1. Introduction
Many service providers require access to personal data to function, whether in banking, tourism, online or offline education, transportation, and, particularly, companies operating in data processing, other computer services, and telecommunications.Footnote 1 Domestic data protection legislation has progressively been extended to cross-border transfers of data, impacting firms and consumers located in other jurisdictions. Service suppliers operating in several different countries must comply with the applicable domestic law in each state. In the field of personal data protection, service providers are subject to different domestic rules that apply to cross-border data transfers. This considerably expands the complexity of their operations. International regulatory cooperation is a means to address the associated compliance challenges confronting firms.
While data flows are addressed in ‘traditional’ free trade agreements (FTAs) and increasingly in new-age digital economy agreements (DEAs), these agreements do not achieve harmonization of personal data protection rules, remain highly fragmented, and fail to address the global scale of this complexity.Footnote 2 Nor does the recently adopted WTO joint statement initiative (JSI) on E-Commerce provide answers in this regard. How can a balance be found between the proliferation of agreements, the ‘actual’ regulation of personal data protection rules, and existing international commitments under the GATS? This issue is particularly relevant in light of another form of regulatory cooperation that has been growing in recent years: ‘data adequacy’ frameworks that recognize personal data protection regulations of different countries.Footnote 3 This type of cooperation has been subject to little systematic analysis that can inform efforts by WTO members to facilitate data flows and trade in services. In principle, GATS Article VII (Art. VII) (Recognition) may provide scope for regulatory cooperation on cross-border personal data flows through adequacy, allowing WTO members to set the standards they consider necessary for the protection of personal data and improve compatibility at the same time.
Article 45 (Art. 45) of the European Union's (EU) General Data Protection Regulation (GDPR) on adequacy decisions articulates a comprehensive and long-standing (dating back to 1995) framework for establishing the compatibility of personal data protection regimes. To date, it has been used as the basis for regulating cross-border data transfers between 30 EU/EEA countries and 15 other countries. In this paper, I investigate the consistency of data adequacy frameworks with WTO law using the EU as a case study, undertaking a comprehensive analysis of the specific requirements of GATS Art. VII and their applicability to domestic personal data protection frameworks. These frameworks are established by assessing whether foreign regulatory frameworks ensure an equivalent level of protection and are, in EU parlance, deemed ‘adequate'. I argue that GATS Art. VII covers adequacy frameworks adopted by WTO members. However, to date, neither the EU nor other WTO members have notified the WTO regarding any of their adequacy decisions. The consistency of adequacy decisions with applicable WTO provisions therefore remains an open question.
The literature on potential GATS inconsistencies in relation to the EU adequacy decisions,Footnote 4 coupled with the growing adoption of various other adequacy frameworks globally, necessitates a more focused and thorough assessment of GATS Art. VII as a means for enhancing international cooperation, addressing the need for transparency of domestic regulations for business, and safeguarding WTO members’ right to protect non-economic values. The absence of notifications of data adequacy frameworks to the WTO, the lack of disputes and more generally limited discussions within the WTO of such frameworks have led them to be largely overlooked as an instrument to facilitate global services trade. As a result, these frameworks pertaining to personal data protection and cross-border data flows are being negotiated without oversight by WTO members, with an associated risk of eroding the core non-discrimination principles of the multilateral trading system and reducing the prospects for building on these developments through the pursuit of plurilateral agreements among WTO members.
The WTO law literature on multilateral disciplines and assessment of the compatibility of adequacy frameworks with GATS Art. VII is very limited. In an early contribution, Shaffer argued that the EU–US data transfer framework (Safe Harbor) is a mutual recognition agreement in the context of WTO law but did not undertake a legal analysis of the requirements of GATS Art. VII that would pertain to the Safe Harbor framework.Footnote 5 Mitchell and Mishra point out that GATS Art. VII has never been used to ensure compatibility of the bilateral data privacy protection frameworks of WTO members.Footnote 6 This paper answers their call for greater use of this possibility as a means to support cross-border data flows through the unaddressed discussion of the legal consistency of the EU adequacy regime with Art. VII. While Mishra analyzes the GDPR in light of GATS Art. VII, she only considers Art. VII applicable to the EU–US adequacy decision because that is the only one relying on certificationFootnote 7 to determine conformity with the framework.Footnote 8 The premise of this paper is that all adequacy decisions adopted by the EU – 15 at the time of writing (see section 2) – are based on authorization, including the decisions with the US, and that consequently all these decisions constitute recognition pursuant to GATS Art. VII.
This paper is the first to comprehensively analyze the EU adequacy decisions framework in the context of GATS Art. VII. It contributes to the literature on three levels: (1) clarifying the doctrinal interpretation of the WTO legal texts to explore its pertinence for pursuing regulatory convergence; (2) unveiling some practices linked to the EU adequacy process that has not been addressed by scholars in the GATS context; and (3) developing practical recommendations for greater transparency and predictability for business while safeguarding WTO members’ regulatory autonomy to preserve their non-economic values. Given the non-notification of adequacy frameworks of WTO members, combined with a lack of case law, as well as the restricted information publicly available, I supplement the doctrinal analysis with interviews as a complementary source of the legal research. The findings of semi-structured interviews with the Commission and national supervisory authorities in the EU support the understanding of the specific procedures and criteria used in its adequacy determinations.Footnote 9
The paper is organized as follows. Section 2 introduces the framework of EU adequacy decisions and their place and role within the scope of EU's data transfer ‘tools’ under Chapter V of the GDPR. The European Commission (Commission) treats these ‘tools’ as a set of alternative frameworks for adequacy decisions with third countries, which play a vital role in determining the applicability of GATS Art. VII to adequacy decisions. Section 3 examines whether the definition of recognition in GATS Art. VII:1 applies to cross-border data transfer cooperation frameworks by examining the impact of EU adequacy decisions on service suppliers, whether EU determinations of ‘essential equivalence’ imply recognition, and how the unilateral vs. reciprocal nature of adequacy decisions is perceived in the context of GATS Art. VII. Section 4 analyzes EU adequacy decisions in light of the non-discrimination obligations of GATS Articles VII and II:1. The non-discrimination obligation in GATS Art. VII is key to understanding the solutions it offers for GATS consistency and for pursuing the implementation of standards and regulatory cooperation. Section 5 concludes.
2. Rationale for Examining the EU's State-to-State Approach to Validating Personal Data Protection Frameworks in the WTO Context
This section examines EU adequacy decisions given that their sophistication and global outreach arguably makes them the appropriate yardstick to understand the relevance of the WTO GATS Art. VII in the current regulatory fragmentation context.
2.1 What Are EU Adequacy Decisions?
The GDPRFootnote 10 ‘lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data’Footnote 11 within the EU. It additionally requires personal data covered by the GDPR to be protected outside of the EU.Footnote 12 Any personal data of individuals in the EU that exist within the EU and move outside of its territory fall within the scope of the GDPR as it applies to the processing of personal data irrespective of whether done within the EU or not.Footnote 13 The GDPR applies to anyone having access to that data. It also covers cases where goods or services are offered to data subjects within the EU, or where their behavior is monitored by parties located outside the EU.Footnote 14 Articles 44–50 of Chapter V GDPR regulate these requirements and obligations through a set of rules, or ‘tools’, on ‘Transfers of personal data to third countries or international organisations’. They stipulate that transfers of personal data outside of EU's territory can be either based on (1) adequacy decisions,Footnote 15 (2) appropriate safeguards such as standard contractual clauses (SCCs), binding corporate rules (BCRs) or other mechanisms,Footnote 16 or (3) derogations.Footnote 17 These conditions for transfers are designed with a view to providing the same threshold of certainty for smooth, efficient, and safe movement of data as within the EU.Footnote 18
Compared to the other types of ‘tools’ defined above, adequacy decisions under GDPR Art. 45 provide an automatic authorization to access and process personal data from the EU without incurring the additional implementation costs associated with alternative mechanisms when engaging in data processing. GDPR Art. 45 has the most extensive applicability between the EU and a third country, as an adequacy decision can cover all the data processors within a third country, whereas appropriate safeguards according to Art. 46 are only applicable to the companies (e.g., in the case of SCCs) or groups of companies (e.g., BCRs) subject to them. There is no need to use appropriate safeguards or derogations when an adequacy decision is in place.
EU adequacy decisions were first regulated under Article 25 of the Directive 95/46 on the processing of Personal Data (Directive 95/46).Footnote 19 Directive 95/46 was repealed by the GDPR, which applies since 25 May 2018. EU adequacy decisions set stringent requirements on securing personal data protection for cross-border datatransfers based on a comparison between domestic regulations in the EU and in a third country.Footnote 20
The EU framework for cross-border data transfers comprises compatible data protection regimes where the GDPR is applicable and where data adequacy decisions were obtained. Thus, the analysis covers the 27 EU member countries and the three European Economic Area (EEA) states where the GDPR is applicable,Footnote 21 and 15 other jurisdictions that have obtained data adequacy decisions (Table 1): Switzerland, Canada, Argentina, Guernsey, Isle of Man, Jersey, Faroe Islands, Andorra, Israel, Uruguay, New Zealand, Japan, the UK, Korea, and the US.
