By Matthew Cunningham-Cook, who has written for the International Business Times, The New Republic, Jacobin, Aljazeera, and The Nation and has been a labor activist
On October 6, the European Court of Justice issued a sweeping ruling invalidating the existing cross-Atlantic data transfer agreement, putting the entire business model of companies like Facebook and Google at risk. The ruling gives data privacy regulators in individual EU states expansive powers to demand data localization from multinational tech firms. Observers noted that the Snowden revelations contributed to the decision, with EU judges looking unfavorable at the fact that the NSA had basically unfettered access to the data of EU citizens.
Lo and behold, just a month later comes a trade agreement that will make sure that Facebook and Google’s little legal problems in Europe won’t happen in. say, Australia, Japan, New Zealand or Canada.
To wit, from the TPP’s electronic commerce chapter:
Each Party shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.
Public Citizen as always had a good rundown, right after the TPP’s release. “The E-Commerce chapter has serious implications for online privacy,” said Peter Maybarduk, director of Public Citizen’s information society program. “The text reveals that policies protecting personal data when it crosses borders could be subject to challenge as a violation of the TPP.”
The Public Citizen press release also points out that “These TPP standards replicate language in World Trade Organization agreements under which tribunals have ruled against domestic policies in 43 of 44 challenges.”
But beyond the E-commerce chapter’s impact on Facebook and Google, which has been discussed, I’m interested in how there is no carveout for medical data. The TPP language means that insurers and other companies can take medical data across borders willy-nilly without any type of fear of running into pesky data privacy laws–like, say HIPAA, which protects personal health information from misuse.
This is particularly interesting in the case of Vietnam. A memo from the international law firm Russin and Vecchi states that:
Notwithstanding the existence of some privacy regulations that relate to healthcare services, certain gaps remain. Is a healthcare entity liable for a breach of a patient’s privacy by a doctor or medical worker employed by that entity? If yes, to what extent is the healthcare entity liable? May private information about a patient be stored, used and transferred within a healthcare entity and, if so, to what extent? Who may have access to a patient or his private information during a medical examination and/or treatment?
Basically a legal wild west for data, now in the TPP zone, being advertised as a great place for more IT offshoring.
It’s unfortunately widely accepted–even in the EU–that companies like Facebook and Google consider consumer data a commodity to be bought and sold. There is little variance across the world as to this fact. But medical data is a whole other area entirely, with a range of laws protecting medical privacy across the TPP zone. But what happens when medical data is transferred to another country? The EU’s Directive on Data Protection explicitly prohibits the offshoring of EU citizen data to countries with lower security standards. But HIPAA has none of the same protections–an overhaul of HIPAA to make its protections stronger could be prevented by TPP rules.
The Inspector General of the Department of Health and Human Services already found data protections sorely lacking in 2014, when it wrote: “For example, Medicaid agencies or domestic contractors who send [personal health information] offshore may have limited means of enforcing provisions of BAAs [business associate agreements] that are intended to safeguard PHI. Although some countries may have privacy protections greater than those in the United States, other countries may have limited or no privacy protections to support HIPAA compliance.”
So the short of it is this: medical data protection in the US is already poor compared to the EU, and TPP could preempt any effort to strengthen protections–sending any changes directly to an investor-state tribunal, where it is more likely than not to be overturned.
Yet another reason to oppose this truly awful, anti-people deal.