Personal data privacy and the WTO.

• Author: MacDonald, Diane A.

1. May a WTO Member Prohibit the Transfer of Personal Data from its Territory? II. The WTO's Trade in Services Framework A. General and Specific Obligations B. General Exception for Data Privacy III. Will Online Data Privacy Protection Prove to be an Exceptional Exception Under GATS? A. Specific Commitments B. The "Necessity" Exception--Article XTV(c) IV. Conclusion Personal data has been labeled the "currency" of the digital economy (1)--unsurprisingly, since many large and small companies rely heavily on the harvesting of Internet-based personal data. While "personal data" takes many forms, it is generally recognized to consist of information that could potentially identify an individual, regardless of whether the individual willingly sends the information to a provider of services (such as a bank or a social media site) or unknowingly supplies it to a third party collector (just by visiting a website). In a virtual market with capacities unknown to many regulators and which, by virtue of the Internet, transcends geographic boundaries, companies buy, sell, process, and store volumes of personal data that may help them identify consumer preferences, medical histories, and financial profiles. As countries rush to address the competing interests between the invaluable free-flow of information and consumers' "right to be forgotten" on the Internet, the data privacy issue sits on a collision course with international trade rules now more than it ever has in the past. (2)

   If personal data is the currency of the digital economy, then "big data" is its jackpot. (3) The claims for big data--"mass repositories of data that can be collected across multiple platforms, in multiple jurisdictions, and in multiple

   languages" (4)--are that it fosters transformative innovation, (5) stimulates economic growth, (6) enhances the development of new medicines, (7) drives productivity, efficiency, and growth, (8) and combats terrorism, (9) to name a few. Yet, the collection of big data brings concomitant and complex privacy concerns that span national borders and regulatory regimes.

   Much has been written about the (in)adequacy of World Trade Organization (WTO) disciplines to address the burgeoning issues associated with Internet-based personal data trade. (10) Meanwhile, companies are racing to enter new markets and to provide cross-border data services because no one can afford to sit on the sidelines. (11) In addition, countries are moving full-speed ahead on new privacy regulations with or without the WTO's blessing, demanding their regulatory sovereignty regarding the protection of their citizens' data. (12) The European Union formally led the charge on January 25, 2012, by releasing the draft of a sweeping new general data protection regulation. (13) The United States quickly followed with the White House's framework for protecting privacy in the digital economy in February 2012, (14) and the Federal Trade Commission's privacy framework final report and recommended best practices in March 2012. (15) Additionally, the United States has begun drafting new consumer privacy legislation, which could address some of the concerns that the European Union, among others, have with the perceived lack of data privacy controls in the United States. (16) China and India are also critical players in the data privacy space. (17) Not only do both countries have draft guidelines or rules circulating to crack down on the use of personal data on the web, the countries will also soon have more people online than the United States and Europe have citizens. (18)

   How can WTO Members regulate the collection, storage, and use of personal data without running afoul of their trade commitments? Put another way, do WTO disciplines provide any measurable limits on a Member's ability to regulate the use of data collected within one Member's borders by a company whose home base is in another Member? Given these fast-moving developments, this paper examines whether the WTO's General Agreement on Trade in Services (GATS) can provide relief for cross-border services companies facing a dizzying array of country-specific privacy laws.

1. MAY A WTO MEMBER PROHIBIT THE TRANSFER OF PERSONAL DATA FROM ITS TERRITORY?

   Personal data privacy can become a trade issue in a number of ways, ranging from the fairly simple (a multinational super store opens a local branch in Vietnam, where it will maintain a server that collects buying histories of its Vietnamese customers) to the more complex (a healthcare management company uses a "cloud" based server sited in India to store X-rays and medical records of U.S. citizens). (19) In particular, the issue of cross-border transfers of personal data has arisen in the recent free trade agreement between the United States and South Korea. (20)

   The financial services chapter of the United States-Korea Free Trade Agreement (KORUS FTA) provides that "[e]ach Party shall allow a financial institution of the other Party to transfer information in electronic or other form, into and out of its territory, for data processing where such processing is required in the institution's ordinary course of business." (21) While the United States already allows this, Korea's current data privacy rules require financial services firms to locate their data servers in Korea and prevent data from being transferred outside of the country for processing. (22) However, Korea pledged to effect its KORUS FTA commitment to allow the offshoring of data processing within two years of the date KORUS FTA entered into force, or March 15, 2014. (23)

   In response to this commitment, Korea has issued a draft regulation that "would allow financial services firms to transfer data outside of Korea, subject to several limitations." (24) The draft regulation allows the offshoring of data, but it retains the requirement mandated by Korean law to obtain consent from the consumer, for each transaction, before doing so. (25) Additionally, according to sources, the draft law only allows the transfer of data to the headquarters or to a direct affiliate of the financial services company and prevents offshoring if the financial services company has been sanctioned by any regulatory body within the past three years. (26) Furthermore, the draft regulation requires financial service firms to receive prior approval from the Korean Financial Services Commission for data offshoring. (27) However, there is no timeline for this approval and it must be based on a "necessity" test. (28)

   U.S. companies have made it known that they believe the draft regulation does not meet the commitments of the KORUS FTA. (29) In particular, companies object based on the difficulties of doing business in the face of the consent requirements; the prohibition against using third-party processors; and the requirement of prior approval and proving the necessity of the transfer. (30) All of these measures would seriously curtail the use of data in a manner comparable to that of U.S. consumers' data--whether in the cloud, by third-party processors, or by moving data cross-border to the most appropriate servers--and hinder the agglomeration and processing of big-data treasuretroves. (31)

   The U.S. Trade Representative has called the financial services chapter of KORUS FTA a "groundbreaking" agreement that provides more extensive provisions related to financial services, including increased market access and the data-transfer provision, than any previous free trade

   agreement. (32) KORUS FTA has also been referred to as a "Rgold standard" agreement, (33) and one that will be a model for future U.S. free trade agreements, precisely because of the importance of the data-transfer provision to financial services companies. (34) While the issue, therefore, is just being framed, it is one that has significant future effect.

   Given that U.S. financial services companies have established, and are going to continue to establish, footholds in Korea regardless of the status of negotiations over this issue, (35) what options are available to a U.S. company trying to navigate market access in Korea?

   Using Korea's restriction on the offshoring of data as an example, we consider how that measure would fare if the provision remained unchanged and if the United States instituted dispute settlement procedures at the WTO. While this analysis involves a provision in the KORUS FTA (and one that may be resolved by negotiation or through dispute settlement provisions within that agreement), it serves as a useful example of an issue that may arise with any number of other countries that may or may not have entered into a free trade agreement with the United States or that may be party to an agreement that does not contain the advanced financial services provisions of the KORUS FTA. In fact, cross-border U.S. services trade has grown rapidly since 1986 (45% for export services; 30% for import services), (36) and promises to continue to do so. And, the Internet has transformed front- and back-end operations everywhere, particularly for U.S. providers in the financial services, professional services, healthcare, and education services fields. (37) Cross-border service disputes and data privacy issues are therefore international trade's new frontier.

2. THE WTO'S TRADE IN SERVICES FRAMEWORK

   GATS is the first multinational agreement governing cross-border trade in services. It applies to "measures by Members affecting trade in services," (38) where "measure" is defined as a "law, regulation, rule, procedure, decision, administrative action, or any other form...." (39) This article presumes, without concluding, that the Korean regulations restricting U.S. cross-border financial services companies from processing data outside of Korea constitutes a measure that affects the trade in services, and thus should be considered under the GATS framework. (40)

   1. General and Specific Obligations

      GATS is a list-based, "positive" agreement" a Member...