Written evidence submission from Law Society of Scotland (DTD0016)
Introduction
1. The Law Society of Scotland is the professional body for over 12,000 Scottish solicitors. With our overarching objective of leading legal excellence, we strive to excel and to be a world-class professional body, understanding and serving the needs of our members and the public. We set and uphold standards to ensure the provision of excellent legal services and ensure the public can have confidence in Scotland’s solicitor profession.
2. We have a statutory duty to work in the public interest, a duty which we are strongly committed to achieving through our work to promote a strong, varied and effective solicitor profession working in the interests of the public and protecting and promoting the rule of law. We seek to influence the creation of a fairer and more just society through our active engagement with the Scottish and United Kingdom Governments, Parliaments, wider stakeholders and our membership.
3. Our Trade Policy Working Group, Privacy Law Sub-Committee and other relevant policy committees welcome the opportunity to respond to the International Trade Committee’s Inquiry on Data and Digital Trade.[1] We have the following comments to put forward for consideration.
Response to questions
What are the main barriers faced by UK businesses engaging in digital trade?
4. “Digital trade” potentially covers a huge range of activities and there is no single accepted definition. It can include goods and services ordered over the internet for physical delivery, as well as goods and services provided virtually.
5. In either case, the most common legal barriers specific to digital trade are likely to arise in the form of data localisation requirements[2] and rules around international or “cross-border” transfers of data,[3] such as the requirement to seek permissions from data subjects or carry out risk assessments. The GDPR is an example of the latter situation, where although it is not mandatory for data to remain within the EU, a series of safeguards surround cross-border transfers.[4] While such rules pose a barrier to trade, under WTO law it is legitimate for countries to impose such rules where “necessary to secure compliance with laws or regulations which are not inconsistent with the provisions of this Agreement including those relating to…the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts…”.[5] However, some countries such as China, Russia and Australia (in relation to health data) operate more absolute rules around local storage requirements and/or bans on cross-border transfers.
6. In addition, the plethora of different data protection and privacy regimes in different countries creates regulatory fragmentation and can make it difficult for businesses to expand their offering to multiple overseas jurisdictions because of the compliance burden.
7. Other barriers to trade will impact digital trade in the same way as “traditional” or physical trade. These are likely to present themselves in the form of regulatory requirements or practical issues around availability of digital infrastructure, capacity of networks, the ability of businesses and consumers to access those networks, and the skills to maximise the opportunities on both sides of the trade relationship. Such rules may be found in areas such as cybersecurity, consumer protection and taxation.
8. As indicated above, it is possible for rules to be both barriers to trade and justified in the interests of legitimate public policy objectives. This is one of the main reasons why trade agreements increasingly go beyond the traditional realms of customs tariffs on goods, quotas and market access commitments to focus in on regulatory alignment and cooperation. In modern trade policy debates it is these “behind the border” issues, which most urgently require to be addressed.
9. That said, the potential for introducing customs tariffs on electronic transmissions is very much a live issue and could have a significant impact – and potentially pose a significant barrier – to digital trade. For this reason, WTO members agreed an e-commerce moratorium on duties on electronic transmissions, which has been renewed multiple times over the more than twenty years since its inception.
What opportunities does digital trade present for UK businesses?
10. It is difficult to quantify the opportunities which digital trade presents for UK businesses.
11. Businesses of all sizes have the potential to grow their customer base through though opportunities which digital trade presents to reach consumers and clients all over the world. The ability to provide goods and services remotely can provide time and cost efficiencies – for example by reducing the need to travel or set up physical premises for overseas operations.
12. The trend towards remote working – particularly across services industries – has of course been accelerated and expanded as a result of the coronavirus pandemic. The fact that so many businesses have adapted their operations in this way, may also change the way people source services and could further reduce the focus on physical proximity. This could also pave the way for more digital collaboration, which could also present an opportunity for UK businesses.
13. At the same time, a global marketplace in terms of opportunity, also means increased competition. In addition, even without a physical presence in an overseas jurisdiction, it will still be necessary to abide by local regulation – for example consumer laws – and digital trade may result in complex tax and accounting requirements, which will reduce the opportunities, particularly for smaller businesses.
Solicitors and the legal sector
14. The legal sector has a symbiotic relationship with most if not all other sectors and digital trade is no exception. Solicitors support all other sectors in their international trading relationships, facilitating imports and exports and both inward and outward investment. The ability to develop both digital and traditional industries presents a particular opportunity to attract inward direct investment to grow UK businesses with a view to expanding both domestic and international client bases. If this is to happen, it is important that professional advisers, such as solicitors, are free to provide services to overseas clients, for example providing legal advice and negotiating contract terms to ensure these transactions go ahead. Digital trade therefore presents opportunities for the legal sector in terms of generating both domestic and international client business.
