UK-Japan Comprehensive Economic Partnership Agreement

The UK-Japan Comprehensive Economic Partnership Agreement has concerning provisions relating to data protection and digital trade.

Data Protection

These clauses echo the text in the Comprehensive and Progressive Agreement for Trans-Pacific Partnership which the UK intends to join.

Clauses on legal approaches

Chapter 8, on Trade in services, investment liberalisation and electronic commerce contains the following in Section F: Electronic commerce (Articles 8.70 to 8.86).[1]

ARTICLE 8.80

5. Recognising that the Parties may take different legal approaches to protecting personal information, each Party should encourage the development of mechanisms to promote compatibility between these different regimes. These mechanisms may include the recognition of regulatory outcomes, whether accorded autonomously or by mutual arrangement, or broader international frameworks. To this end, the Parties shall endeavour to exchange information on any such mechanisms applied in their jurisdictions and explore ways to extend these or other suitable arrangements to promote compatibility between them.

To this end, each Party shall adopt or maintain a legal framework that provides for the protection of the personal information of the users of electronic commerce. [1] In the development of its legal framework for the protection of personal information, each Party should take into account principles and guidelines of relevant international bodies.

Footnote 1: For greater certainty, a Party may comply with the obligation in this paragraph by adopting or maintaining measures such as a comprehensive privacy, personal information or personal data protection laws, sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy.[2]

Clauses on the free flow of data

ARTICLE 8.84

Cross-border transfer of information by electronic means

1. A Party shall not prohibit or restrict the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.

2. Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 1 to achieve a legitimate public policy objective, provided that the measure:

(a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and
(b) does not impose restrictions on transfers of information greater than are required to achieve the objective.

3. This Article does not apply to:

(a) government procurement; or
(b) information held or processed by or on behalf of a Party, or measures by a Party related to that information, including measures related to its collection.[3]

Future compatibility

ARTICLE 8.80 Personal information protection

5. Recognising that the Parties may take different legal approaches to protecting personal information, each Party should encourage the development of mechanisms to promote compatibility between these different regimes. These mechanisms may include the recognition of regulatory outcomes, whether accorded autonomously or by mutual arrangement, or broader international frameworks. To this end, the Parties shall endeavour to exchange information on any such mechanisms applied in their jurisdictions and explore ways to extend these or other suitable arrangements to promote compatibility between them.[4]

Data localisation

ARTICLE 8.85 Location of computing facilities

1. A Party shall not require a covered person to use or locate computing facilities in that Party's territory as a condition for conducting business in that territory.

2. Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 1 that are necessary to achieve a legitimate public policy objective, provided that the measure is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade.

3. This Article does not apply to:

(a) government procurement; or
(b) information held or processed by or on behalf of a Party, or measures by a Party related to that information, including measures related to its collection.[5]

Analysis of the data protection clauses

The clauses in 8.80, and footnote, providing for data protection frameworks to be in place make it clear that a wide range of regimes should be recognised as adequate and “safe”. the formula reflects the wording of Pacific rim trade arrangements; “sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy” accomodates the position of the USA. The Agreement therefore commits the parties to regarding US privacy laws (sector specific orvoluntary but legally enforceable) as acceptable and equivalent approach.

Article 8.84 commits the parties, on this basis, to enabling the free flow of data across borders, including personal data. This means that the Agreement aims to ensure that data can flow from the UK to Japan and its trading partners, in particular the USA.

Data Adequacy with Japan

The European Union’s Japan Adequacy decision includes provisions to prevent data from being transferred under voluntary agreements such as APEC CBPR. The Agreement states that these are “do not guarantee the required level of protection”.[6]

It appears that UK has concluded an Adequacy agreement with Japan, according to the ICO’s website:

Specific UK arrangements have now been confirmed regarding the recent EU adequacy decision for Japan. This secures the necessary protections for UK data as well as EU data, so that data can continue to flow from the UK to Japan. [7]

The UK is leaving the arrangements as-is for now, but future intentions and impacts of these clauses remain unclear.