Table 1. Overview and status of EU adequacy decisions
2.2 Why Consider EU Adequacy Decisions in the Context of GATS Article VII?
A contribution of this paper is that it includes an examination of the process for determining ‘adequacy’, something that is not addressed in either the GDPR or the Directive. This was done through semi-structured interviews with Commission officials in DG Trade and DG Justice to better understand how the framework functions and how to examine it in the context of GATS. One important nuance consistently emphasized by DG Justice motivates the analysis regarding GATS Art. VII, which permits recognition through alternative arrangements (see paragraph 2 of Art. VII). DG Justice highlighted that the ‘toolbox’ provided by the GDPR, along with that of its predecessor, Directive 95/46, facilitates the establishment of an adequacy decision by employing a combination of different ‘tools’. This approach becomes relevant when adequacy cannot be solely derived from the domestic legal framework of the third country, as exemplified by the EU–US adequacy frameworks, which incorporate standards contractual clauses (SCCs) from the other available ‘tools’.Footnote 22 This nuance is not explicitly evident from the GDPR itself, and it was not known that the Commission extended this option of similar alternatives to countries other than the US. If alternative frameworks for adequacy were not considered or offered to other countries as part of the adequacy assessment, it could be deemed discriminatory under GATS, as Mishra has also highlighted.Footnote 23 I systematically review the arguments to clarify this critical element of the EU's adequacy assessment.
Besides the option to incorporate different ‘tools’ to establish ‘adequacy’, the EU's adequacy decisions, as state-to-state arrangements,Footnote 24 may encompass all operators within a third country or be tailored to ‘a territory or one or more specified sectors within that third country’. For example, the EU's adequacy decision with Canada applies exclusively to Canadian commercial organizations.Footnote 25 In all cases, EU's adequacy decisions are measures discussed and adopted between countries. GATS Art. VII regulates measures enacted at the governmental level by WTO members, including the EU, that affect trade in services. Art. VII:2 requires WTO members to provide the possibility of negotiating comparable frameworks when identical agreements are not feasible. The definition of an adequacy decision under GDPR Art. 45 and Directive 95/46 Art. 25, which allows for the existence of alternative approaches to establishing compatibility between domestic personal data protection rules, is a key reason why this paper examines EU adequacy decisions in light of the GATS Art. VII:1 definition of recognition agreements. These intricacies are analyzed in section 4 covering GATS Art. VII:1 non-discrimination obligation that is linked to GATS Art. VII:2 ‘alternatives’.
Another rationale for assessing the EU adequacy framework in the context of GATS Art. VII is the emergence of Digital Economy Agreements (DEAs). While studying the intricacies of the EU adequacy frameworks, New Zealand was, at the same time, actively promoting its Digital Economy Partnership Agreement (DEPA) as a potential pathway for plurilateral harmonization of digital trade rules, including personal data protection. SalusteFootnote 26 compares DEPA with other frameworks and argues that DEPA cannot serve as a model outside an FTA setting, as it does not pass the challenge of regulating a specific segment of the economy independently from an FTA while meeting the ‘substantially all trade’ requirement of GATS Article V for its non-FTA partners. This is because DEPAs non-discrimination rule differs from that of the GATS, preventing it from functioning as an open plurilateral agreement that could allow other WTO members without FTAs with New Zealand and other signatories to join.Footnote 27 Moreover, DEPA, like many other DEAs, lacks substantive rules on personal data protection.
The observed fragmentation in regulatory practices continues to evolve and expand through DEAs,Footnote 28 raising a critical question about the growing fragmentation of global regulatory cooperation: is an FTA the only viable option for harmonizing rules, such as the adoption of adequacy decisions? Or are there alternative approaches that could foster greater transparency, enable an objective, effective exchange of best practices, ensure the right of WTO members to set standards they deem appropriate, and simultaneously secure compliance with WTO obligations?
The EU has adopted adequacy decisions not only with its FTA partners. Regulatory cooperation is encouraged. Thus, the question arises: is GATS Art. VII providing a pathway for harmonizing personal data protection rules in and outside of FTAs while keeping the door open to all interested parties? Recognition agreements under GATS Art. VII enable WTO members to enhance consistency and harmonization between national domestic measures affecting trade in services in and outside of FTAs on a bilateral and plurilateral basis. If adequacy decisions fall under the scope of Art. VII, adequacy decisions could support global regulatory cooperation by fostering essential and obligatory transparency and, additionally, allow WTO members to uphold standards that reflect their economic and non-economic values.
As the GDPR is the most comprehensive framework in practice and has been the inspiration of other frameworks, the EU adequacy decisions framework is the relevant starting point to achieve a comprehensive analysis of the relevance of Art. VII for regulatory cooperation on data protection. Additionally, its sophistication enables a thorough examination of the option given by Art. VII to use alternative tools. GDPR Chapter V provides several options for service suppliers to be in compliance with the GDPR. This research shows that the Commission is able to combine the different options to create an adequacy decision. This means that there are more options for other countries to establish an adequacy decision with the EU. However, it is not publicly known as it has only been limitingly discussed with the only countries having had adequacy talks with the EU. The potential of the research to explore an unexplored approach for contributing to international harmonization of data protection is furthermore demonstrated through the versatile lens that Art. VII analysis offers for preferential, bilateral, and plurilateral agreements.
To advance regulatory cooperation, raise awareness of compatibility with rules applicable to WTO members, and foster further alignment, section 3 analyzes the EU's framework as a case study using the criteria established under GATS Art. VII:1. This analysis contributes to the broader question of whether WTO members need to reconsider how data flows should be addressed in FTAs and DEAs if ‘data adequacy frameworks’ constitute recognition agreements/arrangements. It also underscores the need for WTO members to provide notifications when employing ‘data adequacy’ for cross-border data transfers and to accompany these notifications with technical overviews in Geneva.
3. The EU Data Protection Framework, Adequacy Decisions and GATS Article VII:1
Neither the EU nor other countries have notified their adequacy decisions to the WTO.Footnote 29 This is puzzling as the analysis of GATS Art. VII:1 that follows reveals that the broad definition of recognition, along with the drafters’ intention to include Art. VII to promote regulatory compatibility on a scale suitable for WTO members,Footnote 30 encompasses the EU's adequacy decisions. This reasoning applies equally to other WTO members that ‘grant’ adequacy based on the requirements of their domestic data protection laws.
The first sentence of Art. VII:1 identifies four required criteria for assessing recognition: (1) service suppliers subject to recognition; (2) recognition of service suppliers must be based on specific standards or criteria; (3) recognition must be granted through authorization, licensing, or certification of service suppliers; and (4) non-discrimination obligation must be respected when ‘granting’ recognition. The second sentence of Art. VII:1 establishes the forms in which recognition between two or more countries is achieved: (5) either through harmonization or other means; and further stipulates that recognition (6) ‘may be based upon an agreement or arrangement with the country concerned or may be accorded autonomously’. EU adequacy decisions are analyzed in the context of these criteria, following the same order. However, the non-discrimination obligation is addressed separately in section 4, as it does not establish recognition but is required when recognition exists.
3.1 The Interrelation between Adequacy Decisions and Service Suppliers under the GATS
Any form of recognition is granted to the relevant service(s) supplier(s) being recognized (GATS Art. VII:1). As addressed in subsection 2.1, when a third country has been granted adequacy by the EU there is automatic authorization, and the service suppliers do not need to do anything additionally to ensure compliance with the GDPR.
The relevant foreign service suppliers subject to EU's adequacy decisions or other ‘tools’ (subsection 2.1) can both be based within the territory of the EU and outside of the EU. Therefore, the foreign supplier can both have the role of data importer and exporter. The foreign service supplier is impacted by GDPR Chapter V when they conduct data transfers between the foreign territory and the EU territory and also other countries when the data transfer includes personal data from the EU. Yakovleva provides a comprehensive overview based on the European Data Protection Board (EDPB) GuidelinesFootnote 31 explaining what constitute data transfers subject to GDPR Chapter V and who is impacted.Footnote 32 In the GDPR technical terms depending on the nature of data transfers, the service supplier has either the role of being a data controllerFootnote 33 or a processor.Footnote 34 Services suppliers are both natural and juridical persons supplying a service.Footnote 35 Supplying a service can cover, e.g., ‘distribution, marketing, sale and delivery of a service’.Footnote 36 The EU definition of data processing (GDPR Art. 4(2)) covers a wide range of actions that essentially encompass any type of access to personal data, including storage, use, and classification of data. Data processing can impact all facets of supplying a service, such as distribution, marketing, sales, and delivery of the service, and depends on the business focus of the service suppliers and what the processed data are used for.
