome of the electronic commerce negotiations and what it will look like. Should the position of the EU on cross-border flows of personal data (or a similar one) prevail and WTO members adopt a new provision on the protection of personal data and privacy, this provision could also legitimate interferences with the market access obligation in Article XVI:2(a) and (c) GATS by the EU system for data transfers. Article 2.8(2) of the EU proposal provides that

Members may adopt and maintain the safeguards they deem appropriate to ensure the protection of personal data and privacy, including through the adoption and application of rules for the cross-border transfer of personal data. Nothing in the agreed disciplines and commitments shall affect the protection of personal data and privacy afforded by the Members’ respective safeguards.⁴⁶⁴

According to this provision, the fundamental rights-based regulation of data transfers in the EU would not affect the market access obligation in Article XVI:2(a) and (c) GATS because nothing in the agreed disciplines and commitments shall affect the protection of personal data and privacy. This provision would amount to a super exception without any chapeau requirements as in Article XIV GATS.

3.4 National Treatment

The national treatment obligation in Article XVII GATS also applies only according to the commitments, conditions, and qualifications in the schedule.⁴⁶⁵ In sectors in which the EU has undertaken national treatment commitments, it must—unless specified in the schedule—accord to foreign services and service suppliers treatment no less favorable than that it accords to like services and service suppliers located in the EU. The analysis of the compatibility of the EU’s regulation of data transfers with the national treatment obligation focuses on adequacy decisions according to Article 45 GDPR (Sect. 4.3.4.1), instruments providing appropriate safeguards in Article 46 GDPR (Sect. 4.3.4.2), and the derogations of Article 49 GDPR (Sect. 4.3.4.3). Just as in the case of interferences with the market access obligation in Article XVI GATS, there are two options to justify an interference with the national treatment obligation in Article XVII GATS. The EU could modify its schedule of commitments or the WTO members could conclude the electronic commerce negotiations with a horizontal provision on the protection of personal data and privacy (Sect. 4.3.4.4).

3.4.1 Adequacy Decisions

Adequacy decisions according to Article 45 GDPR apply equally to cross-border flows of personal data of foreign and domestic service suppliers. Although treatment is identical, adequacy decisions are especially relevant for foreign service suppliers because they need cross-border flows of personal data for the cross-border supply of their services in the EU.⁴⁶⁶

Foreign service suppliers located in a third country with an adequacy decision can use this legal mechanism for their data transfers without any specific authorization. There are no restrictions on the free flow of personal data between the EU and third countries with an adequacy decision. The situation is comparable to the free movement of data on the internal market of the EU.⁴⁶⁷ Competition between foreign and domestic service suppliers is not affected by the EU system for data transfers when a third country has an adequacy decision. There is no interference with the national treatment obligation in Article XVI GATS.

3.4.2 Appropriate Safeguards

The instruments providing appropriate safeguards in Article 46 GDPR also apply equally to foreign and domestic service suppliers for their systematic, structural, and continuous cross-border flows of personal data. Although treatment is identical, the instruments providing appropriate safeguards are especially relevant for foreign service suppliers because they need cross-border flows of personal data for the cross-border supply of their services in the EU. An interference with the national treatment obligation in Article XVII GATS may obviously occur in cases in which instruments providing appropriate safeguards cannot be used (Sect. 4.3.4.2.1) but an interference may also occur in cases in which they can (Sect. 4.3.4.2.2).

3.4.2.1 Appropriate Safeguards Are Not Available

In cases in which foreign service suppliers cannot rely on Article 46 GDPR for their systematic, structural, and continuous cross-border flows of personal data, and the EU has made a positive commitment to grant national treatment, foreign service suppliers are treated less favorably than domestic service suppliers because they have no possibility to make the necessary transfers of personal data.

This is especially true for foreign services and service suppliers for whom cross-border flows of personal data are an unavoidable element. In these cases, there is a modification of the competition between foreign and domestic service suppliers to the detriment of foreign service suppliers when the instruments providing appropriate safeguards in Article 46 GDPR are not available. I thus argue that this constitutes less favorable treatment for foreign service suppliers and thus an interference with the national treatment obligation in Article XVII GATS.⁴⁶⁸ From the list of examples for services that require systematic, structural. and continuous cross-border flows of personal data, this concerns some cloud computing services,⁴⁶⁹ social network services,⁴⁷⁰ IoT maintenance services of connected vehicles,⁴⁷¹ and digital lodging arrangement platform services.⁴⁷²

In the analysis of the market access obligation, I have argued that only the quantitative implications of data localization may lead to an interference with Article XVI GATS because the qualitative implications do not amount to a zero quota for the supply of services. This is different regarding interferences with the national treatment obligation in Article XVII GATS. Foreign service suppliers whose services can also be supplied without cross-border flows of personal data rely on Article 46 GDPR for systemic, structural, and continuous data flows to improve the quality of their services or use them to generate additional income. When the instruments providing appropriate safeguards in Article 46 GDPR are not available, there is consequently a modification of the competition to the detriment of the foreign service suppliers. I thus conclude that this constitutes less favorable treatment and is thus an interference with the national treatment obligation in Article XVII GATS. The relevant examples from the list of services that require systematic, structural, and continuous data transfers highlight how competition is modified to the detriment of the foreign service suppliers. These include: cloud computing service suppliers that cannot offer IaaS to businesses in the EU that require cross-border flows of personal data;⁴⁷³ search engines that cannot use cross-border flows of personal data to customize search results for the users and thus lose an important feature;⁴⁷⁴ and online advertising services that cannot use cross-border flows of personal data to individually target advertisements.⁴⁷⁵

3.4.2.2 Appropriate Safeguards Are Available

In cases in which foreign service suppliers can rely on Article 46 GDPR for systematic, structural, and continuous cross-border flows of personal data, and the EU has made a positive commitment to grant national treatment, foreign service suppliers are still treated less favorably than domestic service suppliers because they have to bear a regulatory double burden. Foreign service suppliers must comply with the conditions for instruments providing appropriate safeguards in addition to the other rules of the GDPR. I would argue that this double burden modifies the competition to the detriment of the foreign service suppliers.⁴⁷⁶ These additional compliance efforts translate into additional costs, which domestic service suppliers do not have to bear. This amounts to an interference with the national treatment obligation in Article XVII GATS for all services that require systematic, structural, and continuous cross-border flows of personal data (in cases in which the EU has committed to national treatment).

3.4.3 Derogations

The derogations in Article 49 GDPR also apply equally to foreign and domestic service suppliers. Although treatment is identical, the derogations in Article 49 GDPR especially affect foreign service suppliers because they depend on cross-border flows of personal data for the cross-border supply of their services in the EU. Many foreign service suppliers thus have to rely on the contract-based derogation in Article 49(1)(b) GDPR or the consent-based derogation in Article 49(1)(a) GDPR for the transfer of personal data, while service suppliers located in the EU can rely on a contract according to Article 6(1)(b) GDPR or on consent according to Article 6(1)(a) GDPR as legal bases for the processing of personal data.

The decisive aspect for less favorable treatment is the modification of the competition to the detriment of the foreign service or service supplier.⁴⁷⁷ There is no detrimental modification of the competition for foreign service suppliers with regard to the contract-based derogation. Article 49(1)(b) GDPR simply requires from foreign service suppliers that data transfers must be necessary for the performance of a contract. The principles of purpose limitation in Article 5(1)(b) GDPR and data minimization in Article 5(1)(c) GDPR impose a similar obligation on service suppliers located in the EU. Furthermore, the transparency requirement in Article 5(1)(a) GDPR and the general information duty in Article 13 GDPR—from which the information duty for foreign service suppliers concerning the risks of the data transfers derives—are also applicable to service suppliers located in the EU. I therefore find that the regulation of data transfers in the EU does not distort the existing market conditions and opportunities in favor of domestic service suppliers with regard to the contract-based derogation in Article 49(1)(b) GDPR because both domestic and foreign service suppliers have to comply with essentially the same obligations under the provisions of the GDPR.

However, it is possible to claim that there are detrimental modifications of the competition for foreign service suppliers with regard to the consent-based derogation. Article 49(1)(a) GDPR requires foreign service suppliers to seek explicit consent from the data subject for data transfers, while service suppliers located in the EU can use regular consent for the processing of personal data.⁴⁷⁸ The GDPR requires explicit consent in situations in which particular data protection risks may emerge, and so, a high individual level of control over personal data is important.⁴⁷⁹ The EU legislator has decided that such high risks appear in the context of international data transfers.

This context might suggest the relevance of Footnote 10 to Article XVII:1 GATS. Footnote 10 stipulates that specific commitments assumed under Article XVII:1 GATS shall not be construed to require any WTO member to compensate for any inherent competitive disadvantages which result from the foreign character of the relevant services or service suppliers. The AB stressed in Argentina – Financial Services that the inherent competitive disadvantages caused by the foreign character of the relevant services or service suppliers under Footnote 10 “must be distinguished from the measure’s impact on the conditions of competition in the marketplace.”⁴⁸⁰ With regard to the consent-based derogation, the competitive disadvantage is imposed by the EU’s regulation of data transfers requiring explicit instead of routine consent for data transfers. This amounts to a de facto discrimination not covered by Footnote 10.

