Between commodification and data protection: Regulatory models governing cross-border information transfers in regional trade agreements

Abstract The subject of this analysis is the role that regional trade agreements (RTAs) play in balancing between personal data commodification and protection of privacy and personal data, approached from the perspective of Karl Polanyi’s theory of double movement. We analyse provisions on cross-border information transfers and data protection in order to establish the models for balancing between the ideas of personal data commodification and social protection, understood as allowing for the use of measures that ensure privacy and personal data protection. Our analysis indicates that there are two general models concerning the liberalization of cross-border information transfers: one model restricts states’ ability to restrict data flows while the other is more open to such measures. Next, we identify three primary models governing how data protection is treated in the agreements that liberalize data flows: one that is based on the inclusion of substantive standards of protection in the content of the given agreement; one that uses international standards as a proxy for establishing certain level of protection; and one that is based on national data protection laws. Combining identified models of liberalizing data flows with identified models of ensuring data protection allows us to show that the inclusion of seemingly similar provisions on cross-border data transfers in various RTAs has resulted in developing several different models for balancing between commodification of personal data and data protection.


Introduction
In 1944, the Hungarian economist, lawyer, and political scientist Karl Polanyi published his work The Great Transformation. 1 In this book, he showed how the commodification of labour, land, and money *This research was funded by the National Science Centre, Poland (project number 2019/35/B/HS5/02107). Joanna Mazur is also supported by the Foundation for Polish Science (FNP).
We would like to thank the members of the Research Group on Law, Science, Technology & Society (LSTS) of the Vrije Universiteit Brussel who participated in the WRG session during which we presented this article for their insightful comments and questions, and prof.dr.Gloria González Fuster for providing us with the opportunity to present this work.We would also like to thank prof.dr.Renata Włoch for her comments and Łukasz Nawaro for his support in the process of identifying the relevant RTAs, namely, conducting the automated search in the database.initiated the process of marketization, understood as an expansion of free market mechanisms to areas previously regulated by different logic. 2 He called these three types of assetslabour, land, and money -'fictitious commodities', as they initially were not produced for the purpose of being sold. 3According to Polanyi's theory, the process of their marketization provoked a counter movement of social defenceone of social protection.The interplay between marketization and social protection Polanyi called 'double movement'. 4Nowadays, the fictitious commodities concept can include personal data 5 because with the development of the digital economy they have become subject to marketization, despite the fact that their initial character was not to be commodified and not to be a subject of market transactions. 6ur analysis focuses on the role that international economic law, and in particular RTAs, 7 play in the process of personal data commodification.On the one hand, this law is the regulatory framework that is supposed to facilitate data flow in a reaction to the tendency of restricting such transfers.As this framework refers also to the transfers of personal data, it supports the process of including them as a fictitious commodity in international trade (marketization).On the other hand, it is also law that establishes certain conditions concerning protections of privacy and personal data (social protection).Thus, even if the purpose of RTAs is not data and privacy protection, they constitute an element of regulatory framework governing this issue in international law and the manner in which they approach balancing between marketization and social protection influences the way in which individuals' rights can (or cannot) be protected by law. 8Moreover, while some of the RTAs include provisions concerning specific types of data flows (e.g., government information), they do not address issues such as freedom of information.Thus, it is possible that tension arises between this freedom, included in international human rights treaties, and the RTAs provisions, which lay ground for conditions for data transfers. 9owever, the focus of this text is on the models of balancing between the protection of the issues directly addressed by RTAs provisions, namely, free flow of data and data and privacy protection.
The reason to focus on RTAs is the fact that they constitute a dynamically developing and complex regulatory framework that is unique in its attempts to capture both the regulation of free 2 data flow and data and privacy protection.Detailed analysis of these provisions, along with answers to the questions to what extent this law enables including personal data in a commodified sphere of international trade and to what extent it provides tools for allowing the protection of data subjects, is vital in light of the plurilateral agreement on e-commerce currently negotiated within the World Trade Organization (WTO), through which regulation of both data protection and cross-border information transfers is expected. 10Thus, establishing what is the normative content of the provisions on these topics in RTAs and establishing what are the ways of balancing between allowing for data flows and ensuring data protection is vital for a better understanding of the possible tensions during the negotiations and their outcome.
Our analysis focuses on the provisions concerning the cross-border transfer of information present in 34 RTAs.To understand the role that international economic law plays in the double movement of the commodification of personal data, we confront the content of these provisions on cross-border information transfers with those concerning personal data protection.We use the method of doctrinal legal analysis supported by the process of coding the analysed provisions 11 in order to distinguish various ways in which these agreements strike a balance between the two sides of double movement.
The article is structured as follows.In Section 2, we describe the theoretical framework.In Section 3, we present the methods and sources on which we base our analysis.In Section 4, we characterize how the RTAs regulate the issue of cross-border transfer of information.Section 5 presents the results of the confrontation between the content on the provisions on data flows with the content of the provisions on data protection.In Section 6, we go back to Polanyi's theory in order to show how the analysed regulatory framework balances between commodification of data and social protection.The last section offers conclusions.

