Personal Data Transfer

Compatibility Between the GDPR and International Trade Law

CHU Trang Anh, DU Vu Quynh Anh and PHAM Quoc Hao

Abstract

The digital economy has revolutionized international trade, making the free flow of personal data a critical enabler for businesses and governments alike. However, the European Union’s General Data Protection Regulation (GDPR), with its stringent privacy requirements, poses significant legal challenges for cross-border data transfers, especially when trading with partners with less rigorous frameworks. The central research question of this paper is: Is the GDPR harmonized with international trade frameworks with regard to personal data transfer? To answer the research question, this paper first examines the provisions on personal data transfer of the GDPR and under international trade systems, particularly the General Agreement on Trade in Services (GATS) of the World Trade Organization (WTO). Through a comparative analysis methodology, this paper identifies key conflicts between the GDPR and international trade regimes. While these trade regimes emphasize the liberalization of cross-border data flows, the GDPR may violate principles such as Most-Favored-Nation Treatment, National Treatment and Market Access. However, such violations can be justified by general exceptions due to the necessity of protecting fundamental rights, particularly the right to privacy and personal data protection as recognized under EU law.
   
Keywords: Data transfer, data flow, GDPR, WTO law.

Summary

The digital economy has revolutionized international trade, making the free movement of personal data an essential factor for businesses and governments alike. However, the European Union’s General Data Protection Regulation (GDPR), with its strict privacy requirements, poses significant legal challenges for cross-border data transfers, particularly in trade with partners that have less rigorous regulatory frameworks. The central question of this research is the following: is the GDPR harmonized with international trade frameworks as regards the transfer of personal data? To answer this question, this study first examines the provisions on personal data transfer laid down in the GDPR and in international trade regimes, in particular the General Agreement on Trade in Services (GATS) of the World Trade Organization (WTO). Through a comparative analysis methodology, this study identifies the main divergences between the GDPR and international trade regimes. While these trade regimes emphasize the liberalization of cross-border data flows, the GDPR could violate certain fundamental principles such as most-favored-nation treatment, national treatment and market access. However, such violations may be justified by means of general exceptions owing to the need to protect fundamental rights, in particular the right to respect for private life and to the protection of personal data recognized by European Union law.

Keywords: Data transfer, data flows, GDPR, World Trade Organization law.


Cross-border flows of personal data play a significant role in the digital economy. While the free flow of such data brings substantial economic value, it also introduces significant risks to privacy and security. High-profile data breaches and privacy violations such as the unauthorized release of classified information by Julian Assange in 2010[1], Edward Snowden’s revelations about the surveillance program run by the U.S. National Security Agency in 2013[2], and the Facebook-Cambridge Analytica scandal in 2018[3] have all sounded the alarm bell for the global community. These incidents have not only highlighted the vulnerability of personal data but also the far-reaching consequences of its misuse, which can impact millions of individuals around the world.[4]

In response to increasing concerns about privacy, there has been a growing international consensus on the need for more stringent data protection. States recognize their obligations under various human rights treaties to protect individual rights, specifically the right to privacy, as delineated in the Universal Declaration of Human Rights,[5] and the International Covenant on Civil and Political Rights.[6] Reflecting this commitment, as of January 2025, 167 countries and self-governing jurisdictions and territories have enacted comprehensive data protection or privacy laws to safeguard personal data held by private entities.[7] This means that around 83% of the global population now lives in regions that are governed by such regulations, marking a significant step toward universalizing data protection standards.[8]

Within the European Union (EU), the GDPR represents a stringent approach to regulating the transfer of personal data outside the European Economic Area (EEA). The GDPR is grounded in the fundamental rights to the protection of personal data as established under Article 8(1) of the EU Charter of Fundamental Rights (CFR) and Article 16(1) of the Treaty on the Functioning of the EU.[9] However, ongoing discussions exist about whether GDPR’s data protection regime can harmonize with existing international trade regulations on personal data transfer.

1. GDPR on Personal Data Transfers

The GDPR was initially proposed by the European Commission (EC) in January 2012,[10] adopted on 27 April 2016, and finally became enforceable on 25 May 2018.[11] It replaced the outdated Directive 95/46/EC to strengthen data protection thanks to its extraterritorial application.[12] The GDPR is an omnibus and comprehensive document comprising 11 chapters, 196 recitals, 99 articles, and 88 pages.[13] It establishes rules for the protection of natural persons in the processing of personal data and for the free movement of such data.[14] The GDPR defines “personal data” as any information that relates to an identified or identifiable natural person, such as name, identification number, location data, or other factors relating to the identity of that natural person.[15] It is noteworthy that the GDPR does not prohibit the processing of personal data but only regulates, and sometimes limits, how personal data can legally be processed.[16] However, Article 9 of GDPR does establish certain prohibitions for the processing of special categories of personal data, or sensitive data, as exceptions.[17]

One of the defining features of the GDPR is its extensive territorial scope, which was designed to extend its protection beyond the physical borders of the EU. Article 3 of GDPR defines the territorial scope based on two main criteria: (1) the “establishment” criterion; and (2) the “targeting” criterion.[18] According to the “establishment” criterion under Article 3(1), any controller or processor established within the EU must comply with the GDPR for all its processing activities related to personal data regardless of whether the processing takes place in the EU or not.[19] The “targeting” criterion under Article 3(2) broadens the GDPR’s reach to include controllers or processors established outside the EU when they process personal data of natural persons who are in the EU.[20] This criterion applies if the processing activities are related to: (i) offering goods or services to such individuals in the EU, irrespective of whether a payment is required; and (ii) monitoring their behavior as far as that behavior takes place within the EU.[21] The extraterritorial scope of GDPR presents jurisdictional challenges since entities outside the EU may find themselves subject to GDPR’s enforcement mechanisms, including penalties, when processing the data of EU residents in a manner not consistent with the GDPR.[22]

