As negotiators for the European Union (EU) and the United Kingdom (UK) press ahead to devise the bloc’s future trading relationship with its departed member, time and tempers are growing short. The United Kingdom’s transition away from EU membership concludes at the end of 2020. If future preferential terms of trade are not agreed by then, significant friction in cross-Channel commerce would result. The parties will decide in June whether to extend the negotiation period, but the UK appears intent on sticking to the current timetable.
In late May, the chief negotiators—Michel Barnier for the EU and David Frost for the UK—exchanged public letters starkly outlining the major points of disagreement. Since both sides, unusually, have also publicly released the texts of their voluminous opening proposals, a detailed picture of the challenges in crafting compatible regulatory standards is open to view. While the United Kingdom seeks a definitive break from the EU’s single market and customs union, the EU aims to bind Britain to its wide-ranging regulatory standards as much as possible. If negotiations succeed, they will yield an agreement combining the form of a comprehensive EU free trade agreement, such as its recent accords with Canada or Japan, with a level of detail reflecting the UK’s previous assimilation of EU law.
Doing a digital deal
Digital trade is but one of the thirty-four chapters under negotiation, but it’s an important topic for the UK’s and EU’s shared economic future. Both the United Kingdom and the European Union need a deep and comprehensive accord on digital trade. In 2018, the EU imported $124.5 billion in digitally enabled services from Britain. As a result, the UK enjoyed a substantial surplus of £77 billion in overall service exports to the EU that year—more than offsetting its deficit in goods trade—according to official UK statistics. Data transfers form an integral part of overall services trade and they play an increasingly important role in goods commerce, as well. Approximately three-quarters of Britain’s data flows are with EU countries, making continuity crucial for its data-dependent businesses, such as financial services.
The UK and EU already appear to be closely aligned on many provisions for the digital trade chapter, as a comparison of their respective texts reveal. For example, both have put forward similar proposals: no customs duties may be placed on electronic transmissions nor prior authorization requirements be imposed for services provided electronically. Both would enable contracts to be concluded by electronic means and, likewise, would allow authentication and trust services to be conducted electronically. In addition, both would broadly prohibit requirements for the transfer of, or access to, source code of software in order to protect proprietary corporate interests.
Balancing data transfers and privacy
The UK and EU clearly disagree, however, on the crucial question of enabling cross-border transfer of electronic information, and on the related issue of the extent to which transfers may be limited for public policy reasons, such as privacy. Britain proposes that each party assume a positive obligation to allow cross-border data transfers for business purposes. It acknowledges that transfers may be made subject to regulatory requirements, but only to those requirements that are narrowly tailored to meet “legitimate” public policy objectives. They must also not be applied in an arbitrary or discriminatory manner or as a disguised restriction on trade. These proposed disciplines are drawn from World Trade Organization (WTO) agreements and they would be backed by a dispute settlement mechanism.
The EU, by contrast, rejects, in principle, the assumption of an obligation to allow cross-border data flows with the United Kingdom. Instead, the EU suggests focusing only on data “localization.” This entails outlawing rules that require a company to locate its computing facilities or network in the territory of the other party or that require data to be stored or processed there. The European Union also insists upon giving each party an absolute right to maintain any data privacy safeguards it deems appropriate, with no objective trade disciplines of the nature proposed by the UK.
The UK’s data transfer proposal largely draws from the US playbook, mirroring provisions contained in the 2019 US-Mexico-Canada Agreement and US-Japan Digital Trade Agreement. The EU’s position resembles the one it took in the abortive Transatlantic Trade and Investment Partnership (TTIP) negotiations, where the two sides ultimately deadlocked on data transfers. Japan, subsequently, sought to include a US-style data transfer obligation in its 2019 Economic Partnership Agreement with the EU. The EU rebuffed the proposal and Japan, eventually, settled for a modest EU commitment to revisit the issue in 2022—the same consolation prize that the EU would offer the United Kingdom.