Commodification and social protection in regard to cross-border information transfers
While talking about data, there often appears tension between regulations concerning the free flow of data and data protection.The attempt to manage this tension is visible even in the title of the famous European Union (EU) legal act on data protection, General Data Protection Regulation (GDPR), 12 which regulates 'the processing of personal data and : : : the free movement of such data', or in the document expressing international political consensus on this issue, namely, the G20 Osaka Leaders' Declaration, which declares: 'Cross-border flow of data, information, ideas and knowledge generates higher productivity, greater innovation, and improved sustainable development, while raising challenges related to privacy, data protection, intellectual property rights, and security.' 13hese examples show that in light of the development of the digital economy there is an urge to combine these two impulses.Both require regulatory action.On the one hand, to facilitate cross-border information transfers, it is necessary to remove obstacles that may limit it (e.g., localization requirements 14 ) and, on the other hand, to ensure privacy and data protection, it is necessary to adopt regulatory standards in this area.In the Polanyian framework, facilitation of cross-border information transfers at the expense of privacy or data protection will be perceived as a step towards the commodification of personal data. 15It enables using personal data as a commodity that can be easily moved around the globe and processed in places where such operations are most profitable from the perspective of economic gains, while making it more difficult for an individual to enforce his or her rights in the area of data protection law.The countermovement to facilitation of cross-border data transfers entails strengthening the substantive and procedural rights of an individual, the protection of whose personal data shall be guaranteed the priority over ensuring free data flows (in Polanyian terms: social protection).
What is specific about the commodification of personal data is the fact that it concerns the most private spheres of the lives and behaviour of individuals and turns them into information used for gaining economic profits (e.g., through profiling of advertisement).This broadens the scope of assets subjected to commodification, analysed by Polanyi.Moreover, commodification of personal data on a global scale is technically easy, due to the use of digital infrastructures.This is why the countermovement based on regulating the limits for commodification by the regulatory framework is so important.In relation to data commodification, it happens both on the national and international level.However, while RTAs and more generally trade law intends to provide limits for the regulatory freedom of states, it is essential to find the right balance on this level before finding it on the national one.
As both commodification and social protection are general notions, what we attempt to do in our analysis is to identify specific regulatory solutions (e.g., the presence or lack of it in certain elements of the provisions) that support one of side of the double movement.Table 1 presents examples of the types of provisions (or elements of provisions) that support personal data commodification or social protection, understood as measures adopted in order to implement certain safeguards protecting individuals' rights in the process of personal data commodification.The purpose of this article is to fill the research gap concerning the mapping of various models of balancing between these two aspects of regulating data flows.
What needs to be stressed is that we do not present the various models as better or worse.We rather want to show that seemingly similar solutions included in the RTAs offer different approaches to models of balancing between ensuring free data flows and protecting personal data.

Sources and methods
While the existing literature either provides a general overview of the existing regulatory solutions in this area 16  adopted provisions.Such an approach is used as a measure to identify the means of balancing between the provisions facilitating data commodification and the provisions that support social protection based on such detailed analysis.The material selected for our research includes RTAs in which we identified the presence of provisions on cross-border information transfers 18 of a general character: they refer to the issue of movement of information or data in the digital environment.Therefore, we did not analyse agreements in which such provisions refer only to, e.g., financial services or only to personal data. 19We were able to identify 34 such RTAs that entered into force before 2 January 2023. 20To facilitate reading of this article, we collected all basic information, including links to the content of the agreements, in Table 2.In the text, we refer to the full title of the quoted agreement and then, if we cite a given agreement again, provide an abbreviation (in footnotes, we use only the abbreviation).
To identify the RTAs relevant for our analysis, we combined two methods.First, we relied on the identification of the relevant agreements in the Trade Agreements Provisions on Electroniccommerce and Data (TAPED) database. 21We selected agreements that the authors of the database coded as containing provisions on cross-border information transfers (or data transfers, or data flows) in their e-commerce chapter 22 and identified the agreements that, during the preparation of provisions liberalising cross-border information transfers (which include personal data) provisions enumerating substantive standards of privacy or personal data protection (substantive rights, procedural rights, institutional solutions) provisions which underscore that regulation concerning data protection should be treated as exception to the general rule liberalising data flows provisions referring to international standards of personal data protection as the level of protection that should be followed by the parties provisions which limit the possibilities of regulating privacy or data protection by referring to the conditions such as proportionality or necessity provisions which foresee the possibility of regulating data protection in domestic laws as a rule The articles containing regulation of data flow have various titles, e.g., 'Cross-Border Transfer of Information by Electronic Means', 'Cross-Border Information Flows', 'Free Flow of Data', 'Movement of Information', 'Cross-Border Data Flows'.For our terminological approach see Section 4, infra.Therefore, we excluded agreements whichlike the EU-Algeria Association Agreementrefer directly to data flow, but only in relation to the free movement of personal data (Art.45).

20
The set RTAs selected for the analysis includes one pair of agreements that was concluded between the same parties (SAFTA in 2016 and SADEA in 2020) and out of which both contained provisions on data flows (the latter substantially developed the regulatory framework concerning this issue).We include both of them as separate agreements in order to show how the approach to certain issues evolved.We also do not count PAAP 2015 as an agreement separate to PAAP, as it is the additional protocol to PAAP.However, it also substantially developed the solutions concerning data flows, thus, we include it as a separate document in our analysis.the analysis, were already legally binding.Second, we confronted the results of this search with the results of the application of automated text analysis conducted on the ToTA (Texts of Trade Agreements) database. 23We defined the sequences of characters 24 that appear in the provisions on data flows and we searched treaties for occurrences.Next, manually, we compared the results of this search with the results based on the TAPED query, and, finally, identified a set of 32 agreements which were subjected to the analysis presented below.Combining these two approaches allowed us to improve the results that would have been achieved if we had based our research only on one of these two sources.We were able to verify the timeline of adoption of the provisions on data flows in the RTAs more precisely (see Section 4).And, since TAPED includes RTAs both in English and in Spanish, we were able to include RTAs that are solely available in Spanish (ToTA collects the texts of RTAs available in English).Next, we added the most recent agreements (Regional Comprehensive Economic Partnership -RCEP and Digital Economy Partnership Agreement -DEPA), reaching the final set of 34 RTAs.The method of our analysis is based on an approach that reverses the processes used to create a database such as TAPED.While we selected material based on landscape mapping performed in order to create TAPED, we analysed it through the lens of a close reading of the relevant provisions.Our goal was to trace the various regulatory models present in the provisions, which even though they consider the same subject, quite often approach it in different ways.To achieve this aim we, again, used two different tools.First, we created a table in Excel that contained all the provisions relevant to our research as well as initial coding of the provisions.Second, we conducted the same process using Atlas.ti.This strategy allowed us to verify our approach to the initial coding by confronting it with the results achieved through the use of the Atlas.tisoftware.It should be stressed that the coding process served a different purpose than the coding in TAPED: instead of focusing on the similarities between the RTAs to check if they included a particular type of provision, we were looking for differences between these provisions to discover the various regulatory models present in the analysed RTAs.

