In October 2015, the Court of Justice of the European Union (CJEU) invalidated the Safe Harbour data protection framework, because it failed to provide an essentially equivalent protection of EU citizens and residents’ personal data in the United States. The Court confirmed that cross-border data transfer frameworks need robust privacy and personal data protection safeguards.
According to an analysis by the Foundation for a Free Information Infrastructure (FFII), CETA is not compatible with the Charter of Fundamental Rights of the European Union (EU).
After the conclusion of the CETA negotiations, the EU legal services conducted a legal review of the trade agreement (so-called “legal scrubbing”). However, this process did not bring the CETA text into line with the Court’s Safe Harbour ruling. This incompatibility means that our privacy and data protection rights are under threat. This is particularly relevant as Canada is a member of the “Five Eyes” arrangement, a group of countries committed to (suspicionless) mass surveillance.
CETA contains a general exception (Article 28.3 (2)), which is argued to be there to reserve policy space. This general exception, however, contains multiple strict conditions. In only two of 45 World Trade Organisation cases (Article XX of the General Agreement on Tariffs and Trade (GATT) and Article XIV of the General Agreement on Trade in Services (GATS)) did states successfully invoke similar provisions.
Regarding privacy, the general exception additionally contains the condition that EU laws on which measures to protect personal data would be based must not be inconsistent with other provisions of CETA (Article 28.3 (2)(c)). To put it simply, the general exception that should allow the EU to act to protect our privacy does not allow the EU to act contrary to what is agreed in CETA. This concession would become obligatory and therefore, if adopted, CETA would de facto be placed above the EU Charter of Fundamental Rights.
The FFII analysis gives a specific example of such a concession in CETA, which can be found in Chapter 13 (Financial Services). Under CETA, Article 13.15 establishes that the EU and Canada have to allow a financial institution or a cross-border financial service supplier to transfer information across borders. The related privacy standard is weaker than the one in EU law. For instance, it contains the condition that each Party needs to provide “adequate safeguards to protect privacy”, which international arbitrators do not have to read in the light of the Charter of Fundamental Rights (as the EU Court of Justice does). This is particularly relevant as CETA contains two international dispute settlement mechanisms. In short, the privacy safeguard set in Article 13.15 (2) falls short of the one in the Court’s Safe Harbour decision.
As a result, if adopted, CETA would create an international obligation with a lower privacy standard. Conflicts over obligations in trade agreements are decided by international trade and investment arbitrators, not by supreme or human rights courts. CETA gives financial institutions a carve-out from regular privacy enforcement. CETA gives financial institutions a “status aparte.”
Negotiations behind closed doors and a failed legal scrubbing have led to a text that is not compatible with the Charter of Fundamental Rights of the European Union.