In these cases, foreign service suppliers are placed at a disadvantage because of the additional requirement to seek explicit consent. The term “explicit” refers to the way consent is expressed by the data subject. It means that the data subject must give an express statement of consent.⁴⁸¹ It is evidently an additional burden to obtain such an express statement of consent. The Article 29 WP stated that

[a]n obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future.⁴⁸²

It could be argued that this additional burden of seeking explicit consent only has a minimal effect on the conditions of competition. However, the jurisprudence of the WTO adjudicative bodies does not acknowledge such a de minimis standard for the national treatment obligation. Two panels rejected arguments suggesting that the minimal effect of less favorable treatment should be taken into account.⁴⁸³

Nevertheless, it must be stressed that service suppliers can always rely on the contract-based derogation in Article 49(1)(b) GDPR that complies with the national treatment obligation in Article XVII GATS. From the perspective of examples like travel agencies, digital medical diagnosis, and legal services, the contract-based derogation seems to be an appropriate legal mechanism for the necessary cross-border flows of personal data. Moreover, the whole fundamental rights-based regulation of data transfers in the EU must be seen as the measure affecting trade in service. The availability of a practical alternative within the derogations for occasional data flows thus prevents the distortion of the market conditions in favor of domestic service suppliers. It is unclear whether the WTO adjudicating bodies would follow such an interpretation. The panel in Canada – Autos stated that

The less favourable treatment of imported products which is the result of the denial of the advantage in case of sale or use of imported products is not negated by the fact that the advantage may also be obtained by other means than sale or use of domestic products.⁴⁸⁴

In spite of this, I conclude that there is no interference with the national treatment obligation in Article XVII GATS based on the fact that the EU’s regulation of data transfers as a whole guarantees equality of opportunities to compete in the EU market for both foreign and domestic service suppliers.

3.4.4 Preventing Interferences

There are also two possible ways to prevent interferences with the national treatment obligation. The first option requires the EU to modify its schedule of commitments and to include a reservation concerning the EU system for data transfers. The second option requires the ongoing e-commerce negotiations to conclude with an exception for data protection-based restrictions on cross-border flows of personal data.⁴⁸⁵

In addition to what has been outlined above, it is necessary in the case of the national treatment obligation to refer to Article XX:2 GATS:

Measures inconsistent with both Articles XVI and XVII shall be inscribed in the column relating to Article XVI. In this case the inscription will be considered to provide a condition or qualification to Article XVII as well.

It has been shown that the regulation of data transfers in the EU can be inconsistent with both the market access obligation in Article XVI GATS and the national treatment obligation in Article XVII GATS. To remedy this inconsistency, it would be sufficient to add a horizontal reservation for compliance with the GDPR and the Charter (including the regulation of data transfers) in the market access column of the EU’s schedule of commitments.⁴⁸⁶

3.5 Summary

Two types of interferences with GATS obligations caused by the EU regulation of data transfers can be distinguished. The first type relates to countries without an adequacy decision where the instruments providing appropriate safeguards generally can be used for data transfers. These countries could raise the following three claims:

• Adequacy decisions interfere with the MFN treatment obligation because the EU does not accord treatment no less favorable to services and service suppliers from WTO members without an adequacy decision.

• Special framework adequacy decisions––should one be adopted again (e. g. the Transatlantic Data Privacy Framework between the EU and the US)––interfere with the domestic regulation obligation. Until now, special framework adequacy decisions were negotiated with third countries that would otherwise not qualify for an adequacy decision. This is not impartial and has a significant impact on the overall administration of the EU’s regulation of data transfers.

• Instruments providing appropriate safeguards interfere with the national treatment obligation in cases in which the EU has made specific commitments. Foreign services and service suppliers must comply with the conditions of the instruments providing appropriate safeguards in addition to the other rules of the GDPR.

The second type of interference relates to countries without an adequacy decision where the instruments providing appropriate safeguards generally cannot be used for data transfers. These countries could raise the following four claims:

• The restriction on the use of instruments providing appropriate safeguards interferes with the MFN treatment obligation because the EU does not accord treatment no less favorable to services and service suppliers from WTO members which cannot profit from these instruments.

• The use of corrective powers by supervisory authorities may lead to an interference with the domestic regulation obligation when it results in a fragmentation of EU member states’ policies regarding data transfers. Such fragmentation contradicts the standard of objective and/or impartial administration of a measure.

• The restriction on the use of instruments providing appropriate safeguards interferes with the market access obligation when a service that is covered by the EU’s market access commitments cannot be supplied without systematic, structural, and continuous cross-border flows of personal data. The restriction then amounts to a zero quota because it effectively limits to zero the number of service suppliers, service operations, and service output.

• The restriction on the use of instruments providing appropriate safeguards also interferes with the national treatment obligation because it modifies the conditions of competition to the detriment of foreign services and service suppliers.

4 The Regulation of Data Transfers as a Justifiable Trade Barrier

The interferences with GATS obligations caused by the EU fundamental rights-based regulation of data transfers are subject to exceptions in the GATS. These exceptions may justify the trade barriers erected by the EU. The analysis shows, however, that the economic integration exception in Article V GATS (Sect. 4.4.1) and the security exceptions in Article XIV bis GATS (Sect. 4.4.2) can only be used in certain circumstances. Moreover, the confidentiality exception in Paragraph 5(d) of the Annex on Telecommunications does not cover interferences of the GATS at all (Sect. 4.4.3). The justification focuses on the privacy exception in Article XIV(c)(ii) GATS (Sect. 4.4.4).

4.1 Economic Integration Exception

The departure from the MFN treatment obligation may be justified under the economic integration exception in Article V GATS.⁴⁸⁷ Interferences with the MFN treatment obligation can be assessed in terms of economic integration based on trade agreements. However, it must be noted that an adequacy decision alone does not qualify as an agreement liberalizing trade in services under Article V GATS (Sect. 4.4.1.1). The first interference with the MFN treatment obligation relates to less favorable treatment for services and service suppliers in a WTO member without an adequacy decision. Only under particular circumstances can such an interference be justified under Article V GATS (Sect. 4.4.1.2). The second interference with the MFN treatment obligation relates to less favorable treatment for services and services suppliers in a WTO member where instruments providing appropriate safeguards cannot be used. Such interferences can be difficult to justify under Article V GATS (Sect. 4.4.1.3). Finally, the EU common market cannot be used to justify interferences with the MFN treatment obligation under Article V GATS (Sect. 4.4.1.4).

4.1.1 Adequacy Decisions Are Not Economic Integration Agreement

Adequacy decisions do not constitute an agreement liberalizing trade in services. Instead, they are unilateral acts of the EU and while they may have a liberalizing effect, they do not correspond to the logic of Article V GATS that requires the opening of service sectors to the supply of services in the four modes. Adequacy decisions only concern the transfer of personal data and do not specifically cover the supply of services. Adequacy decisions alone therefore do not qualify for the economic integration exception in Article V GATS.

4.1.2 Adequacy Decision and Economic Integration Agreements

Adequacy decisions are often adopted for third countries that also have some form of an economic integration agreement with the EU. For example, Andorra is a European microstate and widely integrated into the EU common market through an association agreement. Switzerland is also partly integrated in the common market through an array of bilateral agreements; and Japan, Canada, South Korea, and Israel as well as the UK have all concluded trade agreements with the EU.

The first condition in Article V:1(a) GATS requires that all economic integration agreements liberalizing trade in services must have substantial sectoral coverage. The second condition in Article V:1(b) GATS demands the elimination of substantially all discrimination in the sectors covered by granting national treatment to the contracting parties. Adequacy decisions are a tool for the EU to comply with Article V:1(b) GATS because they eliminate national treatment discrimination among services and service suppliers that require cross-border flows of personal data.⁴⁸⁸ Where an adequacy decision was taken for a country that also has an economic integration agreement covering trade in services with the EU, the interference with the MFN treatment obligation could be covered with the requirement to comply Article V:1(b) GATS.

Nevertheless, not all adequacy decisions have been tied to some form of economic integration agreement with the EU. For example, Uruguay and the EU concluded negotiations of a trade agreement at the end of 2019, but the agreement is not yet ratified. Moreover, New Zealand and the EU only started negotiations for a trade agreement in 2018. Furthermore, the partial integration of Switzerland in the common market does not cover trade in services.⁴⁸⁹ Consequently, interferences with the MFN treatment obligation involving these states cannot be justified on the basis of the economic integration exception in Article V GATS.

4.1.3 Appropriate Safeguards and Economic Integration Agreements

Contrary to adequacy decisions, instruments providing appropriate safeguards do not eliminate national treatment discrimination with regard to services and service suppliers that require cross-border flows of personal data.⁴⁹⁰ It is much more difficult to satisfy the second condition in Article V:1(b) GATS concerning the elimination of substantially all discrimination in the sectors covered, by granting national treatment to the contracting parties without an adequacy decision. In addition, there will always be states without an economic integration agreement with the EU. Interferences with the MFN treatment obligation involving these states cannot be justified on the basis of the economic integration exception in Article V GATS.

4.1.4 The Common Market of the EU

Some scholars have argued that the EU common market could be used under the economic integration exception in Article V GATS to justify interferences with the MFN treatment obligation in Article II GATS (Sect. 4.4.1.4.1) and the national treatment obligation in Article XVII GATS (Sect. 4.4.1.4.2).

