2016 Year in Review: Data Flows and Privacy

By Joshua Blume
Data Flows
2016 started with a bang. One article from PIIE just a few months before detailed the ticking clock of the Trans-Pacific Partnership. Passed the year before, the “Bipartisan Congressional Trade Priorities and Accountability Act of 2015” provided then-sitting President Obama, and his successor, the authority to move a trade bill through Congress much more efficiently than typically required by the bicameral rules. This was meant to create the perfect scenario for passing a new blueprint for American trade policies while also upgrading NAFTA, or as President Obama put it, “fix a lot of what was wrong with NAFTA in the first place.” While we all know how that ended, one specific update may continue: “standards to protect digital freedom.” Though still stalled, Trade in Services Agreement (TiSA) negotiations sought inclusion of data flows language that would reduce localization requirements, a politically sensitive issue for many countries in the EU. The EU has specifically been contemplating internal reforms on data flows and other digital issues through its Digital Single Market (DSM) initiative, which has been backed by industry groups and associations seeking to reduce costs and provide more streamlined services and products throughout the EU. However, politics in the EU, as highlighted by the stalled CETA and TTIP agreements as well as Brexit, call into question the capacity of the EU to reach agreement on highly sensitive topics, such as data localization, in the near future. Without EU consensus, a multilateral agreement on data transfers and localization is very unlikely.
While 2016 ended in many stalemates for data flows, the privacy landscape was dramatically reshaped. Reforms have been pushed in the wake of major data breaches, including the 500 million users affected by the Yahoo breach, 412 million users on AdultFriendFinder.com, 700,000 taxpayers' information hacked at the Internal Revenue Service, and 68 million compromised Dropbox accounts. Perhaps the largest reform is the EU’s General Data Protection Regulation, or GDPR (EU 2016/679), a massive document “designed to harmonize data privacy laws across Europe.” While not in force until May 25, 2018, the law rewrites the Data Protection Directive and codifies a new set of standards that will impact virtually any international business that houses or utilizes data garnered from individuals residing in the EU. While smaller in scale, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) called for breach notification requirements to be synthesized and come into force just a year after the law’s passage. With regard to transatlantic data transfers, the so-called “Umbrella agreement” was agreed to by the EU late last year, the EU-U.S. Privacy Shield agreement came into force earlier in August 2016, and the Judicial Redress Act became law in February; together they show increased European scrutiny of the treatment of personal information across the pond. Separately, the Cross Border Privacy Rules System continued to expand and was updated in November 2016, applying to all signing members of APEC.
The field of digital services and its impact on international trade is very much still a burgeoning field, and with the renouncement of the Trans-Pacific Partnership and the stalling of CETA, TTIP, and TiSA, there is an increasing likelihood that a new standard will first be created under the Regional Comprehensive Economic Partnership, with China at the helm. As always, however, nothing is written in stone, and as the international privacy protection frameworks show, finding agreement often requires great time, effort, and exhaustive agreements. One can only imagine what the web of laws and treaties will look like in one year, let alone another 21.