The definition of recognition in GATS Art. VII:1 does not set any sectoral limitations: it applies across sectors to any supplier operating any service. The literature on EU adequacy often only addresses ‘Computer and Related Services’, as it directly covers data processing.Footnote 37 The EU has also expressed the view that adequacy decisions fall within the scope of GATS, without specifying the impacted services.Footnote 38 Personal data transfers are integral to the functioning and existence of a broad range of services, including financial services, insurance, telecommunications, tourism, audiovisual services, transportation, postal, courier, health, and research and development services.Footnote 39 Ferracane et al. have conducted an empirical analysis of the service suppliers impacted by EU's adequacy decisions.Footnote 40 They identify the impact for ‘IT and information, publishing and telecom services’, ‘business and professional services’, ‘financial services’, and ‘restaurants, accommodation, health and education services’.Footnote 41
Considering that the applicability of the GATS on services suppliers is conditional on the mode of supply that is used,Footnote 42 the coverage of EU cross-border rules on personal data transfers contained in the GDPR is extensive. Cross-border data transfers substantially impact trade in services (mode 1 (cross-border supply), but also affect consumption abroad (mode 2) and in some cases commercial presence (mode 3) and presence of natural persons (mode 4).Footnote 43 Trade in services under mode 1 as defined in the GATS and the GDPR cover both the movement of data through electronic and non-electronic means.Footnote 44 Many examples can be given under mode 1 including cases where only a limited amount of personal data from the EU could be subject to data transfer requirements of the GDPR compared to the service of data-processing itself. Providing health services via online consultations is an example. When a firm located in a WTO member provides a health service to EU customers located within the territory of the EU, this service supplier is subject to the GDPR under mode 1. Consumption abroad (mode 2), e.g., tourism services, is impacted by the GDPR if a company in the territory of another WTO member welcomes tourists from the EU and needs access to their personal data prior to their arrival and this is sent from the EU by the customer or by an intermediary office based in the EU.Footnote 45 Under mode 3, commercial presence within the EU might likewise require processing of personal data, e.g., information pertaining to local (European) employees. Data flows can also impact mode 4 (presence of natural persons) in cases where there is back-and-forth movement of people processing data between the EU and a third country, e.g., a doctor offering services in several countries. This is because a data controller/processor can also be a natural person in the context of the GDPR. These examples show that the ability of the supplier to provide services can be impacted by the GDPR and thus be subject to EU data transfer requirements across multiple modes of supply.
As shown above, personal data processing within the meaning of the GDPR, has broad sectoral and modal coverage, as it applies to any quantity of personal data movements of EU citizens for a variety of processing actions, including storage, access, use, and classification of data. The GDPR impacts the supply of any service by the respective service supplier that is accompanied by personal data between the EU and third countries.
The connection between the services suppliers and recognition agreements/arrangements applicability to domestic regulations on personal data protection under GATS is also supported by the sole example of a recognition notified to the WTO by Switzerland pertaining to telecommunications concerning consumer and personal data protection.Footnote 46 This notification has never been addressed in the literature, perhaps because it cannot be found under WTO GATS Art. VII:4 notifications of recognition agreements/arrangements.Footnote 47 The notification nonetheless supports the understanding that there is a connection between recognition agreements, services suppliers, and personal data protection. Furthermore, it shows that recognition agreements are used for cooperation between countries on personal data protection.
Compliance with the GDPR requires an extensive risk-based analysis by the service suppliers unless there is an adequacy decision in place that establishes that the requirements in the country where they operate are equivalent to EU GDPR requirements. EU adequacy decisions are largely symmetric in their sectoral coverage: they are applicable to any service suppliers operating in the third countries in any services sector subject to EU–third country data transfers involving access to personal data from the EU. Among the EU adequacy decisions there is one example where all the service suppliers need to self-certify themselves. This framework was established with the US due to the lack of governmental regulations on data protection.
The implementation of the self-certification system requires the companies themselves to register for the processing of personal data from the EU. This means that data are provided on the impacted services suppliers within the US, including companies specialized in services sectors, such as data processing, telecommunication, and financial services (insurance and banking).Footnote 48 This example limits the types of organizations or companies having access to personal data transfers from the EU but does not limit the services sectors. Under Directive 95/46 (Table 1) there were also sector-specific adequacy decisions adopted in the case of Canada and the US: both were granted adequacy on processing the passenger data from airlines laying down a framework for enhanced cooperation. This impacted ‘Air Transport Services’ according to the GATS Services Sectoral Classification List.Footnote 49
The EU adequacy framework allows to set different scope according to GDPR Art. 45 (with a ‘third country, territory or one or more specified sectors within that third country') and approach for covered service suppliers with different countries. This illustrates that adequacy decisions permit flexibility in the way they address compatibility between the data protection regimes applicable in the EU and in the third countries. The adequacy assessments under Directive 95/46 (Table 1) also demonstrate that adequacy may be constrained. In some cases, adequacy was not found and there was no alternative solution adopted. These elements addressed in subsection 3.1 also show that in the framework of EU's 20 adopted and four unadopted adequacy decisions ‘comparable’ solutions were found (GATS Art. VII:2) which are further addressed in section 4.
In practice, several recognition notifications to the WTO have been recorded with horizontal applicability to the services sectors,Footnote 50 hence also to their respective service suppliers. Regarding EU's adequacy decisions, the same would apply. Subsection 3.1 demonstrates that the existing EU’ adequacy decisions apply to all service suppliers covered by the GATS when there are cross-border data transfers taking place that apply to any foreign service supplier subject to that data transfer.
We now turn to the second criterion of GATS Art. VII:1 to identify whether the EU's assessment to grant adequacy under Art. 45 GDPR is based on ‘standards or criteria for the authorization, licensing or certification of service suppliers’ (emphasis added).
3.2 Is the EU Adequacy Assessment Based on ‘Standards or Criteria’?
This subsection examines if the assessment to obtain EU adequacy decisions on cross-border data transfers is based on ‘standards or criteria’ as a condition to meet one of the criteria of recognition pursuant to GATS Art. VII:1. WTO members have not defined what ‘standards or criteria’ are encompassed or excluded under GATS Art. VII:1. Therefore, the definition appears to be rather broad, potentially covering a wide range of elements. This subsection examines the meaning of ‘standards and criteria’ in line with the international rule of interpretation, and evaluates whether the Commission's adequacy assessment is based on ‘standards or criteria’ by analyzing the evaluation process and the requirements applied to it under GDPR Art. 45.
GDPR Art. 45(2) provides a non-exhaustive list of elements to evaluate whether the data protection in the third country is equivalent to the GDPR.Footnote 51 These elements can be grouped into three main categories: (1) the assessment of the rule of law; (2) the existence of independent supervisory authorities, including the enforceability of data protection rules; and (3) the international obligations adopted by the third country. The GDPR offers little clarity on how these elements are to be examined.
The Commission has stated that its first assessment of GDPR Art. 45(2) elements is based on the ‘Adequacy Referential’.Footnote 52 It provides guidance through set core data protection principles to analyze the procedures established in the legislation of the third country. This document is governed by the European Data Protection Board (EDPB).Footnote 53 This is the only document that clarifies what the assessment entails. The Commission does not publish their internal assessment, but the EDPB provides an opinion to the Commission during its assessment, which is publicly available.Footnote 54 These are the sources to grasp how these elements are exactly addressed and whether GDPR Art. 45(2) assessment can be considered as ‘standards or criteria’ under GATS Art. VII:1.
The terms ‘standards or criteria’ under GATS Art. VII have not been interpreted in case law. Neither the Council for Trade in Services (CTS) nor any of its subsidiary bodies (the relevant WTO entities for addressing this matter) have further discussed their meaning in GATS Art. VII to date. Therefore, the interpretation should be compared, if applicable, with definitions and practice under other provisions of the GATS or other WTO agreementsFootnote 55 and/or evaluated based on the ordinary meaning of the terms in accordance with the Vienna Convention on the Law of Treaties Article 31.Footnote 56
Regarding ‘standards’, GATS Art. VI on domestic regulation covers ‘technical standards’, which are not identical to the term ‘standards’ in GATS Art. VII.Footnote 57 The difference between the application of these terms was not addressed in the 2021 Services Domestic Regulation (SDR) Agreement.Footnote 58 Even though the SDR Agreement also adds a clarification on recognition regarding cooperation between professional bodies showing a connection between Articles VI and VII, it does not give ground to argue that ‘standards and criteria’ in Art. VII have the same meaning as ‘technical standards’ in Art. VI.