Following the extraterritorial scope, Chapter V of GDPR sets forth stringent requirements that govern the transfer of personal data to third countries or international organizations.[23] Chapter V aims at ensuring continued protections afforded to personal data when such data is transferred beyond the borders of the EU.[24] Accordingly, any transfer of personal data to entities whose processing of personal data is not regulated by GDPR, or where the processing might be inadequately protected even when GDPR applies extraterritorially, must only be conducted under the protective mechanisms specified under Articles 45, 46 and 49 of this chapter.[25]

Under Article 45, the EC evaluates whether a third country or an international organization offers an adequate level of data protection based on various factors such as the rule of law, respect for human rights, data protection rules, security measures, and the standards of enforcement including available legal remedies for data subjects.[26] If the assessment is positive, the EC may issue an adequacy decision, allowing personal data to flow from the EU to a third country or international organization without the need for additional safeguards.[27]

In case an adequacy decision has not been made, such transfers can still proceed under Article 46, provided that appropriate safeguards are implemented.[28] These safeguards can include legally binding and enforceable instruments between public authorities, standard data protection clauses adopted by the EC, binding corporate rules approved by competent authorities, or other commitments such as codes of conduct and certification mechanisms that ensure compliance with EU standards.[29]

In exceptional cases, where both an adequacy decision and appropriate safeguards are absent, Article 49 outlines specific derogations allowing for the transfer of personal data, such as for public interests, for the establishment, exercise or defence of legal claims, or to protect the vital interests of natural persons.[30]

With the aforementioned features, the GDPR represents a significant advancement in data protection law, introducing robust measures to safeguard personal data within and beyond the EU.

2. WTO Law and Cross-Border Data Flows

The current regulation of cross-border data transfers under the WTO framework is primarily governed by the GATS, which covers both traditional services and digital trade. GATS does not categorically preclude governmental measures affecting cross-border data flows; rather, it permits members to adopt measures necessary to achieve legitimate public policy objectives.[31] In particular, Article XIV of GATS provides a general exception that allows members to implement measures aimed at protecting morals, public order, health, and privacy.[32] Specifically, Article XIV(c)(ii) clarifies that nothing in the Agreement shall be construed as preventing members from adopting or enforcing measures necessary to comply with domestic laws – including those related to the protection of individual privacy during the processing and transmission of personal data, as well as the security of records and personal accounts.[33] This provision enables states to establish legal controls over cross-border data transfers, provided that such measures pursue legitimate objectives and adhere to the WTO’s principle of non-discrimination.

Nonetheless, any measures taken must satisfy two principal requirements: first, they must be implemented in strict accordance with the legal provisions consistent with GATS; and second, they must pass the “necessity test”.[34] As held in US – Gambling, assessing necessity requires a multifactorial analysis that considers the importance of the public policy objective, the extent to which the measure contributes to achieving that objective, and its minimal impact on international trade.[35] Moreover, it is also essential to determine whether less trade-restrictive alternatives exist that could also achieve the desired objective.[36] Additionally, paragraph 5(d) of the GATS Telecommunications Annex permits a member to adopt necessary measures to ensure the security and integrity of communications, provided that such measures are not applied arbitrarily, unfairly, or in a disguised manner intended to restrict trade in services.[37]

Although early practice and annex disciplines place financial services and telecommunications in the foreground, the scope of the GATS is economy-wide.[38] Where Members have scheduled commitments, GATS obligations can and do apply to services supplied through digital means.[39] Modes 1 and 2 readily capture online delivery and cross-border consumption, and WTO adjudication has confirmed that electronically supplied services are within the Agreement.[40] In US – Gambling, the reports treated the remote supply of gambling services as mode 1 and read market access commitments in a technology-neutral manner.[41] The Appellate Body upheld findings that the United States had undertaken a mode 1 commitment for gambling and betting services and that its measures restricted the remote supply of those services.

Similar reasoning in China – Electronic Payment Services shows how electronic delivery can be analyzed within existing schedules and classification lists even when service descriptions predate modern business models.[42] These cases support the proposition that many digital services fall under GATS where the Member’s schedule and the W/120 CPC scheme provide an anchor, although the age of those taxonomies continues to produce uneven commitments and uncertainty for cloud and platform services.[43] At the same time, measures that restrict cross-border data flows, such as data localization requirements, may interfere with mode 1 commitments by foreclosing remote supply or imposing de facto local presence, potentially engaging Article XVI or Article XVII.[44] Such measures must then survive the applicable exceptions. General exceptions in Article XIV, including public morals and privacy-related objectives, and security exceptions in Article XIV bis remain available subject to the strictures of the chapeau, and prudential space under the Financial Services Annex adds a separate defense for banking and insurance regulation.[45]

Finally, the multilateral moratorium on customs duties on electronic transmissions now extended until MC14 or 31 March 2026 continues to blur the line between duties on the act of transmission and charges related to content because Members have never agreed on a definition of electronic transmissions, which complicates any attempt to draw a clean boundary between taxes on content and the carriage of that content.[46]

3. Compatibility between GDPR and International Trade Law

Following the establishment of the EU’s legal framework for data protection, legal arguments arose concerning the potential inconsistency of the rules for transfers of personal data with the EU’s obligations under international trade law, particularly WTO law.

As previously articulated in Section 2, data and its processing constitute a service within the purview of GATS.[47] As a WTO Member, the EU is bound by the general obligations of GATS. However, the GDPR’s restrictive measures on personal data transfers have elicited challenges alleging violations of the principles of Most-Favored-Nation (MFN) Treatment, National Treatment (NT), and Market Access. These challenges contend that such violations are not justifiable under the general exceptions provided by Article XIV of GATS. Therefore, this section will examine whether the GDPR’s data protection measures contravene international trade obligations and whether such measures may be justified under exceptions.

3.1. Most-Favored-Nation Treatment

The principle of MFN is enshrined in Article II of GATS, establishing a general and unconditional principle of non-discrimination among Members and applying to all measures affecting trade in services. According to the MFN obligation, each Member shall accord “immediately and unconditionally” to services and service suppliers of any other Member treatment “no less favorable” than that it accords to like services and service suppliers of any other country.

