Share

Last month I wrote about the threat that TTIP represented to data protection and privacy in the EU because of its likely insistence that data flow as freely as goods. We still don't know for sure how TTIP will be approaching this area, but today we had an important leak of a section from TISA - the Trade in Services Agreement - that forms part of a kind of trinity of trade agreements along with TTIP and the TransPacific Partnership agreement (TPP).

Last month I wrote about the threat that TTIP represented to data protection and privacy in the EU because of its likely insistence that data flow as freely as goods. We still don't know for sure how TTIP will be approaching this area, but today we had an important leak of a section from TISA - the Trade in Services Agreement - that forms part of a kind of trinity of trade agreements along with TTIP and the TransPacific Partnership agreement (TPP).

Although it is entitled "Trade in Services Agreement Proposal: New Provisions Applicable to All Services", one of the biggest impacts of the text proposed by the US will be in the area of data protection. I was already concerned about the effect that TISA would have here when I wrote about the previous leak, but the new document is much worse.

A detailed legal analysis is available, but here I'll concentrate on the two main problems that emerge.  Article X.2 bears the innocuous heading "Local Content", and seems to be only about forbidding countries from requiring a certain percentage of local content. Interestingly, that means that France's carve-out from TTIP for its French-language culture would no longer be possible if the EU signs up to TISA in this form. But the really worrying part is hidden away later in this section, and reads:

l. Subject to any conditions, limitations and qualifications set out in its Schedule, no Party may, in connection with the supply of a service by a service supplier, impose or enforce any requirement; enforce any commitment or undertaking; or, in connection with the supply of a service through commercial presence, condition the receipt or continued receipt of an advantage on compliance with any requirement:

(a) to purchase, use or accord a preference to: 

...

(iii) computing facilities located in its territory or computer processing or storage services supplied from within its territory;

That might seem to be a mere extension of the ban on local content, but it goes much further. What it would mean in practice is that the EU could not, for example, insist that Google, Facebook and the rest kept data relating to EU citizens in the EU. That's something that has been suggested as a way of solving the problem that once personal data leaves the EU, its laws no longer apply, and therefore it is not covered by Europe's stringent data protection laws. This allows Google, Facebook et al. to do pretty much what they like with it. That includes passing it to the NSA, either willingly or not-so-willingly through backdoors in their systems.

That's not the only place where the EU's data protection laws would be undermined by TISA. Here's Article X.4 from the leak:

No Party may prevent a service supplier of another Party from transferring, accessing, processing or storing information, including personal information, within or outside the Party's territory, where such activity is carried out in connection with the conduct of the service supplier's business.

That covers the situation where US companies with servers inside or outside the EU gather personal data in Europe, and then want to pull it back across the Atlantic. Currently, that's possible using the totally useless "Safe Harbour" agreement, which may be cancelled in the wake of NSA spying. If the European Commission signs up to TISA with the above clause, there would be no way it could stop US companies from taking information - including, specifically, "personal information" - overseas. At that point, the EU's data protection framework would be completely neutered.

But the damage doesn't end there. Article X.5 on "Open Networks, Network Access and Use" is as follows:

Each Party recognizes that consumers in its territory, subject to applicable laws, and regulations, should be able to:

(a) access and use services and applications of their choice available on the Internet, subject to reasonable network management;

The trouble is that "subject to reasonable network management" is not only undefined here, but it not well defined anywhere. That opens the door to any kind of network management that might be claimed as "reasonable" - including forms that destroy network neutrality.

On the European Commission's Questions and Answers page about TISA, we read:

Will TiSA undermine data protection laws?

No, it will not.

TiSA will contain the same safeguards for protecting privacy that currently exist in the General Agreement on Trade in Services (GATS), an international agreement signed by all members of the World Trade Organisation (WTO).

Nothing in TiSA would stop a country from applying its confidentiality or data protection laws.

...

As for the transfer of financial data, all existing EU and national laws on the protection of privacy will continue to apply. TiSA

In the light of the fact that we know the US is proposing a text that would make all those statements untrue, we need the European Commission to confirm that it will not accept an agreement that gives the US what it wants here. If it is not prepared to do that, we will have to assume the worst, and that the Commission intends to sell out on the issues of European data protection and net neutrality for the sake of obtaining an agreement.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+