Additionally, WTO members have not stated that GATS Art. VII ‘standards’ are equivalent to the ‘standards’ within the meaning of the Agreement on Technical Barriers to Trade (TBT Agreement) that regulates standards and technical regulations in trade in goods. According to TBT Agreement Art. 5, standards are established by central governmental bodies or issued by international standardizing bodies having the given certification system and authority to do that. Neither the Commission conducting the initial assessment of ‘adequacy’, nor the EDPB are standard setting bodies. The principles set in the Adequacy Referential could to some extent be considered as established standards as the EDPB is the highest authority on data protection within the EU to provide guidance on the assessment and the Commission follows the Adequacy Referential adopted by the EDPB.Footnote 59 In any case, as GATS Art. VII refers to ‘standards or criteria’ and not only ‘standards’ there is wider scope compared to the TBT Agreement. Zampetti argues that the wording of GATS Art. VII ‘appears to be broad enough to cover virtually all domestic regulatory instruments with a direct impact on the ability to provide services’.Footnote 60
Furthermore, the ordinary meaning of a standard is ‘[a] rule, principle, criterion, or measure by which something can be judged or evaluated’; also ‘an accepted norm against which something can be compared’.Footnote 61 Gulczyńska considers GDPR Art. 45 as one of the ‘standards of protection’ among the other safeguards established in GDPR Chapter V based on the analysis of the CJEU in Schrems and Schrems II.Footnote 62 The Commission also refers to the elements of the adequacy assessment as standards.Footnote 63 These references follow the ordinary meaning. Even if a WTO panel were to find that the assessment principles for adequacy decisions would not qualify as standards, GDPR Art. 45(2) together with the Adequacy Referential would potentially meet the threshold of ‘criteria’ pursuant to GATS Art. VII:1.
The analysis conducted in subsection 3.2 illustrates that the basis for recognition established through ‘standards or criteria’ pursuant to GATS Art. VII:1 provides WTO members with significant policy flexibility, allowing them to define applicable rules for recognition, including EU adequacy decisions. This broad definition suggests that the ‘data adequacy’ frameworks of other WTO members could potentially fall within its scope.
3.3 EU Adequacy Standards ‘for the Authorization, Licensing or Certification of Services Suppliers’
In addition to demonstrating whether EU adequacy ‘standards or criteria’ (hereinafter ‘standards’) constitute recognition according to GATS Art. VII:1, these ‘standards’ should be applied to the service suppliers to authorize, license, or certify them. These three mechanisms establish a confirmation and a proof of recognition that is extended to service suppliers in one or more countries that provide certain means for them to operate. The author argues that the 15 EU adequacy decisions currently in force are all based on authorization.Footnote 64 Mishra discusses the legal interpretation of the GDPR and GATS Art. VII:1 but does not address ‘authorization’ as she focuses on licensing and certification within GATS Art. VII:1 definition. In the analysis, Mishra considers recognition applicable to the EU–US Privacy ShieldFootnote 65: the only EU adequacy decision incorporating certification out of 12 other decisions that were in force in 2019. The author challenges whether GATS Art. VII:1 is only applicable to the currently in force EU–US Data Privacy Framework (DPF) that also incorporates certification,Footnote 66 or is Art. VII:1 applicable also to the 14 other adequacy decisions in force to date when evaluating the three mechanisms used for recognition: authorization, licensing, and certification. A key argument in what follows is that assessment of ‘authorization’ in GATS Art. VII:1 in the examination of GDPR Art. 45 and the adequacy decisions adopted pursuant to Directive 95/46 Art. 25 is that all EU adequacy decisions, including the invalidated EU–US Safe Harbor, EU–US Privacy Shield, and the new EU–US DPF, are based on authorization. This also builds on the interpretation of the Schrems II judgment adopted by the CJEU in July 2020 that further clarified the procedural elements required from the Commission in adequacy assessments. The EU–US adequacy decisions involve an additional layer of certification that complements the authorization.
What follows examines the definition of authorization in the context of the GATS. As with ‘standards or criteria’ (subsection 3.2), there is no case law or relevant WTO documentation on GATS Art. VII to provide further clarification. Here also the interpretation should be compared with definitions and practice under other provisions of the GATS or other WTO agreements and/or evaluated based on the ordinary meaning of the terms.
The Panel in US–Gambling covered that authorization in GATS Art. VI:3 requires a system for granting authorization to be in place.Footnote 67 This procedural clarification potentially also applies to Art. VII:1 as both provisions address authorization regarding the supply of a service. Moreover, the SDR Agreement paragraph 3 of Section II clarifies that authorization in Art. VI results ‘from a procedure to which an applicant must adhere to in order to demonstrate compliance’. The Commission has a specific procedural setting for granting a third country an adequacy decision.Footnote 68 In the light of US–Gambling and the SDR Agreement, the procedures for authorization are constituted by the exchange of information between the third country and the EU on the applicable domestic data protection laws of the third country, the changes and implementation of additional procedures or rules required by the Commission from the third country to meet the threshold of equivalence, together with the overall Commission's evaluation process. The adoption of an adequacy decision provides the authorization of services suppliers in the third country.
If the definition of ‘authorization’ of GATS Art. VI is not applicable to Art. VII:1, the ordinary meaning of authorization – ‘formal permission or approval; an instance of it’; ‘the action of making legally valid’Footnote 69 – does describe the implementation of adequacy decisions. These definitions could be used for interpretation to define ‘authorization’ in GATS Art. VII:1. The Commission's adoption of an adequacy decision by means of an implementing act pursuant to GDPR Art. 45(3) provides an automatic authorization to the service suppliers of a third country to process personal data from the EU without the service suppliers themselves having to implement additional safeguards, such as SCCs, BCRs, or derogations for cross-border data transfers from the EU. According to the Commission, when a third country has an adequacy decision with the EU, the service suppliers within the third country are only subject to the data protection rules applicable to them in that third country. This means, e.g., that Argentinian companies processing data from the EU independently, or working together with companies within the EU, or with their subsidiaries in the EU, do not need to adopt additional data protection rules in their contracts to operate. The Commission considers the adequacy decision as a grant that Argentinian laws and authorities require the implementation of all the necessary data protection rules from Argentinian companies, so data can move between the EU and Argentina without restrictions including onward transfers from Argentina to third countries.Footnote 70 Whereas the services suppliers processing cross-border personal data flows of Argentina, Canada, Israel, Japan, New Zealand, Korea, Switzerland, the UK, Uruguay, Andorra, Faroe Islands, Guernsey, Isle of Man, and Jersey operate based on this example, the EU–US adequacy decision authorization consists of two layers (authorization plus certification).
The three EU–US adequacy decisions, the Safe Harbor, the Privacy Shield, and DPF, have been established through a self-certification framework following a principles-based approachFootnote 71 due to limited data protection regulations in the US. Therefore, based on the Commission's assessment, self-certification was set up to meet the required ‘adequacy’ threshold. EU–US framework requires any service supplier in the US to self-certify on an annual basis that they follow the set principles to process personal data from the EU.Footnote 72 Only US companies that are compliant with the self-certification have the right to process cross-border personal data transfers from the EU. Other US companies need to implement other safeguards of Chapter V GDPR.
As stated above, recognition can be granted through ‘authorization, licensing or certification’. Even though the EU–US framework incorporates self-certification, it is not a standalone framework meeting the EU standards for granting ‘adequacy’. The self-certification forms one part of the authorization given by the Commission. There are two layers to ‘reach’ essentially equivalent level of data protection between the EU and US services suppliers: EU–US adequacy has been established based on the evaluation of the federal measures on data protection in the US to secure services suppliers access to EU personal data. This has required the US to make changes on the federal level and in addition the use of the self-certification framework for services suppliers had to be enforced. The two rulings of the CJEU on the Safe Harbor (Schrems) and Privacy Shield (Schrems II) show these dimensions. The self-certification principles were not challenged,Footnote 73 but the Privacy Shield, which was in place prior to the DPF, was invalidated due to inconsistencies in the US laws that meant they did not meet the EU threshold of an essentially equivalent level of data protection regarding (1) the use of proportionality in surveillance programs when processing data and (2) data subjects’ right to an effective remedy before a tribunal.Footnote 74
Even if the US would not have had to make any changes in its laws, the EU adequacy decision as established in Directive 95/46 Art. 25 and repealed by GDPR Art. 45 is not granted without authorization by the Commission. Therefore, the EU–US frameworks are an example of authorization that includes a certification as a condition to the authorization. In terms of GATS Art. VII definition of recognition, the difference between adequacy decisions given to Argentina, Canada, Israel, Japan, New Zealand, Republic of Korea, Switzerland, the United Kingdom, Uruguay, Andorra, Faroe Islands, Guernsey, Isle of Man, and Jersey compared to the US is that the US service suppliers are subject to an additional measure of self-certification in order to be granted the recognition and to be fully authorized, whereas the service suppliers in other countries are authorized directly through the adoption of the adequacy decision.