In the case of the EU, the exemptions notified under the GATS predominantly relate to the communications, audiovisual and transport sectors, reflecting the overall trend among WTO Members. Nearly two-thirds of all MFN-inconsistent measures notified globally concern these sectors, with the largest number found in the audiovisual field, where Members, particularly EU Member States, have reserved preferential arrangements for co-production and cultural cooperation agreements. None of the publicly available schedules indicates the existence of any exemption concerning data-protection or cross-border data-transfer measures. On this basis, and because the GDPR operates as an EU-wide regulation of general application rather than a negotiated bilateral arrangement, it arguably falls outside these exemptions. Accordingly, the GDPR’s cross-border data-transfer regime remains prima facie subject to Article II of the GATS.

Where the MFN obligation applies, a potential inconsistency arises when the EU accords different treatment to “like” services or service suppliers based on the adequacy of their country’s data-protection regime. To determine whether the GDPR infringes upon the MFN obligation, one must prove: (1) the likeness of two or more services and service suppliers; and (2) the existence of less favorable treatment that adversely affects the conditions of competition.

Firstly, regarding the determination of likeness, the absence of jurisprudence under the WTO dispute settlement mechanism concerning the likeness of services related to data creates uncertainty about the applicable criteria.[48] Under Article II:1 of the GATS, the MFN obligation applies to “like services” and “like service suppliers,” and does not depend on whether a Member has undertaken specific commitments in a given sector. According to the Appellate Body, the concept of “likeness” is concerned primarily with the competitive relationship between services and service suppliers, which must be assessed on a case-by-case basis in light of the specific circumstances of the dispute.[49] In determining likeness, the Appellate Body has acknowledged that the analytical tools used in GATT jurisprudence, such as product characteristics, end use, and consumer preferences,[50] may serve as persuasive interpretive tools for assessing likeness under GATS. Accordingly, the characteristics of the services and suppliers, as well as consumers’ preferences regarding them, may all be relevant in determining whether they are “like”.[51] The underlying purpose of this comparison is to ascertain whether, and to what extent, the services and service suppliers are in a competitive relationship, as this serves as a prerequisite for determining whether the conditions of competition have been modified in breach of the “no less favourable treatment” requirement.[52]

The reasoning in Argentina – Financial Services provides instructive guidance for the present discussion. In that case, Argentina adopted measures differentiating between service suppliers from “cooperative” and “non-cooperative” jurisdictions for tax-transparency purposes.[53] The Panel found the measures inconsistent with Article II:1 but refrained from conducting a full likeness analysis, finding it “extremely difficult” to assess whether Argentina’s access to tax information affected the characteristics of the services or consumer preferences.[54] It therefore presumed likeness on the ground that the distinction was “due to origin”.[55] On appeal, the Appellate Body clarified that likeness may be presumed only where a measure distinguishes exclusively on the basis of origin, the so-called “presumption approach”.[56] Therefore, the Appellate Body held that the Panel should not have presumed likeness and should instead have assessed the competitive relationship between the services and suppliers concerned.[57]

This distinction is particularly pertinent to the GDPR’s adequacy decision mechanism, which differentiates between third countries not by their national origin but by reference to the regulatory level of personal-data protection in their domestic legal framework. The differentiation thus arises from regulatory divergence rather than nationality. Similar to Argentina – Financial Services, where the regulatory environment governed Argentina’s access to tax information, the GDPR conditions the permissibility of data transfers on the adequacy of the foreign regulatory regime. It follows that the relevant comparison would be between services and service suppliers from jurisdictions deemed “adequate” and those from “non-adequate” jurisdictions. The question is whether the differences in their regulatory environments affect their competitive relationship to an extent that precludes a finding of likeness.

Although digital services such as cloud computing, data analytics, or online platforms, may be functionally similar across jurisdictions, the divergence in data-protection requirements may alter the legal and commercial conditions under which these services compete within the EU market. In this regard, while the criterion of consumer habits could, in principle, assist in assessing likeness, it remains highly subjective and context-dependent. Consumer expectations regarding privacy and data protection are considerably more pronounced within the European market than elsewhere, and what may hold true for consumers in other jurisdictions cannot be readily transposed to the EU context. The likeness analysis must therefore be approached with caution and assessed on a case-by-case basis, taking into account both the functional similarity of services and the regulatory context in which they operate.

Secondly, the element of less favorable treatment concerns whether a measure modifies the conditions of competition between like services and service suppliers. As affirmed by the Appellate Body in EC – Bananas III, discrimination in violation of Article II:1 may arise from both de jure and de facto differential treatment.[58] The key question is whether the measure at issue modifies the conditions of competition between like services and service suppliers. In this respect, the analysis must first establish the existence of prima facie differential treatment before considering whether it may subsequently be justified under the GATS.

The GDPR imposes restrictions on the transfer of personal data outside the EEA.[59] As a starting point, it requires that a third country obtain an adequacy decision from the EC as a prerequisite for personal data transfers.[60] Under Article 45, such a decision allows unrestricted data transfers to and from the EU for the third country’s services and service suppliers.[61] Conversely, services and service suppliers from WTO Members lacking an adequacy decision are precluded from transfers or must resort to alternative legal mechanisms prescribed in subsequent articles.[62] Even absent overt discrimination, the adequacy decision mechanism creates a prima facie presumption of less favorable treatment for those countries failing to meet the requisite protection standards.

In the case of services and service suppliers from WTO Members lacking an adequacy decision, or appropriate safeguards under Article 46 of GDPR, such entities are subjected to less favorable treatment compared to their counterparts from countries with adequacy decisions.[63] The application of appropriate safeguards imposes a greater burden than reliance on an adequacy decision.[64] The concept of “no less favorable treatment” in Article II of GATS focuses on altering the conditions of competition.[65] The implementation of Article 46 safeguards, which creates additional obligations and ongoing legal management, results in a competitive disadvantage for services and service suppliers from WTO Members without adequacy decisions, thus constituting less favorable treatment.[66]

Article 49 of GDPR permits personal data transfers to third countries through derogations in the absence of adequacy decisions or appropriate safeguards. In these instances, services and service suppliers are treated less favorably than those from countries with adequacy decisions.[67] The reliance on derogations creates a competitive disadvantage due to the additional compliance burdens. By contrast, services and service suppliers from countries with adequacy decisions enjoy unrestricted data transfers. This disparity results in less favorable treatment of suppliers that must rely on derogations and in a potential infringement of the MFN obligation under Article II of GATS.