Cross-border information transfers in international economic law
The analysed RTAs do not contain definitions of terms such as 'data transfer', 'information transfer', 'data flow', 'data', or 'information'.The only definition that appears in the analysed agreements (23 of them) related to the matters discussed in this text is the definition of 'personal data' or 'personal information'.In most of the agreements, this term is understood either as 'any information about an identified or identifiable natural person' (12 agreements 25 ) or as 'any information, including data, about an identified or identifiable natural person' (11 agreements 26 ).What is more telling is that the definitions repeated in various agreements are variations of these 23 W. Alschner, J. Seiermann and D. Skougarevskiy, 'ToTA: Texts of Trade Agreements', available at mappinginvestmenttreaties.com/rta/.
definitions, e.g., in Article 13.1 of the Indonesia-Australia Comprehensive Economic Partnership Agreement (IA-CEPA) agreement, which defines personal information as 'any information, including data or opinions, about an identified or identifiable natural person', adding opinions to the catalogue of the elements understood as personal information or Article 9.1(g) of Free Trade Agreement between the Democratic Socialist Republic of Sri Lanka and the Republic of Singapore (LKA-SGP), which defines personal data, not personal information, and therefore reverses the usual order of the elements of the definition ('any data, including information' instead of 'any information, including data').
These examples show us that the legal terminology describing the digital economy is still in the making.As we lack a definition of such terms as 'information' or 'data' itself, it is impossible to fully grasp the difference between their meanings.For the purposes of this analysis, it is enough to note that the provisions on cross-border transfers usuallyand contrary to, e.g., EU law, which refers to data transfer or data flowrefer to 'information' (except for the agreements to which the EU is a party).In the case of definitions of 'personal information', data is presented solely as a particular type of information.Thus, it may be assumed that the purpose of using the term 'information' is to cover the broad spectrum of information transfers, out of which the transfer of personal information is only one type (and personal data is only a type of personal information).In this article, we mostly use terms such as 'cross-border information transfer', 'cross-border data transfer' or 'flow' interchangeably, but, if it is significant in light of the given provision, we underscore such terminological aspects.
In this section, we describe the regulatory models adopted in RTAs that refer to this issue: (i) a model based on declaration of importance and the need of co-operation on this issue; (ii) a model based on liberalization in its two main variants, as well as the outliers that liberalize cross-border information transfers in an atypical manner. 27

Importance of co-operation
The first agreement 28 in which the provision on cross-border transfer of information appeared was the Dominican Republic-Central America-United States Free Trade Agreement (CAFTA-DR), 29 signed in 2004. 30The agreement, in Article 14.5 titled 'Cooperation', referred to the 27 Out of the analysed RTAs, three include provisions that foresee the need to consider regulation of cross-border information transfers in the future: (i) Art.13.11 of PAAP, which was in amended in 2015 with a protocol that changed the manner of regulation of this issue in this agreement; (ii) TCA, which includes substantive regulatory solutions concerning this issue (see Section 4.2.3, infra), and, next to them, Art.201(2), which concerns an assessment of the functioning of the adopted solutions; and (iii) Art.8.81 of the JEEPA, which is the only agreement that, except for establishing the need to discuss this matter in the future, does not contain any other substantive provision on this matter.Thus, we exclude this agreement from our analysis.

28
As there may be a significant difference between the date of signing the agreement and its entering into force, we decided to base the chronological order of the agreements on the date of their signing.29 Central America's countries that are parties to this agreement, are Costa Rica, El Salvador, Guatemala, Honduras, and Nicaragua.30 Mira Burri notes that the 'first agreement having such a provision is the 2006 Taiwan-Nicaragua FTA, where as part of the cooperation activities, the parties affirmed the importance of working "to maintain cross-border flows of information as an essential element to promote a dynamic environment for electronic commerce"'.-M.Burri, 'Data Flows and Global Trade Law', in M. Burri (ed.), Big Data and Global Trade Law (2021), 11 at 26.Our research indicates that the same provision was present already in CAFTA-DR signed in 2004, and Panama-Singapore FTA (PNM-SGP), signed more than three months before the Taiwan-Nicaragua FTA (TWN-NIC).For an explanation of how we made this finding, see Section 3, supra.Also, it is worth to note that the first agreement in which the relevant provisions are enforceable was signed after the publication of the major work on transborder data flows and privacy by C. Kuner, Transborder Data Flows and Data Privacy Law (2013), which shows the dynamic character of the development of international economic law in this regard.importance of 'working to maintain cross-border flows of information as an essential element in fostering a vibrant environment for electronic commerce' in the light of e-commerce development.Such a manner of addressing the issue of cross-border flows of informationeither merely noticing the importance of this phenomena or foreseeing the co-operation on this matterhas dominated in international economic law until 2014.Altogether, the provision that repeats the phrasing that first appears in CAFTA-DR is present in 15 agreements, 31 all of which were signed before 2016 (Table 3).
There are three agreements that mention the necessity of co-operation regarding data flows or stress their importance in a different way.First, the agreement between Hong Kong and New Zealand (HKG-NZL) signed in 2010 simply states that the parties agree to co-operate, among others, in respect to the maintenance of an open trading environment for the free flow of information and services. 32Second, the Singapore-Australia Digital Economy Agreement (SADEA), signed in 2020, states that the parties shall endeavour to co-operate on capacitybuilding in the region on issues including mechanisms to facilitate the cross-border transfer of information. 33The difference between these two agreements is that while in the case of HKG-NZL this provision is the only one that addressed the issue of information flows, SADEA contains a number of provisions dealing with this issue. 34Thus, a vague statement underscoring the intention to co-operate in this area has different significance in the agreement signed in 2010, and in the one signed in 2020, which includes specific solutions on regulation of free flow of information.The third outlier is the agreement between Singapore and the EU (EU-SGP), which, as the only one out of the identified RTAs, refers in one Article to, on the one hand, the importance of the free flow of information and, on the other hand, the need to protect intellectual property rights (IPRs). 35he common characteristic of this model is the lack of any obligation that would force the parties to undertake steps to ensure the free movement of information in a cross-border context.As they are phrased in purely aspirational language, they do not include any enforceable obligations. 36While the inclusion of this provision indicates the direction in which the parties declare their intent to follow (data commodification), it does not specify how such cross-border transfer of information should be protected from states' regulatory interventions.
The phrasing of the provision ('maintain cross-border flows of information') suggests that the flows are already taking place, and the parties' should either facilitate such transfer of information or avoid regulatory intervention.This, firstly, shows that even though this model does not constitute enforceable obligations for the parties to liberalize cross-border information transfers, it enhances the process of personal data commodification and underscores its importance for digital  The main solution belonging to a liberalizing regulatory model is discussed below.However, SADEA also implements a novelty in regard to cross-border information-transfer regulation in the RTAs, namely, the provision entitled 'Data innovation', which states, among others, that: '[t]he Parties shall endeavour to support data innovation through: (a) collaborating on data-sharing projects, including projects involving researchers, academics and industry, using regulatory sandboxes as required to demonstrate the benefits of the cross-border transfer of information by electronic means' -Art.26(2) SADEA.