In conclusion, EU adequacy ‘standards’ authorize services suppliers in 15 third countries to process EU personal data. Among these, the EU–US adequacy decision (one of the 15 currently in force) further requires US services suppliers to obtain certification. Both authorization and certification may serve as bases for recognition under GATS Art. VII:1.
The foregoing establishes that EU adequacy decisions meet the criteria for recognition as outlined in the first sentence of GATS Art. VII:1. To fully understand the EU's approach to recognition, it is essential to examine the form this recognition takes under the second sentence of GATS Art. VII:1. This provides insight into the complexity of the process involved, which can occur through ‘harmonization or otherwise’ (subsection 3.4) and the manner in which recognition is granted (subsection 3.5). How the EU grants adequacy and provides a comprehensive examination of all countries deemed adequate by the EU illustrates the need for fostering discussions among WTO members at the multilateral level to assess whether the growing multiplicity of adequacy frameworks sufficiently protects personal data and whether this diversity ensures the frameworks fulfill their intended role effectively and whether adequacy frameworks warrant greater international attention.
3.4 Achieving Recognition ‘Through Harmonization or Otherwise’: the Specificity of EU Adequacy Decisions
The phrase ‘may be achieved through harmonization or otherwise’ and the possibility of recognition being ‘based upon an agreement or arrangement with the country concerned or … accorded autonomously’, as stated in the second sentence of GATS Art. VII:1, underscores the flexible options available to WTO members. This is intended to foster further harmonization of domestic regulations regarding trade in services. The analysis demonstrates that the EU adequacy decisions align with the second sentence, and it is likely that other WTO members adequacy frameworks align with it as well. However, the intricate and potentially opaque process the EU employs for adequacy determinations, while achieving a high degree of compatibility, requires additional clarification, since the lack of transparency in the assessment process can lead to discrimination against other WTO members.
EU adequacy decisions are granted based on ‘essential equivalence’. The Commission authorizes personal data transfers to a third country based on an adequacy decision when the third country ensures: ‘by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of the regulation, read in the light of the Charter [of Fundamental Rights of the European Union].’Footnote 75
The Commission's assessment does not lead to any changes in the data protection rules within the EU, although a third country might be required to change internal procedures of its authorities, add or create new functions, or make other modifications to its laws and operations to be ‘essentially equivalent’ with the EU's requirements. For example, based on the on-going assessment of Brazil's adequacy, specific tasks of its recently established supervisory authority have been created to meet the conditions the Commission has discussed with the Brazilian National Data Protection Authority (ANPD).Footnote 76 Therefore, establishing ‘essential equivalence’ can require a level of harmonization between the data protection rules applicable in the third country and the EU. In the global practice of recognition agreements, ‘essential harmonization’ is often used. Trachtman defines it as ‘the extent that a general minimum standard can be agreed in a legislative context’.Footnote 77 Even though EU equivalence might require a rather high standard, there is the process of agreeing on a level of data protection that must be achieved between the EU and the third country that shows the services suppliers are operating based on almost the same grounds in the two jurisdictions. The wording of GATS Art. VII:1 ‘through harmonization or otherwise’ also leaves room for interpretation for its exact scope, as it is in the case for ‘standards and criteria’ in its first sentence. Additionally, the second sentence uses ‘may’ instead of ‘shall’. There is no indication that essential equivalence cannot be used as a means to achieve recognition.Footnote 78 What is not straightforward to understand about the EU's equivalence assessment is how it conducts the weighing and balancing of applicable rules in third countries. As additional clarifications are necessary to ensure compliance with the non-discrimination requirements, this issue is further addressed in subsection 4.1.2, which mandates equal treatment for all WTO members in the EU's adequacy assessment. However, regarding the question as to whether EU's equivalenceFootnote 79 assessment can be the basis to achieve recognition, subsection 3.4 illustrates that GATS Art. VII:1 applies.
3.5 Adoption of Adequacy Decisions Based on an Agreement/Arrangement or …Accorded Autonomously
The legal form of EU adequacy decisions plays a critical role in shaping global data protection standards. This subsection examines the EU, the 15 countries with an EU adequacy decision, and others that have informed the EU of their recognition of its framework. Data were gathered through a review of legislative frameworks, one guiding document from the Commission,Footnote 80 and exchanges with the Commission and WTO Secretariat representatives. While the analysis clarifies existing practices, it raises questions about how WTO members should notify their recognition (GATS Art. VII:4), especially since such notifications often omit details regarding the form.Footnote 81 Moreover, the diverse adequacy frameworks (Table 2) highlight the need for greater transparency and coordination to mitigate global regulatory entanglements and promote a more consistent approach to data protection.
Table 2. Mutual/bilateral recognition: EU ‘data adequate’ countries recognizing the EU/EEA and EU ‘data adequate’ countries
Source: Own compilation based in part on interviews with Commission staff.
Recognition under GATS Art. VII:1 ‘may be based upon an [1] agreement or [2] arrangement with the country concerned or may be accorded [3] autonomously’, but no official definitions for these terms exist. According to the WTO Secretariat,Footnote 82 based on the negotiations of the GATS, an ‘arrangement’ typically refers to unilateral recognition, while an ‘agreement’ presupposes the involvement of two (or more) parties and some form of reciprocal treatment.Footnote 83 Marchetti and Mavroidis clarify that recognition can occur either mutually/bilaterally or unilaterally by one country.Footnote 84 Krajewski states that ‘agreement or arrangement with the country concerned’ is considered as mutual recognition and when ‘accorded autonomously’ this is unilateral or autonomous recognition.Footnote 85 Therefore, there are different definitions currently used and none is confirmed in WTO case law.
The EU has granted adequacy decisions under Directive 95/46 Art. 25(6) to Switzerland, Canada, Argentina, Guernsey, Isle of Man, Jersey, Andorra, Faroe Islands, Israel, Uruguay, New Zealand; and under GDPR Art. 45(3) to Japan, the UK, Korea, and the US. Based on the definitions provided by the WTO Secretariat, these decisions constitute an arrangement between two countries – as the EU has not made legislative changes and requires only the third country to adapt its domestic data protection rules. While the recognition is granted unilaterally, it is not done autonomously, as it involves extensive discussions between the parties that takes years and has a bilateral nature to it.Footnote 86
As other WTO members adopt adequacy decisions, it is important to analyze the legislative frameworks of countries with EU adequacy decisions. Some EU decisions could be viewed as bilateral arrangements, while others appear as mutual agreements. This distinction depends on how reciprocal treatment is defined, underscoring the need for greater clarity in determining what constitutes an ‘agreement’ under GATS Art. VII:1.
Of the 15 EU ‘adequate countries’, 13 have incorporated ‘adequacy’ as a tool for transfers into their own data protection laws (Table 2). In 11 cases, this could lead to mutual recognition of data protection rules between the EU and Switzerland,Footnote 87 Israel, Argentina, Uruguay, the UK,Footnote 88 Andorra, Faroe Islands, Guernsey, Jersey, Isle of Man, and Japan.Footnote 89 Conversely, for Canada, New Zealand, Korea and the US the EU grants unilateral recognition through a bilateral arrangement. Notably, New Zealand and Korea have recently incorporated data transfer mechanisms into their legislation;Footnote 90 however, these have not yet been extended to the EU. In contrast, Canada and the US lack legislative tools to establish adequacy as a mechanism for transfers to third countries. Interestingly, Colombia, despite not having an EU adequacy decision, has autonomously recognized the EU/EEA and all EU ‘data adequate’ countries as adequate.Footnote 91
The EU has not referred to its adequacy decisions as recognition according to GATS Art. VII:1. However, they have referred to an adequacy decision, using the terms mutual arrangement, and to their adequacy assessment as autonomous and unilateral. There is one press release regarding the EU–Japan adequacy framework that mentions it as a ‘mutual adequacy arrangement’ and highlights that both countries recognize ‘each other's data protection systems as equivalent’.Footnote 92 Regarding the UK's adequacy assessment, the Commission described it as autonomous and unilateral.Footnote 93 However, the UK was involved in this assessment and recognizes the EU also as adequate to their data protection framework (Table 2).
It is important to highlight that if EU adequacy decisions were to be considered unilateral or autonomous recognition, based on Krajewski's definition he argues that notifications under GATS Art. VII:4 are not applicable.Footnote 94 The notification obligation in paragraph 4 refers to ‘agreements or arrangements of the type referred to in paragraph 1’. It is true that the wording leaves some ambiguity, but it is not clear that autonomously accorded recognition is excluded. Furthermore, WTO members have notified unilateral recognition.Footnote 95 Even if it were to be excluded as this subsection addresses, there are (1) no official definitions of ‘agreement’, ‘arrangement’, and ‘accorded autonomously’, (2) 11 out of 15 EU adequate countries also consider the EU as an adequate country. The latter means there is some form of reciprocal treatment of each other's requirements. In any case, the author argues that as the adequacy assessment involves legislative changes in the third country and that there is cooperation between the EU and the third country for years before it establishes an arrangement, and potentially in 11 out of 15 cases it establishes an agreement. Furthermore, the WTO Secretariat definition supports this line of argumentation. Therefore, notifications need to be provided.
