Briefing: how the UK-Japan trade deal severs post-Brexit data adequacy
WHAT THE UK-JAPAN TRADE DEAL MEANS FOR DIGITAL RIGHTS
5 November 2020
Javier Ruiz
INTRODUCTION
The UK has just signed its first new free trade agreement independently from the EU, with Japan. As a rule, digital trade deals are a risk to digital rights because they can weaken consumer protections by providing binding enforceable commitments to deregulate the digital environment with limited public debate and democratic oversight. This deal is especially problematic. The agreement is mainly a straight copy of the EU- Japan deal the UK currently enjoys, but there are some small additions which are very relevant for digital rights.
These changes signal that the UK intends to diverge significantly from EU digital policy, shifting towards the Asia-Pacific regulatory model of lower data protection, while trying to maintain data flows with the EU. This have-your-cake-and-eat-it approach may not hold and the deal could be the final straw which breaks the EU adequacy decision to enable data flows with the UK.
In this briefing we analyse the deal, both in the context of other global trade agreements as well as its impact on domestic digital rights. We also place the deal in the global context of wider regulation to show how this treaty has severe implications for UK digital policy. As we will show, the deal is being used to make these sweeping changes to domestic policy and governance by stealth with limited public debate.
The deal is not groundbreaking in macroeconomic terms. Government cheerleaders and official Twitter accounts have sent out excited claims about the significant contribution that the deal will make to UK finances. Meanwhile, experts and fact-checking organisations have tempered expectations, noting that although undoubtedly it has political significance in the Brexit context, it is mainly a copy of the existing EU-Japan deal and most of the stated benefits would have come anyway. (Most ordinary people who know of the treaty do so thanks to government gaffes about the provenance of soya sauce in tweets around the popular “Bake Off Japan Special” TV show.)
Industry groups have described the new measures on digital trade in positive but dry tones, but there is limited public analysis of what they mean in practice. The Department of Trade mentions fintech firms Transferwise and Revolut as examples of companies which will benefit from the deal, but it is not clear how UK digital services, other than possibly games, will crack the Japanese market, with its huge linguistic and technological barriers. For example, the most popular social media in Japan is the Korean app Line, completely unknown in the UK.
Some observers have pointed that the government’s own impact assessment shows that Japan stands to gain a lot than than the UK in this deal: £2.6 billion vs £13 billion in about 15 years compared to the 2019 levels. Government officials have promised to update their model to better reflect the contributions of “digital, data, tech and services, all of which are areas of the Japan deal where we’ve gone well beyond the EU deal”. The modelling of the impact on digital in the assessment appears to be missing: “The reductions in non-tariff measures and regulatory restrictions to services reflect generalised assumptions of ambition and do not attempt to model any specific provisions.” (p. 41) This lack of social and economic evidence of the impact of such far- reaching proposals for digital regulation is quite shocking.
Japan and the UK are vigorous advocates of digital trade liberalisation. The digital trade and IP additions which the UK has introduced to the EU-Japan deal follow closely the priorities of the US, as expressed in high-profile trade deals where the US has been influential, chiefly the United States-Mexico-Canada Free Trade Agreement (USMCA) and the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP). To that end, the EU-Japan agreement already includes digital trade measures found in other trade deals, except for cross-border data flows, where the EU could not agree to the Japanese proposals, which were based on the CPTPP. Apparently, Japan also refused to agree to the EU model clauses on data flows, as it would have weakened its strategic interests in promoting the CPTPP model.
The UK deal includes these and goes further in some digital trade areas, fintech (mainly linked to digital trade) and intellectual property enforcement. Many of these digital regulation proposals, except those related to IP, also reflect the recent US-Japan Digital Trade agreement, which contains even fewer exceptions and limitations to protect the public interest and digital rights than the above. This treaty is like the USMCA and represents, together with the current UK-Japan deal, the most ambitious attempt to bring digital regulation into the realm of trade.
WHAT’S IN THE AGREEMENT
DATA FLOWS
The UK deal includes measures which ban restrictions on the free flow of personal data, an open door which could clash with the restrictions that European data protection laws place on international transfers. The EU could not adopt these measures in its treaty and, instead, put a placeholder text committing both parties to review the situation in three years. The UK-Japan text heels the wording of the USMCA, with some extra clauses to exclude procurement and data kept on government orders.
The ban allows for public policy objectives, following a standard formulation in trade agreements. These would cover government measures that are “necessary to achieve a legitimate public policy objective”, as long as these exceptions are not an “arbitrary or unjustifiable discrimination or a disguised restriction on trade” and are not “greater than are necessary to achieve the objective”. These are standard terms inherited from the World Trade Organization treaties.
