Privacy as an Obstacle – Data Privacy Laws under the GATS

Johannes Thierer*

(Artikel als PDF herunterladen)


The World Trade Organisation (WTO) is the guardian of free trade and aims to remove most of the obstacles for this. In the future the WTO will have to face a new hurdle, namely data privacy laws. This law can be considered a barrier to trade regarding the growing branch of gathering and processing of data. The article focuses on the question of how the WTO and especially the regime of the General Agreement on Trade in Services (GATS) can deal with this confrontation.


A. Introduction

Personal data has been labelled as the „currency“ of the digital economy. More and more companies and their concepts base themselves on the harvesting and trading of personal data. On the other side the awareness raised that – especially regarding the risks in the online world – the protection of an individual’s personal sphere should be guaranteed. As a consequence, more than 110 countries now have a data privacy law[ref]United Nations Conference on Trade and Development, Global Cyberlaw Tracker, 2016, status on June 2016.[/ref] and new rights like the “right to be forgotten” on the Internet were partly established.[ref]See e.g. Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC [2016] OJ L119/1, Art. 17.[/ref]

The WTO has to face this development. Data privacy law with high requirements can be an obstacle for free trade. The article tries to give an answer to the pressing question of whether there is room in the WTO for personal data privacy and protection. Although up until now there has been no decision of the dispute settlement system on data privacy, the article wants to present an outlook on how the GATS regime could deal with future disputes. To sum it up the crucial question is how (strict) data privacy laws infringe obligations under the GATS and whether and how these breaches can be justified.


B. The Idea of Data Protection

I. Definition

To set a scope for this Article, first of all it must try to define the terms “data privacy” and “data protection”. Although the terms “privacy” and “protection” may not be synonymous, they are closely related, and, therefore, will be used as representing one notion hereinafter.

So far, there is no generally-accepted definition of privacy. The different, cultural shaped roots of privacy make this difficult. The continental European idea of privacy stems from the thought of human dignity; whereas the Americans mainly grounds on the protection of individual autonomy from state interference.[ref]James Q Whitman, ‘The Two Western Cultures of Privacy: Dignity Versus Liberty’ (2004) 113 Yale LJ 1152.[/ref] The English definition is based on the proprietary right and the linked breach of confidence resulting from a lack of privacy.[ref]Anne SY Cheung, ‘Rethinking Public Privacy in the Internet Era: A Study of Virtual Persecution by the Internet Crowd’ (2009) 1 J Media L 191, 192.[/ref] Consequently, the notion of privacy was developed from different starting points.

In order to embrace all these different approaches a broad understanding of privacy shall be used from now on. Following Weber, across the board privacy means the “protection of an individual’s personal sphere”[ref]Rolf H Weber, ‘Regulatory Autonomy and Privacy Standards under the GATS’ (2012) 7 Asian J WTO & Int’l Health L & Pol’y 25, 30.[/ref]. Of course, this definition leads to the question, what is the personal sphere and what is personal data? There are different attempts to define this, from a very broad approach, which includes all the data[ref]Paul Ohm, ‘Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization’ (2010) 57 UCLA L Rev 1701.[/ref], to a narrower one saying that data is only personal if there is the risk of being re-identified by them[ref]Betsy Masiello and Alma Whitten, ‘Engineering Privacy in an Age of Information Abundance’ (2010) AAAI Spring Symp. Series 119, 122 < viewFile/1188/1497> accessed 07 January 2018.[/ref].[ref] See Omer Tene and Jules Polonetsky, ‘Privacy in the Age of Big Data: A Time for Big Decisions’ (2012) 64 Stan L Rev Online 63, 66.[/ref] However, these questions have not necessarily been answered for the objective of this article and, therefore, can remain unanswered.


II. Approaches to Regulate Data Flows

Especially regarding the international context of data protection, it is important to illustrate the different approaches of states to regulate transnational data flows.

1. Geographically-based Approach

One approach is the geographically-based approach. The majority of the countries which have a data privacy law follow this approach, for example the European Union, Russia or Argentina.[ref]Christopher Kuner, Transborder Data Flows and Data Privacy Law (Oxford University Press 2013) 64.[/ref] The idea of this concept is that data privacy is applicable where the data is gained. To export data, this approach requires that the country to which the data is transferred grants a level of protection which is comparable to the state where the data was obtained.[ref]ibid. [/ref] Therefore, this approach is closely related to the concept of an “adequate level of data protection”.[ref]Rolf H Weber, ‘Regulatory Autonomy and Privacy Standards under the GATS’ (n 5) 31.[/ref] This means that national data privacy law determines minimum standards of protection which countries have to meet if data is exported in their legislature. The disadvantage of this approach is that the examination of whether a country satisfies the requirements or not can become a political issue.

