Consequences and implications

This hypothetical application helps to illustrate how the compliance of EU data protection law would be assessed under the GATS agreement. It demonstrates how GATS obligations and commitments, as well as available justifications, would be applied in a dispute chal- lenging a measure of EU data protection law.

A principle distinction has to be made in whether the measure being challenged for its GATS compliance belongs to EU data protection legislation or Member States’ national data protection laws on the one hand, or on the other hand, to implementation measures by the Commission or national data protection authorities.

Through this application it has been possible to refute a number of potential violations of the GATS, for example regarding market access, and to show the important contribu- tion of the GATS justification on economic integration for justifying a third country’s potential differential treatment in relation to an EU/EEA Member State.

It has also been possible to identify a conceivable infringement of GATS MFN treat- ment obligations by EU rules on the transfer of personal data to third countries, as they are found in Chapter IV of the DPD. The derogations available to services and service suppliers of a third country that does not ensure an adequate level of protection could provide weight against a violation. Should a violation be found, the measure would have to pass the admittedly complex test of GATS Article XIV (c) in order for it to be justified.

It must be conceded that the general exceptions in GATS Article XIV can be invoked in order to preserve a WTO member’s right to regulate. GATS Article XIV(c) can justify a GATS non-compliant measure that is “necessary to secure compliance with laws or regulations” in relation to “the protection of the privacy of individuals in relation to the processing and dissemination of personal data”.

While GATS Article XIV provides for the horizontal justification of a GATS non-com- pliant measure, its unambiguity as an affirmative defence can reasonably be doubted, in particular with a view to the legal tests that must be performed in order to meet the requirements of “necessary”, its circumstantial application, and WTO adjudicating bodies’ discretion.

The requirement in GATS Article XIV(c) that the invoked laws or regulations (with which a measure secures compliance) are themselves “not inconsistent” with GATS 159 Reyes (fn. 103), pp. 25, 34.

160 In WTO case US – Gambling (fn. 104) the Appellate Body found one inconsistency in US law with the challenged prohibition of remote gambling services, which, as a result, disqualified the measure from being justified under the chapeau of GATS Article XIV, para. 369.

161 Kuner (fn 132), p. 15f. Risk III Reliance on contractual safeguards and derogations in relation to transfer of personal data to third countries in relation to national security (strong) Personal data transfers can be based on contrac- tual safeguards and derogations, but these facilities cannot protect against third countries’ surveil- lance laws and disclosure authority.

commitments seems inconspicuous in view of substantive provisions of EU data protec- tion law, with which the rules on transfer of personal data to third countries secure compliance.

If the rules on transfer of personal data to a third country of the DPD are the subject of a WTO DSS procedure and the inconsistency with the GATS cannot be justified, the EU would have to repeal or modify the measure in order to comply with the GATS. The GATS-inconsistency of one provision does not render other provisions of the same law or regulation GATS-inconsistent.162 _{The legal consequences of a ruling by a WTO adju-} dicating body are not automatic, but would require EU action.

Moreover, a WTO member that did not succeed in obtaining an adequacy decision by the Commission could make a plausible claim against the EU for infringing GATS MFN treatment and domestic regulation. In the hypothetical event that a WTO adjudi- cating body finds that the implementation and administration of EU rules on personal data transfers to third countries violates the GATS, and that such a violation cannot be justified under the GATS Article XIV(c)(ii) exception, the consequences are fairly confined to the implementation of EU data protection law.

For example, in order to rectify a violation of the GATS, or to satisfy the necessity test and the chapeau of Article XIV(c)(ii), the Commission would have to modify its practice of conducting adequacy assessments of third countries’ adequate level of protection.

Unreasonable delay in the implementation of a WTO adjudicating body’s decision on the part of the EU does not yield severe practical repercussions. The main aim of the WTO’s DSS is the elimination of WTO-inconsistent and trade-restrictive measures, and not punishment of the breaching Member State. Still, retaliation could amount to substan- tial countermeasures at the discretion of the complaining party.163

162 WTO Panel Report, Argentina – Financial Services (fn. 147), paras 7.622, 7.625. 163 Van der Bossche and Zdouc (fn. 71), p. 202f.