Japan-UK Trade Deal Shows How Controversial Digital Policies Can Be Slipped Through With Little Scrutiny Or Resistance
from the welcome-to-the-data-washing-hub dept
Techdirt has been writing about trade agreements for many years. The reason is simple: as digital technology permeates ever more aspects of modern life, so international trade deals reflect this by including sections that have an important impact on the online world. A new trade agreement between Japan and the UK (pdf) is a good example. It is essentially a copy of the earlier trade deal between the EU and Japan (pdf) — because of Brexit, UK negotiators have not had the time or resources to draw up their own independent text, which typically requires years of drafting and negotiation. But significantly, the Japan-UK agreement adds several major sections purely about digital matters. All are terrible for the general public, as a briefing document from the UK-based Open Rights Group explains.
One issue concerns transfers of personal data between the UK and Japan. In the EU, this is governed by the well-known and relatively stringent GDPR. In fact, in order to achieve “adequacy” — essentially, legal permission to receive EU personal data — Japan has had to strengthen its data protection laws:
The EU required Japan to change its data protection regime, including supplementary rules on onwards transfers of EU data to other countries. The European Parliament has expressed further concerns and Japan is considering further changes.
However, the Japan-UK trade deal explicitly calls for personal data flows to be made easier, with a consequent watering-down of EU-level protections:
The UK deal includes measures which ban restrictions on the free flow of personal data, restrictions which could clash with the limits which European data protection laws place on international transfers. The EU could not adopt these measures in its treaty with Japan, and instead put in placeholder text committing both parties to review the situation in three years. The UK-Japan text heeds the wording of the USMCA [United States-Mexico-Canada Free Trade Agreement], with some extra clauses to exclude procurement and data kept on government orders.
The banning of restrictions on the free flow of personal data allows for public interest policies, following a standard formulation in trade agreements. This regime looks reasonable on paper, but in practice, it is very difficult to implement public interest policies which clash with trade liberalisation, as they are open to legal challenge, which rarely find in favour of restrictions.
Open Rights Group notes two important consequences of this decision not to follow the EU text here. First, it potentially allows personal data flowing to the UK from third countries to be passed to Japan and then on to other jurisdictions, for example the US, with almost no controls or restrictions. This would turn the UK into a “data washing hub” as the Open Rights Group puts it. In this respect, the UK-Japan deal contrasts with the EU-Japan deal, where:
The EU specifically excluded data flows from their trade agreement with Japan. Although Japan has an adequacy decision from the EU, it had to put specific arrangements in place for EU data to stay in Japan.
Given that risk, it is highly likely that the EU will refuse to grant adequacy to the UK, in order to prevent the personal data of EU citizens being sent via the UK to Japan or the US without adequate protections. The crucial role of personal data in modern business means a failure to gain adequacy will have a hugely negative impact on EU-UK trade. The other significant addition to the text in the digital sphere concerns “technical protection mechanisms” (TPMs) — DRM and similar technologies — and the criminalization of circumventing them. Open Rights Group points out:
Another concern for digital rights in the UK is the potential criminalisation of circumvention outside commercial endeavours, affecting ordinary people. Circumvention is not a niche activity. Millions of people used to make backup copies of DVDs and many today have to bypass technological protections in order to convert their protected ebooks to other formats. The provisions in the USMCA will require Mexico to beef up its anti- circumvention laws, including introducing criminal penalties for “commercial advantage or private gain”.
Finally, there is an interesting section dealing with cryptography. The Japan-UK deal introduces provisions to shield cryptography from a range of government requirements, such as sharing or disclosing keys. However:
What is different here is that the UK also introduces a specific exception for law enforcement to demand access to encrypted communications and for financial regulation. This is not surprising given that the UK is at the forefront of government demands to access data from encrypted messaging systems such as WhatsApp or Telegram. There are no public interest policy exceptions in this area, however limited, only demands from courts, regulators or police.
Of course, the UK is not alone in wanting access to encrypted communications: a recent Techdirt article noted that the EU is also looking to require what is euphemistically termed “lawful access” — that is, backdoors — to end-to-end encrypted communications, as is the US and elsewhere. What is significant here is that the exception is being introduced in the context of trade, with no expert input or public debate about the details, as are the other measures discussed above. The danger is that this will become a common practice, where governments try to slip through contentious digital policies as short sections of obscure but far-reaching trade deals.