How does the regulation of digital trade impact consumers?
15. The GATS does not specifically refer to consumer law, although as noted above, it does expressly grant members the ability to safeguard the rights of individuals (and therefore consumers) in terms of data protection and privacy. However, FTAs will often make reference to requirements of consumer law, often in conjunction with competition law – see for example Chapter 11 of the UK-Japan CEPA. Such chapters tend to require the Parties to operate domestic competition law systems. The link between the two areas is often recognised in the text eg “Each Party recognises the importance of consumer protection policy and enforcement to creating efficient and competitive markets and enhancing consumer welfare.”[6]
16. While competition might appear to govern market dynamics in the sense of the ability of businesses to enter or compete in a market and therefore be concerned very much with commercial entities, the two are very much interrelated. The UK’s regulatory model evidences this as the primary competition regulator – the Competition and Markets Authority – also has significant consumer protection duties and powers. We note that the CMA has recently received UK Government funding to create a dedicated Digital Markets Unit to focus on this area. The impact on consumers will, of course, depend on the rules introduced, but we would hope to see regulation which facilitates digital business, including international digital business (and therefore trade), while also protecting and promoting the interests of consumers. Current policy issues which the CMA is considering which span both areas include, for example, algorithmic pricing and unfair ranking and design. (See also comment on net neutrality rules below.)
17. Regulators across the world are grappling with regulation of eCommerce to ensure that consumers are protected where necessary, while also trying to avoid stifling innovation and creativity, which would bar consumers from accessing goods and services they need or want. References to “a digital world without borders” are common and as the concept of trade increasingly moves away from assumptions of a physical-world foundation, domestic legislation increasingly impacts upon trade. To some extent regulation of digital business is therefore also regulation of digital trade and the impact on consumers will depend on the individual priorities of the regulators or governments in question.
What approach(es) should the UK take to negotiating digital and data provisions – including those concerning the free flow of data, protection for personal data, net neutrality, data localisation, and intellectual property– in its future trade agreements?
18. We believe it is possible both to facilitate digital trade and to protect personal data and privacy. This should be the UK’s overarching objective in future trade agreements. In practice this is likely to require regulatory cooperation and the agreement of standards of protection, necessitating not only robust rules but effective enforcement.
19. Provisions on the free flow of data are to be welcomed. It is also important to note that large volumes of data are not personal data and therefore do not raise privacy/data protection concerns. It is important to ensure free flows of data and break down barriers to flows of data which are protectionist in nature. Efforts in this area should take account of both legal and practical barriers – in the latter context, for example, considering standards to facilitate or enhance interoperability to maximise the potential of digital business channels.
20. Data localisation measures may be legitimate in the interests of protecting citizens’ personal information. However, the UK should seek to take an evidence-based approach to ensure that data localisation rules do not present unjustified barriers to trade and seek to challenge rules which are in fact protectionist measures “in disguise”.
21. Protection for personal data should be at the heart of UK trade policy and there are opportunities for the UK to take a proactive role in achieving global consensus on the need for protection, which would pave the way for free flows of personal data, without raising concerns around the impact on individuals.
Overall net neutrality rules should achieve greater market entry options and more open competition but in certain instances, they may also be viewed as a constraint on trade.
22. Intellectual property protections play an important role in trade. Most aspects of IP are not specific to data and digital trade – but it is also one in which best efforts to build consensus and encourage a collaborative approach are likely to yield greater returns for UK businesses.
23. Within the sphere of IP, forced technology transfer rules imposed by regulators are perhaps of particular relevance to digital trade. Domestic regulators may require businesses to share for example details of algorithmic equations or source code with domestic regulators for the purposes of competition or privacy regulation. Where this remains confidential, then the integrity of the businesses’ intellectual property will not be compromised, but occasionally concerns arise that this sharing of commercially sensitive information will be used to benefit domestic industries. In other contexts, technology transfer will occur organically and may be considered a benefit of trade – particularly where the transfer delivers new skills or understanding in the context of economic development.
