Measures agreed to in an international trade treaty between Pacific Rim countries threaten Internet users’ privacy and consumer rights, civil and digital rights organizations have warned today.
The full text of the Trans Pacific-Partnership (TPP) international trade agreement — some eight years in the negotiating — was published online earlier today (in a version marked “subject to legal review”), after agreement was reached between the 12 countries early last month, which include the U.S., Australia, Canada, Japan and New Zealand.
The text still needs to be ratified in the individual countries before the treaty becomes binding.
“The E-Commerce chapter has serious implications for online privacy,” said Peter Maybarduk, of non-profit consumer rights organization, Public Citizen, in a statement on TPP. “The text reveals that policies protecting personal data when it crosses borders could be subject to challenge as a violation of the TPP.”
Public Citizen says the agreement puts a requirement on countries to allow unregulated cross-border transfer of Internet users’ data and prohibits governments from requiring companies host data on local servers — with what it says is no express protection for privacy and data protection policies to be exempted from the rules.
Rather it says policies would be subject to review by TPP tribunals to determine if they meet what it dubs “highly subjective, restrictive standards”.
This means governments seeking to protect consumer privacy via conditioning international data transfers on compliance with data protection regulations could find their policies exposed to challenges by other governments under the TPP — as well as via extra-judicial tribunals agreed via the treaty’s controversial Investor State Dispute Settlement mechanism.
“In some cases, our data may be vulnerable in another country – to surveillance or marketing abuses — in ways that it is not at home,” continues Maybarduk. “The TPP could limit governments’ ability to protect us against such threats.”
TPP seeks to govern multiple aspects of trade and economic policy, with a stated goal of lowering barriers to trade and promoting economic activity. However, as with other such expansive international trade agreements — such as the still-being-negotiated TTIP, between the European Union and the U.S. — there has been plenty of controversy already, not least over the secrecy of the negotiations.
The scope of proposed measures in TPP has also caused major alarm, after portions of the agreement were leaked during negotiations. For example, the EFF has slammed TPP’s stance on copyright, such as the extension of copyright terms and prohibition on circumvention of DRM, writing in an analysis last month: “If you look for provisions in the TPP that actually afford new benefits to users, rather than to large, rights-holding corporations, you will look in vain.”
Responding to the publication of the full text today, the EFF is no less damning — saying, for example, that the copyright chapter contains “dangerous threats to the public’s rights to free expression, access to knowledge, and privacy online” (the full text of the IP chapter can be read here) — and describing the Investment chapter‘s definition of intellectual property as “an asset that can be subject to the investor-state dispute settlement process” as “shocking”.
“What this means is that companies could sue any of the TPP nations for introducing rules that they allege harm their right to exploit their copyright interests — such as new rights to use copyrighted works for some public interest purpose. A good example of this might be a country wishing to limit civil penalties for copyright infringement of orphan works, which are works whose authors are deceased or are nowhere to be found,” the EFF writes on the latter point.
The digital rights organization is also — like Public Citizen — critical of the treaty’s bid to restrict the use of data localization laws. “Although we generally agree that data localization is an ineffective approach to the protection of personal data, a trade agreement is the wrong place for a sweeping prohibition of such practices,” the EFF writes. “For particularly sensitive user data, regulating cross-border transfer of that data or its storage on vulnerable overseas servers may be a valid policy option.
“The E-Commerce chapter does not prohibit recourse to this option altogether, but imposes a strict test that such measures must not amount to ‘arbitrary or unjustifiable discrimination or a disguised restriction on trade’ — a test that would be applied by an investment court, not by a data protection authority or human rights tribunal,” it adds.
So the EFF is basically making the same critique as Public Citizen — that corporate interests are trumping privacy and human rights in TPP.
It’s also notable that measure to enforce international data flows are driving in the opposite direction vs the recent ruling by the European Court of Justice invalidating the fifteen year old Safe Harbor data-transfer agreement between the U.S. and the EU — on the grounds that Europeans’ data was not being adequately protected under a self-certification regime. (It remains to be seen what TTIP will have to say on data flows. Truly that will be a *gets popcorn* moment.)
The EFF says TPP takes the same “flawed approach” as the old EU-U.S. Safe Harbor — i.e. that it tries to “streamline” cross-border data-flows between regions with “comprehensive data protection laws” and those with “weak or voluntary arrangements” by encouraging the former to treat the latter “as in some way equivalent to their own”.
“Data flows often are beneficial. At the same time, rules mandating data flows should be narrowly tailored with exceptions that clearly and explicitly allow for the protection of privacy and individual liberties,” adds Public Citizen’s Maybarduk. “The memory of misuse of data and National Security Agency surveillance is so fresh, and we should be careful about giving up control of our data.”
Other criticisms of TPP by consumer and digital rights organizations include: weak provisions on net neutrality (and empty provisions on spam); inadequate definitions of personal information; weak protections for personal data — such as allowing companies to define their own “self-serving standards” (as the EFF puts it) when it comes to privacy; a lowering of consumer protection standards, given that ‘unfairness’ has been left out of the consumer protection section — leaving only ‘fraudulent’ and ‘deceptive’ conduct to be specifically proscribed; prohibitions on government requiring the disclosure of source code for mass market software or products containing the software, thereby limiting the ability of countries to take steps to, for example, bolster the cybersecurity of such products.
The EFF also attacks the Telecommunications chapter for subordinating the security and privacy of users to the commercial interests of business — noting that the former are “only allowed to be taken into account if it can be established that they are not ‘a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade in services’.”
“This is completely backward,” it adds. “There is no value in having telecommunications services if they do not protect the privacy and security of end users; in fact, such services can be positively harmful, causing serious human rights infringements of users. In any other context, human rights would trump commercial considerations — in fact, this would go entirely without saying — but in the topsy-turvy world of trade negotiations, it’s the other way around.”