Like this article? rabble is reader-supported journalism. Chip in to keep stories like these coming.
The Trouble with the TPP continues this week with a series of posts on the TPP and privacy. The inclusion of privacy within the TPP has been touted by governments as one of the benefits of the agreement, but the privacy provisions are so weak as to move global privacy backwards, weakening emerging international standards and locking countries into rules that restrict their ability to establish additional privacy safeguards.
While some have questioned the concerns associated with privacy and the TPP by arguing that it is it a trade agreement, not a privacy treaty, the reality is that the commercial importance of big data has never been greater.
Indeed, it is odd to see some emphasize the importance of increased, harmonized intellectual property protections but simultaneously express satisfaction with bare minimum privacy protections that provide companies with a patchwork of rules and consumers without standardized protections. Personal information is a critical part of e-commerce and the need for public confidence in privacy protections alongside corporate certainty about their rights and obligations with the personal information they collect should be beyond debate.
For most TPP countries, the starting point for privacy protection is a national privacy law modelled on the OECD privacy principles. In fact, the majority of the TPP, including Canada, Mexico, Peru, Australia, New Zealand, Malaysia, Japan, and Singapore, have national privacy laws (Chile is developing a privacy law).
Moreover, many of these countries have privacy or data protection commissioners with some form of enforcement powers as well as additional rules on issues such as mandatory disclosure of security breaches (overview of Latin America rules, Asia rules). The key exception is the United States, which does not have an omnibus privacy law nor a privacy commissioner, relying instead on FTC enforcement of privacy policies.
Rather than setting the TPP privacy bar at having a national privacy law based on the OECD principles, the agreement weakens the shift toward a minimum standard of privacy protection. Article 14.8 looks promising with respect to privacy protection:
"each Party shall adopt or maintain a legal framework that provides for the protection of the personal information of the users of electronic commerce. In the development of its legal framework for the protection of personal information, each Party should take into account principles and guidelines of relevant international bodies"
Unfortunately, the provision is subject to a footnote that effectively eviscerates the requirement for a privacy legal framework:
"For greater certainty, a Party may comply with the obligation in this paragraph by adopting or maintaining measures such as a comprehensive privacy, personal information or personal data protection laws, sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy."
The footnote effectively means that the TPP's privacy requirements can be met without the need for any privacy law at all. Enforcing voluntary undertakings isn't a privacy law, it's an anti-fraud approach that requires companies to be truthful about their privacy promises. If the law does not feature specific requirements for the consent, use, and disclosure of personal information, it isn't a privacy law.
The TPP weakens global privacy protections by failing to establish a minimum privacy law standard and then makes matters worse by limiting the ability for member countries to establish some additional safeguards. More on those limitations throughout the coming week.
This piece originally appeared on Michael Geist's blog and is reprinted with permission.
Photo: flickr/ Josh Hallett