The furore over Cambridge Analytica is a sharp reminder of the extent to which technology companies store and harvest personal data, so it seems timely that the EU General Data Protection Regulation (“GDPR”) is about to come into effect. This post considers its compatibility with the EU’s WTO commitments.

Any measure regulating the cross-border flow of personal data could have an effect on trade in services, for the simple reason that the transfer of personal data is an important element for the provision of many services, particularly cross-border services (Mode 1) and services supplied via consumption abroad (Mode 2). A restriction on the cross-border transfer of personal data would in many situations violate national treatment commitments by providing less favourable treatment for foreign service suppliers. A prohibition would also violate market access commitments in respect of any service that necessarily depends on the data transfer, such that prohibiting data transfers is tantamount to a prohibition on supplying the service (following the reasoning of the panel on “integrated services” in China – Electronic Payment Systems).

The GDPR does not go so far as to prohibit cross-border data flows, but it will certainly continue the current policy under the Data Protection Directive of restricting them. In particular, personal data may not be transferred outside the European Economic Area except in certain circumstances. One of these is that the European Commission has determined that the data protection laws of another jurisdiction are “adequate”. To date, only a handful of adequacy findings have been made under the Data Protection Directive, and the European Commission will need to use its discretion carefully if it is to minimise the risk of the EU breaching its MFN obligations. For those wishing to transfer personal data elsewhere, alternatives include entering into model contracts with recipients of personal data (although this is under judicial challenge) and using binding corporate rules for transfers within a multinational business.

As the EU has in fact made unlimited national treatment commitments for Modes 1 and 2 for a number of relevant services – including data base services and data processing services – there is a prima facie question whether the GDPR is inconsistent with the EU’s legal obligations to other WTO Members.

Of course, the EU could argue that the GDPR falls squarely within the privacy exception in Article XIV(c) GATS, which permits measures “necessary to secure compliance with laws or regulations… relating to the protection of the privacy of individuals in relation to the processing and dissemination of personal data”. However, there may be greater room for debate over whether the GDPR would meet the two-pronged chapeau test – does it objectively constitute arbitrary or unjustifiable discrimination between countries where like conditions prevail? And might it be a disguised restriction on trade in services?

In conjunction with the detailed provisions of the GDPR, these two tests raise all kinds of interesting issues. One example concerns government surveillance. Under the GDPR, transfers of personal data across national borders within the EEA are permitted, regardless of whether and how the government in the recipient state can access that data in the name of national security. At the same time, the GDPR requires the European Commission to take government surveillance into account when deciding whether to make an adequacy determination for another jurisdiction. This is de jure discrimination, and it could be difficult to justify, especially given that other justifications under the GDPR for transferring personal data outside the EEA (such as using model contracts between private parties) do not address concerns about government surveillance (although the Privacy International case may yet show that EU law makes up for this imbalance in other ways). In any case, because of these and other issues, and as data becomes more important to the global economy, we may yet see the GDPR challenged.

Written by Samuel Coldicutt and Nivedita Sen, PhD candidate at the Graduate Institute of International and Development Studies in Geneva.

Edited by the Linklaters Trade Practice. The views and opinions expressed here are the personal opinions of the author(s) and do not necessarily represent the views and opinions of Linklaters.