4.1.4.1 Most-Favored Nations Treatment Violations

Some scholars have implied that the EU common market could be used to justify the interferences with the MFN treatment obligation caused by the EU regulation of data transfers under Article V GATS.⁴⁹¹ However, there seems to be a misunderstanding about the underlying interference with the MFN treatment obligation that needs to be justified. In their explanations, Kristina Irion, Svetlana Yakovleva and Marija Bartl refer to a situation where an EU measure would “accord less favorable treatment to a WTO Member State as compared to an EU Member State.”⁴⁹² Similarly, Federica Velli refers to an interference of the MFN treatment obligation in cases in which an EU member state accords treatment less favorable to services and service suppliers of a non-EU WTO member than that it accords to like services and service suppliers of another EU member state.

What these scholars fail to consider in their arguments is that such a scenario—an EU member state interferes with the MFN treatment obligation because of its less favorable treatment of a non-EU WTO member compared to another EU member state—is only possible if the measure at issue is attributed to the EU member state and not to the EU itself. From the perspective of EU law, it is clear that Article 16 TFEU is the legal basis of the GDPR and that Chapter V GDPR consolidates the legal mechanisms for the transfer of personal data to third countries on the level of the EU. From the perspective of WTO law however, the international responsibility of the EU vis-à-vis that of its member states is decisive. Pursuant to Article 6(1) ARIO complaints that concern the legal acts of EU institutions are regularly attributable to the EU.⁴⁹³ The GDPR is a legal act of the EU. Consequently, the regulation of data transfers is a measure that is attributable to the EU—and not to the member states—under international law. An EU member state cannot be liable under the MFN treatment obligation for treating other EU member states differently than non-EU WTO members on the basis of the GDPR or the Charter. This also extends to decisions of supervisory authorities in the EU member states to suspend or prohibit data transfers because those powers are based on EU law.⁴⁹⁴ The interferences with the MFN treatment obligation concern situations between two non-EU states.⁴⁹⁵ The common market therefore does not provide a justification under the economic integration exception in Article V GATS in these situations.

4.1.4.2 National Treatment Violations

It is controversial whether Article V GATS may be used to justify interferences with GATS obligations other than the MFN treatment obligation.⁴⁹⁶ Svetlana Yakovleva and Kristina Irion submit that the economic integration exception in Article V GATS also applies to interferences with the national treatment obligation, but they do not substantiate how.⁴⁹⁷

However, interferences with the national treatment obligations based on economic integration agreements should be settled according to the procedures under Article XXI GATS. If the members of an economic integration agreement withdraw or modify specific market access or national treatment commitments they have previously made in the area of services, then the procedures under Article XXI GATS require consultations and negotiations with the affected parties regarding compensation.⁴⁹⁸ This implies that interferences with the national treatment obligation cannot find justification under Article V GATS. Such an interpretation is supported by the fact that Article V:5 GATS specifically refers to the procedures of Article XXI GATS if, in the conclusion of an economic integration agreement, a WTO member intends to withdraw or modify a specific scheduled commitment. A representative of Japan also stressed this point in a meeting of the Committee on Regional Trade Agreements:

With regard to paragraph 5 and the chapeau of GATS Article V:1, her delegation considered that the scope of the exemptions granted to EIAS [economic integration agreements] included MFN obligations, but did not include other general obligations of the GATS.⁴⁹⁹

In addition, the panel in Canada – Autos stressed that “it is worth recalling that Article V provides legal coverage for measures taken pursuant to economic integration agreements, which would otherwise be inconsistent with the MFN obligation in Article II.”⁵⁰⁰ Based on these considerations, I argue that the economic integration exception in Article V GATS cannot justify interferences with the national treatment obligation.

4.2 Security Exceptions

The security exceptions allow for the justification of interferences with obligations in the GATS caused by the EU regulation of data transfers only under very particular circumstances. Article XIV bis(1)(b)(iii) GATS requires that the security measure be taken in a time of war or other emergency in international relations. The use of corrective powers by supervisory authorities might meet this requirement if it is made in time of an emergency in international relations. The other interferences with obligations in the GATS identified above cannot satisfy the chronological concurrence that is necessary for a security justification under Article XIV bis(1)(b)(iii) GATS.⁵⁰¹

The panel in Russia – Traffic in Transit defined an emergency in international relations as “a situation of armed conflict, or of latent armed conflict, or of heightened tension or crisis, or of general instability engulfing or surrounding a state.”⁵⁰² There would have to be a very specific situation for the EU to be able to invoke this exception. The situation disclosed by Edward Snowden in the US could be an example. If a massive surveillance program is revealed in a WTO member, it could be possible to qualify it as a situation of heightened tension or crisis. Should a supervisory authority react and use its corrective powers to ban or suspend data transfers, it might be interpretable as a measure taken in a time of an emergency in international relations. However, if it is known for a long period of time that there is massive surveillance program in a WTO member, it would not be possible to qualify it as a situation of heightened tension or crisis to justify measures under Article XIV bis(1)(b)(iii) GATS.

A measure must also be considered necessary for the protection of essential security interests according to Article XIV bis(1)(b)(iii) GATS. It is incumbent on the invoking WTO member to articulate the essential security interests and to demonstrate their veracity.⁵⁰³ What qualifies as a sufficient level of articulation will depend on the situation.⁵⁰⁴ The panel in Russia – Traffic in Transit considered that

the less characteristic is the ‘emergency in international relations’ invoked by the Member, i.e. the further it is removed from armed conflict, or a situation of breakdown of law and public order (whether in the invoking Member or in its immediate surroundings), the less obvious are the defence or military interests, or maintenance of law and public order interests, that can be generally expected to arise. In such cases, a Member would need to articulate its essential security interests with greater specificity than would be required when the emergency in international relations involved, for example, armed conflict.⁵⁰⁵

Following the Snowden example, the EU would have to articulate its essential security interests with great specificity because governmental surveillance in a third country is far removed from armed conflict. The panel in Russia – Traffic in Transit underlined that “essential security interests” is a narrower concept than security interests and may be understood “to refer to those interests relating to the quintessential functions of the state, namely, the protection of its territory and its population from external threats, and the maintenance of law and public order internally.”⁵⁰⁶

Marina Francesca Ferracane has submitted that as long as the surveillance activities do not result in unauthorized access of confidential government, military or critical information that can undermine the sovereignty of third countries, these activities cannot be considered to pose a direct threat to national security.⁵⁰⁷ Similarly, Bruce Schneier finds that it is necessary to distinguish between surveillance and espionage.⁵⁰⁸ While cyber espionage may be related to national security, cyber surveillance is more likely a law enforcement issue.⁵⁰⁹ Only in cases in which governmental surveillance in the respective WTO member also involves cyber espionage would it be possible to claim an essential national security interest.

It must also be underlined that it might not be in the interest of the EU and its member states to use the security exceptions to justify their fundamental rights-based regulation of data transfers in WTO dispute settlement, or in general discourse. Doing so opens the door for other WTO members to do the same for their data transfer regulation, which might not be as deeply rooted in the protection of fundamental rights but rather used as a protectionist tool.

4.3 Confidentiality Exception

The confidentiality exception in Paragraph 5(d) of the Annex on Telecommunications only justifies interferences with the provisions in the Annex on Telecommunications. The Annex recognizes that its provisions relate to and build upon the obligations and disciplines contained in the GATS.⁵¹⁰ Paragraph 1 of the Annex on Telecommunications explicitly states that the Annex provides notes and supplementary provisions to the GATS. Consequently, interferences with the GATS cannot be justified with the confidentiality exception in Paragraph 5(d) of the Annex on Telecommunications.

Should the EU not be successful with the argument that its regulation of data transfers does not directly restrict the use of the internet but only the movement of certain types of information, it can resort to the confidentiality exception in Paragraph 5(d) of the Annex on Telecommunications for interferences with the annex. The exception, however, must be construed narrowly without referring to privacy or data protection considerations.⁵¹¹ If the EU is found to restrict the use of the internet for the movement of information across borders because of surveillance practices in a WTO member that compromise the integrity of messages, then the confidentiality exception is available as a justification as long as the restriction is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade in services.

4.4 General Exceptions

The general exceptions in Article XIV GATS are often used to justify interferences with GATS obligations.⁵¹² The interpretation of the general exceptions has become the core mechanism in WTO law to distinguish between domestic measures that are legitimate and those that are protectionist.⁵¹³ It is important that the aspect of the measure that gives rise to an interference with a GATS obligation is the same as the one addressed under Article XIV GATS.⁵¹⁴ A respondent may not justify the inconsistency of a measure by basing its defense on aspects of a measure different from those that were found to be inconsistent with the GATS.⁵¹⁵ The different interferences with GATS obligations caused by the EU fundamental rights-based regulation of data transfers must therefore be justified independently from each other.⁵¹⁶ This section analyzes the justification for interferences with the MFN treatment obligation (Sect. 4.4.4.1), the domestic regulation obligation (Sect. 4.4.4.2), the market access obligation (Sect. 4.4.4.3), and the national treatment obligation (Sect. 4.4.4.4).