While subsection 3.5 shows that some ambiguity exists regarding the exact reference to the form of the adequacy frameworks, the key issue lies in understanding how these frameworks interact and how they should be addressed moving forward either within or outside of the WTO. Notifications to the CTS are essential to ensure transparency and consistency, and, as addressed in section 4, are also necessary to comply with the non-discrimination requirement if recognition is granted through an agreement or arrangement. This need is underscored by the growing web of potential compatibility and complexity created by these frameworks, as shown in Table 2.
4. Non-Discriminatory Implementation of EU Adequacy Decisions: Can GATS Art. VII Resolve WTO Law Compliance Challenges?
Given that EU adequacy decisions constitute recognition, they must comply with the non-discrimination requirement in GATS Art. VII paragraphs 3 and 2. This section covers this and unaddressed issues that arise from the in-depth analysis of the EU's adequacy framework that call for a reassessment of previous research on their compliance with GATS Art. II:1 MFN treatment. It concludes that, as these decisions fall under GATS Art. VII:1, which includes its own non-discrimination requirement, the interpretation of adequacy frameworks and their alignment with GATS Art. II:1 must be reconsidered. This analysis should also encourage other WTO members to notify their domestic adequacy frameworks.
The analysis highlights a contradiction in the literature. Krajewski argues GATS Art. VII paragraphs 2 and 3 are not applicable if recognition is unilateral or autonomous.Footnote 96 However, paragraph 3 is a criterion set in paragraph 1 that applies to all forms of recognition, while paragraph 2 explicitly states that ‘[w]here a Member accords recognition autonomously, it shall accord adequate opportunity for any other Member to demonstrate that education, experience, licenses, or certification obtained or requirements met in that other Member's territory should be recognized’. Hence, paragraphs 2 and 3 apply to any type of recognition.
The threshold required in GATS Art. VII differs from the general non-discrimination requirements of GATS Art. II. WTO members have the right to implement high standards to protect values and rights. The WTO members are required to apply those measures to all WTO members unconditionally and immediately, ensuring that like services and service suppliers from any member are not treated less favorably than those from any other member (MFN treatment in GATS Art. II:1). The non-discrimination requirement in GATS Art. VII:3 is not the same as GATS Art. II:1 and establishes a certain deviation.Footnote 97 GATS paragraph 2 of Art. VII clarifies the scope of paragraph 3: it requires an ‘adequate opportunity’ for all WTO member(s) to accede to a recognition agreement or to be granted the right to ‘negotiate comparable ones’. Therefore, a WTO member has the right to evaluate, assess, and discuss with other WTO members the requirements of their recognition agreements or arrangements before deciding whether compatibility can be achieved. This sets a different timeline and conditionality compared to the MFN treatment and allows a WTO member to recognize WTO members that meet their requirements compared to others that do not, or to find an alternative set-up.
Based on the above, the discussion in this section addresses two questions that arise in the context of the EU's adequacy decisions and GATS Art. VII:3. Subsection 4.1 examines whether, when a country is considered adequate, the different formats of EU adequacy decisions are permissible under GATS Art. VII:3. Subsection 4.2 analyzes whether, when a country is not deemed adequate, the use of other ‘tools’ under GDPR Chapter V complies with the non-discrimination obligation of GATS Art. VII:3. GATS Art. II:1 is addressed in both subsections in relevant parts. Subsection 4.3 highlights the situation regarding notifications of adequacy decisions and examines other aspects of the interplay between GATS Art. VII, Art. II:1, and general exceptions.
Subsections 4.1 and 4.2 illustrate that the applicability of GATS Art. VII:3 to EU adequacy decisions changes the analysis under GATS Art. II:1. Specifically, Art. VII permits the simultaneous use of different frameworks – such as varying types of EU adequacy frameworks (e.g., the adequacy decisions for the US and Canada compared to others that are ‘traditional’ EU adequacy decisions) – and the coexistence of an EU adequacy decision in one country alongside, for instance, the EU's standard contractual clauses for service suppliers in another.
4.1 Comparing Existing EU Adequacy Decisions Within the Context of GATS Art. VII:3
4.1.1 EU–US and Canada's Adequacy Compared to EU's ‘traditional’ Adequacy Decisions
The EU's use of varying adequacy frameworks with differing scopes (e.g., Canada), sectors, and different implementation mechanisms (e.g., the US) to ensure the same level of personal data protection, as explained in sections 2 and 3 above, could be consistent with GATS Art. VII:3.
GATS Art. VII:2 states that an adequate opportunity has to be granted for negotiating a recognition arrangement. If it is not possible to negotiate accession to the same framework, then an adequate opportunity must be provided to negotiate a comparable one. EU practices in adequacy recognition arrangements demonstrate the use of comparable adequacy frameworks, with the EU–US adequacy frameworks and Canada's adequacy decision serving as key case studies.Footnote 98
As addressed in subsection 3.3, Mishra analyzes the EU–US Privacy Shield in the context of GATS Art. VII. She gives an example on the obligation to allow other countries to negotiate comparable frameworks to the EU–US Privacy Shield, which is the threshold to be consistent with paragraphs 2 and 3.Footnote 99 The EU must provide the possibility for other third countries to negotiate a comparable framework to the EU–US framework, and failure to do so without plausible reasons would constitute a violation as discussed by Mishra. The EU cannot impose higher standards to one country than to another. Although there is no available information on whether another country has requested a similar framework to that of the US, any refusal to implement a similar framework would require a clear and objective rationale. What is important about the EU–US data transfer frameworks, a novel analysis of this paper, is that the EU–US framework itself is already a comparable framework negotiated as an adequacy decision in contrast to other ‘traditional’ EU adequacy decisions: the EU–US framework needs to be evaluated under GATS Art. VII alongside with other adequacy decisions in place (see Table 1).
There are misconceptions about the EU–US adequacy framework. The GDPR, like Directive 95/46, does not specify how an adequacy decision should be structured. The Commission has stated that the adequacy framework allows for a combination of GDPR Chapter V ‘tools’ to establish ‘adequacy’ with the EU–US frameworks serving as examples of this approach.Footnote 100 While not all national supervisory authorities view this as an adequacy decision, because it is based on standard contractual clauses (SCCs), the Commission has always defined the EU–US framework as adequacy decisions as it is a data transfer mechanism set up between countries.Footnote 101 The three EU–US frameworks are not ‘typical’ Art. 25 Directive 95/46 and Art. 45 GDPR adequacy decisions. The CJEU judgements confirm how these decisions are structured as adequacy decisions through the application of appropriate safeguards to service suppliers agreed upon the EU and the US. Furthermore, the CJEU has not challenged the use of these SCCs in establishing ‘adequacy’. The linkage is also legally evident when reading the references to Art. 25 Directive 95/46 and now Art. 45 GDPR in the three adequacy decisions with the US. These three frameworks represent a ‘comparable’ framework to a ‘traditional’ adequacy decision that does not require additional criteria to be fulfilled by the service suppliers because the data protection regulation of the third country is covering already those elements, and the implementation and enforcement of these rules meets the threshold of essential equivalence.
Furthermore, the adequacy decision with Canada demonstrates that it was not feasible to implement an adequacy decision applicable to all service suppliers within Canada, as the threshold of essentially equivalent level of protection would not be met.Footnote 102 Consequently, only commercial organizations are recognized by EU adequacy decisions, illustrating that EU adequacy decisions include alternative implementations in line with GATS Art. VII paragraphs 2 and 3.
The flexibility provided by the possibility to negotiate recognition in different ways when WTO members cannot all meet the same standards allows more options for cooperation. The comparison of the different adequacy decisions adopted by the EU shows that there are alternatives available. Therefore, if the EU provides the possibility for all WTO members to assess the compatibility of their data protection regimes with the EU's, then it is in line with the non-discrimination requirement.
However, the analysis also shows that consistency with GATS Art. VII necessitates a review of the procedural elements in the EU adequacy review mechanism, which differ between adequacy decisions adopted under Directive 95/46 and those under the GDPR. This may require an amendment to GDPR Art. 45 to ensure compliance with GATS Articles VII:3 and II:1.