This exception regime looks reasonable on paper, but unfortunately in practice it is very difficult to implement public interest policies that may clash with trade liberalisation. Until 2015, only one public policy exception out of 44 (asbestos in the EU) had successfully passed all the hurdles at the WTO.
There is widespread awareness among legal scholars such as Graham Greenleaf and Kristina Irion that the EU data protection framework, and the UK’s at present, could fall foul of these restrictions, being perceived as a discriminatory measure. The US Trade Department has regularly labelled the GDPR an unfair barrier to trade. So far no country has started legal proceedings against the EU on data protection because of its power and the potential ramifications. The UK being a smaller player may not be so lucky.
DATA LOCALISATION
Separately from data flows, the UK-Japan deal contains a ban on the forced localisation of computing facilities as a condition to carry out business in the country. The same exceptions and limitations to procurement, government data and data retention found in relation to data flows apply here. The article on localisation in the USMCA does not contain any such exceptions.
Forcing companies to locate their servers in a country can be problematic in some contexts where the privacy and confidentiality of the customers could be at risk. It could also mean more expensive computing costs. However, there are some situations when having access to data in the country is necessary, and introducing these clause sin a trade agreement will constrain the policy space. For example, it is unclear to what extent NHS sensitive data could be kept in the UK under this agreement, given the complex public- private partnerships in place.
DATA PROTECTION
The presence of clauses in the treaty that provide for the adoption by the parties of The presence of clauses in the treaty that provide for the adoption by the parties of data protection frameworks should minimise the privacy risks to consumers of unrestricted data flows. Unfortunately, this is not that simple. The text is almost a word-for-word copy of similar provisions in the CPTPP and commits the UK to seek interoperability between the different data protection regimes. It also states “for greater certainty” that valid data protection frameworks include “laws that provide for the enforcement of voluntary undertakings”. CPTPP signatories tailored this wording to cover self-regulatory regimes in place in the Asia-Pacific region, but these regimes would be incompatible with the stricter data protection regime currently in place in the UK and the EU.
This clause could create problems for the UK to get adequacy under GDPR from the European Union. The situation is complicated, and we discuss it in more detail below.
IMPACT ON THE RELATIONSHIP WITH THE EU
There is a risk that this new deal could help undermine the EU decision on adequacy for the UK, which is already under huge strain, but could also out a spotlight on Japan’s own adequacy decision.
The effect of the UK creating a lightly regulated digital market with Japan, with unrestricted data flows, needs to be analysed in the context that Japan has similar unrestricted flows with the US while considering the data flows with the EU.
The UK is now part of a US-led global effort to undermine the EU data protection framework by introducing the notion that all regimes vaguely based on international principles have equal validity to GDPR. Legal scholars and regulators have repeatedly found that this is not the case.
The Japan-EU deal is critical because Japan is one of few countries that have both an adequacy decision from the EU and a free trade agreement with the US enabling unrestricted data flows. This provides the UK with an example for its own digital trade future.
Leaked documents on the UK-US negotiations for a trade deal show that US officials are actively trying to undermine EU adequacy as “a flawed system that cannot become a global standard and is very difficult for developing countries in particular to adopt”. US trade official also said they were working with Japan on mapping GDPR to the Asia-Pacific privacy framework APEC-CBPR. Leaked documents show that these issues have been part of trade discussions between the UK and the US officials, with the latter quoted as saying that according to the EU “there is no legal reason why you can’t commit to free flow and have adequate data protection – such as through GDPR.”
The 2019 EU Adequacy decision on Japan was the first in the Pacific region since GDPR. While the EU was negotiating the economic partnership deal, digital rights group Edri opposed the inclusion of personal data in trade talks, because of the risk of “back- door onward transfers” to other countries with lower protections. The US-Japan deal makes this a pressing danger.
The EU’s Japan adequacy decision explicitly mentions the APEC-CBPR as an example of rules that “do not guarantee the required level of protection”. The EU required Japan to change its data protection regime, including supplementary rules on onwards transfers of EU data to other countries. The European Parliament has expressed further concerns and Japan is considering further changes.
We expect the UK to give Japan an adequacy decision under its new regime in the new year, but it is unclear if the restrictions on onward transfers for EU data will also apply to UK data. Given the desire of the UK to join the CPTPP, it seems unlikely that this will be a priority.
This complex interplay of nations, laws, and trade deals could provide the blueprint for a patchy mess of regulations which would allow data about both UK and EU citizens to enter the UK, and then be sent onwards to Japan, and then to the US, with limited safeguards and oversight. This would establish the UK as a hub for “data washing” – the digital equivalent of money laundering – which is a form of innovation no government should wish to encourage.