35
Art. 8. 57(3) EU-SGP.We have not identified such a direct reference to IPRs in any other agreement.

36
Enforceability is understood as creating a clear legal obligation, which is not aspirational and can be legally enforced, which means that it has not been excluded from the dispute settlement system within a given RTA.For information about which of the analysed provisions are enforceable (phrased in a plain way and covered by the dispute-settlement procedure foreseen in a given RTA), see the last column in   economy.Secondly, the provision can be interpreted as an example of the marketization part of the double movement: the flows are already taking place and this liberalization is to be maintained.To curb its scope, it is necessary for the social protection element of double movement to be applied and, therefore, only provisions on data protection would provide the framework within which data flows could take place.

Liberalization
In 2007, another way of referring to cross-border transfer of information appeared in the Free Trade Agreement between the United States of America and the Republic of Korea (KOR-US).It was based on the statement that the parties 'shall endeavor to refrain from imposing or maintaining unnecessary barriers to electronic information flows across borders'. 37As its phrasing is stronger than in the RTAs described above, it may be perceived as the beginning of the strengthened and more direct liberalization trend, 38 which resulted in 19 agreements containing the provisions that aim to remove the barriers for data flow, all of which were signed between 2014 and 2020.Due to small but significant differences between them, we describe them as belonging to two main groups: (i) one which establishes free flow of data as a rule and foresees narrow exceptions, and (ii) one that underscores the importance of the space for national regulation of cross-border information transfers.Additionally, (iii) there are certain outliers which also foresee the liberalization of data flows.

Free flow of data as a rule and narrow exceptions
A sub-model of the liberalization model which prioritizes the free flow of data and leave little space for national regulation is present in three agreements: United States-Mexico-Canada Agreement (USMCA) 39 signed in 2018, Agreement between the United States of America and Japan Concerning Digital Trade (US-JAP) 40 signed in 2019, and Japan-UK Comprehensive Economic Partnership Agreement (UK-JAP) 41 signed in 2020.The provision is identical in the first two of these agreements and includes two elements: (i) the prohibition of prohibiting or restricting the cross-border transfer of information by electronic means, if this activity takes place as a part of conducting the business of a covered person (with a direct reference to transfers of personal information, as covered by this provision); (ii) foreseeing the possible exceptions implemented in order to achieve a legitimate public policy objective, as long as they are not applied in a manner that would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade, and are proportionate.Article 8.84(3) of UK-JAP adds a paragraph that states that this Article does not apply to government procurement, or information held or processed by or on behalf of a Party, or measures by a Party related to that information, including measures related to its collection.Such a sub-model of liberalizing cross-border transfer of information results in establishing, as a rule, free flow of data (thus, their commodification), and limits the states' possibilities to implement regulatory measures that would set the conditions for cross-border information transfers.Moreover, the USMCA and US-JAP agreements include a direct reference to the relationship between cross-border data flows and data protection.In Article 19.8(3) USMCA, the following statement underscores that restriction to data flows should be limited, even if they concern personal data: 'The Parties also recognise the importance of ensuring compliance with measures to protect personal information and ensuring that any restrictions on cross-border flows of personal information are necessary and proportionate to the risks presented.'The same statement was repeated in Article 15(4) of the US-JAP agreement.The presence of this provision indicates that ensuring freedom of cross-border data flows should be prioritized over developing data-protection regimes.Thus, when just the provisions on cross-border information transfers in the analysed RTAs are considered, these three agreements represent the sub-model that to the greatest extent favours personal data commodification.This sub-model restricts the states' powers to regulate issues concerning data protection to what is 'proportionate' and (or) 'necessary', therefore, limiting the possibilities of developing regulatory measures supporting the countermovement to data commodification.

