The CPTPP: trading away your privacy rights

The Government have recently announced the UK accession to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). This trade agreement will contribute to a whopping 0.08% of the national gross domestic product over a period of ten years, but under a seemingly inconsequential move lies a very tangible risk: the agreement includes clauses that could force the UK to remove protections to personal data when transferred to foreign jurisdictions—mostly countries of the Asia-Pacific region.

Before this, the UK joined the Cross-Border Privacy Rules (CBPR) Forum, an international data transfer regime based on the weak Asia-Pacific privacy framework. Meanwhile proposals in the Data Protection and Digital Information Bill are outspokenly meant to position the UK as the data-laundering hub of Europe.

In other words, the Government are setting the stage to make your personal data their bargaining chip during trade negotiations.

The CPTPP

Chapter 14 of the CPTPP imposes a prohibition on its members demanding that a business entity operating within its territory uses or locates computing facilities within its borders as a prerequisite for conducting business. Likewise, it imposes a duty on contracting states to allow the cross-border transfer of information, including personal data by electronic means. Restrictions against these clauses are allowed only if they pursue a legitimate public policy objective, provided that the latter meets a severe four-step test.

These provisions strike at the heart of the existing UK international data transfer regime, which imposes restrictions on personal data transfers to countries that do not provide enforceable rights and effective remedies in case of abuses. While these restrictions could be valid in principle, historical records suggest that this has rarely been the case in practice. In other words, if the UK were to attempt to retain restrictions to international data transfers to safeguard privacy, these would likely not stand a challenge in Court.

Free data flow provisions in trade agreements are a risky and ultimately dirty business: they would allow “Big Tech” companies to claim the UK are breaking their international obligations and thus challenge legislative safeguards that prevent them from laundering or selling your data illegally.

The DPDI Bill

The DPDI Bill will provide ample discretion to the Government to authorise international data transfers, such as by removing the requirement to have enforceable rights and effective remedies available to individuals whose personal data are being transferred. At the same time, the Government would be given discretion to authorise transfers when “desirable”, as well as to delegate these decisions or their annulment to a designated third entity — for instance, the state-investors dispute settlement body established by the CPTPP, or Accountability Agents under the CBPR framework.

In other words, the UK currently enjoys the free flow of personal data to and from the European Union (EU) thanks to the UK adequacy decision, a framework which the UK Government means to exploit. This would allow companies to circumvent EU restrictions that apply to personal data transfers to countries that don’t have adequacy status with the EU. At the same time, the UK has joined the infamous CBPR Forum, a US-backed initiative that wants to challenge the EU data protection framework and start a global race to the bottom.

The EU is, unsurprisingly, not very pleased, and politicians and civil society are already asking the withdrawal of the adequacy decision— a move that would inflict a fatal hit on the UK digital economy. But our valiant Government are, of course, of the opinion that the EU would be happy to be circumvented, a strategy that has notoriously proven successful during Brexit negotiations.

Connecting the dots

Existing UK data protection laws may not meet the requirements set forth by the CPTPP, a more than hypothetical occurrence as we’ve seen how the Government are reforming UK data protection rules to potentially fit into these lower standards. However, as the EU have demonstrated, imposing high standards of data protection did not prevent the EU from establishing the biggest free trade area in the world, but the UK Government would have you believe that your rights are worth sacrificing in order to give them an edge in trade agreements that are worthless at best, and damaging at worst.

The Government are, once again, trying to turn the UK into a digital safe haven for privateers and crooks, at our expense. Open Rights Group will oppose them: join us, or keep up with the updates.

Digital Privacy

Stop Data Discrimination

The government wants to make it easier for companies and authorities to use your data against you.

Find Out More