4.4.1 Interference with the MFN Treatment Obligation

The aspects of the EU regulation of data transfers that interfere with the MFN treatment obligation in Article II GATS can be provisionally justified under the privacy exception in Article XIV(c)(ii) GATS (Sect. 4.4.4.1.1),⁵¹⁷ but they encounter challenges under the chapeau of Article XIV GATS (Sect. 4.4.4.1.2).

4.4.1.1 Privacy Exception

Interferences with the MFN treatment obligation must be justified under the privacy exception in Article XIV(c)(ii) GATS. The first interference considered takes place because service suppliers in WTO members without adequacy decisions must rely on the instruments providing appropriate safeguards for their transfers of personal data (Sect. 4.4.4.1.1.1). The second interference considered takes place because service suppliers in WTO members cannot rely on the instruments providing appropriate safeguards either and thus have to use the derogations for their transfers of personal data (Sect. 4.4.4.1.1.2).

4.4.1.1.1 Adequacy Decisions Versus Appropriate Safeguards

The first interference with the MFN treatment obligation in Article II GATS takes place because service suppliers in WTO members without adequacy decisions must use the instruments providing appropriate safeguards for their transfers of personal data. This treats these WTO members unfavorably compared to states with adequacy decisions. The privacy exception requires a demonstration that the respective measure is designed to secure compliance with laws that are not in themselves inconsistent with the GATS.⁵¹⁸ Panels have previously followed a three-step approach, whereby the WTO member invoking such a defense must

(i) identify the laws and regulations with which the challenged measure is intended to secure compliance, and prove that (ii) those laws and regulations are not in themselves inconsistent with WTO law; and (iii) that the measure challenged is designed to secure compliance with those laws or regulations.⁵¹⁹

First, adequacy decisions in Article 45 GDPR are intended to secure compliance with the GDPR and the right to continuous protection for personal data in Article 8 CFR.⁵²⁰ Second, the GDPR and the right to continuous protection of personal data in Article 8 CFR are consistent with WTO law. The panel in Argentina – Financial Services stated that “a Member’s legislation shall be presumed WTO-consistent until proven otherwise.”⁵²¹ The AB added in its review of Argentina – Financial Services that “there may be circumstances in which the GATS-inconsistency of certain provisions of a legal instrument could affect or taint the GATS-consistency of other parts of the same instrument or of the instrument as a whole.”⁵²² I thus argue on this basis that the GDPR and the right to continuous protection of personal data in Article 8 CFR can be presumed to be WTO-consistent and that potential inconsistencies of the GDPR do not affect the GDPR as a whole.⁵²³ Third, it has been shown above that adequacy decisions are designed to comply with the right to data protection in Article 8 CFR.⁵²⁴

Furthermore, the privacy exception requires that a measure is necessary to secure such compliance.⁵²⁵ This entails an in-depth and holistic weighing and balancing exercise of the relationship between the inconsistent measure and the relevant laws.

In particular, this element entails an assessment of whether, in the light of all relevant factors in the ‘necessity’ analysis, this relationship is sufficiently proximate, such that the measure can be deemed to be ‘necessary’ to secure compliance with such laws or regulations.⁵²⁶

The balancing must take into account the importance of the objective pursued, the measure’s contribution to that objective, and the trade restrictiveness of a measure.⁵²⁷ The AB underlined that the greater a measure’s contribution to the end pursued, the more easily a measure might be considered to be necessary.⁵²⁸ The assessment of trade restrictiveness is similar.⁵²⁹ A measure with a relatively small impact on trade might more easily be considered necessary than a measure with intense or broader restrictive effects.⁵³⁰ But balancing also requires a comparison between the challenged measure and possible alternatives.⁵³¹ The AB clarified that a measure can only be necessary “if there were no alternative measure consistent with the General Agreement, or less inconsistent with it.”⁵³² It is up to the complaining party to identify reasonably available alternative measures that achieve the same level of protection with respect to the objective pursued.⁵³³ The AB explicitly underlined that a reasonably available alternative measure “must be a measure that would preserve for the responding Member its right to achieve its desired level of protection.”⁵³⁴ In turn, the responding party must demonstrate why it does not consider the proposed alternative measure to be appropriate.⁵³⁵

Compliance with the right to continuous protection of personal data is the objective of an adequacy decision. This objective must be considered of the utmost importance because it is a constituent part of the fundamental right to data protection in Article 8 CFR.⁵³⁶ Adequacy decisions directly contribute to continuous protection for personal data.⁵³⁷ At the same time, the trade restrictiveness of using instruments providing appropriate safeguards instead of an adequacy decision as the legal basis for transfers of personal data is low because instruments providing appropriate safeguards also allow structural, systemic, and continuous cross-border flows of personal data. The interference with the MFN treatment obligation based on adequacy decisions versus appropriate safeguards should therefore satisfy the necessity test in Article XIV(c)(ii) GATS.

Aaditya Mattoo and Joshua P. Meltzer do not share this conclusion. They argue instead that

the Privacy Shield may be used to show that such flexible negotiated agreements are able to achieve the EU’s desired level of privacy protection in a way that is less trade restrictive than the Commission’s relatively rigid approach to determining the (lack of) adequacy of India’s privacy regime.⁵³⁸

This submission cannot be supported. In cases in which the compliance of a measure with its objective is high and the trade restrictiveness is low, necessity can be assumed without resorting to reasonably available alternatives. In addition, Decision (EU) 2016/1250, the Privacy Shield adequacy decision, was invalidated exactly because it did not achieve the EU’s desired level of protection.

Should the adjudicative bodies of the WTO nevertheless resort to an assessment of alternative measures and suggest that special framework adequacy decisions, such as the Privacy Shield, constitute a measure that is less inconsistent with the GATS, the EU could argue that such special frameworks do not constitute a measure that is reasonably available in all cases.⁵³⁹ The adoption of special framework adequacy decisions could be impossible in cases in which the WTO members have a level of protection for personal data that is much lower than in the EU.

However, it is possible that the WTO adjudicative bodies would find that special framework adequacy decisions would still be available for other WTO members. The AB held in China – Publications and Audiovisual Products that

an alternative measure should not be found not to be reasonably available merely because it involves some change or administrative costs [...] Rather, in order to establish that an alternative measure is not ‘reasonably available’, the respondent must establish that the alternative measure would impose undue burden on it, and it must support such an assertion with sufficient evidence.⁵⁴⁰

The EU could argue that negotiating that many special framework adequacy decisions would be an undue burden. Again, it is possible that the WTO adjudicative bodies would find that efforts to adopt special framework adequacy decisions are not an undue burden for the EU, but a legitimate change to the adequacy-based system of data transfers that comes with certain administrative costs. In that case, the interference with the MFN treatment obligation would not satisfy the necessity test in Article XIV(c)(ii) GATS. Nevertheless, it must be underlined one more time that necessity should be assumed here because the compliance of the measure with its objective is high and trade restrictiveness is low.

4.4.1.1.2 Appropriate Safeguards Versus Derogations

The second interference with the MFN treatment obligation in Article II GATS occurs when services and service suppliers in WTO members cannot rely on adequacy decisions or the instruments providing appropriate safeguards and have to use the derogations for their transfers of personal data. The first task to justify the interference is demonstrating that the measure in question is designed to secure compliance with laws that are not in themselves inconsistent with the GATS.⁵⁴¹ The instruments providing appropriate safeguards in Article 46 GDPR are intended to secure compliance with the other provisions of the GDPR and the right to continuous protection for personal data in Article 8 CFR.⁵⁴² Consequently, the instruments providing appropriate safeguards may be considered as attempting to secure compliance with laws consistent with WTO law. Importantly, the AB underlined in Argentina – Financial Services that

[a] measure can be said ‘to secure compliance’ with laws or regulations when its design reveals that it secures compliance with specific rules, obligations, or requirements under such laws or regulations, even if the measure cannot be guaranteed to achieve such result with absolute certainty.⁵⁴³

This is especially important with regard to the instruments providing appropriate safeguards because the compliance with the right to continuous protection of personal data in Article 8 CFR heavily depends on the awareness of the data exporter and the supervisory authorities’ use of their corrective powers and, therefore, cannot be guaranteed to achieve such result with absolute certainty.

The second task to justify the interference is to verify that the measure in question is necessary to secure such compliance.⁵⁴⁴ The instruments providing appropriate safeguards must be attributed a lower level of compliance with the right to continuous protection of personal data than adequacy decisions because the responsibility for compliance lies with the data exporter and control over the compliance is decentralized.⁵⁴⁵ At the same time, the effect on trade restrictiveness between appropriate safeguards and the derogations is greater than between adequacy decisions and appropriate safeguards because structural, systemic, and continuous cross-border flows of personal data are not possible with the derogations. This may result in a zero quota for certain services.⁵⁴⁶ This interference with the MFN treatment obligation therefore requires an additional analysis to determine if there are reasonably available alternative measures that are consistent with the GATS and still achieve the same level of protection for personal data.