2. Organizationally-based Approach

Another approach is the organizationally-based approach. This approach holds the organization receiving the information accountable for its protection. The consequence is that the original collector of the data is still responsible by virtue of the privacy law where data was collected.[ref]Malcolm Crompton, Christine Cowper, and Christopher Jefferis, ‘The Australian Dodo Case: An Insight for Data Protection Regulation’ (2009) Bloomberg BNA Priv & Sec L R 180, 181.[/ref] The new legislature under which the data is now is irrelevant. Some international agreements on data protection like the APEC Privacy Framework and countries such as Canada are using this concept.[ref]Christopher Kuner (n 9) 71.[/ref] On a practical level the concerned organization must, for example, implement certain privacy policies. It is criticized that it is difficult to control the measures taken for protecting the data.

These two approaches overlap and thus are not mutually exclusive. As a consequence, many states try to combine both concepts to seek the best level of data protection.


C. The GATS Framework

I. An Overview on the GATS

Probable future disputes can fall under the regime of the GATS. To analyse this, first the article delivers a short overview on GATS. The starting point of the GATS is the four different modes of supply, in which every service has to fall.[ref]Article 1:2(a): cross border supply, Article 1:2(b): consumption abroad, Article 1:2(c): commercial presence, Article 1:2(d): presence of natural persons; see Diana Zacharias, ‘Article I GATS’ in Rüdiger Wolfrum, Peter-Tobias Stoll & Clemens Feinäugle (eds), 6 Max Planck Commentaries on World Trade Law, WTO – Trade in Services (Martinus Nijhof Publishers 2008) 31, 48-53.[/ref]

Furthermore, the GATS contains, like the GATT, some general obligations, in particular the Most Favoured-Nation (MFN) obligation (Article II of the GATS) and the transparency obligation (Article III of the GATS). For this article the MFN obligation is especially important, because it requires that a WTO Member has to extend a preferential trade treatment granted to a specific WTO Member to all other WTO Members.[ref]See Peter Van den Bossche and Werner Zdouc, The Law and Policy of the World Trade Organization (3rd edn, Cambridge University Press 2013) 335-45.[/ref]

Additionally, the GATS has also some so-called “specific commitments”. The market access (Article XVI of the GATS) is particularly mentionable. In contrast to the regime of the GATT, where the Members have to exclude certain areas from the application (“negative list”), the Members must take positive action to accept the commitment by a notification (“positive list”). [ref]Rolf H Weber, ‘Regulatory Autonomy and Privacy Standards under the GATS’ (n 5) 28.[/ref] New services are not automatically covered by the GATS.

There are two other provisions in the GATS which are worth alluding to. Firstly, the domestic regulation (Article VI of the GATS) which contains obligations concerning measures of domestic regulations. Secondly, the general exception (Article XIV of the GATS) which can be invoked by the Members in order to justify breaches of obligations. It should be mentioned that this Article finds its parallel in Article XX of the GATT.


II. Data – GATT or GATS?

Before the topic can be evaluated on how the GATS could treat cases on data privacy laws, the question arises whether such disputes, general data and the normally connected E-commerce fall in the scope of the GATT or the GATS. This topic is still the subject of heated, broad discussions. That is why this article only provides a small insight into this issue.[ref]See generally to theories about the separation between the GATT and the GATS: John P Gaffney, ‘The GATT and the GATS: Should They Be Mutually Exclusive Agreements?’, (1999) 12 LJIL 135, 151; Joost Pauwelyn, Conflict of Norms in Public International Law: How WTO Law Relates to Other Rules of International Law (Cambridge University Press 2003) 405.[/ref]

The core problem is that neither the GATT nor the GATS contain clear guidelines. Both Agreements state that measures affecting trade in goods or services[ref]Article I:3(b)(A) of the GATS.[/ref] fall in their scope and as an outcome there are overlapping cases or cases where no regime seems to be applicable. An example could be a sale of digital delivery or data without physical attributes, because only carrier media is embraced by the GATT and it is not a service under the GATS.[ref]cf Rolf H Weber, ‘Digital Trade in WTO-Law – Taking Stock and Looking Ahead’ (2010) 5 Asian J. WTO & Int’l Health L & Pol’y 1, 3.    [/ref] Regarding the described differences between the GATT and the GATS in the section above, this problem can lead to varying legal results.

It is difficult to draw a distinction between the GATT and the GATS from decisions of the Panels or the Appellate Body. In the Canada Periodicals[ref]AB Report, Canada – Certain Measures Concerning Periodicals WT/DS31/AB/R (30 Jul. 1997).[/ref] case from 1997 the Appellate Body held that any measure that indirectly affects goods falls in the scope of the GATT. In this case the Appellate Body has not even examined the possibility that the measure could also be in the regime of the GATS or that the provisions of the GATS oerrules the ones of the GATT.

