Why International Investment Law is not violated by the GDPR
In her recent blog article, Vishaka Ramesh claims that International Investment Law is violated by Data Protection Principles around the world, supporting her thesis in particular with rules set out by the General Data Protection Regulation of the European Union (GDPR). In her opinion, principles like Data Minimization and Localization are likely to infringe generally accepted principles of investment law, such as the fair and equitable standard of treatment of aliens. While focusing on these possible violations of International Investment Law by Data Protection Law, she does not — in our opinion — sufficiently consider justifications of such regulations, in particular the value of data protection for fundamental rights.
International Investment Law and the tension with public welfare interests
The level of protection in investment law varies according to the legal basis or the treaty. For the infringement of rights, it is less important which abstract right might be affected but which concrete assurances were given via treaties by the states to investors. Also, an application of an investment protection treaty requires an actual investment in a host state. Accepting such an investment only because the Internet can be accessed worldwide, at least theoretically, certainly leads too far.
Vishaka Ramesh lists in her article three rights which could be violated by data protection regulations: The fair and equitable treatment principle (FET), the prohibition of arbitrary and discriminatory measures and the prohibition of unlawful expropriation.
As blurred as the FET principle is, the manifold interpretation attempts have in common that only legitimate expectations of an investor are protected. It is questionable whether an investor can legitimately expect that its business, built on the processing of personal data enjoying worldwide protection by human and fundamental rights, will not be subject to regulation. In particular, the FET standard does not protect against any type of regulation.
The prohibition of arbitrary and discriminatory treatment protects foreign investors from being treated less favorably than nationals because of their nationality. This principle plays only a minor role in the application of the International Investment Law; it protects against worse — not against equal treatment.
The concept of property in international law is very broad. Whether measures that interfere with property rights are also indirect expropriations, depends on their intensity. Property is not directly taken away by data protection regulations, these rules are rather establishing a new regime for the handling of data. It is doubtful whether they can demonstrate the intensity of indirect expropriations.
Furthermore, data protection rules can also be lawful if they qualify as expropriation. They would be justified in the public interest and — in general — have to be adequately compensated. But even if it is assumed that data protection rules violate the rights of investors in individual cases, this does not necessarily result in an obligation to pay compensation. More recent BITs (see e.g. Art. 16.2 EU-Japan EPA, Art. 23.2 CETA), in particular, contain a right to regulate which may justify interferences with the investors’ rights. Whether this will lead in the long run to a test of proportionality, as popular as it may be among German experts in international law, remains to be seen.
Data Protection in Public International Law
In consequence, not every state regulation that restricts the expectations of an investor also violates their rights. For the evaluation of the proportionality of a measure it is important to take into account its importance for the public interest. Data Protection Laws are the consequence of the states’ obligation in International Human Rights Law to protect and ensure the right to privacy of all individuals within its territory and subject to its jurisdiction [see inter alia Art. 17 ICCPR, Art. 8 ECHR, Arts. 7 and 8 CFREU]. This duty is not only a negative obligation to refrain from interfering with an individuals’ privacy, but also a positive obligation to implement measures protecting this right against private interferences. In modern times, these measures are Data Protection Laws. These do not, as the denomination might suggest, protect data. Instead, they are protecting the individual human right to privacy. Consequently, Data Protection Laws apply only while processing personal data, not data in general. While the economic importance of (personal) data in a digitalized world is increasing — “data is the new oil” —, so does the potential of abuse. Big data analysis gives states, but also private entities, the possibility to manipulate the life of individuals in an unprecedented, subtle way.
Interferences in International Investment Law by Data Protection Law: The GDPR
When accessing the legitimacy of a possible interference with the right to property of digital enterprises, this extra-ordinary relevance of data protection must be taken into account. Vishaka Ramesh points out that the principle of data localization violates International Investment Law as it disproportionately affects foreign companies and therefore constitutes an illegitimate discrimination. First of all, it should be noted that International Investment Law aims above all at the equal treatment of domestic and foreign investors. The requirement of data localization stipulates that data must be stored within one country, regardless of whether it is a domestic or foreign investor. Secondly, the principle of data localization — as implemented in the GDPR — is not absolute. Art. 45 GDPR allows explicitly the transfer of personal data to a third country (outside the EU) if the country ensures “an adequate level of protection.” The elements which need to be taken into account by the Commission while evaluating the question of adequacy — inter alia the rule of law, respect for human rights, access of public authorities to personal data etc. — show that data localization is not a method of promoting the local economy, but a safeguard to ensure the protection of the human right to privacy. This is also highlighted by the fact that the Commission already attested several States such an adequacy. Last but not least, the implementation of the principle of data localization was not at all unpredictable. Already the former EU Data Protection Directive of 1995 (a time when neither Facebook nor Google existed) knew in its Art. 25 the necessity of an adequate level of protection of personal data in third countries when transferring data outside the EU.
Furthermore, it is doubtful if the legal implementation of the principle of data minimization is even an interference with the right to property. In particular, data minimization aims to stop storing data that is no longer needed or has never been needed. Can such data about persons really be the property of another? Regarding its future application it must be pointed out that digital enterprises of course do not own the personal data of individuals which might have been given to them under different legal circumstances at some point in the future.
Besides that, what goes for data localization is also true for data minimization: Already the former EU Data Protection Directive made it in Art. 6 (1) lit. c clear that personal data must not be “excessive in relation to the purposes for which they are collected” and even the GDPR with its very concrete wording of data minimization in Art. 5 (1) lit. c was in force two years before it had to be applied (see Art. 99).
Summarizing all the aforementioned, it might be true that Data Protection Law can theoretically, if extra-ordinarily excessive, discriminatory and unforeseeable, violate International Investment Law. In the very concrete case of the GDPR, it does surely not. The principles challenged by Vishaka Ramesh are neither new nor excessive in their impact on foreign investors. The truly big change of the GDPR, the possibility of painful fines, is not a change of substantive law but supports only the enforceability of a legal framework which exists in its basic structure since decades.
Erik Tuchtfeld studies law at the Heidelberg University Faculty of Law. He is a research assistant at the Max Planck Institute for Comparative Public Law and International Law.
Lars Borchardt is a practicing lawyer in the field of Environmental Law at Taylor Wessing, Hamburg. Furthermore, he is a PhD candidate at the Chair of Public and International Law (BVR Professor Andreas Paulus) of the Georg-August-University of Göttingen, Germany. His thesis has the title “The German nuclear phase-out as a legitimacy test for International Investment Law”.
Cite as: Erik Tuchtfeld and Lars Borchardt, “Why International Investment Law is not violated by the GDPR”, Völkerrechtsblog, 5 November 2018, doi: 10.17176/20181106-100851-0.