Furthermore, the risk of discriminatory treatment arises from the possibility of bilateral negotiations between the EU and certain countries for sector-specific data transfer agreements.[68] Article 45(3) of GDPR grants the EC the authority to approve sectoral agreements with third countries, thereby tailoring data transfer regulations to specific industries and potentially leading to an MFN violation.[69] The EU’s practice of adopting adequacy decisions for special frameworks, such as the invalidated Decision 2000/520 (Safe Harbor) and Decision 2016/1250 (Privacy Shield), illustrates this.[70] The integration of adequacy decisions with special frameworks results in “more lenient treatment” compared to those third countries subject to a full adequacy assessment.[71] Notably, the EU-US Privacy Shield accorded the US preferential treatment vis-à-vis other third countries.[72] Moreover, the EC’s discretion to negotiate sectoral agreements with third countries lacking comprehensive data protection,[73] while withholding such agreements from similarly situated countries, further exacerbates MFN concerns.[74]

In this regard, the GDPR’s country-specific approach to cross-border data transfers presents a structural tension with the MFN obligation under Article II of the GATS. By limiting unrestricted personal data flows to those third countries deemed to offer “adequate” levels of protection under Article 45 of the GDPR, the EU effectively establishes a two-tiered framework among its trading partners. This practice, commonly referred to as a “whitelist”, confers preferential treatment on a select group of countries, while subjecting others to more restrictive or burdensome transfer mechanisms. Although the EU’s reliance on adequacy decisions is grounded in the legitimate objective of safeguarding personal data, the resulting selective openness carries trade implications that GATS Article II was designed to avoid. In particular, services and service suppliers from non-adequate WTO Members face compliance costs and legal uncertainty not imposed on those from “adequate” jurisdictions. This distinction modifies the conditions of competition to the disadvantage of similarly situated service suppliers solely on the basis of origin, establishing a de facto MFN violation.

From a trade law perspective, such differentiated treatment appears difficult to justify under the MFN principle in the absence of an applicable exception, which is explained more precisely in the next section on general exceptions. The competitive disadvantage imposed on excluded Members arises not from any failure to comply with WTO commitments, but from the EU’s unilateral regulatory determinations. As a result, the adequacy-based regime may be characterized as inherently discriminatory, even if indirectly so. Accordingly, any assessment of the GDPR’s compatibility with WTO law must eventually turn to the general exceptions under Article XIV of GATS, particularly the exception permitting measures necessary to protect the privacy of individuals in relation to the processing and dissemination of personal data. The crucial issue then becomes whether the GDPR satisfies the necessity and proportionality tests, and whether it is applied in a manner consistent with the chapeau of Article XIV, which prohibits arbitrary or unjustifiable discrimination between countries where like conditions prevail.

3.2. National Treatment

The principle of NT, as enshrined in Article XVII of GATS, mandates that each WTO Member accord to the services and service suppliers of any other Member treatment no less favorable than that accorded to its own “like” domestic services and service suppliers. Similar to the analysis under MFN treatment, proving a violation of the NT principle requires: (1) the likeness of services and service suppliers; and (2) the existence of discriminatory treatment between domestic and foreign services and service suppliers.

Firstly, the issue of determining likeness has been addressed previously in Section 3.1.

Secondly, regarding the existence of discriminatory treatment, while scholars often argue that the GDPR’s personal data transfer provisions to third countries do not contravene the GATS’s NT obligation due to their non-discriminatory application to both domestic and foreign services and service suppliers, some contend that less favorable treatment can still occur.[75] Chapter V of GDPR categorizes third countries into two distinct groups: (i) those with an adequacy decision under Article 45, and (ii) those without such a decision.[76]

With respect to countries possessing an adequacy decision, Article 45 of GDPR allows for free flows of personal data for both foreign and domestic service suppliers. Foreign service suppliers established in a third country with an adequacy decision may utilize this legal mechanism to transfer personal data without any further authorization.[77] The absence of restrictions on the free flow of personal data between the EU and third countries with adequacy decisions ensures that the competitive conditions for domestic and foreign service suppliers are not adversely affected by the GDPR’s data transfer regulations when a third country has been granted an adequacy decision.[78] Thus, this scenario does not give rise to a violation of NT under Article XVII of GATS.[79]

Conversely, concerning countries lacking an adequacy decision, the safeguards under Article 46 of GDPR apply equally to domestic and foreign service suppliers regarding cross-border flows of personal data.[80] However, if these safeguards cannot be effectively implemented, a violation of the NT obligation under Article XVII of GATS may occur. In such circumstances, foreign suppliers will be subjected to less favorable treatment compared to domestic suppliers.[81] Notably, unlike suppliers within the EEA, foreign suppliers are precluded from utilizing legitimate business interests as a lawful basis for processing the personal data of European individuals because legitimate business interests are not recognized as a permissible ground for cross-border transfers within the GDPR.[82] This restriction is particularly significant for foreign services and service suppliers for whom cross-border personal data transfers are an indispensable operational element.[83] Thus, the absence of adequate safeguards under Article 46 of GDPR may result in a disadvantage for foreign service suppliers, constituting a violation of the NT obligation as stipulated in Article XVII of GATS.

