December 11, 2019 | Javier Ruiz

Leaked UK US trade talks risk future flow of data with the EU

We come to the end of the 2019 election campaign, which has seen some huge controversies. Jeremy Corbyn hit the headlines when he claimed that the Conservative government had agreed to “sell-off the NHS” in a post-Brexit free trade agreement (FTA) with the US. The source of this explosive claim was a trove of leaked documents that apparently had laid quiet for over a month in an online Reddit forum without garnering press attention. There are plausible accusations that Russian trolls may be behind the leak, but this should not deflect from the substance of the documents.

The leaked documents include the minutes of extensive discussions on Digital Trade, including discussions to create an unrestricted “free flow of data” between the two countries, which would put the UK on a collision course with the EU. We already knew that this was one of the negotiating objectives of the US side, but we now have confirmation that the UK is willing to go along with this agenda.  

These minutes are part of a series of bilateral discussions involving hundreds of civil servants from both countries that have taken place over the past two years, and provide some really important insights into the logic and priorities of trade negotiators. The scope is very broad, covering the full range of issues that could be included in the UK-US flagship FTA the government hopes to fast track after Brexit.  Headlines have been generated on many topics, including drug pricing, agriculture and product standards, and as trade and policy experts pour through the contents we can expect more.

The documents confirm that the core issues discussed under digital trade correspond more or less to the US public negotiating objectives that were released in February 2019: cloud services and the interconnectedness of businesses, cross-border data flows, provisions for preventing computer facility localisation requirements, and stronger protection for algorithms. These provisions are found in various free trade agreements, including the recently signed US-Mexico-Canada (USMCA), thoroughly discussed by UK and US officials as the state of the art in digital trade.

US digital trade policy aims to protect Silicon Valley

The minutes make clear that the US digital trade agenda is not just about allowing SMEs in poor countries to sell their wares to a global market, but primarily an active policy to protect large internet companies from regulation. 

US trade officials explain the reports that various digital trade provisions on data flows are designed to solve problems for cloud services. The US claims to have received complaints from cloud companies that “their decisions were made based on borders instead of market or efficiency and the US addressed the concerns in the digital trade chapter.” The US stated position in-caveat that they want to enable national regulators to do their job, but the language of the exceptions in the actual texts of the FTAs - e.g. Art 19.11 USCMA - makes it very hard to implement these in practice.

The notes discuss specific provisions for “interactive computer services” commonly known as platforms.” These measures include policy issues that go to the core of internet regulation, including the sometimes difficult balancing of the human right to freedom of expression and the protection of vulnerable internet users. For example, intermediary liabilities for platforms are currently being discussed extensively in the UK “online harms” white paper and in the coming review of the E-Commerce directive in the EU. These are important issues that go beyond trade, and policy makers should not be restrained by an FTA when making their assessment. 

Free flow of data with the US risks compatibility with the EU

The US and the UK aim to have a completely free flow of data between the two countries, and believe that this should not create problems for the UK to simultaneously keep similar arrangements with the EU in continuity of the GDPR regime. We are not convinced that this is possible, and renowned privacy scholars such as Graham Greenleaf and Kristina Irion have raised concerns about the compatibility of free trade agreements on data and GDPR.  

The leaked notes restate the official position that the UK is looking at a bespoke deal with the EU based on adequacy. However, the detailed notes show that divergence from GDPR is on the table. DCMS officials are quoted as saying that “There are countries that have adequacy decisions from the EU that have signed up to free flow provisions.” This is the first time that the UK has explicitly set this position out on paper, albeit internally to their US counterparts and not to its own citizens. US officials are reported as saying that “conclusions on discussions with EU are that there is no legal reason why you can’t commit to free flow and have adequate data protection – such as through GDPR.” Some countries such as Japan have an EU adequacy decision and are signatories to the free flow of data provisions in CPTPP, but it remains to be seen whether this situation does not create any conflicts in the future.