Underscoring the importance of the space for national regulation of cross-border information transfers
Even though the most common type of provision liberalizing cross-border transfer of information was formed during the negotiations of Trans-Pacific Partnership, 42 the first signed agreement including this type of provision was PAAP 2015.Since then, it was included in nine other agreements. 43This sub-model of regulating cross-border information transfers begins with (i) the recognition 'that each Party may have its own regulatory requirements concerning the transfer of information by electronic means'.What follows, is (ii) allowing the cross-border transfer of information by electronic means when this activity is for the conduct of the business of a covered person (with a direct reference to transfers of personal information, as covered by this provision 44 ).The last paragraph (iii) foresees the possible exceptions implemented in order to achieve a legitimate public policy objective, 45 as long as they do not constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade 46 and are proportionate, 47 or are necessary for the protection of its essential security interests. 48his sub-model of regulating the free flow of data raises certain doubts, due to its ambiguous structure.The provision starts with providing the states with the power to regulate cross-border data flow (thus, limiting commodification by being able to establish the conditions for crossborder transfers of information) but follows to ensure the necessity to allow the free flow of data, to which the exceptions not only should be interpreted narrowly but also should fulfil the conditions enumerated in the provision (thus, ensuring the broad scope of commodification as a rule, to which limits should be perceived as exceptions).Such structure of the provisions undermines the significance of the first paragraph, which enables states to set the regulatory conditions for cross-border information transfers.In chronological order: Art.13.11 PAAP 2015; Art.8.10 CHL-URY; Art. 13 SAFTA; Art.11.6 ARG-CHL; Art.9.9 LKA-SGP; Art.13.11 AUS-PER; Art.14.11 CPTPP; Art.10.12 BRA-CHL; Art.13.11 IA CEPA; Art.11.7 A-HKFTA; Art.4.3 DEPA; Art.12.15 RCEP; Art.23 SADEA (which replaced SAFTA).This model has been also used in not yet in force Digital Economy Agreement between the United Kingdom of Great Britain and Northern Ireland and the Republic of Singapore (Art.8.61-F), available at assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1060050/CS_Singapore_1.2002_UK_Singapore_Digital_Economy_Agreement.pdf as well as UK-Ukraine Digital Trade Agreement (agreement explainer available at www.gov.uk/government/publications/uk-ukraine-digital-trade-agreement-agreementexplainer/uk-ukraine-dta-agreement-explainer#data-flows).

44
Except for CHL-ARG, BRA-CHL, and RCEP which do not contain such an element.

45
Except for CHL-URY, which contains the same elements, however, in reversed order, with the reference to the national legislation at the end.Let us examine the hypothetical example of a situation in which one of the parties decides to adopt a strict data protection regulation that would address the conditions on which cross-border information transfers can take place by, e.g., implementing the adequacy decision mechanism 49 .Although it seems to be in line with the content of the first paragraph, it may be scrutinized as a measure that hampers the free flow of data foreseen in the second paragraph, and therefore be subject to the control as an exception based on the third paragraph.The necessity or the proportionality of such a solution is doubtful as it is possible to consider less intrusive (especially from the point of view of international trade) regulatory measures that would ensure the adequate level of data protection.Thus, despite the theoretical possibility of regulating conditions of information transfers in national legislation, such measures could be perceived as an infringement of the RTA's provisions.As a result, this sub-model does not significantly differ from the previous one, also favouring personal data commodification.

Outliers
Next to the above-described KOR-US agreement, there are two other outliers that establish different ways of liberalizing cross-border information transfers.First, Tratado de Libre Comercio entre los Estados Unidos Mexicanos y la República de Panamá (MEX-PAN), signed in 2014 (thus, before all the typical liberalizing agreements), in Article 14.10 reads: Each Party shall allow its persons and the persons of the other Party to transmit electronic information, from and to its territory, when required by said person, in accordance with the applicable legislation on the protection of personal data and taking into consideration international practices.
In terms of providing the space for national regulation, the provision foresees such a possibility regarding legislation on personal data.Considering the implementation of exceptions to the overall liberalization of data flows, the provision does not invoke them directly, however, it enables referring to the general exceptions on the basis of Article XIV of the General Agreement on Trade in Services (GATS).Thus, the possibility of invoking public policy goals, including measures that are 'necessary to secure compliance with laws or regulations which are not inconsistent with the provisions of this Agreement including those relating to the protection of the privacy of individuals in relation to the processing and dissemination of personal data', 50 exists.
The second outlier is the Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part (TCA), which uses the type of provision on cross-border data flows that the EU considers as a template for its currently negotiated agreements. 51n comparison to the approach adopted in the above-described RTAs, the way that cross-border data flows are regulated in this agreement is limited, but also more concrete.It refers to the prohibition of restricting cross-border data flows by specific measures, namely, requiring the use of computing facilities or network elements in the party's territory for processing or requiring the localization of data in the party's territory for storage or processing.The content of this provision is therefore more similar to the provisions present in some of the RTAs, which are titled 'Location of Computing Facilities' 52 than to the provisions on cross-border information transfers.This type of provision may be read not only as a data flow facilitator but also as a link between the provisions on data flow and those prohibiting data localization. 53he type of provision on cross-border data flows that is present in the TCA, which addresses particular barriers instead of the general ones, seems to be more focused on ensuring the possibility of social protection (understood as leaving the space for regulation on, e.g., data protection) than invoking general exceptions in typical liberalizing provisions on cross-border information transfer.It does not allow for general commodification, but rather set the limits for it, by indicating only specific barriers that should be removed.It also is in line with the EU's attempt to shape its RTAs in a manner that allows for more space for realizing its policy in regard to data protection.The liberalizing models described above could lead to undermining EU's rules on data transfers, based, among others, on adequacy decisions.The differences between liberalizing approach and the approach of the EU, which is focused on addressing only particular barriers to data flows, are especially relevant in the light of the way in which the exceptions are interpreted in international economic law.