Some scholars have submitted—without going into much detail—that the necessity of data transfer rules could be successfully challenged if the complaining party claims that there are less restrictive alternatives, such as the principle of accountability, which has been adopted in Canada and many Asia-Pacific Economic Community (APEC) states.⁵⁴⁷ It is important to bear in mind, however, that this interference with the MFN treatment obligation takes place because the instruments providing appropriate safeguards cannot guarantee the right to continuous protection of personal data that is transferred from the EU to a WTO member. Consequently, the principle of accountability cannot constitute an alternative measure because it is not the legal mechanism for data transfers that is the problem. Rather, it is the level of protection for personal data in the non-EU WTO member that is the problem. Should a level of protection that is essentially equivalent to that guaranteed within the EU not be available for the transfer of personal data to the non-EU WTO member, then the principle of accountability would not be sufficient in itself to comply with the right continuous protection of personal data.⁵⁴⁸

Carla Reyes has argued that using technology to enforce data protection laws would increase compliance and decrease the impact on international trade.⁵⁴⁹ It is unclear however to what extent technological measures would be considered as reasonably available alternatives by the WTO adjudicative bodies. Should the adjudicative bodies choose to consider technological measures as reasonably available measures, then the EU may attempt to show that technological measures do not allow it to achieve the level of protection it requires and, therefore, cannot be a genuine alternative.⁵⁵⁰ The EDPB already provided guidance on the limitations of technological solutions to comply with the right to continuous protection of personal data in Article 8 CFR.⁵⁵¹ For example, the EDPB stated that if a data exporter transfers personal data to a cloud service provider which requires access to the data in the clear in order to execute the task assigned and the power granted to the public authorities of the recipient country to access transferred data (such as for surveillance purposes) goes beyond what is necessary and proportionate in a democratic society, then the “current state of the art [is] incapable of envisioning an effective technical measure to prevent that access from infringing on data subject rights.”⁵⁵² The EDPB added that in the given scenario,

where unencrypted personal data is technically necessary for the provision of the service by the processor, transport encryption and data-at-rest encryption even taken together, do not constitute a supplementary measure that ensures an essentially equivalent level of protection if the data importer is in possession of the cryptographic keys.⁵⁵³

This assessment must be taken into account by the WTO adjudicative bodies when they consider technological measures as reasonably available alternatives. It is difficult to say if the WTO adjudicative bodies would deviate from the guidelines provided by the EDPB. The explicit reference to the EU’s desired level of protection in the guidelines––an essentially equivalent level of protection––indicates that a deviation would have to be justified with great effort and in-depth technological assessments, also with regard to the regime of government access to the transferred personal data in the respective WTO member. There is much to suggest that such technological measures would not be considered reasonably available alternatives. The interference with the MFN treatment obligation should therefore satisfy the necessity test in Article XIV(c)(ii) GATS.

4.4.1.2 Chapeau

Any interference with the MFN treatment obligation based on adequacy decisions (Sect. 4.4.4.1.2.1) and appropriate safeguards (Sect. 4.4.4.1.2.2) must also satisfy the chapeau requirements of Article XIV GATS.

4.4.1.2.1 Adequacy Decisions Versus Appropriate Safeguards

The examination under the chapeau requires an assessment of whether the conditions prevailing in the countries between which the measure allegedly discriminates are the same. The AB has underlined that only conditions that are relevant for the purpose of establishing arbitrary or unjustifiable discrimination in the light of the specific character of the measure should be considered.⁵⁵⁴ In particular, conditions relating to the policy objective under the applicable subparagraph of Article XIV GATS are relevant.⁵⁵⁵ It can be assumed that for the purposes of privacy in the digital sphere, the same conditions prevail in all WTO members. The impact of the processing of personal data of individuals can be expected to be the same regardless of the physical location of the individual. Similarly, the AB confirmed the panel’s finding in Brazil – Retreaded Tyres “that the health impact of remoulded tyres imported from MERCOSUR countries and their European counterparts can be expected to be comparable.”⁵⁵⁶ In contrast, Neha Mishra focuses on the “regulatory culture of privacy” in different WTO members to establish same conditions.⁵⁵⁷ The reports of the WTO adjudicative bodies, however, do not support such a focus on the regulatory culture when establishing same conditions for the purposes of the chapeau.

In cases in which the same conditions prevail, the analysis of whether discrimination is arbitrary or unjustifiable within the meaning of the chapeau must focus on the cause of the discrimination, or the rationale put forward to explain its existence.⁵⁵⁸ The AB relied on a number of factors in making this determination:

(i) a ‘rigid and unbending requirement’ that countries exporting shrimp into the United States must adopt a regulatory programme that is essentially the same as the United States' programme; (ii) the fact that the discrimination resulted from the failure to take into account different circumstances that may occur in the territories of other WTO Members, in particular, specific policies and measures other than those applied by the United States that might have been adopted by an exporting country for the protection and conservation of sea turtles; and (iii) the fact that, while the United States negotiated seriously with some WTO Members exporting shrimp into the United States for the purpose of concluding international agreements for the protection and conservation of sea turtles, it did not do so with other WTO Members.⁵⁵⁹

In addition, one of the most important factors in the assessment of arbitrary or unjustifiable discrimination is the question of whether the discrimination can be reconciled with—or is rationally related to—the policy objective with respect to which the measure has been provisionally justified under the paragraphs of Article XIV GATS.⁵⁶⁰ In US – Shrimp, the AB highlighted that the measure treated shrimp caught using methods identical to those employed in the US differently from shrimp caught in the US or other certified countries, solely because they have been caught in the waters of countries that have not been certified by the US.⁵⁶¹ The AB found that this discrimination was “difficult to reconcile with the declared policy objective of protecting and conserving sea turtles.”⁵⁶² Another important factor in the assessment of arbitrary or unjustifiable discrimination is the question of whether the application of the measure at issue allows for any inquiry into the appropriateness of the regulatory program given the conditions prevailing in the concerned countries.⁵⁶³

An interference with the MFN treatment obligation based on adequacy decisions seems to satisfy many of the factors for finding arbitrary or unjustifiable discrimination. Third countries must adopt a regulatory program for the protection of personal data that is essentially the same as in the EU and there is not much flexibility regarding the level of protection for personal data when it comes to regular adequacy decisions. In this regard, it is important to note that all WTO members should have the same opportunities to obtain an adequacy decision.

First, the assessment must be the same for all WTO members. This is why many adequacy decisions underline in the recitals that

any decision based on Article 25(6) of Directive 95/46/EC should be made and enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail, nor constitute a disguised barrier to trade, regard being had to the Community's present international commitments.⁵⁶⁴

However, as has been noted, there are some content-related inconsistencies between the different existant adequacy assessments.⁵⁶⁵ This could be problematic under the standards of the chapeau depending on the extent of these inconsistencies. In spite of this, the mandatory review process in Article 45(9) GDPR of the older adequacy decisions under the GDPR addresses such inconsistencies because the legal requirements in the GDPR are much more detailed than they were in Directive 95/46/EC. The GDPR simply does not leave room for such inconsistencies anymore.

Second, the EU must undertake a serious, good faith effort to assess the level of a country’s data protection measures when formally asked for an adequacy decision by a WTO member. Here, the AB also underlined that

rigorous compliance with the fundamental requirements of due process should be required in the application and administration of a measure which purports to be an exception to the treaty obligations of the Member imposing the measure and which effectively results in a suspension pro hac vice of the treaty rights of other Members.⁵⁶⁶

In US – Shrimp the AB criticized the US for not providing formal notice for a denied application nor an explanation of the reasons for the denial.⁵⁶⁷ This was compounded by the fact that the US further offered no formal legal procedure for reviewing or appealing a denial.

I would argue that an assessment of a country’s level of protection for personal data by an independent EU institution such as the Article 29 WP or the EDPB would constitute a serious, good faith effort to assess the level of data protection in a third country. An external non-governmental assessment—such as the ones conducted by the Research Centre on IT and Law at the University of Namur (CRID) for Burkina Faso, Mauritius, Tunisia, and Morocco in 2010—might not be enough because the findings are not legitimated by an official governmental institution. At the same time, an opinion of the Article 29 WP or the EDPB cannot be reviewed or appealed. Nevertheless, it provides a detailed explanation of the reasons for the denial of an adequacy finding that should be sufficient.

It is necessary to distinguish the situation adjudicated in US – Shrimp from hypothetical situations concerning the EU’s personal data protection regime. The effect of the measure in US – Shrimp was “a rigid and unbending standard by which United States officials determine whether or not countries will be certified, thus granting or refusing other countries the right to export shrimp to the United States.”⁵⁶⁸ In contrast to this, the interferences with the MFN treatment obligation caused by EU adequacy decisions still allow structural, systematic, and continuous cross-border flows of personal data on the basis of Article 46 GDPR and cannot be construed as an export prohibition.⁵⁶⁹ The trade restrictive effect of the measure is not comparable in the EU case and therefore the implicit due process standards of the chapeau should be satisfied. As long as every WTO member asking for an adequacy decision receives an assessment by the EDPB, the interference with the MFN treatment obligation caused by EU adequacy decisions does not amount to arbitrary or unjustifiable discrimination under the chapeau.⁵⁷⁰

With regard to the prohibition on disguised restrictions on trade, the AB acknowledged that it is often difficult to prove the hidden factors marking a disguised protectionist measure: “Although it is true that the aim of a measure may not be easily ascertained, nevertheless its protective application can most often be discerned from the design, the architecture, and the revealing structure of a measure.”⁵⁷¹

An interference with the MFN treatment obligation based on adequacy decisions could be considered a disguised restriction on trade if WTO members interested in obtaining an adequacy decision do not receive any kind of assessment of their level of protection for personal data. In sum, I find that there is no disguised restriction on international trade in cases in which a third country is subject to an assessment of the EDPB.

