[bestbits] TPP: Vietnam, Malaysia Temporarily Shielded From Some E-Commerce Disputes

[Burcu Kilic]

Vietnam, Malaysia Temporarily Shielded From Some E-Commerce Disputes
Posted: November 11, 2015
Inside US Trade

Updated: Vietnam and Malaysia have secured time-limited moratoriums preventing other Trans-Pacific Partnership (TPP) countries from initiating a dispute settlement case even if the two Southeast Asian nations fail to uphold key provisions of the agreement's chapter on electronic commerce, including the obligation not to restrict data flows.

The moratoriums, contained in Article 14.18 of the Electronic Commerce chapter of TPP, provide both Malaysia and Vietnam with a free pass from dispute settlement for two years after the date of entry into force of TPP with regard to requirements for parties not to discriminate against "digital products" and to allow the free movement of data across their borders. Those obligations are established in Articles 14.4 and 14.11, respectively.

Separately, Vietnam also secured a two-year escape from dispute settlement with regard to Article 14.13 of the e-commerce chapter, which prohibits governments from requiring network servers to be located within their territory -- a type of measure referred to by industry critics as a "localization" barrier to trade.

All of these moratoriums apply only to the "existing measures" of Vietnam and Malaysia, meaning any more restrictive measures they put in place could be challenged under TPP dispute settlement during the two-year period.

Some congressional Democrats view the moratoriums as a "pretty decent outcome," since Malaysia and Vietnam will still have to abide by the specified obligations from day one, the length of the moratoriums is not particularly long, and the language limits the moratoriums to existing measures, according to a House Ways & Means Committee staffer.

The two-year moratorium is shorter than Vietnam had originally sought<http://insidetrade.com/node/143547>. It had previously pushed for a five-year window during which it would be able to shelter itself from state-to-state disputes brought under certain provisions of the e-commerce chapter. U.S. lawmakers and business groups, in response, pushed U.S. trade negotiators to resist such exemptions.

TPP parties also appear to have left space for some restrictions on data flows in the e-commerce chapter. In the negotiations, Singapore had sought assurances that it could block content for "moral" reasons, while Australia wanted to ensure its law requiring personal health data to be stored domestically would not violate the rules.

Paragraph two of Article 14.11 establishes the general rule that data flows should not be restricted. It states that TPP parties "shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person."

But there is an exception to this broad obligation. Paragraph three of Article 14.11 reads: "Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 2 to achieve a legitimate public policy objective, provided that the measure: (a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and (b) does not impose restrictions on transfers of information greater than are required to achieve the objective."

In addition, the scope of the entities for whom the cross-border data flow obligation applies is limited in the definition of a "covered person" in the text. A covered person is defined as an investor or covered investment under the Investment chapter, or a service supplier under the Cross-Border Trade in Services chapter, but it does not include a "financial institution" or a "cross-border financial service supplier of a Party." A footnote to the text states that for Australia, a covered person also does not include a credit reporting body.

The prohibition on localization of servers in Article 14.3 also excludes the financial services sector, by way of this definition. The financial services chapter of TPP includes an obligation for countries to allow transfers of financial data, but does not have any provisions on server localization -- meaning the sector effectively has fewer rights under TPP, something that industry representatives have lashed out at<http://insidetrade.com/node/150920>.

Paragraph two of Article 14.3 reads: "No Party shall require a covered person to use or locate computing facilities in that Party's territory as a condition for conducting business in that territory." But paragraph three of this article contains the same exception language as is found in the article on data flows.

The other article for which both Malaysia and Vietnam secured a moratorium on dispute settlement is Article 14.4, which stipulates that no party shall accord "less favourable treatment to digital products created, produced, published, contracted for commissioned or first made available on commercial terms in the territory of another Party, or to digital products of which the author, performer, producer, developer or owner is a person of another Party, that it accords to other like digital products."

Both the data flow and server localization provisions in TPP are new developments in U.S. trade policy. The U.S.-Korea free trade agreement gave a nod to the significance of cross-border data flows -- saying that parties "shall endeavor to refrain from imposing or maintaining unnecessary barriers to electronic information flows across borders" -- although it is non-binding.

TPP's e-commerce chapter also differs from its predecessors -- the e-commerce chapters found in the U.S.-Korea FTA and the U.S.-Australia FTA -- in other important ways.

Another significant departure from those bilateral agreements can be found in Article 14.8, paragraph two, which requires that each TPP member adopt or maintain a legal framework to protect personal information of users of electronic commerce. Neither KORUS nor the Australia FTA has such a provision.

Article 14.8 paragraph two reads, "each Party shall adopt or maintain a legal framework that provides for the protection of the personal information of the users of electronic commerce. In the development of its legal framework... each Party should take into account principles and guidelines of relevant international parties."

In a footnote to the text, both Brunei and Vietnam are essentially given a blanket exemption from this requirement, until they actually put such a framework in place -- after which they must simply maintain it. A separate footnote states that a party may comply with this obligation "by adopting or maintaining measures such as a comprehensive privacy, personal information or personal data protection laws, sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy."

The U.S. does not have a comprehensive data privacy law on the books -- a fact that was central to the European Union's determination that the U.S fails to provide "adequate" protection for personal data. But it does have area-specific privacy laws and the ability to enforce voluntary arrangements through the Federal Trade Commission.

The TPP also includes rules on "unsolicited commercial electronic messages," or spam. Article 14.14 of TPP's e-commerce chapter requires parties to "adopt or maintain measures" which requires supplies of such messages to allow recipients to prevent future reception of those messages, require the consent of recipients to receive such messages, or otherwise minimize the amount of unsolicited commercial electronic messages recipients receive.

The TPP e-commerce chapter contains obligations relating to the treatment of source code not found in either of the bilaterals. Article 14.17 stipulates that parties cannot require the transfer of, or access to software source code as a condition of import, sale, distribution or use. There is an exception for instances in which the software is used for "critical infrastructure" or release of the source code is required by patent applications, granted patents or is required by a judicial authority in relation to patent disputes.

TPP also includes a number of non-binding provisions on cooperation, saying the parties "shall endeavour to" work to assist small and medium enterprises in the use of e-commerce, and exchange information on personal information protection, security in electronic communications, consumer access to products and services offered online, and other topics.

The next Article in TPP's e-commerce chapter, 14.16, focuses on cybersecurity cooperation, an issue not mentioned in KORUS nor the Australia-U.S. FTA. 14.16 reads "parties recognise the importance of: (a) building the capabilities of their national entities responsible for computer security incident response; and (b) using existing collaboration mechanisms to cooperate to identify and mitigate malicious intrusions or dissemination of malicious code that affect the electronic networks of the Parties."

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.igcaucus.org/pipermail/bestbits/attachments/20151113/08693387/attachment.htm>