THE PACIFIC PIVOT AND THE NATIONAL DATA STRATEGY
Most critical commentators have stressed the continuity and similarities with the EU- Japan deal, and dismissed the new additions on e-commerce – digital trade – as inconsequential while completely ignoring the IP provisions. This may be true from the point of view of short-term GDP, but these minor changes signal a seismic shift in digital policy for the UK.
The trade minister Liz Truss has stressed that this deal opens the way for the UK to join the CPTPP with Japan’s support. This realignment away from the EU and towards the Asia-Pacific region has huge consequences for digital policy, as discussed above.
The Chinese news agency Xinhua have pointed at the implications of the FTA for the “future cooperation in digital trade, e-commerce and other fields between Japan, the United States and European countries”. Few UK trade commentators seem to grasp this significance. One exception is the Japan expert at the Sussex University UK Trade Observatory, Dr Minako Morita-Jaeger, who has expressed that “the UK needs substantial policy-discussion on its post-Brexit digital trade policy and digital rule-making using FTAs. The National Data Strategy launched in September 2020 appears to be consistent with the Asia-Pacific approach to data governance.”
This raises concerns that the National Data Strategy, which government is presenting as a wholly benign domestic initiative, is in fact political legerdemain to shift the UK’s standards of data protection to the self-regulatory Asia-Pacific model, using the UK-Japan trade deals as a means to facilitate that shift without public consultation or adequate Parliamentary scrutiny.
ALGORITHMS AND SOURCE CODE
Both the UK and the EU deals with Japan contain provisions that ban the transfer or access to source code as a condition for trade in any form. In principle, this excludes voluntary transfers or government procurement, but still could be an issue in situations where the inspection of software is required to provide for transparency and accountability of algorithmic systems. Every day brings a fresh scandal of a technical systems gone rogue, from welfare decisions and job adverts to racist bias in predictive policing.
There is a growing demand for technical systems to become accountable, including from Parliament. There are genuine debates on how to best achieve algorithmic transparency, but it will always require more and no less technical scrutiny. Commercial considerations already hamper these efforts and restrictions on access to source code will make this worse.
The UK deal goes further than the EU in also extending these restrictions to the “algorithm expressed in that source code”, which is even more problematic, in a measure lifted straight from the USMCA. Algorithms here are defined as “a defined sequence of steps, taken to solve a problem or get a result”, and a ban on disclosing these would shield the very logic of the software from scrutiny.
The text includes some exceptions for courts and regulators that are more elaborate than in the EU-Japan deal and USMCA.
IP ENFORCEMENT
The treaty also departs from the EU-Japan agreement in the enforcement of Intellectual Property (IP) infractions. The text contains articles tacking the circumvention of technical protection measures (TPM) and rights management information (RMI). We find TPM everywhere, from the encryption of Netflix and Spotify streams to the anti-copy mechanisms on DVD disks. RMI includes the watermarking of videos and photographs.
Industries using TPM insist that their principal aim is to stop abuse of their product, but the effect is to shape markets. This is the case for example in the Kindle ebooks from Amazon, which are incompatible with other systems thanks to TPM. These technologies are also used to restrict lawful behaviour by consumers, such as copying and pasting text or consuming media under certain conditions.
The requirement for legal remedies against the circumvention of technological measures is found in the World Copyright Treaty and has filtered down to the legislation of the EU and the UK. However, the laws in Europe also require government to ensure the exercise of public interest exceptions, including allowing the limited circumvention of TPM under certain circumstances. In the case of software, there are some additional exceptions for reverse engineering to enable interoperability, study or error correction. These limitations to anti-circumvention do not work very well in practice, but exist in the law. The US also protects TPM in the Digital Millennium Copyright Act (DMCA).
The clauses in the UK-Japan agreement are similar to those found in the USMCA. (Similar clauses are also in the CPTPP but were put on hold when the US pulled out and are not currently in force.) The UK-Japan text appears less restrictive and more analysis should be provided by the Intellectual Property Office on any immediate impacts that the treaty may have on the UK regime. One immediate concern for digital rights is to ensure these new anti- circumvention commitments do not hamper the nascent movement for the “right to repair” digital technology.
When Canada agreed the USMCA it also had legislation in place to protect TPMs, like the UK. The practical impacts are not yet clear, but Canadian farmers are concerned that the provisions against circumvention of TPMs in the USMCA will stop them from repairing their tractors, as these have protected software.
Another concern for digital rights in the UK is the potential criminalisation of circumvention outside commercial endeavours, affecting ordinary people. Circumvention is not a niche activity. Millions of people used to make backup copies of DVDs and many today have to bypass technological protections in order to convert their protected ebooks to other formats. The provisions in the USMCA will require Mexico to beef up its anti- circumvention laws, including introducing criminal penalties for “commercial advantage or private gain”. We need the government to explain whether the Japan trade deal will have similar effects here.