24. We also welcome digital provisions covering other issues, including e-Signatures/e-Authentication and affirming the potential for digital creation of contracts along the lines set out in the UK-EU Trade and Cooperation Agreement (TCA). For example, Article DIGIT.10 includes provisions on the conclusion of contracts by electronic means. The parties must ensure that domestic law “neither creates obstacles for the use of electronic contracts nor results in contracts being deprived of legal effect and validity solely on the ground that the contract has been made by electronic means.” However, this is subject to certain exceptions such as legal representation services, services of notaries public, contracts that require witnessing in person, contracts that establish or transfer rights in real estate and contracts requiring by law the involvement of courts, public authorities or professions exercising public authority and contracts governed by family law or by the law of succession.
See also Annex on International transfers, regulatory cooperation, the GDPR and the TCA.
What does the UK-Japan Agreement indicate about the UK’s approach to digital trade and data provisions in future trade negotiations?
25. The UK-Japan Agreement is encouraging in enhancing the digital trade and data provisions, which had previously existed for UK-Japan trade relations under the EU-Japan EPA. However, it would be difficult to draw firm conclusions from a single agreement. At the same time, we understand that this is an approach which it is intended will be replicated in future agreements. It indicates a desire to achieve ambitious digital trade and data provisions, in line with other international agreements, which address this topic.
What approach should the UK take towards renewing the WTO’s moratorium on customs duties on electronic transmissions?
26. We support the WTO’s moratorium on customs duties on electronic transmissions and believe the UK has an opportunity to play a proactive role in these discussions. In the longer term, it would be helpful to reach a permanent agreement among members in the interests of stability and certainty.
What objectives should the UK have when negotiating digital and data provisions during its accession to the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP)?
27. The UK will be constrained in its ability to seek concessions from other parties to the CPTPP as their commitments have already been negotiated.
28. The question therefore turns on the UK’s offer and any exclusions or exceptions to protect UK interests.
29. We note that both Japan and Canada participate in the CPTPP and maintain partial adequacy decisions to support data transfers for the EU. A key negotiating priority should be to ensure that UK commitments do not conflict with EU adequacy requirements, which could threaten the UK’s competitive position in relation to international data flows between the EU and the UK. Japanese and Canadian schedules may be instructive in this regard.
Will the global increase in digital trade affect the environment in a positive or negative way? What steps can be taken to mitigate any negative environmental impacts of increased digital trade?
30. We do not have any data on this question.
What domestic and international law is relevant to the Government’s approach to digital trade?
31. It would be impossible to record a comprehensive inventory of all the potential domestic and international law relevant to the Government’s approach to international trade.
32. Domestic legislation: as noted above, the UK’s rules on personal data protection are set out in the Data Protection Act 2018. Currently the UK position aligns with that of the EU as regulated by the GDPR. However, data protection legislation alone will not be the only factor of interest to foreign governments and businesses seeking to understand and assess the UK framework. Legislation such as the Investigatory Powers Act will also be taken into consideration.
33. Similarly, the UK Government will need to assess domestic legislation in other countries and take this into account when seeking to negotiate trade agreements with new potential partners.
34. WTO legal framework: the WTO agreements – most obviously the GATS, General Agreement on Tariffs and Trade (GATT), Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS) and Information Technology Agreement (ITA) are all of clear relevance to the Government’s approach to digital trade. Joint Statement initiatives – notably that on eCommerce – offer the potential for the UK to support more ambitious commitments by interested parties. The WTO’s dispute settlement arrangements are also an important issue and seeking to find a way forward from the dispute settlement “crisis” should form part of the UK’s WTO priorities if the organisation is to remain relevant, including in relation to resolving disputes around digital trade.
35. Free trade agreements and specific digital agreements: UK agreements and those entered into by negotiating partners may impact on what it is possible to achieve in any given agreement. Agreements generally can also provide useful precedents in terms of the level of ambition which a partner may be willing to sign up to and also in assessing global best-practice and suggested negotiating text. Ensuring consistency of wording across UK treaties so far as possible, is also likely to give stakeholders greater clarity as to how obligations should be interpreted.
36. International laws and treaties: a broad spectrum of other international treaties are likely to be relevant to developing UK trade policy and directing the UK’s approach to trade negotiations, including those aspects which relate to digital trade. Agreements relating to intellectual property (such as Berne Copyright Convention and World Intellectual Property Organisation Copyright Treaty), telecommunications (such the International Telecommunications Union agreements) and cybersecurity (eg the Council of Europe Convention on Cybercrime (or Budapest Convention)) are likely to be of particular relevance to digital trade.