4.1.2 Potential Discrimination between the Countries Subject to EU Adequacy Decisions
In practice, concerns have been raised regarding the Commission's assessment for the implementation of an adequacy decision. To provide adequate opportunity to all WTO members to negotiate EU adequacy, the assessment of essential equivalence must be clear. India has highlighted to the CTS that the Commission is unable to explain what the exact standards are that need to be met to satisfy the criteria for adequacy.Footnote 103 This could possibly violate GATS Art. VII:3 as it would not provide the ‘adequate opportunity’ to be recognized if the requirements of the assessment were unknown (GATS Art. VII:2). This would create ‘means of discrimination’ (GATS Art. VII:3). The Adequacy Referential adopted by the EDPB is publicly available on the adequacy assessment.Footnote 104 These guidelines should ensure the same objective analysis for each country applying for an adequacy decision. However, there is no publicly available guidance to understand the possibility to be recognized based on different frameworks that the EU adequacy decisions establish as discussed in section 3 (self-certification, sector-specific application or applicable to any data processing in any service sector); even though here also the Adequacy Referential should be applicable. The Commission must ensure that its procedures are clarified in a clear step-by-step approach for the right determination of the ‘comparable’ recognition agreement/arrangement to the extent possible, if granting an adequacy decision would not be an option. Additionally, as the EDPB provides an opinion to the Commission on the adequacy of the third country subject to adequacy talks, the EDPB opinions have also raised concerns about compatibility and the Commission does not publish an analysis afterwards to clarify how they have further addressed the points raised by the EDPB or considered them as not necessary to meet the essentially equivalent threshold. The Commission must be transparent on the differences when one threshold is met and when another is not. This has to be secured to be in accordance with GATS Art. VII:3.
The Commission has further specified what criteria it takes into consideration to determine whether adequacy should be pursued. These criteria are additional to Art. 45(2) GDPR requirements of an adequacy assessment together with the Adequacy Referential. It considers: (1) ‘the extent of the EU's (actual or potential) commercial relations with a given third country, including the existence of a free trade agreement or ongoing negotiations’; (2) ‘the extent of personal data flows from the EU, reflecting geographical and/or cultural ties’; (3) ‘the pioneering role the third country plays in the field of privacy and data protection that could serve as a model for other countries in its region’; (4) the overall political relationship with the third country in question, in particular with respect to the promotion of common values and shared objectives at international level.Footnote 105
It is common that in recognition arrangements certain characteristics play a role. Marchetti and Mavroidis observed this in their analysis of recognition notifications to the CTS.Footnote 106 These criteria could be considered subjective in terms of compliance with the non-discrimination requirements. Therefore, the EU must be able to further clarify to WTO members how these criteria ensure that an objective assessment is conducted in the adequacy assessments. It is important to note that the EU has established adequacy decisions with both FTA partners and WTO members that do not have an FTA with the EU. This demonstrates the openness of the EU's adequacy framework in relation to WTO law, and it is beneficial for this openness to be maintained and followed by other WTO members through notifications to the CTS of their personal data ‘adequacy’ frameworks. There is a need for transparency in adequacy assessments not only within the EU but also among other countries using these frameworks, and GATS Art. VII provides the appropriate basis for this.Footnote 107
Besides the arguments on the clarity of the EU adequacy assessment on setting up comparable adequacy frameworks, there is a need to address the procedural differences applicable to adequacy decisions adopted under Art. 25(6) Directive 95/46 and Art. 45(6) GDPR. Art. 45(3) GDPR sets up a review mechanism that did not exist under Art. 25 Directive 95/46. A review needs to be conducted ‘at least every four years’. This obligation has not been extended to the EU adequacy decisions adopted under Art. 25(6) Directive 95/46 (Argentina, Canada, Israel, New Zealand, Switzerland, Uruguay, Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey)Footnote 108 whereas a first review of the Japan's adequacy decision has been adopted and there will be a review for Korea, the UK, and the new EU–US DPF.
The Commission has made oral statements (e.g., in May and July 2022) that a review on the adequacy decisions adopted under Directive 95/46 would be done, but the Commission published its review only in January 2024. It took more than five years after the GDPR entered into force in May 2018. There is no clear justification why the review can be conducted for Directive 95/46 Art. 25(6) adequacy decisions based on a different timeline that exceeds the timeline applicable to adequacy decisions adopted under GDPR Art. 45(3). For Argentina, Canada, Israel, New Zealand, Switzerland, Uruguay, Andorra, Faroe Islands, Guernsey, Isle of Man, and Jersey there is no rule of a review of ‘at least every four years’ compared to, e.g., Japan where the review of the adequacy decision was set within two years after its entry into force.Footnote 109 Hence, currently better conditions for cross-border data transfers are set for Art. 25(6) Directive 95/46 adequacy decisions. This constitutes discrimination under GATS Art. VII:3.
Additionally, the Commission is not required to consult the EDPB for the review of Directive 95/46 decisions whereas this is a requirement for adequacy decisions adopted under the GDPR. Even though the Commission's review of the 11 adequacy decisions adopted under Directive 95/46 states that different relevant bodies were consulted including the EDPB,Footnote 110 this is not the same (and does not provide the same transparency) as involving three EDPB representatives for the review of the EU–Japan adequacy decision.Footnote 111 Compatibility and transparency would be better ensured by applying the same procedures to both Directive 95/46 and GDPR adequacy decisions. The procedural inconsistencies in the review mechanism of EU's adequacy decisions represent a challenge to GATS Articles VII:3 and II:1. Here reviews are not subject to the same standard and the costs for the reviews could be higher for the US, Korea, Japan, and the UK having a decision in place after 2018 compared to Argentina, Canada, Israel, New Zealand, Switzerland, Uruguay, Andorra, Faroe Islands, Guernsey, Isle of Man, and Jersey having a decision in force prior to 2018.
4.2 The Impact of EU Adequacy on Countries with vs. without a Decision in the Context of GATS Art. VII:3
GDPR Chapter V sets a framework of different ‘tools’ that can be used for cross-border data transfers as addressed in section 2: adequacy decisions providing the highest level of certainty for service suppliers compared to the use of, e.g. standard contractual clauses or approved code of conduct.Footnote 112 Irion and Yakovleva state that ‘the use of adequacy findings violates the principle of most-favored-nation treatment by giving disparate treatment to transfers of personal data to countries that have received an adequacy finding, as opposed to those that have not’.Footnote 113 Mattoo and Meltzer, and Mishra argue that the applicability of EU adequacy decisions to service suppliers gives an advantage compared to service suppliers that are subject to other appropriate safeguards resulting in a less favorable treatment that violates the MFN treatment.Footnote 114 One reason is that it becomes less costly for service suppliers when an adequacy decision is in place compared to service suppliers subject to appropriate safeguards. EU adequacy decisions give an advantage to service suppliers of country A that are subject to an adequacy decision compared to service suppliers that are in country B without an applicable adequacy decision required to apply other GDPR safeguards. GATS Art. VII allows this type of differentiation and does not constitute a violation with GATS Art. II:1 if recognition is granted in accordance with GATS Art. VII paragraphs 2 and 3. If the EU adequacy decisions constitute recognition, WTO members that are not essentially equivalent will have to implement other safeguards if they do not negotiate adequacy or a similar framework with the EU. This is a benefit that recognition agreements create, and it is legitimate.Footnote 115
When comparing the different types of ‘tools’ such as adequacy decisions and SCCs, it is important to bear in mind that adequacy talks are not without their own costs.Footnote 116 The governments choice to enter adequacy talks with the EU means that the third country is carrying the financial burden on behalf of their service suppliers. Furthermore, in situations where a third country is in the process of adequacy talks, legally the service suppliers are supposed to implement other data transfer tools (appropriate safeguards) in accordance with Chapter V GDPR until the adequacy decision comes into force. The Commission's evaluation considers the costs of implementing an adequacy decision: if there is a limited amount of data transfers between the EU and the third country, it might not be economically reasonable to go through the adequacy process as the short-term and long-term expenses should be taken into consideration. If a third country has a limited number of companies that have access to personal data from the EU, then it might be less costly for the third country to support the companies in their implementation of, for example, Commission's SCCsFootnote 117 rather than engaging in negotiations with the EU. This also shows why alternative approaches should be encouraged in GATS context, and GATS Art. VII:1 provides the necessary framework for it.
Both Mattoo and Meltzer and Mishra also consider the EU requirement of local presence of service suppliers as a violation of GATS Art. II:1 for appropriate safeguards (BCRs, SCCs) compared to adequacy.Footnote 118 This requirement also applies to adequacy decisions. Adequacy decisions are subject to Articles 6, 9, and 28 GDPR: simply put, when an adequacy decision is in place the service suppliers do need to follow the GDPR. Even though this is not how the Commission has presented it, this is how the supervisory authorities in the EU countries interpret it. The differences about local presence are linked to whether the service suppliers are data controllers or data processors. It is true that the practice is clearer about the dynamic of a data controllers located in the EU and data processor processing that data outside the territory of the EU compared to a situation where the data controller is located abroad. The EDPB has been preparing guidelines on this, although they have not been published yet and some uncertainty remains. Furthermore, it is not clear how the Commission addresses this in the adequacy talks. According to the GDPR an adequacy decision is not supposed to create a discrepancy on the rules on local presence.