The IP section of the treaty also includes a commitment to the criminalisation of piracy on a “commercial scale”. Again this is US trade policy copied from the USMCA. The clauses on criminal penalties may mirror many existing provisions in UK law, but would artificially fix IP policy for the foreseeable future with no public debate.
The treaty specifically criminalises the recording of movies in cinemas, aping the USMCA. This is already illegal in the UK, with most offenders convicted under both fraud charges and copyright. It is unclear what is the point of including this paragraph beyond helping spread US trade and IP policy around the world.
The deal also contains detailed measures for parity in the enforcement of IP in the digital environment. The USMCA also contains commitments in this sense, including limiting the liability of online service providers, but the UK-Japan deal brings in new language. The UK has already reformed its legislation to introduce the so-called online parity and bring higher jail sentences for online piracy.
Some text seems designed to engage on the issues brought by the EU Copyright Directive, which forced some online platforms to check user uploads for copyrighted materials and to explore mechanisms to share revenues with rights holders. The UK has already confirmed that it will not transpose that directive as it came into force after Brexit.
The treaty brings a weak commitment – shall endeavour – to “promote cooperative efforts within the business community to address trademark and copyright or related rights infringement effectively while preserving legitimate competition and, consistent with that Party’s law, preserving fundamental principles such as freedom of expression, fair process and privacy.” (Art 14.59).
OTHER DIGITAL ISSUES
The UK-Japan treaty contains provisions that ban custom duties on electronic transactions, which as similar to those in the EU-Japan deal, but include a caveat to allow for taxes and other charges. The new text is copied verbatim from the USMCA and CPTPP.
The text also includes measures similar to the EU-Japan deal on open government data, consumer protection, electronic signatures, and spam. Net neutrality is in the UK but not in the EU deal. Overall, these add little value to the existing UK regulatory framework inherited from the EU. European consumer groups have been quite critical of the treatment of consumers in digital trade agreements.
Some agreements such as the USMCA exclude government procurement from digital trade, wholesale, but in the UK-Japan digital trade section, some aspects appear to be covered, and some excluded, like data flows and algorithms. This requires more careful analysis.
WHAT IS MISSING
LIABILITY PROTECTIONS FOR INTERNET COMPANIES
Intermediary liability is a complex issue which should not be part of a trade deal. The the UK-Japan deal does not contain clauses to protect internet and cloud providers form liability and regulation. The USMCA and the latest US-Japan digital trade deal contain provisions on “interactive computer services” which would protect US companies from foreign regulation, including the UK online harms initiatives, except for intellectual property violations.
WHAT IS UNIQUE
CRYPTOGRAPHY
The UK-Japan deal introduces first-ever provisions to shield cryptography from a very broad range of government requirements – including to share and disclose keys or underlying technology or production processes but also to be forced to use specific technology.
The creation of these protections for cryptography, similar to those for source code, express the belief that crypto is now a core asset of businesses. There are some exceptions for regulatory intervention, similar in form to those for source code. What is different here is that the UK also introduces a specific exception for law enforcement to demand access
to encrypted communications and for financial regulation. This is not surprising given that the UK is at the forefront of government demands to access data from encrypted messaging systems such as WhatsApp or Telegram. There are no public interest policy exceptions in this area, however limited, only demands from courts, regulators or police.
In trade circles there has been disquiet for some time over special requirements from counties such as Vietnam in order to allow the import of crypto technologies. Japan had already complained at the WTO about mandatory requirements on encryption technologies. These concerns may be legitimate, but it is not clear that the proposed solution will work or won’t have collateral effects. This is policy-making on the hoof with zero public debate in the UK. The implications of bringing cryptography into these trade deals have not been explored properly, including how it may interact with other regulations on export controls or cybercrime.
The IP of cryptography is not straightforward, as patents on public key cryptography have given way to open technology, after holding back developments for decades. Trade secrets will protect any algorithms that are not public, so it is unclear why this new provision is required. Particularly, given the caveat for law enforcement.
Cryptography is also part of TPMs, and sometimes the Secretary of State can force companies to remove these to enable legitimate exceptions, but this may not be possible with this treaty’s exceptions that do not cover ministers.
Even more problematically, the clauses ban forced joint ventures, which are lawful under international trade rules and are a core element of legitimate technology transfer required for less developed countries to raise their standards of living. For decades the Japanese government limited the equity share of foreign investors and required joint venture companies.
WHAT COMES NEXT
The treaty is now with Parliament for 21 days before ratification, open to debate and public consultation. This is a chance for the government to explain where it sees the UK going and for citizens and MPs to ask for evidence-based digital trade policy and hold ministers and their special advisers to account.