In a following case the topic was raised again. In the EC Bananas III case the Panel and the Appellate Body held that the GATT and the GATS are not mutually exclusive in their scopes of application.[ref]Panel Report, European Communities – Regime for the Importation, Sale and Distribution of Bananas WT/DS27/R/GTM, WT/DS27/R/HND (22 May 1997), modified by AB Report, WT/DS27/AB/R (9 September 1997).[/ref] The Appellate Body reasoned this with the fact that otherwise it could be easy to circumvent both agreements “by the adoption of measures under one agreement with indirect effects on trade covered by the other without the possibility of any legal recourse”[ref]AB Report, EC − Bananas III (n 21) 220-221.[/ref].

In Canada Automotive Industry[ref]AB Report, Canada – Certain Measures Affecting the Automotive Industry WT/DS139/AB/R, WT/DS142/AB/R (19 Jun 2000) 151ff.[/ref] the Appellate Body departed from this view and stated a more restrictive two-tier test. The decision dictates that:

Two key legal issues must be examined to determine whether a msure is one ‚affecting trade in services‘: first, whether there is ‚trade in services‘ in the sense of art 1:2; and, second, whether the measure in issue ‚affects‘ such trade in services within the meaning of art 1:1.[ref]ibid 155.[/ref]

Hence, there has to be an actual trade or service and not only a potential trade or service according to Article 1:2.[ref]Vranes criticizes this decision, because it seems to ignore the implication of “affecting” in Article I:1 of the GATS and the chronological order of Article I:1 and I:2 of the GATS (Erich Vranes, ‘The overlap between GATT and GATS: A methodological mate’ (2009) 36 L Issues of Econ Int 215, 225).[/ref] To identify an activity as a good or a service the WTO member refer to the GATS Service Sectoral Classification List (W/120) and the UN Provisional Central Product Classification (CPC). Regarding W/120, data processing activities are categorised as being in the computer-related services[ref]This section is a subsection of “Business Services”. It is further divided into five sub-sub-sections, namely (i) consultancy services related to the installation of computer hardware (841), (ii) software implementation services (842, with further five subcategories), (iii) data processing services (843, with further four subcategories), (iv) database services (844), and (v) other services (845 and 849).[/ref], especially in “(iii) data processing services”. Sometimes a differentiation from telecommunication services and business process outscoring services is very difficult,[ref]See Rolf H Weber, ‘Digital Trade in WTO-Law’ (n 19) 11.[/ref] but for the result this separation is often irrelevant. Additionally, the service in question has to fall in one of the four modes of supply according to Article 1:2. In Mexico – Telecoms the panel held that cross-border services can involve services which begin on one nation’s telecommunication network and terminate on another’s.[ref]       Panel Report, Mexico − Measures Affecting Telecommunications Services WT/DS24/R (2 April 2004) 7.45 [/ref] Taking this decision into consideration data processing is certainly embraced by the cross-border supply mode of services. E-commerce can additionally fall into the consumption mode of supply.[ref]See Henry Gao, ‘Can WTO Law Keep up with Internet?’ (2014) 108 Am. Soc’y Int’l L. Proc. 350, 352.[/ref] Therefore, you can conclude that data and the processing of data fall under the GATS.


D. Infringement of Obligations under the GATS by Privacy Rules

By enacting a data privacy law, the state may violate two GATS obligations: the MFN principle in Article II and the market access obligations of Article XVI.

The following chapters are mainly dealing with the principle of “adequate level of data protection”, explained in chapter B.II. The obvious reason for this is that this principle has the biggest impact of data privacy laws on free data flow and so on free trade, because it requires from other legislature the satisfaction of certain inquiries.
The principle is connected to the geographically-based approach. It is difficult to foresee what the outcome of the organizationally-based approach is, in particular how the policies, which must be implemented by the entity, are designed. However, the result of both approaches is similar, because both are addressing certain requirements for exporting data.


I. Article II: The Most-Favoured Nation Obligation

The MFN obligation was created to prevent WTO members from granting special treatment to third countries. It should be recognized that the margin of application of the MFN obligation in Article II of the GATS is wider than the parallel Article I:1 of the GATT.[ref]GATT Art 1:1 applies only to “customs duties, methods of levying such duties, rules and formalities in connection with importation and exportation, and matters referred to in Art III:2 and III:4 GATT 1994”, while GATS Art 11 applies to “any measure covered by the agreement”.[/ref]

In Canada Automotive Industry the Appellate Body held that one must compare the treatment afforded by one member to services of another member with the treatment of like services of any other country in order to determine whether the provision in question is a breach of the GATS.[ref]AB Report, Canada − Automotive Industry (n 23) 171; cf Rüdiger Wolfrum, ‘Article II GATS’ in Rüdiger Wolfrum, Peter-Tobias Stoll & Clemens Feinäugle (n 14) 71, 82-84.[/ref] This can be the case if the first service supplier receives less favourable treatment than the other one.[ref]ibid.[/ref]