If data flows are liberalised, this may not be compatible with EU data protection. The result could be that the UK would need to mirror arrangements between Japan and the EU in order to segregate data and prevent it from being transferred unlawfully.

Technical Protection Mechanisms

Clauses relating to TPMs are concerning as they do not provide for exeptions to allow cicumvention in certain specific circumstances, such as for interoparability or the right to repair hardware devices.

Chapter 14 contains provisions on Intellectual Property. Copyright provisions are in Articles 14.8 to 14.19.

ARTICLE 14.18 Technological protection measures

Each Party shall provide adequate legal protection and effective legal remedies against the circumvention of effective technological measures that are used by authors, performers or producers of phonograms in connection with the exercise of their rights under the laws and regulations of the Party and that restrict acts, in respect of their works, performances or phonograms, which are not authorised by the authors, performers or producers of phonograms concerned or permitted by the laws and regulations of the Party.[8]

Source code and algorithms

ARTICLE 8.73 Source code

1. A Party shall not require the transfer of, or access to, source code of software owned by a person of the other Party, or the transfer of, or access to, an algorithm expressed in that source code, as a condition for the import, distribution, sale or use of that software, or of products containing that software, in its territory.

2. This Article shall not preclude a regulatory body or judicial authority of a Party, or a Party with respect to a conformity assessment body, from requiring a person of the other Party:

(a) to preserve and make available[1] the source code of software, or an algorithm expressed in that source code, for an investigation, inspection, examination, enforcement action or judicial proceeding, subject to safeguards against unauthorised disclosure; or
(b) to transfer or provide access to the source code of software, or an algorithm expressed in that source code, for the purpose of imposing or enforcing a remedy granted in accordance with that Party's law following an investigation, inspection, examination, enforcement action or judicial proceedings.

3. This Article does not apply to:

(a) the voluntary transfer of, or granting of access to, source code, or an algorithm expressed in that source code, by a person of the other Party, such as in the context of a freely negotiated contract or government procurement;[2] or
(b) services supplied or activities performed in the exercise of governmental authority.


[1] The Parties understand that this making available shall not be construed to negatively affect the status of the source code of software, or an algorithm expressed in that source code, as a trade secret.

[2] For greater certainty, voluntary transfer or granting of access in the context of a government procurement includes transfer or access for the purpose of any upgrades to, and scaling or modification of, software containing source code.


4. For greater certainty, this Article shall not prevent a Party from adopting or maintaining measures1 inconsistent with paragraph 1, in accordance with:

(a) Article 1.5, Article 8.3 and Article 8.65; or
(b) Article III of the GPA, as incorporated by Article 10.1.

Cryptology

ARTICLE 8.86 Commercial information and communication technology products that use cryptography [1]

[1] For greater certainty, this Article does not affect the rights and obligations of a Party under Article 8.73.

1. A party shall not require a manufacturer or supplier of a commercial ICT product that uses cryptography, as a condition of the manufacture, sale, distribution, import or use of the commercial ICT product, to:

(a) transfer or provide access to any proprietary information relating to cryptography, including by disclosing a particular technology or production process or other information, for example, a private key or other secret parameter, algorithm specification or other design detail, to that Party or a person in the territory of that Party;
(b) partner or otherwise cooperate with a person in the territory of that Party in the development, manufacture, sale, distribution, import or use of the commercial ICT product; or
(c) use or integrate a particular cryptographic algorithm or cipher.

2. This Article shall not preclude a regulatory body or judicial authority of a Party from requiring a manufacturer or supplier of a commercial ICT product that uses cryptography:

(a) to preserve and make available1 any information to which subparagraph 1(a) applies for an investigation, inspection, examination, enforcement action or judicial proceeding, subject to safeguards against unauthorised disclosure; or
(b) to transfer or provide access to any information to which subparagraph 1(a) applies for the purpose of imposing or enforcing a remedy granted in accordance with that Party's competition law following an investigation, inspection, examination, enforcement action or judicial proceedings.