The chapeau analysis will be different when a special framework adequacy decision—such as the invalidated Decision (EU) 2016/1250, the Privacy Shield adequacy decision—is in force. Currently, there are no special framework adequacy decisions in force, but the EU started the process of adopting a new special framework adequacy decision for the US covering the Transatlantic Data Privacy Framework.⁵⁷² The AB clarified in US – Shrimp (Article 21.5 – Malaysia) that the chapeau does not require the conclusion of an agreement in order to avoid arbitrary or unjustifiable discrimination.⁵⁷³ Rather, it is simply necessary that all countries be provided with similar opportunities.⁵⁷⁴ Accordingly, the EU is bound to provide all countries with similar opportunities to negotiate a special framework adequacy decision if the EU adopts a new one. The standard of a good faith effort to negotiate a special framework adequacy decision would need to be assessed against the efforts made in the special framework adequacy decisions in force, or former special framework decisions.⁵⁷⁵ Comparable resources must be invested, and comparable energy must be devoted.⁵⁷⁶ This would set a high standard given the efforts made by the European Commission to negotiate the Privacy Shield or the Transatlantic Data Privacy Framework with the US. Should the EU once again adopt a special framework adequacy decision, it would amount to an interference with the MFN treatment obligation if the EU does not provide all WTO members with similar opportunities.⁵⁷⁷

4.4.1.2.2 Appropriate Safeguards Versus Derogations

The interference with the MFN treatment obligation based on the instruments providing appropriate safeguards in Article 46 GDPR amounts to an export prohibition for certain services.⁵⁷⁸ Such an interference with the MFN treatment obligation may occur in cases in which supervisory authorities in EU member states make use of their corrective powers to ban or suspend data transfers in order to safeguard the right to continuous protection for personal data in Article 8 CFR. In these cases, the EU would be able to make a prima facie case that there is no arbitrary or unjustifiable discrimination for two reasons. First, the interference with the MFN treatment obligation can be reconciled with the measure’s policy objective under Article XIV(c)(ii) GATS. Second, the due process requirements are fulfilled because any decision of supervisory authorities can be subject to judicial review. Nevertheless, two scenarios are imaginable that could still lead to arbitrary or unjustifiable discrimination:

• The first scenario relates to inconsistencies among the supervisory authorities of different EU member states. For example, if the French supervisory authority prohibits a Chinese service supplier to use “instruments providing appropriate safeguards,” but the Dutch supervisory authority does not. This divergence is not reconcilable with the policy objective of securing compliance with the right to continuous protection of personal data in Article 8 CFR. A scenario like this is possible when supervisory authorities do not coordinate the use of their corrective powers for data transfers, for example by using the voluntary consistency mechanism in Article 64(2) GDP, or when they do not implement the results of the voluntary consistency mechanism, in which case the EDPB could still issue a legally binding decision according to Article 65(1)(c) GDPR.⁵⁷⁹

• The second scenario relates to inconsistencies regarding the actions of a single supervisory authority in comparable situations. This scenario would arise if for example the French supervisory authority prohibits a Chinese service supplier to transfer personal data from the EU to China on the basis of Article 46 GDPR because of fundamental rights considerations, but at the same time a Russian service supplier is still allowed to transfer personal data from the EU to Russia on the basis of Article 46 GDPR when similar fundamental rights concerns exist with regard to those data transfers. The complainant would have to show that the data transfers to Russia on the basis of Article 46 GDPR would undermine the declared policy objective of securing compliance with the right to continuous protection of personal data in Article 8 CFR.

Should a complainant be able to show the existence of either scenario, it might be possible to rebut the EU’s prima facie case of consistency. In such cases, interferences with the MFN treatment obligation based on the instruments providing appropriate safeguards in Article 46 GDPR would amount to arbitrary or unjustifiable discrimination under the chapeau.

With regard to the standard of disguised restriction on trade, the the EU could make a prima facie case for compliance by referring to the independence of supervisory authorities according to Article 8(3) CFR.⁵⁸⁰ Where supervisory authorities use their corrective powers in reaction to a complaint lodged with them, there cannot be a disguised restriction on international trade. Where they use their corrective powers on their own initiative, a complainant would have to show that the relevant decision was not motivated by the protection of the right to continuous protection for personal data in Article 8 CFR.

4.4.2 Interference with the Domestic Regulation Obligation

One aspect of the EU regulation of data transfers that interferes with the domestic regulation obligation in Article VI GATS can be provisionally justified under the privacy exception in Article XIV(c)(ii) GATS (Sect. 4.4.4.2.1), but it does not satisfy the requirements of the chapeau in Article XIV GATS (Sect. 4.4.4.2.2).

4.4.2.1 Privacy Exception

Interferences with the domestic regulation obligation must be provisionally justified under the privacy exception in Article XIV(c)(ii) GATS. The first type of interference occurs because special framework adequacy decisions are usually negotiated with a WTO member that would otherwise not qualify for an adequacy decision (Sect. 4.4.4.2.1.1). The second type of interference occurs when the use of corrective powers by different EU member supervisory authorities results in a fragmentation of conditions for the use of instruments providing appropriate safeguards in Article 46 GDPR across the EU (Sect. 4.4.4.2.1.2).

4.4.2.1.1 Interference Based on Special Framework Adequacy Decisions

The first type of interference has a significant impact on the overall administration of the EU regulation of data transfers because it essentially introduces an additional legal mechanism for data transfers that is not available to all WTO members. To justify this interference, it must be demonstrated that the respective measure is designed to secure compliance with the GDPR and the right to continuous protection of personal data in Article 8 CFR.⁵⁸¹ The ECJ has invalidated both of the special framework adequacy decisions that the European Commission has negotiated so far. The most important reason for the invalidations was that the decisions did not comply with the right to continuous protection for personal data in Article 8 CFR. It is therefore not even entirely clear whether these special framework adequacy decisions would have satisfied the first standard.

Furthermore, it must be demonstrated that the respective measure is necessary to secure compliance with the GDPR and the right to continuous protection of personal data in Article 8 CFR.⁵⁸² This requires a weighing and balancing test. It must take into account the importance of the objective pursued, the measure’s contribution to that objective, and the trade restrictiveness of the measure.⁵⁸³ Securing compliance with the right to continuous protection for personal data is of the utmost importance because it is a constituent part of the fundamental right to data protection in Article 8 CFR. If a special framework adequacy decision is actually found to secure compliance with the right to continuous protection for personal data, it can be assumed that its contribution to that objective is high. Moreover, the trade restrictiveness of special framework adequacy decisions is not very high because instruments providing appropriate safeguards also allow structural, systemic, and continuous cross-border flows of personal data. If a specific special framework adequacy decision actually complies with the right to continuous protection of personal data in Article 8 CFR, the interference with the MFN treatment obligation should satisfy the necessity test in Article XIV(c)(ii) GATS.

4.4.2.1.2 Interference Based on Corrective Powers of Supervisory Authorities

The second type of interference with the domestic regulation obligation occurs when the use of corrective powers by supervisory authorities results in a fragmentation among EU member states of the conditions for data transfers using instruments providing appropriate safeguards in Article 46 GDPR. Supervisory authorities must use their corrective powers to safeguard the right to continuous protection of personal data. The corrective powers are designed to secure compliance with the right to continuous protection of personal data. This objective is of the utmost importance.⁵⁸⁴ While the use of the corrective powers is essential for the compliance with the right to continuous protection of personal data, the trade restrictiveness of a fragmentation among EU member states as regards the conditions for data transfers with instruments providing appropriate safeguards is quite high. Consequently, reasonably available alternative measures must be assessed.

The ECJ has addressed the issue of fragmentation in in Schrems 2.⁵⁸⁵ Here the Court highlighted that the voluntary consistency mechanism in Article 64(2) GDPR enables supervisory authorities to request an opinion from the EDPB when deciding whether to suspend or ban data transfers to a third country.⁵⁸⁶ The ECJ also emphasized the possibility for the EDPB in Article 65(1)(c) GDPR to adopt a legally binding decision, should a supervisory authority not follow an opinion of the EDPB.⁵⁸⁷ However, the consistency mechanism in Article 64(2) GDPR is not a water-tight solution because it is voluntary. A requirement to use the mandatory consistency mechanism in Article 64(1) GDPR would be a reasonably available alternative measure that is consistent with the GATS because it guarantees the impartial application of these powers and preserves for the EU its right to achieve the desired level of data protection. Supervisory authorities must already communicate a draft decision to the EDPB for an opinion when they approve BCRs based on Article 64(1)(f) GDPR. The list for the mandatory consistency mechanism in Article 64(1) GDPR would have to be extended with decisions to ban or suspend data transfers according to Article 58(2)(f) and (j) GDPR. Should the use of corrective powers by supervisory authorities lead to an interference with Article VI:1 GATS because the voluntary consistency mechanism could not prevent the fragmentation among EU member states for the use of instruments providing appropriate, it cannot be considered necessary for the purposes of Article XIV(c)(ii) GATS.