To clarify this test, the panel in EC Bananas III delivered the decision that “at least to the extent that entities provide these like services, they are like service suppliers”[ref]Panel Report, EC − Bananas III (n 21) 7.346.[/ref]. Additionally, in the same case the Appellate Body held that Article II of the GATS contains both the de jure and de facto discrimination.[ref]AB Report, EC − Bananas III (n 21) 231; cf Rüdiger Wolfrum, ‘Article II GATS’ in Rüdiger Wolfrum, Peter-Tobias Stoll & Clemens Feinäugle (n 14) 71, 88.[/ref]

Related to privacy law a challenge could be based on the reason that data services and service suppliers from one state have suffered from less favourable treatment than like data services and service suppliers from another state fulfilling the adequacy.

Furthermore in practice, states, which believe that they have the same level of protection, often conclude agreements to facilitate the data flow between each other. An example for this is the EU-US Privacy Shield agreement[ref]             The successor of the Safe Harbour agreement. [/ref]. Such agreements may also be a ground for challenges.

In both cases, the state, bringing the dispute to the panel, has to prove the likeness of domestic services and services suppliers with the ones receiving better treatment. This has to be examined in a case by case-analyse. Across the board you can say that in the online world the services are similar and comparable, for example search engines or internet service providers.[ref]Carla L Reyes, ‘WTO-Compliant Protection of Fundamental Rights: Lessons from the EU Privacy Directive’ (2011) 12 Melb J Int’l L 141, 155.[/ref]

After affirmation of the likeness it has to be analysed whether there is a de jure or de facto discrimination. Like written above, this is given if a “member receives more burdensome treatment than other countries in the same service sector”[ref]ibid 156.[/ref]. Regarding the adequacy or agreements like EU-US Privacy Shield, a disc­rimination seems to be possible.


II. Article XVI: Market Access

The market access under Article XVI is a specific commitment and therefore, as shown above in chapter C.I., the members have to access it for every sector separately in their schedule. In the field of data processing services this provision is an important one, because both the US and the EU, which have comparatively high levels of data protection, must grant market access in the data processing sector by virtue of their schedules.[ref]US Schedule, WTO Doc S/DCS/W/USA, 41-42; EU Schedule, WTO Doc GATS/SC/31, 32; [/ref]

Article XVI:2 embraces an exhaustive list of six types of market access restrictions which are prohibited if a member accesses to this specific commitment. In US Gambling the question was whether the restriction of a market access to effectively zero in­fringes Article XIV:2(a) and XVI:2(c). In this case, Antigua challenged that the US prohibited cross-border supply of gam­bling and betting services with the reasoning that this violates the US’ commitment. The Appellate Body finally agreed with Antigua and delivered the following rule:

A measure prohibiting the supply of certain services where specific commitments have been undertaken is a limitation (…) within the meaning of Article XVI:2(c) (…). [S]uch a ban results in a ‚zero quota‘ on one or more or all means of delivery included in mode.[ref]AB Report, United States − Measures Affecting the Cross-Border Supply of Gambling and Betting Services, WT/DS285/AB/R (7 Apr 2005) 252. This decision is not uncontroversial, see Rolf H Weber, ‘Regulatory Autonomy and Privacy Standards under the GATS’ (n 5) 34.[/ref]

The question related to data privacy is whether high privacy standards establish a quantitative limitation and, thus, are inconsistent with Article XVI:2 (a) and (c) of the GATS or whether such quotas constitute only a qualitative restriction. Reading the decision of US Gambling the conclusion stands to reason that very high privacy standards could also lead to a “zero quota” of data processing services, because for some countries it could be almost impossible to fulfil the criteria e.g. due to a lack of technological possibilities and infrastructure.

In the recent case China Audiovisual the Appellate Body had to deal with the question of technological neutrality.[ref]Panel Report, China − Measures Affecting Trading Rights and Distribution Services for Certain Publications and Audiovisual Entertainment Products, WT/DS/363 (12 Aug 2009); AB Report, China − Measures Affecting Trading Rights and Distribution Services for Certain Publications and Audiovisual Entertainment Products WT/DS363/AB/R (21 Dec 2009).[/ref] Weber deduces from this decision the conclusion that “privacy standards should also be designed in a technologically neutral way”[ref]Rolf H Weber, ‘Regulatory Autonomy and Privacy Standards under the GATS’ (n 5) 33.[/ref]. This means that technical requirements of privacy law shall not cause an insuperable obstacle for other states that would also lead to quantitative limitation.

To sum it up it can be assumed that a country with high privacy standards would jeopardize market access commitments.


E. Article VI: Domestic Regulation

The first provision, which could justify the mentioned violations of the GATS, is the domestic regulation of Article VI:4/5. After the US Gambling decision, the role of Article VI with regard to Article XVI was highly discussed. On ground of the complexity and the width of this issue, this Article only presents an overview.