4.3 The Importance of Notifying Adequacy Decisions and Additional Remarks on the Interplay between GATS Art. VII, General Exceptions and Art.II:1
Furthermore, Saluste argues that, in the context of GATS Art. II:1, the transition from Directive 95/46 to the GDPR provided an advantage to the third countries subject to an adequacy decision, compared to the rest of the world.Footnote 119 This issue would not have arisen if the EU had notified its adequacy decisions as recognition agreements. Such notifications are an obligation under GATS Art VII:4, ensuring the transparency needed for other WTO members to initiate adequacy discussions, if relevant for their service suppliers, or to request information from the EU to better understand the GDPR framework for cross-border data transfers for the use of other ‘tools’. Nevertheless, the EU can still provide the notifications. Currently, notifications to the CTS are extremely limited, and efforts should be made to enhance transparency, which remains an issue regarding many WTO members.
Notifications of adequacy decisions would help to further clarify the EU framework and its application. Currently, any interested WTO member that would wish to enter into adequacy talks with the EU needs to individually contact the Commission to understand what the criteria are, what must be demonstrated, and what procedures apply. Such information could instead be presented by the Commission to the CTS. The Commission has committed to international cooperation according to Art. 50 GDPR, requiring it to ‘engage relevant stakeholders in discussion and activities aimed at furthering international cooperation in the enforcement of legislation for the protection of personal data’.Footnote 120
Privacy scholars, experts, as well as discussions between the Commission's Directorates and the European Parliament, have revealed skepticism and misunderstanding about the role of WTO in these discussions. While the WTO (CTS) need not be the forum for expanding efforts to mutually recognize data protection regimes and pursue greater convergence in regulation – GATS Art. VII:5 states that cooperation should take place in the most appropriate setting – notifications to the CTS can only support efforts to facilitate trade in services and potentially improve actual personal data protection. Therefore, the WTO members could also address whether there is another forum where their domestic technical experts on privacy could convene, should they prefer not to use the CTS for this purpose to be transparent and clear regarding their use of standards. It is important to explore ways to foster open dialogue, ensuring that countries feel encouraged, rather than threatened, by transparency of their data adequacy frameworks. Given that a significant number of WTO members have already engaged in open discussions on privacy within the context of the Joint Statement Initiative, there is a clearer case for ensuring that data adequacy frameworks are formally notified in accordance with their obligations under GATS Art. VII:4, to enhance international cooperation and understanding.
In sum, there are elements the EU still needs to clarify and address, potentially requiring modifications. This does not preclude the EU from complying with its WTO obligations while maintaining the standards deemed necessary to secure personal data protection. If a dispute were to arise concerning the EU's adequacy framework and a violation were found, the EU's notifications of its adequacy framework as recognition could support its justification of the violation under GATS Art. XIV. This is based on Trachtman's (2014) analysis of equivalence, recognition, and GATS Art. XIV, discussed below. The examination of the WP29 documents on cross-border data transfers indicated that the Commission acknowledges that restrictions on cross-border data transfers would require invoking GATS Art. XIV if any violations were to occur.Footnote 121 This would certainly require invoking the justification of Art. XIV:(c)(ii) covering ‘the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts’. The EU might also invoke subparagraph (a) on the protection of public morals.Footnote 122
Based on the criteria of Art. XIV(a) and XIV(c), both are subject to the ‘necessity test’. Trachtman argues that to meet the necessity requirement of GATS Art. XIV the choice of using equivalence as a basis for any assessment might require it to be established through recognition.Footnote 123 Therefore, it might be that for the EU adequacy decision to be found compatible with GATS Art. XIV(a) or (c)(ii) in case of a violation of another provision of the GATS, the EU adequacy decisions framework has to exist as recognition under GATS Art. VII:1 and requires the notification of the adequacy decisions in accordance with GATS Art. VII:4. Before concluding, another element to highlight is the potential need to examine the existence of ‘like’ service suppliers as part of the non-discrimination test in the event of a dispute. GATS Art. VII does not refer to like service suppliers. Although it provides a procedural exception to GATS Art. II, it does not provide a substantive one. Therefore, ‘likeness’ could be addressed based on GATS Art. II:1 in the context of GATS Art. VII:3. The author argues that the applicable rule to likeness is originFootnote 124 as the distinction of service suppliers is tied to the equivalence (‘likeness’) of applicable data protection rules across different territories.Footnote 125 Even if a panel were to find that determining ‘likeness’ is challenging in cases of cross-border data transfers between different service suppliers, if they do not consider origin as the basis for the likeness test,Footnote 126 this does not affect the fact that, based on the above analysis, ‘data adequacy’ frameworks, such as EU adequacy decisions, can fall under the definition of GATS Art. VII:1 and should be notified according to GATS Art. VII:4.
5. Conclusion
Art. VII of the General Agreement on Trade in Services (GATS) establishes criteria for members of the WTO seeking to establish mutual/bilateral recognition for regulatory regimes affecting trade in services. There has been an exponential rise in domestic regulations on data protection leading to a fragmentation in the use of data protection standards globally.Footnote 127 Bilateral and plurilateral regulatory cooperation in the field of data protection is increasingly prevalent but is not reflected in notifications to the WTO. The EU's GDPR currently sets the highest standards on personal data protection. The EU also has the longest standing framework in place to assess the compatibility of EU and third countries’ data protection regimes.
The examination of state-to-state cooperation on data protection regimes in light of GATS Art. VII, with a focus on EU adequacy decisions suggests a reassessment is called for of data adequacy arrangements under the GATS and the solutions that Art. VII upholds. Art. VII protects the right of states to regulate and to choose their level of standards according to their values/rights while its notifications provide an open forum for discussions on regulatory cooperation. This well-established practice serves all through transparency on domestic measures. The literature on EU adequacy decisions has mainly been critical, arguing such decisions are discriminatory by giving an advantage to service suppliers of countries deemed to be ‘adequate’. In this paper, I argue that the procedures used to assess adequacy by the EU to protect the fundamental rights of EU citizens can coexist in compliance with the GATS commitments as it falls within the scope of GATS Art. VII:1 and can meet the requirements of paragraph 3 of Art. VII.
EU adequacy decisions are recognition agreements/arrangements in trade in services according to GATS Art. VII:1. This is because they have extensive applicability to service suppliers across multiple modes of supply, and, because recognition through the use of ‘standards or criteria’ leaves a broad policy space for WTO members to define the applicable rules that can be considered for recognition agreements, including EU adequacy decisions. Moreover, EU ‘traditional’ adequacy decisions are granted through authorization, with the EU–US adequacy frameworks additionally including certification that is established through authorization given by the Commission. Authorization and certification are covered by GATS Art. VII:1. EU adequacy assessments consist of a comparison of applicable rules in two jurisdictions that achieves recognition through ‘essential equivalence’. GATS Art. VII:1 allows a variety of means to be used to achieve recognition, including equivalence. Both unilateral and mutual recognition of ‘adequacy’ of a third country are covered by GATS Art. VII:1. Finally, the analysis of the requirements of GATS Art. VII:3 on non-discrimination in the light of EU's implementation of adequacy decisions and alternative tools for cross-border data transfers under Chapter V GDPR shows that a balance between the protection of rights and openness in trade can be achieved under GATS Art. VII. This is relevant for all the emerging data transfer mechanisms, not just the EU adequacy framework.
The fact that GATS Art. VII:1 can be applied to EU adequacy framework is not only important in the context of understanding the EU adequacy framework in WTO law but it also implies that other WTO members should notify their recognition of data protection rules impacting service suppliers. The notifications of adequacy decisions could improve regulatory cooperation in data protection. While notifications to the WTO do not magically solve the fragmentation issue, the transparency and openness regarding standards can contribute to further convergence, supporting implementation of data protection standards globally by offering a tangible path toward strengthening privacy protection in the context of personal data processing.
The current fragmented approaches to addressing cross-border data transfers in FTAs and DEAs only add to the confusion about applicable standards lacking clarity and pathways toward harmonization. The arguments put forward in this paper are relevant for all WTO members. As many states use data adequacy frameworks and data protection standards, they should be regarded as central to the GATS Art. VII:1 requirements to inform all WTO members about their frameworks. Doing so could help identify opportunities for expanding the coverage of such frameworks to more countries and better inform policymakers of the alternative approaches to reducing the trade costs of different regulatory regimes for data protection.
Acknowledgement
I am deeply grateful to Prof. Bernard Hoekman, Prof. Petros Mavroidis, Prof. Deirdre Curtin, and the WTO Secretariat for comments, discussions, and suggestions on earlier drafts. Also, a big thank you to the staff of the EU institutions and the EU national data protection authorities that have very patiently answered to all my questions.
Open access