The derogations in Article 49 of GDPR are designed to apply equally to both foreign and domestic service suppliers. However, in practice, these derogations can disadvantage foreign service suppliers, owing to their reliance on cross-border personal data flows for providing cross-border services within the EU. A key determinant of less favorable treatment is a modification in competitive conditions. In the case of the contractual derogation under Article 49(1)(b) of GDPR, no significant modification in competitive conditions occurs because Article 49(1)(b) of GDPR merely requires foreign service suppliers to demonstrate that the data transfer is necessary for the performance of a contract (contract-based derogation).[84] The principles of purpose limitation and data minimization under Articles 5(1)(b) and 5(1)(c) of GDPR impose similar obligations on EU-based service suppliers. Moreover, the transparency requirements and general information obligations under Article 5(1)(a) and Article 13 of GDPR, including the obligation to provide information on data transfer risks, apply to both domestic and foreign service suppliers.[85] Therefore, it can be concluded that the EU’s data transfer regulations do not create significant discrimination in competitive conditions that favor domestic service suppliers in the case of contract-based derogation.

However, the situation differs with respect to the consent-based derogation under Article 49(1)(a) of GDPR. This derogation requires foreign service suppliers to obtain explicit consent from data subjects for data transfers, while EU-based service suppliers can rely on consent.[86] This distinction arises from the GDPR’s requirement for explicit consent in situations involving high data protection risks, such as international data transfers.[87] In this context, Footnote 10[88] to Article XVII:1 of GATS can be invoked, stating that commitments under Article XVII:1 of GATS do not require a WTO member to compensate for any inherent competitive disadvantage resulting from the foreign nature of the service or service supplier.[89] However, the Appellate Body in Argentina‑Financial Services emphasized that these inherent competitive disadvantages must be distinguished from the impact of measures on competitive conditions in the market.[90] In the case of the consent-based derogation, the requirement of “explicit consent”[91] is considered a form of de facto discrimination, as it creates an additional legal burden that applies only to foreign service suppliers.[92]

The additional requirement of “explicit consent” places foreign service suppliers at a disadvantage. “Explicit consent” requires a clear affirmative written statement,[93] creating an additional administrative and legal burden for service suppliers.[94] While it could be argued that this burden has only a minimal impact on competitive conditions, WTO jurisprudence does not recognize a de minimis standard for the NT obligation.[95] This means that any difference in treatment, however small, can be considered a violation of the NT obligation.

The GDPR arguably results in a structural advantage for EU-based service suppliers over their non-EU counterparts, thereby giving rise to legitimate concerns under the NT obligation set forth in Article XVII of the GATS. While the GDPR purports to apply uniformly to all entities processing the personal data of EU residents, the regulatory burdens it imposes on foreign service suppliers, such as the requirement to incorporate standard contractual clauses or obtain authorization from supervisory authorities for data transfers, operate as additional compliance obligations from which EU service suppliers, by virtue of their location within the GDPR’s regulatory jurisdiction, are effectively exempt.

Although the GDPR is facially origin-neutral, its practical implementation renders the origin of the service supplier a de facto determinant of how freely that supplier may operate in the EU market. This form of indirect discrimination is precisely the type of competitive distortion that the NT obligation is designed to prevent. A foreign service supplier that is subject to restrictive and burdensome transfer mechanisms could reasonably assert that it is subject to less favorable treatment within the meaning of Article XVII of GATS, due to the altered conditions of competition. This asymmetry highlights an inherent tension between the EU’s legitimate objective of ensuring a high level of personal data protection and its obligation under WTO law to accord equal treatment to like services and service suppliers of other Members in committed sectors. Unless the differential regulatory impact of the GDPR can be justified under one of the general exceptions in Article XIV of GATS, its current structure may be incompatible with the EU’s NT commitments, as it effectively disadvantages foreign service suppliers solely on the basis of their place of establishment.

3.3. Market Access

Article XVI of GATS requires that each Member accord to services and service suppliers of any other Member treatment no less favorable than that provided for under the terms, limitations, and conditions agreed and specified in its schedule.[96] Market access as defined by Article XVI transcends mere market entry;[97] it encompasses the elimination of quantitative restrictions that impede a service supplier’s ability to provide services. It should be borne in mind that Article XVI:2 does not include non-quantitative measures.[98]

The Appellate Body in US-Gambling clarified that an outright prohibition on the cross-border supply of services constitutes a “zero quota”, thereby violating market access commitments.[99] This ruling affirms that WTO Members cannot circumvent their obligations by imposing direct or indirect barriers to service provision.[100]

In the context of digital services, Article XVI is crucial because it ensures that market access commitments apply equally to cross-border and commercial-presence modes.[101] This implies that where a WTO Member has undertaken commitments in data-related sectors, it may not impose quantitative restrictions on the supply of digital services, such as data processing or hosting within those sectors. However, the application of Article XVI to the digital domain presents analytical challenges.

The GDPR, notably Articles 45-49, does not impose an explicit numerical limitation on service suppliers. Instead, it establishes a conditional framework governing cross-border personal data transfer. Article 45 authorises transfers only to jurisdictions recognised as providing an adequate level of protection, while Articles 46 and 49 permit transfers subject to appropriate safeguards or limited derogations. This conditionality, although restrictive, does not equate to a prohibition on cross-border supply: foreign suppliers may continue to provide services within the EU, either by localising data storage or by employing the legal mechanisms available under the Regulation.

Nevertheless, such conditionality can indirectly affect the operation of market-access commitments. When EU data transfer regulations restrict cross-border flows of personal data, foreign service suppliers are compelled to localize data storage and processing within the EU’s territorial boundaries. This localization mandate creates a significant barrier to the provision of cross-border services. For instance, cloud computing services,[102] social media platforms,[103] and Internet of Things (IoT)[104] applications frequently rely on cross-border personal data transfers to deliver services effectively. In practice, an inability to transfer data as required may limit a supplier’s ability to deliver its service across borders, thereby modifying the conditions under which market-access commitments are realised.

While the GDPR does not impose an outright ban on data transfers, its operation nonetheless introduces a conditional regime. Transfers of personal data from the EU to third countries are permitted only where adequate safeguards are in place, such as standard contractual clauses or binding corporate rules. This conditionality serves as a regulatory safety valve: as long as a foreign service supplier can utilize one of the available legal mechanisms, the EU arguably avoids imposing a quantitative restriction on data flows. This structure reflects a conscious legislative design to remain within the bounds of Article XVI obligations.