Instead of trade agreements, the EU relies on its privacy law—the General Data Protection Regulation (GDPR)—as a legal framework for international data transfers. The GDPR allows personal data to be transferred from EU territory only if the EU is satisfied that it will be accorded equivalent privacy protection in the foreign country. The European Commission has the authority to issue an “adequacy” finding to a foreign country meeting this standard. It has issued only thirteen of them, including to the United States—for data transfers made under the US-EU Privacy Shield Framework—and to Japan.
The EU’s “border control” approach to data transfers differs philosophically from the US, UK, and Japanese view that data should move freely in international trade, with objective limits placed on how privacy regulation may interfere. The EU fears that accepting such limits in a trade agreement on decisions it makes under the GDPR could lead to trade disputes over whether decisions made ostensibly on privacy grounds in fact are motivated by trade protectionism.
Faced with the evident difficulty of persuading the EU to accept a free data transfer regime, the United Kingdom has, therefore, made obtaining an adequacy finding an important objective for its post-Brexit trade relations with the EU. The EU agreed to give priority to the UK adequacy request and the European Commission is due to decide on it by the end of 2020. If the UK bid for adequacy succeeds, it would not need data transfers to be safeguarded separately in its trade agreement with the EU.
Since the United Kingdom currently applies the GDPR, securing a Commission determination that its domestic privacy protections meet EU standards seems straightforward. However, the pending Commission decision will be more fraught than it appears because of the UK’s robust law enforcement and national security surveillance laws. In the 2016 Watson case, the European Court of Justice (ECJ) held that a UK law requiring communications service providers to retain metadata on all messages—for potential future use by law enforcement authorities—conflicted with a protection in EU privacy law against “general and indiscriminate” data retention. In a second case, now pending before the ECJ, Privacy International poses a similar question about bulk data retention provisions in the UK’s national security laws.
Escaping the jurisdiction of the ECJ has long been a principal objective of Brexit. Nevertheless, contrary to expectations, the UK’s departure from the EU will not give it license, henceforth, to ignore troublesome ECJ privacy rulings. On the contrary, Britain’s urgent need for an adequacy finding gives the EU ideal leverage to insist that the UK continue to adhere to the substance of its privacy jurisprudence, including on such, seemingly, sovereign matters as law enforcement and national security.
In fact, Britain is, ironically, now in a worse position than EU member states to chart its own course on national security surveillance. Member states largely are protected from ECJ scrutiny in this area by a provision in the EU Treaties, stating that national security is their “sole responsibility.” By contrast, a Commission adequacy decision must examine whether a third country’s privacy regime is undermined by expansive national security surveillance powers. Therefore, it is not unlikely that a cutback in UK surveillance laws will be part of the price that the Commission will demand for finding the UK adequate, particularly, if the ECJ finds them deficient in the Privacy International case.
Implications for the United States
As the United Kingdom struggles to establish a durable commercial data transfers regime with the European Union, the United States is more than an interested bystander. In May, London and Washington finally launched negotiations on a US-UK free trade agreement and a digital trade chapter is expected to be a key component. US negotiators see an opportunity to establish a free data transfer regime like their other recent agreements, but, in this case, with a European country that will retain a GDPR-compliant privacy regime. UK negotiators, in turn, may hope for leverage with the EU by reaching for a more ambitious digital trade regime with the United States than the EU is inclined to grant them. The United Kingdom also may envisage such a deal with the United States as a favorable precedent for its future trade negotiations with Australia and other countries.
If the United Kingdom can navigate a way forward on data transfers with both its ex-masters in Brussels and its ally in Washington, its success might ultimately yield benefits beyond these two bilateral trade contexts. Although prospects for the United States and the EU to pick up the pieces of the failed TTIP digital trade talks remain a distant glimmer, there’s at least a chance that the UK’s current negotiations with both capitals could, eventually, help point the path back to the negotiating table for Washington and Brussels.
Kenneth Propp is a nonresident senior fellow in the Atlantic Council’s Future Europe Initiative.