Nov. 5, 2015

Contact: Peter Maybarduk, pmaybarduk@citizen.org, (202) 588-7755
Burcu Kilic, bkilic@citizen.org, (202) 588-7792
Karilyn Gower, kgower@citizen.org,  (202) 588-7779

TPP Text Reveals Risk for Consumer Privacy Reform

TPP Would Limit Options for Online Privacy Policies

WASHINGTON, D.C. – The future of consumer privacy protection may be imperiled by the Trans-Pacific Partnership (TPP), Public Citizen said today. The final text of the TPP E-Commerce chapter reveals rules that could tie the hands of policymakers seeking to safeguard consumer and Internet user privacy, according to Public Citizen’s analysis of the text.

“The E-Commerce chapter has serious implications for online privacy,” said Peter Maybarduk, director of Public Citizen’s information society program. “The text reveals that policies protecting personal data when it crosses borders could be subject to challenge as a violation of the TPP.”  

The E-Commerce chapter includes rules that would require countries to allow the unregulated cross-border transfer of Internet users’ data and prohibit governments from requiring companies to host data on local servers, subject to certain exceptions. While privacy should be considered such an exception, privacy and data protection policies are not expressly protected under the TPP rules.

Instead, such policies would be subject to review by TPP tribunals empowered to decide if the policies meet several highly subjective, restrictive standards. These TPP standards replicate language in World Trade Organization agreements under which tribunals have ruled against domestic policies in 43 of 44 challenges. Yet, only those privacy and data protection policies determined to meet these tests would be considered permissible.

Information technology companies and industry associations have lobbied to ban or seriously limit government regulation of cross-border data flows as a means to keep down industry costs. At a U.S. House Judiciary Committee hearing this week, representatives from those groups testified that any exceptions should be narrow. 

“The IT companies are getting what they want, but what about consumers and Internet users?” said Burcu Kilic, a policy director with Public Citizen’s information society program.

Policy options for governments that want to protect privacy include conditioning international data transfers on compliance with data protection regulations. Such policies may be exposed to challenges by other governments under the TPP as well as through extra-judicial tribunals empowered by the agreement’s controversial Investor State Dispute Settlement mechanism.

“In some cases, our data may be vulnerable in another country – to surveillance or marketing abuses – in ways that it is not at home,” said Maybarduk. “The TPP could limit governments’ ability to protect us against such threats.”

Through these provisions in the TPP, the United States appears to be moving to limit policy options for safeguarding privacy across borders, even while the European Union moves to expand them. The European Court of Justice recently struck down its “Safe Harbor” arrangement with the United States, saying the regime, which was based on companies self-certifying compliance with European privacy protections when moving personal data to the U.S., did not adequately protect European consumers. The European Union will seek more robust data protection in new negotiations with the United States.

The TPP could limit the ability of the United States and other countries to follow Europe’s path, or to protect privacy by conditioning the movement of data across borders on compliance with the host country’s privacy rules for personal information.

“The memory of misuse of data and National Security Agency surveillance is so fresh, and we should be careful about giving up control of our data,” said Kilic.

Country rules requiring the “localization” of either data or computing facilities (such as servers) have been used by some governments to support efforts at censorship. But local data protections also include privacy rules – for example, rules preventing cross-border trade in patients’ health information collected by private entities, which could easily be caught in the TPP’s broad sweep.

“Data flows often are beneficial,” Maybarduk said. “At the same time, rules mandating data flows should be narrowly tailored with exceptions that clearly and explicitly allow for the protection of privacy and individual liberties.”

The text also includes provisions on net neutrality and software source code.

“It is important not to give up on protection of privacy,” Kilic said. “The substantive obligations of the TPP E-Commerce chapter would impose more constraints on domestic policy space. The measures protecting individuals’ rights and liberties need to be broader and easier to use than ever before.”

Modeled after the North American Free Trade Agreement, the TPP is a pact among the U.S., Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore and Vietnam. The negotiating governments released the TPP text today, which still must be considered by Congress.

###