However, the equilibrium is fragile. If a third country’s data protection framework is deemed so deficient that no legal mechanism, e.g. standard clauses, supplementary measures, or otherwise, can ensure compliance, the GDPR may effectively prohibit data transfers to that jurisdiction. In such cases, the privacy imperative of the GDPR collides with the EU’s market access obligations. The result is a de facto “zero quota” on the supply of digital services by providers from that jurisdiction, particularly where those services rely fundamentally on cross-border data flows. This concern is more than theoretical. In jurisdictions lacking adequate legal frameworks or the technological and administrative infrastructure necessary to meet the GDPR’s stringent requirements, service suppliers may find themselves entirely excluded from the EU market. The practical consequence is the nullification of market access commitments, in violation of Article XVI:2 as interpreted by the Appellate Body in US-Gambling.[105] In this regard, while the GDPR’s current operation may avoid constituting a formal breach of Article XVI, the risk of non-compliance remains latent. Enhanced regulatory enforcement, judicial interpretations, or policy shifts could render the conditional framework effectively prohibitive. Any incidental breach of market access resulting from the application of privacy measures would, in such cases, require justification under the general exceptions provision in Article XIV of the GATS.

3.4. General Exceptions

GATS establishes general exceptions that allow Member States to justify measures inconsistent with GATS.[106] The critical question is whether the EU can invoke the exception under Article XIV(c)(ii) of GATS to justify the prima facie violations of its obligations.

The Appellate Body has consistently applied a three-pronged approach in WTO jurisprudence. Accordingly, a WTO Member invoking such protection must: (i) identify the laws and regulations with which the challenged measure is intended to secure compliance; (ii) prove that those laws and regulations are not inherently inconsistent with WTO law; and (iii) prove that the challenged measure is designed to secure compliance with those laws or regulations.[107] Under this framework, the EU can persuasively argue that: (i) adequacy decisions under Article 45 of GDPR and the safeguards outlined in Article 46 of GDPR are designed to ensure compliance with the GDPR and to protect the fundamental right to personal data protection as enshrined in Article 8 of the EU CFR;[108] (ii) the GDPR and the right to personal data protection under Article 8 of CFR are consistent with WTO law. The Panel in Argentina-Financial Services affirmed that “a Member’s law shall be deemed to be consistent with the WTO unless and until proven otherwise”.[109] Moreover, the Appellate Body further clarified that “there may be circumstances in which the GATS-inconsistency of certain provisions of a legal instrument could affect or taint the GATS-consistency of other parts of the same instrument or of the instrument as a whole”.[110] Following the AB’s reasoning, while provisions of GDPR on personal data transfers potentially violate WTO obligations, as previously demonstrated, such instances of inconsistency do not invalidate the GDPR in its entirety;[111] (iii) as previously established, adequacy decisions are meticulously designed to ensure compliance with the right to data protection under Article 8 of CFR.

Secondly, to justify the inconsistency with WTO law, it is imperative to demonstrate that the EU’s GDPR framework constitutes a “necessary” measure. The Appellate Body in Argentina-Financial Services emphasized that the greater the contribution of a measure to its pursued objective, the more readily it will be deemed necessary.[112] The Appellate Body also clarified that a measure is deemed necessary “if there were no alternative measure consistent with the General Agreement, or less inconsistent with it”.[113] In Brazil-Retreaded Tyres, the Appellate Body articulated a two-step methodology for determining whether a measure is “necessary”.[114] Applying this framework to the GDPR, the first step involves assessing the “relative importance” of the personal data protection objective pursued by the GDPR, in comparison to all of the interests set out in Article XIV of GATS, including “the protection of the privacy of individuals in relation to the processing and dissemination of personal data” under Article XIV(c)(ii).[115] The second step mandates that the dispute settlement body conduct an analysis of other factors, which typically include the measure’s contribution to its objective. In China-Publications and Audiovisual Products, the Appellate Body clarified that a Member State choosing to implement a restrictive measure must ensure that the measure is carefully calibrated to achieve its objective.[116]

After examining the necessity test, the crucial consideration is the existence and feasibility of alternative measures. At this juncture, the burden of proof shifts to the claimant, and the EU can rebut the proposed alternatives by arguing that they are not “genuine alternatives” or “reasonably available”.[117] The Panel in US-Spring Assemblies opined that a measure cannot be deemed necessary if there is an alternative measure that the regulating Member could reasonably be expected to adopt, and that alternative measure is not inconsistent with other GATT provisions.[118] The Appellate Body in US-Gambling further clarified that measures proposed by the complainant are not reasonably available if they impose excessive costs, present technical difficulties, or fail to meet the level of protection chosen by the defending Member.[119] However, the Appellate Body in China-Publications and Audiovisual Products emphasized that mere additional costs or burdens are insufficient to demonstrate that a proposed alternative measure is “not reasonably available”.[120] Furthermore, any measure proposed by the complainant must meet the level of protection or enforcement chosen by the defending Member.

Based on the reasoning of the WTO DSB in its jurisprudence, the argument can be advanced to demonstrate that the GDPR is a necessary measure for the protection of privacy under Article XIV(c)(ii) of GATS.

The Lisbon Treaty recognized the right to personal data protection as a fundamental right, having sui generis binding effect, as enshrined in Article 8 of CFR and Article 16 of the Treaty on the Functioning of the EU. This right, distinct from mere privacy, is an autonomous right demanding “effective and adequate” protection as mandated by the Court of Justice of the European Union (CJEU).[121] This legal obligation compels the EU to establish a comprehensive legal framework, with the GDPR serving as the linchpin for effective implementation. The CJEU has repeatedly affirmed the paramount importance of data protection, even prioritizing it over other fundamental rights in certain contexts, particularly in data transfers outside the EEA. In the cases of Schrems I, Schrems II, and the Opinion on the EU-Canada PNR Agreement,[122] the Court established that data transfers to third countries can lead to unacceptable restrictions on this fundamental right. In the absence of equivalent protection in the recipient country, the risk of uncontrolled surveillance, collection, or use of personal data is palpable, threatening the integrity of this right. Hence, the CJEU mandated that any mechanism facilitating data transfers outside the EU must ensure effective and comprehensive protection, prioritizing data protection over freedom of business or expression.