I. The Dividing Line between Article VI and XVI

It is still an on-going discussion when Article VI, XVI or both are applicable. This question is of importance, because, for example, the application of Article VI could exclude the invoking of Article XVI and could justify a breach of the MFN under certain conditions, since a domestic regulation does not constitute unnecessary barriers to trade in services according Article VI:4.

The reason for this risk of overlapping is that both provisions are broadly defined and can, in particular, cover non-discriminatory measures. In literature, the opinion is widely spread that the dividing line is the following: Article XVI generally deals with quantitative limitation, while Article VI covers domestic regulatory measures having a qualitative nature.[ref]Markus Krajewski, ‘Article VI GATS’ in Rüdiger Wolfrum, Peter-Tobias Stoll & Clemens Feinäugle (n 14) 165, 195ff; Panagiotis Delimatsis, ‘Don’t Gamble with GATS: The Interaction between Articles VI, XVI, XVII and XVIII GATS in the Light of the US − Gambling Case’ (2006) 40 J World Trade 1059, 1069; Joost Pauwelyn, ‘Rienne Va Plus? Distinguishing domestic regulation from market access in GATT and GATS’ (2005) 4 World Trade Rev 131, 152 ff. Additionally, both parties in the US − Gambling case agreed with this distinction and accept that qualitative restrictions are not covered by Article XVI (Panel Report, United States − Measures Affecting the Cross-Border Supply of Gambling and Betting Services, WT/DS285/R (10 Nov 2004) 6.327).[/ref] This division can be clarified by using the criterion that the former covers maximum limitations, whereas the latter is a minimum requirement. This means that, for example, licensing, qualification or technical standards constitutes a minimum level to ensure the quality of the supplied service. In contrast, a total prohibition represents a maximum or quantitative restriction.

However, in US Gambling the panel decided – without being reassessed by the Appellate Body – that “Articles VI:4 and VI:5 on the one hand and XVI on the other hand, are mutually exclusive”[ref]Panel Report, US − Gambling (n 42) 6.305.[/ref]. The Panel found that where a full market access commitment has been made “a prohibition on one, several or all means of delivery (…) would be a limitation on market access”[ref]Panel Report, US − Gambling (n 42) 7.2.[/ref]. Therefore US law on gambling falls in the scope of Article XVI.
The Appellate Body agreed with the Panel on the result. However, the Appellate Body did not confirm the finding according the mutual exclusiveness and held that “[i]t is neither necessary nor appropriate for us to draw, in the abstract, the line between quantitative and qualitative measures, and we do not do so here”[ref]AB Report, US − Gambling (n 39) 250. [/ref]. The Appellate Body confirmed, to some extent, the opinions in the literature and noted that “the focus of Article XVI:2(a) is on limitations relating to numbers or, put differently, to quantitative limitations”[ref]AB Report, US − Gambling (n 39) 255.[/ref] However, it regarded Article XVI as isolated from Article VI.

This decision caused a lot of criticism, especially the mutual exclusiveness. The arguments are that there is no textual support for such mutual exclusiveness[ref]Joost Pauwelyn, ‘Rienne Va Plus? Distinguishing domestic regulation from market access in GATT and GATS’ (n 42) 156.[/ref] and the two Articles should be regarded as complementary and not mutually exclusive[ref]Panagiotis Delimatsis, ‘Don’t Gamble with GATS’ (n 42) 1070.[/ref].[ref]For different result, applying mutual exclusiveness or not, see Joost Pauwelyn, ‘Rienne Va Plus? Distinguishing domestic regulation from market access in GATT and GATS’ (n 42) 157.[/ref] Moreover, the decision, that the US provision is covered by Article XVI, is controversial in the literature.[ref]Agreeing: Panagiotis Delimatsis, ‘Don’t Gamble with GATS’ (n 42); Disagreeing: Joost Pauwelyn, ‘Rienne Va Plus? Distinguishing domestic regulation from market access in GATT and GATS’ (n 42); Federico Ortino F, ‘Treaty Interpretation and the WTO Appellate Body Report in US − Gambling: A Critique’ (2006) 9 JIEL 117.[/ref]


II. In the Context of Data Privacy

The question is how this case can be taken into consideration in the context of data privacy laws and whether data privacy law could be justified by alluding to the domestic regulation in Article VI:4/5.

First of all, the issue has to be examined whether data privacy laws theoretically falls in the scope of Article VI. The requirement for that is that the privacy provisions are measures of general application according to Article VI:1. Normally, privacy laws, following the principle of “adequate level of data protection”, is not limited to certain field of data in their scope of application. Although such laws are often related to personal data, this term is usually used very broadly provided that the concerned privacy law is an effective one.[ref]See Carla L Reyes (n 36) 158.[/ref]

Additionally, bearing in mind that Article VI is a specific commitment, the state in question must have accessed to this commitment in the data processing services sector, especially in Mode 1 and Mode 2.