4.4.2.2 Chapeau

Any interference with the domestic regulation obligation in Article VI GATS based on special framework adequacy decisions must also be justified under the chapeau of Article XIV GATS. The analysis of whether discrimination is arbitrary or unjustifiable within the meaning of the chapeau must focus on the cause of the discrimination, or the rationale put forward to explain its existence.⁵⁸⁸ I have shown above that an interference with the MFN treatment obligation in Article II GATS based on special framework adequacy decisions amounts to arbitrary or unjustifiable discrimination in cases in which other WTO members do not have similar opportunities to negotiate such a special framework for an adequacy decision. The same is true for the interference with the impartiality standard in Article VI:1 GATS. As long as special framework adequacy decisions are in force and the EU does not provide all WTO members with similar opportunities to negotiate such a solution, the interference with the domestic regulation obligation based on special framework adequacy decisions constitutes arbitrary and unjustifiable discrimination and cannot be justified under the chapeau of Article XIV GATS.

4.4.3 Interference with the Market Access Obligation

Interferences with the market access obligation in Article XVI:2(a) and (c) GATS can be provisionally justified under the privacy exception in Article XIV(c)(ii) GATS (Sect. 4.4.4.3.1) and the EU can also make a prima facie case of consistency with the chapeau of Article XIV GATS (Sect. 4.4.4.3.2).

4.4.3.1 Privacy Exception

There is an interference with the market access obligation in Article XVI:2(a) and (c) GATS in cases in which supervisory authorities restrict the cross-border flow of personal data and structural, systematic, and continuous cross-border flows of personal data are a necessary element of the cross-border supply of a service covered by the EU’s market access commitments.⁵⁸⁹ First, it must be demonstrated that the respective measure is designed to secure compliance with the GDPR and the right to continuous protection of personal data in Article 8 CFR.⁵⁹⁰ I have concluded above that the use of corrective powers by supervisory authorities is designed to secure compliance with the right to continuous protection for personal data in Article 8 CFR.⁵⁹¹

Second, it must be demonstrated that the respective measure is necessary to secure compliance with the GDPR and the right to continuous protection of personal data in Article 8 CFR. The weighing and balancing test must take into account the importance of the objective pursued, the measure’s contribution to that objective, and the trade restrictiveness of the measure.⁵⁹² The objective of securing compliance with the right to continuous protection for personal data is of the utmost importance and the use of corrective powers by supervisory authorities is essential for compliance with the right to continuous protection for personal data. Nevertheless, the trade restrictiveness of the interference with the market access obligation in Article XVI:2(a) and (c) GATS is high because the use of corrective powers results in a zero quota for the services at issue. Consequently, reasonably available alternative measures must be assessed.

In contrast to the interference with the domestic regulation obligation, the mandatory consistency mechanism in Article 64(1) GDPR does not constitute a reasonably available alternative measure that could mediate the interference with Article XVI:2(a) and (c) GATS. Nor could the principle of accountability constitute an alternative measure.⁵⁹³ In addition, the corrective powers in Article 58(2)(f) and (j) GDPR already foresee temporary measures in cases where non-compliance with the right to continuous protection for personal data can be improved. I conclude that there are no reasonably available alternative measures and that therefore the use of corrective powers by supervisory authorities can be provisionally justified under the privacy exception in Article XIV(c)(ii) GATS.

4.4.3.2 Chapeau

Interferences with the market access obligation in Article XVI:2(a) and (c) GATS must also be justified under the chapeau of Article XIV GATS. The analysis of whether discrimination is arbitrary or unjustifiable within the meaning of the chapeau must focus on the cause of the discrimination, or the rationale put forward to explain its existence.⁵⁹⁴ The EU would be able to make a prima facie case that there is no arbitrary or unjustifiable discrimination for two reasons. First, the use of the corrective powers by supervisory authorities can be reconciled with the policy objective under Article XIV(c)(ii) GATS. Supervisory authorities make use of their corrective powers to ban or suspend data transfers in cases in which data exporters infringe the right to continuous protection for personal data in Article 8 CFR. Second, the due process requirements are satisfied because all decisions of the supervisory authorities are subject to judicial review.

Nevertheless, two scenarios could still lead to arbitrary or unjustifiable discrimination. First, when a complainant successfully shows that supervisory authorities in different EU member states maintain different regimes for services and service suppliers for the same WTO member. Second, when a complainant successfully shows that a single supervisory authority in an EU member state selectively uses its corrective powers to discriminate against certain WTO members.

The EU would also be able to make a prima facie case that there is no disguised restriction on trade by referring to the independence of supervisory authorities according to Article 8(3) CFR.⁵⁹⁵ Only when a complainant can successfully show that the use of the corrective powers by supervisory authorities is not motivated by the protection of the right to continuous protection for personal data can there be a finding of disguised restrictions on international trade.

4.4.4 Interference with the National Treatment Obligation

Finally, the aspects of the EU regulation of data transfers that interfere with the national treatment obligation in Article XVII GATS can also be provisionally justified under the privacy exception in Article XIV(c)(ii) GATS (Sect. 4.4.4.4.1) and the chapeau of Article XIV GATS (Sect. 4.4.4.4.2).

4.4.4.1 Privacy Exception

Interferences with the national treatment obligation must be provisionally justified under the privacy exception in Article XIV(c)(ii) GATS. The first interference is based on the instruments providing appropriate safeguards in Article 46 GDPR because foreign service suppliers must comply with the conditions of their use in addition to the other rules in the GDPR (Sect. 4.4.4.4.1.1). The second interference is based on the use of the corrective powers of supervisory authorities (Sect. 4.4.4.4.1.2).

4.4.4.1.1 Interference Based on Appropriate Safeguards

It must be demonstrated that the use of instruments providing appropriate safeguards in Article 46 GDPR is designed to secure compliance with the GDPR and the right to continuous protection of personal data in Article 8 CFR.⁵⁹⁶ These instruments must be attributed a lower level of compliance with the right to continuous protection of personal data than adequacy decisions. At the same time, the trade restrictiveness of an interference with the national treatment obligation is not very high. The use of the instruments in Article 46 GDPR is a regulatory burden, but they still allow structural, systematic, and continuous data transfers. It is thus not clear whether it is necessary to look into alternative measures that are reasonably available and achieve the same level of protection with respect to the objective pursued.

Should the adjudicative bodies of the WTO decide to look into alternative measures, it seems sensible to address the principle of accountability again with regard to the national treatment obligation.⁵⁹⁷ The scholars who submit that it could present a less restrictive alternative refer to a text by Christopher Kuner from 2009: “An Alternative Standard for International Data Transfers.”⁵⁹⁸ In this text, Kuner argues that it is necessary to investigate what legal mechanisms could ensure that data exporters remain accountable and responsible for data processing once personal data have been transferred outside the EU. He suggests that “[t]his might include reliance on liability concepts under national law, or use of data transfer mechanisms that are already recognized, such as BCRs or the use of standard contractual clauses for International Data Transfers.”⁵⁹⁹ This scholarship overlooks the fact that the instruments in Article 46 GDPR––which also existed under Directive 95/46/EC––already work with the principle of accountability. The contractual solutions foreseen in Article 46 GDPR include liability concepts. For example, BCRs have to specify the liability by the data exporter established on the territory of an EU member state for any breaches of the BCRs by any member of the group of enterprises not established in the EU according to Article 47(2)(f) GDPR and Clause 6 of the standard data protection clauses adopted with Decision 2010/87/EU also entail detailed rules on liability. I thus argue that there are no alternative measures that are reasonably available and achieve the same level of protection with respect to the right to continuous protection for personal data. The interference with the national treatment obligation based on instruments providing appropriate safeguards therefore satisfies the necessity test in Article XIV(c)(ii) GATS.

4.4.4.1.2 Interference Based on Corrective Powers of Supervisory Authorities

The second interference with the national treatment obligation is based on the use of corrective powers by supervisory authorities. To justify this interference, it must be demonstrated that the respective measure is designed to secure compliance with the GDPR and the right to continuous protection of personal data in Article 8 CFR.⁶⁰⁰ Furthermore, it must be demonstrated that the respective measure is necessary to secure such compliance. The corrective powers are designed to secure compliance with the right to continuous protection of personal data but because of the trade restrictiveness of the decision of a supervisory authority to use corrective powers to suspend or ban data transfers to a third country is high, reasonably available alternative measures must be assessed.

I submit that there are no alternative measures that would achieve the same level of protection. The GDPR itself already entails a scaled set of corrective powers in Article 58(2)(f) and (j) GDPR. A supervisory authority may only suspend data transfers according; it may impose a temporary limitation or ban on data transfers; and it may impose a definitive limitation or ban on data transfers. The national treatment violation caused by the corrective powers of supervisory authority would therefore satisfy the necessity test in Article XIV(c)(ii) GATS.

4.4.4.2 Chapeau

Interferences with the national treatment obligation in Article XVII GATS based on appropriate safeguards (Sect. 4.4.4.4.2.1) and the corrective powers of supervisory authorities (Sect. 4.4.4.4.2.2) must also be justified under the chapeau of Article XIV GATS.⁶⁰¹

4.4.4.2.1 Interference Based on Appropriate Safeguards

The EU would be able to make a prima facie case that there is no arbitrary or unjustifiable discrimination in the interference with the national treatment obligation based on the instruments providing appropriate safeguards in Article 46 GDPR. The interference can be reconciled with the policy objective under Article XIV(c)(ii) GATS. The transfer of personal data presents a risk for individuals in the EU because information about them leaves the EU where the GDPR applies and can be enforced. This is the rationale of the discrimination because in contrast, domestic services and service suppliers do not necessarily require data transfers.