Regulatory models concerning cross-border transfer of information in RTAs in light of international economic law's notions concerning the possibility to invoke exceptions
What is common to the provisions that establish the free flow of data as a rule and those that leave more space for national legislation is ensuring the free flow of cross-border transfer of information, including personal information.These two sub-models differ in what is stressed in their content.The first one focuses on the need to ensure the free flow of information (commodification), while the second one explicitly refers to the parties' ability to set their own regulatory requirements concerning this issue.Thus, the second sub-model leaves more space for national regulation concerning the conditions on which cross-border information transfers can take place.This potentially supports social protection, especially in the case that no substantive standards of protection are foreseen in the given agreement.
In both these models, the social protection part of the double movement depends heavily on the interpretation of the exceptions related to public policy objectives.In terms of exceptions to free data flow, which may be foreseen by the states, the approach in both liberalizing sub-models seems to be the same: they should be interpreted strictly and may not lead to arbitrary or unjustifiable discrimination.However, the level of leniency in assessment of compliance of national measures new-zealand/eu-new-zealand-agreement/text-agreement_en) as well as in the text proposed by the EU of the EU-Australia agreement (policy.trade.ec.europa.eu/eu-trade-relationships-country-and-region/countries-and-regions/australia/eu-australiaagreement/documents_en in Digital Trade chapter, Art.5), and EU-Tunisia agreement (policy.trade.ec.europa.eu/eu-traderelationships-country-and-region/countries-and-regions/tunisia/eu-tunisia-dcfta-documents_en in Digital Trade chapter, Art.5), which are under negotiation.For in-depth study of the roots of differences in the EU's approach in comparison to the USA's see S. Yakovleva, 'Privacy Protection(ism): The Latest Wave of Trade Constraints on Regulatory Autonomy', (2020) 74 University of Miami Law Review 416 (see also her PhD thesis, S. Yakovleva, Governing cross-border data flows (2021), available at = dare.uva.nl/search?identifier = cf54d2a9-cd41-42c2-94f1-24c81f8a3abd).

53
As data localization requirements are often seen as one of the most important barriers to digital trade and economy, see N. Mishra, 'Privacy, Cybersecurity, and GATS Article XIV: A New Frontier for Trade and Internet Regulation?', (2020) 19 World Trade Review 341; Svantesson, supra note 14.
with data flow requirements used by potential adjudicators remains unclear, as there is no consistent interpretation in the so far delivered case law. 54oth sub-models refer to notions well-established in international economic law, as, firstly, the legitimate public policy objective.Even though this notion has not been a part of the General Agreement on Tariffs and Trade (GATT) or GATS, it is well-established in international economic law. 55The concept of legitimate public policy creates a broader scope for exceptions compared to the catalogues included in Article XX of GATT, 56 and Article XIV of GATS, which is usually considered as able to encompass goals such as consumer protection or cybersecurity. 57At the same time, it means that the party invoking an exception is obliged to prove that a measure is non-protectionist and non-discriminatory.Potential adjudicators would also have to assess which public policy objectives are sufficiently important to justify restrictions on data flow. 58On the one hand it gives potential adjudicators some space for assessment, as there is no closed catalogue of the public policy objectives that can be achieved, as in GATT and GATS. 59On the other hand, in order to be invoked such a public policy aim needs to be 'ascertainable', which is understood as being objectively assessed and non-protectionist. 60It forces them to explicitly assess which of these goals is more important. 61econdly, both models refer to measures that are 'necessary'.It is one of the most important conditions for invoking exceptions in economic law.Necessity tests, which were developed by numerous judgments of the WTO panels and Appellate Body, 62 require assessment of whether there is a common interest for protected goals, which includes the assessment of the extent to which the measure contributes to the realization of the objective, and the extent to which the measure is restrictive. 63One can assume that the interpretation of the necessity in provisions related to data flows would be similar to the test used in the WTO law.It means that assessment of compliance of regulations on data protection requires, as WTO's Appellate Body stated, '"weighing and balancing" a series of factors, including the importance of the objective, the contribution of the measure to that objective, and the trade-restrictiveness of the measure', 64 which does not provide a clear answer on whether data protection may supersede data flow.Whereas there might be space for friendly and lenient interpretation that would enable invoking exceptions related to 'public policy objectives' which may be interpreted as encompassing various aims, there are also some concerns that the notion is too vague and leaves space for questioning specific measures.
Thirdly, there also are other well established requirements concerning exceptions in trade agreements ('means of arbitrary or unjustifiable discrimination or a disguised restriction on trade'), which are, on the one hand, typical for trade agreements' provisions on transfers of goods or services, but, on the other hand, their interpretation still raises a lot of controversies.In the case of goods, it is easier to compare the regulatory requirements that refer to the national and to foreign products.In the case of the requirements regarding data flows, such comparisons are more difficult.Therefore, the reference to notions well-established in international economic law in relation to the free flow of data can lead to even more controversies and doubts.