3. Notwithstanding paragraph 4 of Article 8.70, this Article applies to commercial ICT products [2]

(a) a Party's law enforcement authorities requiring service suppliers using encryption to provide access to encrypted and unencrypted communications pursuant to that Party's legal procedures;
(b) the regulation of financial instruments;

that use cryptography. This Article does not apply to:

(c) a requirement that a Party adopts or maintains relating to access to networks, including user devices, that are owned or controlled by that Party, including those of central banks;
(d) measures by a Party adopted or maintained pursuant to supervisory, investigatory or examination authority relating to financial service suppliers or financial markets; or
(e) the manufacture, sale, distribution, import or use of a commercial ICT product that uses cryptography by or for a Party.
[1[ The Parties understand that this making available shall not be construed to negatively affect the status of any proprietary information relating to cryptography as a trade secret.
[2] For greater certainty, for the purposes of this Article, a commercial ICT product does not include a financial instrument.

Enforcement measures

Other enforcement provisions are in Section C, and Enforcement in the digital environment is dealt with in Article 14.59.

Concerns in this section would focus on the possibilities of introducing “general monitoring” measures similar to Article 17 of the recent EU Copyright Directive.

ARTICLE 14.51 Injunctions

Each Party shall ensure that, if a judicial decision finds an infringement of an intellectual property right, its judicial authorities may issue an injunction aimed at prohibiting the continuation of the infringement against the infringer as well as, where appropriate, against a third party1 over whom the relevant judicial authority exercises jurisdiction and whose services are used to infringe an intellectual property right.[1]

Note 1 For the purposes of this Article, a Party may provide that a "third party" includes an intermediary.

ARTICLE 14.58 Criminal procedures and penalties

Each Party shall provide for criminal procedures and penalties to be applied at least in cases of wilful trademark counterfeiting or copyright or related rights piracy on a commercial scale. [1]

Note 1 For the purposes of this Sub-Section, acts carried out on a commercial scale include at least those carried out as commercial activities for commercial advantage or financial gain.

ARTICLE 14.59 Enforcement in the digital environment

1. The Parties shall ensure that enforcement procedures, to the extent set forth in Sub-Sections 2 and 5, are available under its law so as to permit effective action against an act of infringement of intellectual property rights which takes place in the digital environment, including expeditious remedies to prevent infringement and remedies which constitute a deterrent to further infringements.

2. Each Party shall take appropriate measures to limit the liability of, or remedies available against, online service providers for intellectual property rights infringement by the users of their online services or facilities, where the online service providers take action to prevent access to the materials infringing intellectual property rights in accordance with the laws and regulations of the Party.

3. Further to paragraph 1, each Party's enforcement procedures shall apply to the infringement of copyright or related rights over digital networks, which may include the unlawful use of means of widespread distribution for infringing purposes, and to the infringement of trademarks, including through electronic commerce platforms and social media. These procedures shall be implemented in a manner that avoids the creation of barriers to legitimate activity, including electronic commerce, and, consistent with that Party's law, preserves fundamental principles such as freedom of expression, fair process and privacy.

4. Each Party shall endeavour to promote cooperative efforts within the business community to effectively address trademark and copyright or related rights infringement while preserving legitimate competition and, consistent with that Party's law, preserving fundamental principles such as freedom of expression, fair process and privacy.

5. A Party may provide, in accordance with its laws and regulations, its competent authorities1 with the authority to order an online service provider to disclose expeditiously to a right holder information sufficient to identify a subscriber whose account was allegedly used for infringement, where that right holder has filed a legally sufficient claim of trademark or copyright or related rights infringement, and where such information is being sought for the purpose of protecting or enforcing those rights. These procedures shall be implemented in a manner that avoids the creation of barriers to legitimate activity, including electronic commerce, and, consistent with that Party's law, preserves fundamental principles such as freedom of expression, fair process and privacy.

6. The Parties shall, as appropriate, promote the adoption of measures to enhance public awareness of the importance of respecting intellectual property rights and the detrimental effect of intellectual property rights infringement. This may include cooperation with the business community, civil society organisations and right holder representatives.

Note 1 For the purposes of this Article, "competent authorities" may include the appropriate judicial, administrative or law enforcement authorities under the laws and regulations of a Party.

References