Despite the emollient tone about the UK maintaining GDPR-based compatibility with EU norms, US officials are simultaneously undermining the EU model, saying that “the US will want to engage with the UK on the best approach around its future international transfers model... and are proponents of APEC-CBPR model which is based around individual companies rather than whole legal systems. Adequacy is a flawed system that cannot become a global standard and is very difficult for developing countries in particular to adopt.”  US officials go on to explain that “the US has been working with Japan, who are seeking adequacy and operate the APEC-CBPR system. A mapping exercise took place mapping CBPR against the EU corporate rules system, and it was discovered that while there were differences, they were not as extensive as one would presume.” 

The US nudging the UK away from GDPR and EU rules is problematic for the future relation with Europe. 

The EU Adequacy decision on Japan explicitly mentions the APEC-CBPR as an example of rules that fail to “create a binding relationship between the Japanese data exporter and the third country's data importer of the data and that do not guarantee the required level of protection”.

Both the UK government and the European Commission need to explain urgently whether these two approaches are compatible and the impact of the US FTA as discussed on the future data flows between the UK and the EU.

Localisation of data and computer facilities 

The latest digital trade measures in FTAs include a ban on the forced localisation of computer facilities. This is a complex issue. On the one hand some technology companies complain that having to build a data centre in every country where they operate is not cost effective or even energy efficient, and there is an element of truth to this. Besides, forced data localisation has traditionally been associated with authoritarian regimes trying to control the communications of their own citizens. But this has changed in recent years. Since the Snowden revelations there has been a breakdown of trust on US-based services, with various countries around the world, including Brazil, openly developing policies for localised infrastructure and even alternative basic internet technologies. This last point is also addressed in some trade policies, which ban governments from forcing specific technologies or standards.

More recently, a new crop of Chinese digital giants - Huawei, Baidu, etc. - has started to challenge US dominance of cyberspace, leading to a new global race over technologies such as machine learning and 5G. There is a renewed interest in national innovation strategies and the use of data for national economic growth, with a prime example being  India. 

Using a different approach to data localisation the UK also uses personal data as a national economic asset. The care.data debacle was an attempt to use the health data of NHS users to attract investment and generate economic growth, and although that programme was stopped the underlying strategy has not been abandoned. 

Some civil society organisations have embraced this framework of data nationalism and localisation as a path towards global economic justice and potentially a more equitable and decentralised form of internet governance. This new “national liberation” of data is presented as a reaction to a new wave of colonialism, this time my digital behemoths. Rights groups instead tend to view with suspicion claims of national interests over personal data, and see data privacy as a fundamental right of individuals that needs to be protected against the intrusive practices of both companies and governments.

The leaked documents show that regulations may require data localisation in a variety of contexts. US officials stated in meetings with their UK counterparts that “decisions about localisations of computer facilities should be driven by costs and climate requirements involved, not by regulations. The scale of interconnection means that costs are driven down dramatically”. However, they also showed that US itself is bound by regulation and struggles with these issues, saying that  “the most problematic area within the data localization issue is health information and the HIPAA (Health Insurance Portability and Accountability Act, 1996), which dictates that cross-border data flows are allowed as long as certain standards are met.” 

A recent example of localisation is a proposed Spanish law that will force all public sector computing facilities to be located within the EU. This comes as a response to the use of online services by the organisers of the independence referendum in Catalonia.

A ban on the disclosure of source code and algorithms will hamper accountability and development

The documents confirm that the US wants to create new protections for algorithms, which generally fall outside of the current framework of intellectual property. Some free trade agreements already contain restrictions on the ability of countries to demand disclosure of software “source code”. The argument is that some countries will use forced transparency requirements for unfair competition, i.e. stealing other people’s work. The source code of software is the human readable text that engineers write to create computer programmes. Source code is covered by copyright and there is a well developed global system of protections. On occasions there is a need to force the disclosure of the source code of software for security or other accountability reasons. A ban on source code disclosure is problematic, even if accompanied by an exception for regulators and courts as it sets a higher burden of proof and opens the way for litigation. More broadly, technology transfer has been a common vehicle to advance economic developing in poorer countries, and a ban on software disclosure could put a stop on that for the digital age, locking poorer countries into a subservient position.