The EU would also be able to make a prima facie case that there is no disguised restriction on international trade because services and service suppliers in the EU must also use these instruments when they transfer personal data to a third country. Accordingly, the interference with the national treatment obligation can be justified under the chapeau of Article XIV GATS.

4.4.4.2.2 Interference Based on Corrective Powers of Supervisory Authorities

The EU would also be able to make a prima facie case that there is no arbitrary or unjustifiable discrimination in the interference with the national treatment obligation based on the corrective powers of supervisory authorities. Supervisory authorities make use of their corrective powers to ban or suspend data transfers where data exporters infringe the right to continuous protection for personal data in Article 8 CFR.

Nevertheless, a complainant could, as Svetlana Yakovleva and Kristina Irion suggest, try to rebut the prima facie case and argue that the EU applies double standards when it comes to foreign internet surveillance.⁶⁰² Should supervisory authorities—and ultimately the ECJ—require a higher standard for internet surveillance in third countries than applicable for the EU member states, then the interference with the national treatment obligation based on the corrective powers of supervisory authorities would amount to arbitrary and unjustifiable discrimination. Such a double standard could not be reconciled with the policy objective with respect to which the measure has been provisionally justified under the paragraphs of Article XIV GATS. However, I showed above that there are no double standards for foreign internet surveillance and the EU member states are bound to comply with the same requirements as third countries.⁶⁰³

The EU would also be able to make a prima facie case that there is no disguised restriction on trade by referring to the independence of supervisory authorities according to Article 8(3) CFR.⁶⁰⁴ Only when a complainant can successfully show that the use of corrective powers by supervisory authorities is not motivated by the protection of the right to continuous protection on personal data can there be a finding of a disguised restriction on international trade. The interference with the national treatment obligation caused by the corrective powers of supervisory authorities can therefore be justified under the chapeau of Article XIV GATS.

4.5 Summary

The justification of interferences with GATS obligations caused by the EU’s fundamental rights-based regulation of personal data focuses on the general exceptions in Article XIV. The economic integration exception in Article V GATS could be relevant to justify interferences with the MFN treatment obligation if the EU concluded a trade agreement with every country that has an adequacy decision. The security exception in Article XIV bis GATS is only relevant in situations of heightened tension or crisis. Finally, the confidentiality exception in Paragraph 5(d) of the Annex on Telecommunications can only justify interferences with the provisions of the annex.

I find that most of the interferences with GATS obligations can be provisionally justified under the general exceptions in Article XIV GATS. Only one interference fails provisional justification under the privacy exception in Article XIV(c)(ii) GATS: The interference with the domestic regulation obligation in Article VI:1 GATS caused by a fragmented application of the corrective powers of different supervisory authorities among EU member states. The trade restrictiveness of such a fragmentation is high. Subjecting the decisions of supervisory authorities to a mandatory consistency mechanism in Article 64(1) GDPR could be a reasonably available alternative measure that is consistent with the GATS because it guarantees the impartial application of these powers and preserves for the EU its right to achieve its desired level of protection for personal data.

In addition, some of the provisionally justified interferences fail the assessment under the chapeau of Article XIV GATS:

• The interference with the MFN treatment obligation based on regular adequacy decisions amounts to arbitrary or unjustifiable discrimination should a WTO member that asks for an adequacy decision not receive an assessment by the EDPB concerning the level of protection for personal data.

• The interference with the MFN treatment obligation as well as the interference with the domestic regulation obligation caused by special framework adequacy decisions—if and when a new special framework adequacy decision comes into force (e.g. the Transatlantic Data Privacy Framework with the US)—also amounts to arbitrary or unjustifiable discrimination insofar as the EU does not provide all WTO members with similar opportunities to negotiate a special framework adequacy decision.

• The interference with the market access obligation based on restrictions to use the instruments providing appropriate safeguards in Article 46 GDPR amounts to arbitrary or unjustifiable discrimination if different supervisory authorities in different EU member states maintain different regimes for service supplies in the territory of the same WTO member, or if a single supervisory authority in an EU member state selectively uses its corrective powers for certain WTO members and not for others and thereby undermines the right to continuous protection of personal data.

5 Conclusion

The rules of the multilateral trading system of the WTO can be used as proxies to distinguish legitimate regulation from protectionism. When applied to the EU’s fundamental rights-based regulation of data transfers, they allow for the legal assessment of the line between data protection and data protectionism. The analysis above shows that the regulation of data transfers is largely compatible with WTO law. Seven interferences with obligations in the GATS have been identified. Most of them are justifiable under the privacy exception in Article XIV(c)(ii) GATS. The history of the privacy exception shows that the EC negotiated the WTO’s trade agreement on services with great foresight. The EC pushed for the adoption of a privacy exception during the negotiations of the GATS with a view to its future data protection framework. Nevertheless, some aspects of the EU system for data transfers need further attention because they may not be justifiable under the privacy exception in Article XIV(c)(ii) GATS.

The first aspect concerns the application of adequacy decisions. Adequacy decisions interfere with the MFN treatment obligation in Article II:1 GATS. The AB maintained that the chapeau of the general exceptions demands “rigorous compliance with the fundamental requirements of due process.”⁶⁰⁵ This includes formal notice for a denial of an application or an explanation of the reasons for the denial.⁶⁰⁶ This interference with the MFN treatment obligation would amount to arbitrary or unjustifiable discrimination under the chapeau should a WTO member ask the EU for an adequacy decision and not receive an assessment by the EDPB. In order to comply with WTO law, the European Commission must ask the EDPB for an assessment of the level of protection for personal data in a third country when a third country asks for an adequacy decision, or, alternatively, issue a negative adequacy decision itself.

The second aspect concerns special framework adequacy decisions such as the invalidated Decision (EU) 2016/1250, the Privacy Shield adequacy decision. Special framework adequacy decisions are often tailor-made solutions for countries that otherwise would not qualify for a regular adequacy decision. They interfere with the MFN treatment obligation and the impartiality standard of the domestic regulation obligation. Should a new special framework adequacy decision come into force, this interference would amount to arbitrary or unjustifiable discrimination under the chapeau if the EU does not provide all WTO members with similar opportunities to negotiate a special framework for an adequacy decision. To comply with WTO law, the European Commission will have to stop negotiating special framework adequacy decision unless it is ready to initiate such negotiations with all interested WTO members. Since the EU already works towards adopting a special framework adequacy decision for the Transatlantic Data Privacy Framework with the US, an unjustifiable violation of the MFN treatment obligation is foreseeable.⁶⁰⁷

The third aspect concerns the administration of the corrective powers of supervisory authorities. The ECJ confirmed that supervisory authorities must suspend or ban transfers of personal data in cases in which the right to continuous protection of personal data in Article 8 CFR cannot be guaranteed and the data exporter refuses to take action.⁶⁰⁸ The suspension or ban of data transfers may lead to an interference with the MFN treatment obligation and the market access obligation. These interferences amount to arbitrary or unjustifiable discrimination under the chapeau if the administration of the corrective powers is inconsistent. For example, when supervisory authorities in different EU member states maintain different regimes for services and service suppliers in the same WTO member, or when a supervisory authority in an EU member state selectively uses its corrective powers for data transfers to certain WTO members and not for data transfers to other WTO members where similar deficiencies regarding data protection exist, and the selective use of the corrective powers thereby undermines the right to continuous protection of personal data. Such a fragmented use of the corrective powers of supervisory authorities also interferes with the impartiality standard of the domestic regulation obligation. The interference does not satisfy the necessity test of the privacy exception. Currently, supervisory authorities are not obliged to coordinate the use of their corrective powers. They may use the voluntary consistency mechanism in Article 64(2) GDPR to ask for an opinion from the EDPB, which all supervisory authorities should then implement. A requirement to use the mandatory consistency mechanism in Article 64(1) GDPR would be a reasonably available alternative measure that is consistent with the GATS because it guarantees the impartial application of these powers and preserves for the EU its right to achieve the desired level of protection. This would require a change in the GDPR. Supervisory authorities must be aware that they are responsible for complying with WTO law and use their corrective powers accordingly.

With regard to the interferences with the market access obligation and the interferences with the national treatment obligation, it is important to note that allegations that the EU maintains a higher standard for internet surveillance in third countries than applicable for EU member states do not challenge the compliance of the regulation of data transfers with the chapeau of the general exceptions. There are no double standards for foreign internet surveillance. The EU member states are bound to comply with the same requirements as third countries in the assessment of their level of protection for personal data.⁶⁰⁹

From the perspective of WTO law, the design of the EU system for data transfers does not constitute data protectionism. However, the analysis has revealed that the European Commission and the supervisory authorities in the EU member states must make sure the system is applied without protectionist side effects. The Commission must treat third countries equally when it comes to adequacy assessments and the supervisory authorities must coordinate their corrective powers and use them consistently in the same or similar situations. Lastly, special framework adequacy decisions should not be adopted as WTO law would then require the EU to offer the same possibilities to all other WTO members.