However, the question is whether Article VI is actually applicable. Taking the findings of the Panel in US Gambling it can be concluded that Article VI is not applicable due to the mutual exclusiveness, because Article XVI is applicable, as shown in section III.B.

Even if you exercise the approach of the Appellate Body or the division in the literature, you will reach the same conclusion, since strict privacy law must be considered as zero quota and therefore as a quantitative limitation.

As an outcome, the relationship between Article VI and XVI is not completely clarified, but it does not seem imaginable that a strict data privacy law could be justified by referring to the domestic regulation.


F. Article XIV: Exception Clause

Consequently, it has shed light on the question of whether the violations mentioned above can be justified by referring to the exception clause in Article XIV of the GATS.

For this it is important to recall that in general there is a big similarity between Article XIV of the GATS and Article XX of the GATT. Therefore you can draw some conclusions regarding Article XIV of the GATS by deducing from analogies.[ref]See Panel Report, US − Gambling (n 42) 6.448; AB Report, US − Gambling (n 39) 291; M V Perez Asinar, ‘Is there any Room for Privacy and Data Protection within the WTO Rules?’ (2002) 9 Elec Comm’n L Rev 249, 257. [/ref]

The dispute settlement bodies follow a two-tiered test to examine whether a measure is covered by the exception clause.[ref]AB Report, US – Gambling (n 39) 292; Thomas Cottier, Panagiotis Delimatsis & Nicolas F. Diebold, ‘Article XIV GATS’ in Rüdiger Wolfrum, Peter-Tobias Stoll & Clemens Feinäugle (n 14) 287, 294-96.[/ref] The first one requires that the measure in question falls in the scope of one of the purposes described in Article XIV and it must be necessary to fulfil this. Two exceptions in Article XIV are possible, namely the public morals and public order exception in Article XIV(a) and the protection of the privacy of individuals in Article XIV(c)(ii). In the second tier the measure must satisfy the requirements of the chapeau.


I. Article XIV(c)(ii): Protection of the Privacy of Individuals

Article XIV(c)(ii) would probably be the starting point of an examination in order to invoke the exception clause. Regarding the wording, this Article embraces the “protection of the privacy of individuals” provided that these personal data are related to “processing and dissemination” and “the protection of confidentiality of individual records and accounts”. The term “processing and dissemination” sets some limits for the application of Article XIV(c)(ii), because not every data pool is used for processing. An example could be the registration requirement of data collections.[ref]Rolf H Weber, ‘Regulatory Autonomy and Privacy Standards under the GATS’ (n 5) 40.[/ref] Additionally, as discussed in section B.I., the extent of the private sphere of individuals is open for interpretation. For instance, when the data is disaggregated and it is impossible to trace it back to an individual.[ref]Diane A MacDonald and Christine M Streatfeild, ‘Personal Data Privacy and the WTO’ (2014) 36 Hous J Int’l L 625, 644.[/ref] However, only further decisions can establish clear guidelines to set the scope of Article XIV(c)(ii).


II. Article XIV(a): Public Morals and Public Order

If the case in question did not meet the wording of Article XIV(c)(ii) it could fall in the scope of Article XIV(a). This Article contains two terms which overlap to some extend[ref]Panel Report, US − Gambling (n 42) 6.468; see for a closer look Nicolas F Diebold ‘The Morals and Order Exceptions in the WTO Law: Balancing the Toothless Tiger and Undermining Mole’ (2008) 11 JIEL 43, 71-74.[/ref] and on which exceptions can be based.  The first term is “public morals”. In US Gambling the Appellate Body defined public morals as “standards of right and wrong conduct maintained by or on behalf of a community or nation”[ref]Panel Report, US − Gambling (n 42) 6.465.[/ref]. Although beside US Gambling there are two other cases in recent time dealing with public morals, namely China Audiovisual[ref]Panel Report, China − Audiovisual (n 40); AB Report, China − Audiocisual (n 40).[/ref] and EC Seal Products[ref]Panel Report, European Communities − Measures Prohibiting the Importation and Marketing of Seal Products, WT/DS400/R, WT/DS401/R (25 Nov 2013); AB Report, European Communities − Measures Prohibiting the Importation and Marketing of Seal Products, WT/DS400/AB/R, WT/DS401/AB/R (22 May 2014).[/ref], it is still a very unclear field.[ref]See generally public morals and the online world: Panagiotis Delimatsis ‘Protecting Public Morals in a Digital Age: Revisiting the WTO Ruling on US − Gambling and China − Publications and Audiovisual Products’ (2011) 14 JIEL 257.[/ref] It is impossible to forecast dispute settlement proceedings in which a party invoke public morals to protect data privacy.