In light of these concerns, what has been suggested in the literature is that: : : : clarifying the scope of 'legitimate public policy objective' with an illustrative list will be helpful.For example, the list should specify that cybersecurity, privacy, online consumer protection and protecting public order qualify as "legitimate public policy objectives".Further, the exceptions available under Article XIV and Article XIVbis GATS should clearly remain applicable for examination of data restrictive measures.For example, a WTO member should remain free to restrict data flows or require data localisation if it is necessary for achieving compliance with domestic laws, for protecting public morals or maintaining public order, or to protect essential security interests. 65ile laws and regulations relating to 'the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts' are explicitly allowed under Article XIV(c)(iii) of GATS, they are also subjected to the above-described condition of necessity.Due to the narrow interpretation of the exceptions available under GATS in international economic law, their significance for the states' ability to implement restrictions concerning cross-border information transfers may be limited.
Therefore, it is justified to shift from the question of the potential impact of the general exceptions in international economic lawwhich are subjected to the condition of necessityto the question whether the adopted agreements support the view of accepting data protection as a public policy objective?In order to examine this issue, it is necessary to scrutinize how these RTAs define the relation between the states' right to regulate personal data protection and their obligation to ensure the free flow of data.
Interesting limitations to this interpretation are foreseen in RCEP.Its footnote 14 to Article 12.15(3)(a) foresees the competence for the parties to decide what is a necessary, legitimate public policy objective that can justify implementing exceptions to cross-border data flows: 'For the purposes of this subparagraph, the Parties affirm that the necessity behind the implementation of such legitimate public policy shall be decided by the implementing Party.'This shows a possibility of including instructions concerning an interpretation of an agreement that goes against the narrow reading of exceptions in the content of the agreement itself.However, the example of RCEP simultaneously illustrates that leaving space for national regulation may not unequivocally serve the purpose of protecting rights of individuals.Article 12.15(3)(b) foresees the possibility for the states to adopt or maintain 'any measure that it considers necessary for the protection of its essential security interests.Such measures shall not be disputed by other Parties'. 66Thus, it is possible to implement measures, e.g., limiting rights of data subjects, based on the national security exception, which cannot be disputed by other parties of the agreement.The example of RCEP, thus, shows the ambivalence of granting the states more freedom in regard to the implementation of the national regulation.
5. Cross-border data flows vs. data protection in international economic law For the analysis of the ways in which RTAs address the question of balancing between ensuring cross-border data flows and data protection, we selected a set of agreements that contain provisions introducing a certain level of liberalization of cross-border information transfers.This choice is motivated by the fact that the first type of provisions on cross-border information transfers (discussed in Section 4.1) merely mentions the importance of this issue and, due to its aspirational phrasing, is not enforceable.Thus, our initial set for analysis in this section included 19 agreements.Out of this set, KOR-US does not contain any specific provisions on personal information, except for a brief remark in Article 15.8 on cross-border information flows, that the parties 'acknowledg[e] the importance of protecting personal information'.We include both the South Asian Free Trade Area (SAFTA) and the Singapore-Australia Digital Economy Agreement (SADEA) in order to show the evolution that took place due to the adoption of the more recent agreement.Thus, our final set for the analysis includes 18 RTAs. 67e identified ten elements of provisions on data protection that appear in the analysed agreements (Table 4).Two types of these provisions concern the issue of sharing (or exchanging) and publishing information on data protection laws.While these types of obligations may prove useful from the perspective of data subjects and the companies that look for the relevant information, they do not bring anything to the issue of balancing between data protection and cross-border information transfers.Similarly, the recognition of benefits that data protection laws bring to customers in the digital environment as well as the provisions on promotion of compatibility of regulatory solutions implemented by the parties do not directly address the issue of balancing between the facilitation of cross-border data flows and ensuring data protection.Based on the remaining six types of identified provisions, we identified three main models of regulating the interplay between data protection and cross-border information flows, which we discuss below.4).Thus, international standards should be considered as a basis for such a national legal framework, and therefore, indirectly create substantive standards that should be obeyed by the states.Such an interpretation can be confirmed by Article 8.7(2) of the CHL-URY agreement, which, by reference to international standards, indicates the principles listed above as substantive standards of protection.Moreover, as the domestic regulations on data protection can be questioned as non-compliant with data-flow requirements by the other parties of a given agreement, there might be the need to invoke exceptions to justify them.In such cases, international standards may be much easier to defend as meeting a necessity test.While some of the agreements do not specify what shall be understood under the obligation that 'each Party should take into account principles and guidelines of relevant international bodies', two of the agreements refer in more detail to this issue.USMCA 73 and SADEA 74 provide examples of the APEC Privacy Framework (SADEA specifies APEC Cross-Border Privacy Rules -CBPR) and the OECD Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (USMCA specifies that it refers to the 2013 version).These references to guidelines and documents that do not have legally binding force prove that they are nonetheless important for forming substantive standards of protection.