The current discussions between the UK and the US want go even further, “from purely proprietary source code issues to the proprietary algorithms that support software.” This is a very worrying development because algorithms as such are not always covered by intellectual protection in Europe. Algorithms are sets of rules to be applied to data, and despite their growing complexity are generally considered as ideas, and intellectual property does not protect ideas, which collectively belong to humanity at large, only specific developments of those ideas and for a certain period of time. 

In the field of patents, algorithms are considered mathematical methods and can only be patented as part of a wider technical solution, but once patented the algorithm is disclosed to the public. That is the essence of patents: disclosure in exchange for a temporary monopoly that supposedly benefits society by extending the state of the art in a particular technological field. Algorithms are not covered by copyright in the same way as source code. A specific embodiment of an algorithm into source code could be copyrighted, but not the basic set of rules by themselves. There are also certain protections for algorithms as trade secrets, and trade agreements also seek to strengthen these. Tech companies see their complex algorithms as something that increasingly deserves protection in their own right and the US is attempting to use free trade agreements to provide for this.  

Why is the UK doing this?

There are many other issues in the leaked minutes, some that could be relevant to a genuine e-commerce discussion, such as  e- signatures and authentication. Other issues covered are positive in principle but the actual content of the discussions is too shallow and could be seen as a step back. This is the case for example of consumer protection for online activities, which is stronger within the EU framework than in free trade agreements.  

Other issues are altogether so complex and subject to such huge legislative efforts in Brussels that it would seem foolish to try to lock the UK into any positions in a deal with the US. Telecoms and e-privacy regulation (spam, cookies, etc.) are prime example of these cases. The US is specifically asking for a “a lighter touch approach” in the regulation of “value added” online communications services like Skype, “and in particular not to treat them like public Telecoms providers, e.g. with requirements to make their services generally available”. This is one of the hot topics currently being debate at the EU level.

Generally, the documents show that the US has been driving the agenda, with the notes from the initial meetings in 2017 being mainly reports on the US position, with UK civil servants having little to add. However, the UK is not a passive actor. Officials are aggressively pursuing a strong trade liberalisation agenda, and throughout the reports we can see the evolution of their thinking from generic questions such as “could there be something more ambitious than TPP in the future?” towards more concrete positions. Interestingly, it appears that the UK had been at the front of the plurilateral digital trade efforts at the WTO earlier in 2017, before the US got on board, with Liam Fox lobbying the Director General of the organisation.

The UK has developed a framework for its digital trade priorities around various themes: supporting jobs and protecting citizens, etc. This is the first time that ORG has heard if this framework, despite having engagement meeting with officials  firm DCMS and the Department  for International Trade on many occasions. UK officials are quoted in the leaked minutes as elated for “the first chance for the UK to outline and discuss our digital trade priorities in any international forum. We were able to emphasise to US counterparts that we had chosen to share them with the US first.” A lack of domestic transparency in trade discussion is typically defended with the argument that  you don’t want to give away your objectives to your negotiating counterparts. It is unclear why the UK government feels safer discussing their trade priorities with the US than with its own citizens.

Despite the advances in the trade policies manifested in the leaked documents, what the UK position lacks is a clear statement of the specific interests defended in the pursuit of these measures. The US is very upfront on the need to protect US internet platforms from regulations restricting personal data flows or forcing them to disclose their algorithms. The UK is defending the service sector in generic terms, and foreign direct investment in digital, but the government has not explained how British businesses will benefit from the introduction of specific measures in a deal with the US. At face value it would appear that this part of the agreement would disproportionately benefit the US.

The documents also show that trade officials have a very clear understanding of the far-reaching implications of these measures, stating that “many companies across numerous sectors, including agriculture, retail and financial services, are using equipment increasingly reliant on cloud services and Artificial Intelligence.” The Digital Trade agenda will affect the whole of the economy.

We hope the new government - whether led by Labour or the Conservatives - will improve their transparency and engagement, with full disclosure and discussion of the trade priorities with civil society. We also expect the government to explain how the free flow of data negotiated with the US will not harm the existing flow of data with the EU.