However, the clause Article XIV(a) is different to the parallel one in Article XX of the GATT, because it also mentions, beside the public morals, the public order. The Panel decided in US Gambling that public order “refers to the preservation of fundamental interest of a society, as reflected in public policy and law”, mirrored in particular in “standards of law, security and morality”.[ref]Panel Report, US − Gambling (n 42) 6.467.[/ref] It held that the states have a leeway in order to define “public morals” and “public order”.[ref] Panel Report, US − Gambling (n 42) 6.461.[/ref] Therefore WTO Members could try to invoke the public order and present data protection as a fundamental interest. However, footnote five of the GATS clarifies that the public order exception can only be appealed “where a genuine and sufficiently serious threat is posed to one of the fundamental interests of society”.[ref]See Thomas Cottier, Panagiotis Delimatsis & Nicolas F. Diebold, ‘Article XIV GATS’ in Rüdiger Wolfrum, Peter-Tobias Stoll & Clemens Feinäugle (n 14) 287, 301ff.[/ref] Regarding this high requirement, it seems very doubtful that states are able to invoke the public order to justify their data privacy law.


III. Necessity Test

The necessity test is a “weighing and balancing”[ref]AB Report, US − Gambling (n 39) 305.[/ref] analysis stemming from the proportionality principle. In US Gambling the Appellate Body held that, regarding the “textual and conceptual similarities between the two provisions”[ref]Panel Report, US − Gambling (42) 6.448; AB Report, US − Gambling (n 39) 291.[/ref] of the GATT and GATS, the necessity test developed according the GATT can also be used for the GATS. The Appellate Body took in this decision that the necessity test elaborated in Korea Beef[ref]Korea − Measures Affecting Imports of Fresh, Chilled and Frozen Beef, WT/DSl61/AB/R, WT/DS169/AB/R (11 December 2000). [/ref] according to Article XX(d) of the GATT to interpret Article XIV(a) of the GATS, although Article XX(a) of the GATT is the parallel provision to Article XIV(a) of the GATS.[ref]It is notable that Article XX(a) of the GATT has never been invoked.[/ref] Thus, this decision supports the assumption that in a possible dispute the bodies would also apply the guidelines of US Gambling and Korea Beef for Article XIV(c)(ii).


1. Relative Importance of the Policy Objective

The first prong of this test is the relative importance of the policy objective.[ref]AB Report, US − Gambling (n 39) 206.[/ref] The Panel has to evaluate whether data protection is deep-seated in the concerned national legislature. For example, the EU considers data privacy as one of the fundamental rights.[ref]Article 8 of the Charter of Fundamental Rights of the European Union of the 26. October 2012, C 326/39.[/ref] Moreover, every Member state could support its claim for the exceptional clause by alluding to international agreements protecting data privacy e.g.  the Universal Declaration of Human Rights and Article 17 of the International Covenant on Civil and Political Rights,[ref]Both guarantee the freedom to transfer data “regardless of frontiers” as an expression of freedom of speech (Christopher Kuner (n 9) 32).[/ref] APEC-Framework[ref]APEC Privacy Framework (2005).[/ref], the OECD Privacy Guideline[ref]OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980).[/ref] or the Council of Europe Convention 108[ref]Convention for the Protection of Individuals with regard to Automatic Data Processing of Personal Data, 28 January 1981.[/ref]. Consequently, it is highly probable that data protection is seen as an objective with relative interest. Especially if you take into consideration that the necessity test is a flexible concept which tends to protect regulatory diversity.[ref]Thomas Cottier, Panagiotis Delimatsis & Nicolas F. Diebold, ‘Article XIV GATS’ in Rüdiger Wolfrum, Peter-Tobias Stoll & Clemens Feinäugle (n 14) 287, 316.[/ref]


2. Contribution to the Objective and Effect on Trade

After this examination the Appellate Body imposed two other requirements: “the contribution of the measure to the realisation of the ends pursued by it” and “the restrictive impact of the measure on international commerce”.[ref]AB Report, US − Gambling (n 39) 307.[/ref] Given the first prong, the notion of “adequate level of data protection” aspires to prohibit the uncontrolled data flow and the abuse of data. Therefore data privacy laws can contribute to achieve the political objective of protecting data. It is not necessary that the laws of this issue achieve the ends with absolute certainty.[ref]AB Report, Mexico − Taxes on Soft Drinks, WT/DS308/AB/R (6 March 2006) 74.[/ref] To the second inquiry, such adequacy requirements, independent on how they are formed in detail, obviously have a negative impact on international trade.