Substantive standards of protection as a threshold for balancing between data protection and cross-border transfer of information
Simultaneously, six agreements contain a footnote that provides details on how the party can comply with the obligation of adopting or maintaining national regulation concerning privacy: For greater certainty, a Party may comply with the obligation in this paragraph by adopting or maintaining measures such as a comprehensive privacy, personal information or personal data protection laws, sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy. 75aw that the parties consider 'adequate' (LKA-SGP) for this purpose.Moreover, US-JAP includes a provision that obliges the parties to ensure 'that any restrictions on cross-border flows of personal information are necessary and proportionate to the risks presented', which, in light of the interpretation of the terms such as 'necessary' and 'proportionate' in international economic law, may be perceived as a limitation for the development of personal data-protection framework, which should be adjusted to the needs of ensuring cross-border information transfers.
An outlier in this group is BRA-CHL agreement.On the one hand, it does not include any substantive standards or references to international standards concerning data protection.On the other hand, it is more developed than LKA-SGP and US-JAP provisions, as it refers to, e.g., non-discrimination and the need to develop security measures for data protection.Despite these references, it eventually relies on the national regulations and, therefore, belongs to this model.

Between commodification and social protection of personal data and privacy
The balance between commodification and social protection in the analysed RTAs is shaped as a result of the cross between two axes.One describes the way in which the given RTA presents data flows: as subjected to data protection rules (TCA); as subjected to national regulations which have to follow the conditions enumerated in the given RTA (e.g., CHL-URY, CPTPP, AUS-PER); or as a priority (USMCA, UK-JAP, US-JAP).The second axis shows how RTAs approach the issue of data and privacy protection: whether they include references to substantive standards concerning data protection; refer to international standards in this regard; rely on national regulation; or foresee limitations concerning national regulations.What is evident from our study is that there is more than one model of approaching this balance and that even the agreements focused strictly on the regulation of digital economy provide examples of various perspectives on this issue (e.g., DEPA significantly differs in this regard from US-JAP, even though both of these RTAs are digital trade agreements).
Table 5 shows that almost all of the RTAs which include the general provisions on data flows (except for the TCA which represent different model of provisions on this topic) are built on a contradiction.On the one hand, they leave some space for national regulation to ensure data and privacy protection.On the other hand, they treat this regulation either as an exception to the general liberalization of data flows (USMCA, UK-JAP, US-JAP), or invoke conditions concerning the way in which national regulations should be formed (conditions which will limit the states' possibilities in regard to ensuring privacy and data protectionas explained in Section 4.2.4).In light of this paradox the references to substantive standards concerning data protection and privacy may be interpreted as a limitation which does not establish a minimum standard of protection but rather constitutes the highest level of protection which would be considered as allowed under these RTAs.
An example of this strategy is the balance formed by the provisions in the USMCA.On the one hand, it foresees certain substantive standards of protection and directly indicates mechanisms that can be used for personal data transfers.On the other hand, the USMCA contains a provision that allows only necessary and proportionate restrictions concerning cross-border data flows.Thus, any attempt at adopting regulatory requirements regarding personal data transfers that would diverge from the standards described in USMCA could be challenged as not proportional and not necessary.As a result, the USMCA leaves more space for personal data commodification and next to none for the development of social protection mechanisms.
A similar problem can be indicated in regard to the model which refers to the international standards while providing certain space for national regulation.On the one hand, as it does not explain what should be understood under international standards, the model seems to allow for a substantial personal data commodification.On the other hand, it is possible to argue that the developments of international standards in this regard 78 can be used by the states to justify the implementation of stronger safeguards for data and privacy protection.It remains to be seen what kind of standards will be considered as justifiable under this model of balancing between data flow and data and privacy protection.

Conclusions
The strategy present in some of the RTAs to generally liberalize the flow of data without providing specific safeguards concerning personal data protection is problematic in light of a human-rights based approach to data and privacy protection.As Kristina Irion notes in the context of the abovementioned G20 Osaka Leaders' Declaration on the free flow of data: The endorsement of "Data Free Flow with Trust" perfectly encapsulates the influential narrative of innovation, growth and development associated with cross-border data flow Table 5. Various models of balancing between ensuring data protection and facilitating data flows.Thick black rectangle marks the RTAs which include limitations concerning the possibility to invoke exceptions.Dotted line marks the RTAs which include mechanisms for data transfers.SAFTA is in grey, as it was replaced with SADEA.TCA is bolded, as it includes an alternative approach to the regulation of data flows Polanyi and the Writing of "The Great Transformation"', (2003) 32 Theory and Society 275; F. L. Block and M. R. Somers, The Power of Market Fundamentalism: Karl Polanyi's Critique (2014); J. Beckert, 'The Great Transformation of Embeddedness: Karl Polanyi and the New Economic Sociology', in C. Hann and K. Hart (eds.),Market and Society: The Great Transformation Today (2009), 38; A. Buğra and K. Ağartan (eds.),Reading Karl Polanyi for the Twenty-First Century: Market Economy as a Political Project (2007); J. R. Stanfield, 'The Institutional Economics of Karl Polanyi', (1980) 14 Journal of Economic Issues 593.

10
Which is confirmed by the leaked file of the text of the e-commerce plurilateral agreement negotiated under the WTO, see World Trade Organization, 'Electronic Commerce Negotiations: Consolidated Negotiating Text' (leaked), available at www. bilaterals.org/IMG/pdf/wto_plurilateral_ecommerce_draft_consolidated_text.pdf.On the literature suggesting the possible developments in this area see A. D. Mitchell and N. Mishra, 'Regulating Cross-Border Data Flows in a Data-Driven World: How WTO Law Can Contribute', (2019) 22 Journal of International Economic Law 389; A. D. Mitchell and N. Mishra, 'WTO Law and Cross-Border Data Flows: An Unfinished Agenda', in M. Burri (ed.), Big Data and Global Trade Law (2021), 83.For news on the recent developments see the WTO's website, available at www.wto.org/english/tratop_e/ecom_e/joint_statement_e.htm.11 For an explanation of the methods and source see Section 3, infra.12 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with regard to the Processing of Personal Data and on the Free Movement of Such Data, and repealing Directive 95/ 46/EC (General Data Protection Regulation), OJ 2016 L 119/1.13 G20, 'G20 Osaka Leaders' Declaration', available at www.consilium.europa.eu/media/40124/final_g20_osaka_leaders_declaration.pdf.
or focuses on selected examples of RTAs, 17 our work presents an in-depth analysis of 14 See D. Svantesson, 'Data Localisation Trends and Challenges: Considerations for the Review of the Privacy Guidelines', (2020) OECD Digital Economy Papers, No. 301, OECD Publishing, Paris.15 Another term to describe this phenomenon is 'appropriation' of privacy or personal data.See A. Strowel, 'Big Data and Data Appropriation in the EU', in T. Aplin (ed.), Research Handbook on Intellectual Property and Digital Technologies (2020), 107; T. H. Engström, 'Corporate Appropriation of Privacy: The Transformation of the Personal and Public Spheres', (1997) 7 Ethics & Behavior 239.
Council of Europe Convention 108+ (Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, CETS No. 223).

Table 1 .
Examples of the elements or the types of provisions that strengthen either commodification of personal data or their protection

Table 2 .
For a further explanation of the general concept of enforceability, see H. Horn, P. C. Mavroidis and A. Sapir, 'Beyond the WTO?An Anatomy of EU and US Preferential Trade Agreements', (2010) 33 The World Economy 1565.

Table 3 .
Types of provisions on cross-border data-transfers (own elaboration).The provisions which are to a certain extent diverge from the dominating model are commented with italics Types of provisions on cross-border data-transfers

Table 4 .
Types of provisions on data protection in RTAs which contain provisions on liberalisation of cross-border information transfers (own elaboration).Italics in the column 'Relation to data flow : : : ' mark the RTAs provisions that were discussed in section 4 Types of provisions on data protection in the agreements which include provisions on liberalisation of cross-border data flows