Data protection principles around the world
Do they violate international investment law?
There has been a recent surge in the proliferation of data protection regulations globally, the most recent example of which is the General Data Protection Regulation. Since data protection laws across the world have become increasingly extra-territorial in their reach, there is a higher propensity for foreign entities to be affected by them. This piece will therefore seek to examine the principles of Data Localisation and Data Minimisation, incorporated in a number of national data protection laws, to determine whether they violate international investment law.
Given that personal data is considered an important asset for both individuals and companies, this piece shall endeavour to evaluate the abovementioned principles against the threshold of expropriation and the fair and equitable standard of treatment. It is generally accepted under international law that the property of aliens cannot be taken, be it for a public purpose or not, and such taking may also be the result of regulatory action.
To determine whether entities in the digital economy such as online retail, consumer finance and media enterprises can be protected under investment law, the widely-used parameters of the Salini case, comprising of economic contribution, specific duration of performance, and an undertaking of risk (Salini v. Morocco at para 52) may be relied upon. These requirements are given a wider interpretation as plausibly encompassing economic activity of any kind, and have been extended to digital enterprises and online platforms as well. The rationale for this call to include digital enterprises within the ambit of international agreements lies in the increasing significance of intangible assets, such as intellectual property, which may be established even in the absence of physical infrastructure. Such enterprises also meet the condition of a contribution to the economy of the host-state (Ceskoslovenska Obchodni Banka at para 64), given their substantial positive impact. Furthermore, a physical presence in the territory of the host-state is not mandatory, even for traditional investments (Fedax v. Venezuela at para 41).
Data Localisation
Data Localisation requires that information originating from a particular country be stored on servers located within that country and involves strict controls over cross-border movement of information. Data Localisation laws have been in place for a considerable period of time in China, and have recently been implemented in Vietnam as well. Such measures not only have a negative impact across all industries but also significantly impair foreign investments, and have been opposed by trade groups before the US Congress.
The concept of indirect expropriation states that the loss in economic value is a significant determinant of expropriation (Tecmed at para 15). In particular, studies conducted on individual businesses relying solely on cloud computing show both immediate and long-term losses in economic value as a result of Data Localisation. Enterprises in the small and medium sector face the maximum disadvantage, due to their primary dependence on the borderless nature of the internet without the need for physical infrastructure. Financial institutions would also be impacted since preventing financial information from being processed on the cloud would not only significantly raise costs, but also make fraud detection harder.
Although Data Localisation laws might be enacted in national interest, the obligation to pay compensation for an expropriatory regulatory measure is not extinguished merely because it is enacted for the benefit of society (Santa Elena v. Costa Rica, at para 72). Furthermore, the element of discrimination is also indicative of an expropriation. Data Localisation measures, by putting foreign entities at an obvious disadvantage compared to their local counterparts, can be classified as discriminatory, especially in the context of multinational enterprises seeking to transfer information within the same entity across borders. In such circumstances, Data Localisation would likely amount to an illegal expropriation.
Data Minimisation
Data Minimisation states that only a minimum amount of data must be collected, and that data that is no longer considered essential must be deleted. The implementation of this principle may result in a huge economic burden since potential uses often cannot be identified at the time of collection. Firms operating in the financial sector, particularly credit referencing firms, would be prevented from accessing adequate financial information required to assess creditworthiness, which is a crucial function. The insurance industry provides another instance of this, where revenue depends upon the quality and adequacy of personal data available, which is hampered by Data Minimisation.
International law recognises a minimum standard for the treatment of aliens (that is independent of treatment meted out to the State’s own citizens) which would be violated in the event that any act or omission by the State impairs either the procedural or the personal rights of an alien. The standard of according fair and equitable treatment to alien investors is established as a general principle of law, according to which any act by the State that affects the predictability and the stability of a legal regime and thereby negatively impacts a foreign investment would be unlawful.
Another determinant of the breach of the fair and equitable standard of treatment is the inconsistency of the legal framework and the disproportionality of the impact on foreign investors. The impact of Data Minimisation measures can be disproportionate, since it often leads to a loss in the contextualisation of data, which greatly diminishes its value. Furthermore, the costs of applying this principle universally outweigh its benefits by failing to recognise the positive contribution that retaining data has. In particular, it hinders research and analysis, which would negatively affect advancements in areas of public importance such as healthcare. The GDPR provides an instance of limiting the use of this principle by carving out exceptions for public research. It is thus important to consider the impact of Data Minimisation before applying it indiscriminately.
Data protection is extremely important, given the constant flow of information in the 21st century. Nonetheless, while implementing such legislations, the economic impact and the rights of various parties involved must be balanced. While it is important to protect and respect informational privacy, care must be taken to ensure that international law is not violated in the process.
Vishaka Ramesh is an undergraduate student in the five-year B.A., LL.B. (Hons.) Course at the NALSAR University of Law, Hyderabad.
Cite as: Vishaka Ramesh, “Data Protection Principles Around the World. Do They Violate International Investment Law?”, Völkerrechtsblog, 8 October 2018, doi: 10.17176/20181008-111554-0.