3. Alternative Measures

In US Gambling the Appellate Body then analysed whether there are alternative measures which are less infringing on the GATS.[ref]AB Report, US − Gambling (n 39) 308. See also AB Report, EC − Asbestos, WT/DS135/AB/R (12 March 2001) 174; Panel Report, EC − Asbestos, WT/DS135/R (18 September 2000) 8.207-8.216.[/ref] This examination must be done in a case by case-manner dealing with the data privacy law at issue in detail. Restriction can be an alternative to full prohibition, the standards for “adequacy” could be lower while achieving the objective of protection and, eventually, the states should be able to find agreements on an international level or at least a binational level[ref]The AB in US − Gambling (n 39, 317) did not consider consultations as an appropriate alternative. Different view for the GATT: AB Report, United States — Import Prohibition of Certain Shrimp and Shrimp Products WT/DS58/AB/R (12 October 1998) 150, 172.[/ref].[ref]Carla L Reyes (n 36) 172-73.[/ref]


IV. The Chapeau

The application of Article XIV of the GATS requires another inquiry, namely the Chapeau. The Panel in US Gambling noted that interpretations of Article XX of the GATT can be applied for Article XIV of the GATS, but in this case there was no need to interpret this.[ref]Panel Report, US − Gambling (n 42) 6.566.[/ref] In EC Seal the Appellate Body confirmed this view and ruled that measures are not allowed to be exercised “in a manner that constituted a means of arbitrary or unjustifiable discrimination”[ref]AB Report, EC − Seal Products (n 73) 5.338.[/ref]. Hence, one can take into account the settled test of the Chapeau:

First, arbitrary discrimination between countries where the same conditions prevail; second, unjustifiable discrimination between countries where the same conditions prevail; and third, a disguised restriction on international trade.[ref]AB Report, United States − Standards for Reformulated and Conventional Gasoline WT/DS2/AB/R (29 April 1996) 22; see also AB Report, US − Shrimps (n 78) 150.[/ref]

It is again highly difficult to predict an outcome on a future dispute. With regard to the Chapeau a dispute will depend on how the process, in order to be acknowledged as a country with adequate level, is executed. This could be the case when a member negotiates with some members on an agreement on data flow without engaging in negotiations with others.[ref]cf AB Report, US − Shrimps (n 78) 172; Thomas Cottier, Panagiotis Delimatsis & Nicolas F. Diebold, ‘Article XIV GATS’ in Rüdiger Wolfrum, Peter-Tobias Stoll & Clemens Feinäugle (n 14) 287, 323ff.[/ref]


G. Conclusion

Taking up the imposed question in the introduction whether the WTO provides room for data privacy the Article showed that WTO is well equipped to face future disputes between data privacy and trade. Notwithstanding reasonable, international calls for transnational data flow regulation,[ref]See eg the Madrid Resolution, ‘International Standards on the Protection of Personal Data and Privacy’ (2009) <;jsessionid=0F6FD41816FE634344E3005A1E3E90FE.1_cid329?__blob=publicationFile&v=3> accessed 07 January 2018.[/ref] in the field of trade and services the provisions of the WTO seems to be sufficient.

The article tried to forecast how the GATS could deal with a future case on privacy law. To sum this up: It seemed very likely that such a law considers a breach of Article II and Article XVI of the GATS. Against the background that strict data protection law should be regarded as zero quota Article VI is not applicable.

The infringement could be justified through Article XIV(c)(ii) of the GATS. Nevertheless future decisions have to clarify the term “privacy of individuals” and set the ambit of this exception. It seems to be preferable to grant a wide scope of the Article itself and not exclude some cases because of the wording. The reason for this is that on the one side it could be difficult to draw a line between personal and non-personal data, for example IP-addresses[ref]cf Joseph Cutler and Carla L Reyes, ‚Was That Your Computer Talking to Me? The EU and IP Addresses as „Personal Data”’ (2008) 13 Cyberspace Lawyer.[/ref]. On the other side the following necessity test and the Chapeau are more appropriate to give a leeway for discretion and argumentation. Additionally the necessity test and the Chapeau can be very well based on settled decisions.

In order to avoid that Article XIV(a) be established as a catch-all clause it should not be possible to invoke this Article. Another reason being because the lex specials principle requires that Article XIV(c)(ii) have primacy as an explicit exception for data privacy.

In the light of the tremendously increasing E-commerce and transnational data flow it is only a matter of time until the first case dealing with data privacy is brought to the Bodies. This could be even earlier than imagined, because the Trump administration is apparently thinking about accusing the EU data privacy regime before the WTO.[ref]oris Segalis, Mia Havel and Sonia Lee, ‘Will the Trump Administration Take US-EU Data Protection Disputes to the WTO?’ (2017) NY L J <> accessed 09. March 2017.[/ref] Therefore the dispute settlement bodies of the WTO must find answers to the questions imposed in this article.

*Der Autor studiert im 6. Fachsemester Rechtswissenschaft an der Albert-Ludwigs-Universität Freiburg. Der Artikel beruht auf einem Essay, der während eines Auslandsaufenthaltes an der Handelshögskolan Göteborg im Rahmen des Kurses „International Trade Regulation“ bei Dr. Trisha Rajput entstanden ist.