I. May a WTO Member Prohibit the Transfer of Personal Data from its Territory? II. The WTO's Trade in Services Framework A. General and Specific Obligations B. General Exception for Data Privacy III. Will Online Data Privacy Protection Prove to be an Exceptional Exception Under GATS? A. Specific Commitments B. The "Necessity" Exception--Article XTV(c) IV. Conclusion
Personal data has been labeled the "currency" of the digital economy (1)--unsurprisingly, since many large and small companies rely heavily on the harvesting of Internet-based personal data. While "personal data" takes many forms, it is generally recognized to consist of information that could potentially identify an individual, regardless of whether the individual willingly sends the information to a provider of services (such as a bank or a social media site) or unknowingly supplies it to a third party collector (just by visiting a website). In a virtual market with capacities unknown to many regulators and which, by virtue of the Internet, transcends geographic boundaries, companies buy, sell, process, and store volumes of personal data that may help them identify consumer preferences, medical histories, and financial profiles. As countries rush to address the competing interests between the invaluable free-flow of information and consumers' "right to be forgotten" on the Internet, the data privacy issue sits on a collision course with international trade rules now more than it ever has in the past. (2)
If personal data is the currency of the digital economy, then "big data" is its jackpot. (3) The claims for big data--"mass repositories of data that can be collected across multiple platforms, in multiple jurisdictions, and in multiple
languages" (4)--are that it fosters transformative innovation, (5) stimulates economic growth, (6) enhances the development of new medicines, (7) drives productivity, efficiency, and growth, (8) and combats terrorism, (9) to name a few. Yet, the collection of big data brings concomitant and complex privacy concerns that span national borders and regulatory regimes.
Much has been written about the (in)adequacy of World Trade Organization (WTO) disciplines to address the burgeoning issues associated with Internet-based personal data trade. (10) Meanwhile, companies are racing to enter new markets and to provide cross-border data services because no one can afford to sit on the sidelines. (11) In addition, countries are moving full-speed ahead on new privacy regulations with or without the WTO's blessing, demanding their regulatory sovereignty regarding the protection of their citizens' data. (12) The European Union formally led the charge on January 25, 2012, by releasing the draft of a sweeping new general data protection regulation. (13) The United States quickly followed with the White House's framework for protecting privacy in the digital economy in February 2012, (14) and the Federal Trade Commission's privacy framework final report and recommended best practices in March 2012. (15) Additionally, the United States has begun drafting new consumer privacy legislation, which could address some of the concerns that the European Union, among others, have with the perceived lack of data privacy controls in the United States. (16) China and India are also critical players in the data privacy space. (17) Not only do both countries have draft guidelines or rules circulating to crack down on the use of personal data on the web, the countries will also soon have more people online than the United States and Europe have citizens. (18)
How can WTO Members regulate the collection, storage, and use of personal data without running afoul of their trade commitments? Put another way, do WTO disciplines provide any measurable limits on a Member's ability to regulate the use of data collected within one Member's borders by a company whose home base is in another Member? …