37. Soft law: in practice, international industry standards can be both influential and potentially extremely helpful in reducing trade barriers and facilitating trade. Interoperability is vital in ensuring digital trade functions properly and will be relevant across all industries as the trend towards increasing use of technology continues. Whether formally adopted or used as guidelines to enhance consistency they can be used to address some of the less legalistic barriers to trade and therefore should not be underestimated or forgotten. The International Standards Organisation is a good example of a body whose work should be considered in this context.
Annex - International transfers, regulatory cooperation, the GDPR and the TCA
38. The experience of the General Data Protection Regulation (GDPR) may be instructive in considering policy issues which may arise in the context of international data flows/data transfers and regulatory collaboration. As noted above, the GDPR sets particular requirements with regard to data transfers to countries outside the EU.
39. Under the terms of the TCA, the UK currently enjoys a temporary “adequacy” status for up to six months (ie until 30 June 2021), under which its data protection regime is recognised as being of a sufficiently high standard. This is unsurprising given that the GDPR applied to the UK law as an EU Member State and the law has not been changed since.[7] However, the UK is still to be awarded the more “permanent” adequacy status, likely to alleviate the regulatory burden which will otherwise attend EU to UK personal data transfers. The award of an adequacy decision is therefore extremely important to future UK-EU trade.
40. The recent decision in the “Schrems II” case[8] before the Court of Justice of the European Union illustrates both the importance of an adequacy finding, and the fact that even a Commission decision may not be a cast-iron guarantee of the UK’s suitability as a personal data transfer destination. The decision concerned transfers to the US, previously thought to be permitted under the EU-US “Privacy Shield” adequacy decision. However, the shield was found wanting and accordingly declared invalid because the CJEU was not satisfied with procedural protections around access to data by national authorities and due to the lack of rights that EU data subjects have in the US. They therefore concluded that the shield was invalid.
41. While transfers to the US are not expressly forbidden, companies seeking to transfer personal data there must use supplementary measures which may take the form of contractual, organisational or technical measures - in addition to protecting transfers under standard contractual clauses or binding corporate rules. Even then data controllers are still required to assess the risks of transfer to the US as a whole. It may therefore be that transfers to the US face a high bar in practice – either because the risk of personal information being accessed is too high or the compliance assessment is too complicated to complete. Smaller organisations with fewer resources are likely to find this more challenging. The decision therefore demonstrates how transfers to the UK would be considered if the UK were a standard third country with no adequacy decision in place[9] and in particular if the UK Government decided to change data protection law going forward.
42. Secondly, the judgement highlights the fact that assessment of data protection laws alone may be insufficient as the CJEU’s concerns pertained to US surveillance programmes. In terms of the UK’s own adequacy finding, legislation beyond the Data Protection Act 2018 – notably the Investigatory Powers Act 2016– may also be relevant.
43. Lastly, because the GDPR has, in recent years, been adopted as a blueprint by other countries seeking to update their own domestic data protection regimes, decisions at an EU level around the way in which the GDPR is interpreted, may be highly influential in other parts of the world. This is an issue to which the UK must remain alive in considering its domestic approach and in seeking to reach international agreements regarding the free flow of personal data which is so important to many aspects of international trade.
February 2021
[1] https://committees.parliament.uk/committee/367/international-trade-committee/news/137928/digital-trade-and-data-inquiry-launched/
[2] Ie rules that require certain types of data to be stored on local servers or otherwise prevent data being transferred outside the country
[3] NB In an EU context, “cross-border transfers of data” refer to intra-EU transfers and “international data transfers” refer to transfers to third countries. However, the term “cross-border” appears in a more general context in trade agreements such as the UK-Japan CEPA, CPTPP and USMCA. In this response we therefore use “cross-border” in this general sense, however the term “international transfers” is used in referring to EU arrangements to ensure that there is no confusion with the EU-specific usage of “cross-border”.
[4] Prior to EU withdrawal, the UK has implemented the GDPR in domestic UK law through the Data Protection Act 2018 and therefore the rules in the UK and EU currently run in parallel.
[5] See Article XIV (c)(ii) of the GATS https://www.wto.org/english/docs_e/legal_e/26-gats_01_e.htm
[6] See UK-Japan CEPA Chapter 11, Article 11.7(1)
[7] As a regulation the GDPR was directly applicable in UK law, however, Member States were required to establish a system for penalties on a domestic basis. The UK went further than this, explicitly incorporating the GDPR in the Data Protection Act 2018. Unlike other EU Regulations which form part of retained EU law, the rules therefore appear in specific legislation.
[8] CJEU judgment C-311/18 “Schrems II”
[9] See further Brexit, Schrems II and international data transfers | Law Society of Scotland (lawscot.org.uk)