The necessity of GDPR is further validated by the EU’s necessity test. A measure restricting fundamental rights is legitimate only if it pursues a legitimate aim, is proportionate, and lacks less intrusive alternatives. The GDPR fulfills these criteria. It implements the fundamental right to data protection, imposes only necessary restrictions, and lacks viable alternatives that maintain equivalent control. The CJEU’s rulings in Schrems I and Schrems II, which invalidated Safe Harbor and Privacy Shield, underscore this point. The Snowden revelations further solidified the CJEU’s stringent stance, necessitating equivalent protection or effective remedies for data subjects in third countries. Without the GDPR, data protection would be a hollow right, vulnerable to abuse.

Even if a measure meets the substantive requirements of Article XIV(c)(ii), it must also satisfy the introductory clause (chapeau). In particular, the chapeau prohibits measures constituting (i) arbitrary or unjustifiable discrimination between countries where the same conditions prevail, and (ii) a disguised restriction on international trade.[123] As the Appellate Body clarified in US – Gasoline and reaffirmed in EC – Seal Products, the question focuses on the application of a measure rather than its stated purpose. The design, architecture, and revealing structure of a measure, including both substantive and procedural requirements, are examined to determine whether its administration undermines the balance between Members’ right to regulate and their obligations under the GATS.

To determine whether a measure constitutes arbitrary or unjustifiable discrimination, three cumulative elements must be satisfied: (i) the measure results in discrimination; (ii) such discrimination is arbitrary or unjustifiable in character; and (iii) it occurs between countries where the same conditions prevail.[124] Discrimination becomes arbitrary or unjustifiable when the distinction between Members bears no rational relationship to the declared policy objective or, worse, contradicts it.[125] A disguised restriction on trade arises when a measure that is formally within the terms of an exception is applied in a manner that conceals protectionist intent, thereby undermining the balance that Article XIV seeks to preserve.[126]

Applied to the GDPR, this requirement underscores that adequacy decisions and transfer mechanisms must operate in a transparent, objective, and consistent manner. While the framework established under Articles 45–49 appears neutral and principles-based, potential discrimination may arise if countries with comparable data-protection standards are treated differently, or if adequacy determinations are influenced by political or economic considerations rather than the substantive level of protection. Such differentiation would lack a rational connection to the GDPR’s stated objective of safeguarding personal data and could therefore amount to arbitrary or unjustifiable discrimination within the meaning of the chapeau.

To ensure conformity with the chapeau, the design, structure, and process of adequacy determinations must remain consistent, evidence-based, and equally accessible to all third countries capable of meeting equivalent protection standards. Procedural transparency, objective criteria, and the periodic review mechanism provided under Article 45(3)-(5) function as safeguards against arbitrary application. Where these mechanisms are applied in good faith and without extraneous influence, the GDPR’s external data-transfer regime would likely satisfy the non-discrimination requirement under the chapeau of Article XIV.

Accordingly, while the GDPR may give rise to prima facie inconsistencies with GATS, it can be justified under Article XIV(c)(ii) as a necessary and proportionate measure for protecting the fundamental right to personal data protection. Its structured approach, flexible mechanisms, transparent criteria, and consistent application provide a strong basis for WTO compliance. This interpretation affirms that WTO law does not mandate regulatory dilution in the pursuit of trade liberalization but instead accommodates legitimate, well-founded public policy objectives such as privacy, provided they are implemented in a manner that respects core trade principles.

Conclusion

In conclusion, this paper has examined the intricate balance between the GDPR of the EU and the obligations imposed by international trade law, particularly the GATS of the WTO. The stringent provisions of the GDPR, aimed at safeguarding personal data, often stand at odds with the liberalizing objectives of international trade frameworks, which emphasize the unfettered flow of data across borders. Although the GDPR’s measures pose potential conflicts with WTO principles such as Most-Favored-Nation Treatment and National Treatment, these can be justified under the general exceptions allowed for the protection of privacy under Article XIV of the GATS. To achieve a harmonious integration of data protection and trade liberalization, a continuous and dynamic dialogue between international entities and the EU is crucial to ensure that both economic efficiency and the protection of fundamental rights are effectively balanced.

Bibliography

Agreements

General Agreement on Trade in Services, 15 April 1994, 1869 UNTS 183, 33 ILM 1167 (entered into force 1 January 1995) [GATS].

Annex on Telecommunications to the General Agreement on Trade in Services, WTO Doc LT/UR/A-1B/S/Annex 3 (15 April 1994).

International Documents

International Covenant on Civil and Political Rights, 19 December 1966, 999 UNTS 171 (entered into force 23 March 1976) [ICCPR].

Universal Declaration of Human Rights, GA Res 217A (III), UNGAOR, 3rd Sess, Supp No 13, UN Doc A/810 (1948) 71.

WTO, “Cross-Border Trade in Services: Mode 3 Investment”, online: WTO www.wto.org/english/tratop_e/serv_e/cbt_course_e/c1s3p1_e.htm.

Legislations

EC, Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC on the adequacy of the protection provided by the Safe Harbour Privacy Principles, [2000] OJ, L 215/7.

EC, Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC on the adequacy of the protection provided by the EU-U.S. Privacy Shield, [2016] OJ, L 207/1.

EC, Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final.

EC, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), [2016] OJ, L 119/1 [GDPR].

Cases

Schrems v Data Protection Commissioner (Schrems I) (Case C-362/14), ECLI:EU:C:2015:650 (Court of Justice of the European Union).

Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others (Joined Cases C-293/12 and C-594/12), ECLI:EU:C:2014:238 (Court of Justice of the European Union).

Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others (Joined Cases C-203/15 and C-698/15), ECLI:EU:C:2016:970 (Court of Justice of the European Union).

Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen (Joined Cases C-92/09 and C-93/09), ECLI:EU:C:2010:662 (Court of Justice of the European Union).

Draft Agreement between Canada and the European Union on the Transfer of Passenger Name Record Data (Opinion 1/15), ECLI:EU:C:2017:592 (Court of Justice of the European Union).

United States – Restrictions on Imports of Sugar and Sugar-Containing Products (Complaint by the European Communities) (1983), GATT Doc L/5333, 30th Supp BISD (1984) 107 (Panel Report).

United States – Section 337 of the Tariff Act of 1930 (1988), GATT Doc L/6439, 36th Supp BISD (1990) 345 (Panel Report).

European Communities – Regime for the Importation, Sale and Distribution of Bananas (EC – Bananas III) (1997), WTO Doc WT/DS27/AB/R (Appellate Body Report), online: WTO docsonline.wto.org.

Japan – Taxes on Alcoholic Beverages (Japan – Alcoholic Beverages II) (1996), WTO Doc WT/DS8/AB/R, WT/DS10/AB/R, WT/DS11/AB/R (Appellate Body Report), online: WTO docsonline.wto.org.

United States – Measures Affecting the Cross-Border Supply of Gambling and Betting Services (US – Gambling) (2005), WTO Doc WT/DS285/R (Panel Report), online: WTO docsonline.wto.org.

Brazil – Measures Affecting Imports of Retreaded Tyres (Brazil – Retreaded Tyres) (2007), WTO Doc WT/DS332/AB/R (Appellate Body Report), online: WTO docsonline.wto.org.

European Communities – Measures Affecting Asbestos and Asbestos-Containing Products (EC – Asbestos) (2001), WTO Doc WT/DS135/AB/R (Appellate Body Report), online: WTO docsonline.wto.org.

Korea – Measures Affecting Imports of Fresh, Chilled and Frozen Beef (Korea – Various Measures on Beef) (2001), WTO Doc WT/DS161/AB/R, WT/DS169/AB/R (Appellate Body Report), online: WTO docsonline.wto.org.

Argentina – Measures Relating to Trade in Goods and Services (Argentina – Financial Services) (2015), WTO Doc WT/DS453/R (Panel Report), online: WTO docsonline.wto.org.

Canada – Certain Measures Affecting the Automotive Industry (Canada – Autos) (2000), WTO Doc WT/DS139/R, WT/DS142/R (Panel Report), online: WTO docsonline.wto.org.

China – Certain Measures Affecting Electronic Payment Services (2012), WTO Doc WT/DS413/R (Panel Report), online: WTO docsonline.wto.org.

China – Measures Affecting Trading Rights and Distribution Services for Certain Publications and Audiovisual Entertainment Products (China – Audiovisual Products) (2010), WTO Doc WT/DS363/R (Panel Report), online: WTO docsonline.wto.org.

Colombia – Indicative Prices and Restrictions on Ports of Entry (Colombia – Ports of Entry) (2009), WTO Doc WT/DS366/R (Panel Report), online: WTO docsonline.wto.org.

United States – Customs Bond Directive for Merchandise Subject to Anti-Dumping/Countervailing Duties (US – Shrimp (Thailand)) (2008), WTO Doc WT/DS343/R (Panel Report), online: WTO docsonline.wto.org.

Government Documents

European Data Protection Board, Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) (22 November 2019).

European Data Protection Board, Guidelines 2/2018 on Derogations of Article 49 under Regulation 2016/679 (25 May 2018).

European Data Protection Board, Guidelines 5/2021 on the Interplay between the Application of Article 3 and the Provisions on International Transfers as per Chapter V of the GDPR (14 December 2023).

Article 29 Data Protection Working Party, Guidelines on Consent under Regulation 2016/679, WP 259 rev 01 (28 November 2017, as last revised and adopted on 10 April 2018).

Books

Keller, Pascale. European and International Media Law: Liberal Democracy, Trade, and the New Media (Oxford: Oxford University Press, 2011).

Matsushita, Mitsuo, Thomas J Schoenbaum, Petros C Mavroidis & Michael Hahn. The World Trade Organization: Law, Practice, and Policy, 3rd ed (Oxford: Oxford University Press, 2015).

Munin, Nitsan. Legal Guide to GATS (Alphen aan den Rijn: Kluwer Law International, 2010).

Naef, Tobias. Data Protection without Data Protectionism: The Right to Protection of Personal Data and Data Transfers in EU Law and International Trade Law (Cham: Springer, 2023), DOI: 10.1007/978-3-031-19893-9.

Van den Bossche, Peter & Werner Zdouc. The Law and Policy of the World Trade Organization, 4th ed (Cambridge: Cambridge University Press, 2017).

Chapters and Journal Articles

Bakare, Seun Solomon et al. “Data Privacy Laws and Compliance: A Comparative Review of the EU GDPR and USA Regulations” (2024) 5:3 Computer Science & IT Research Journal 536, DOI: 10.51594/csitrj.v5i3.859.

Baxevani, Theodora. “GDPR Overview” (2019), online: www.researchgate.net/publication/333560686_GDPR_Overview.

Burri, Mira. “Cross-Border Data Flows and Privacy in Global Trade Law: Has Trade Trumped Data Protection?” (2023) 39:1 Oxford Review of Economic Policy 85, online: ssrn.com/abstract=4349797.

Hestermeyer, Holger P & Laura Nielsen. “The Legality of Local Content Measures Under WTO Law” (2014) 48:4 Journal of World Trade 553.

Islam, Md Toriqul. “A Brief Introduction to the Right to Privacy: An International Legal Perspective” (1 February 2022), online: Hauser Global Law School Program, New York University www.nyulawglobal.org/globalex/Right_To_Privacy_International_Perspective.html.

Kuner, Christopher. “International Agreements, Data Protection, and EU Fundamental Rights on the International Stage: Opinion 1/15, EU–Canada PNR” (2018) 55 Common Market Law Review 857.

Lee-Makiyama, Hosuk. “Cross-Border Data Flows in the Post-Bali Agenda” in Simon J Evenett & Alejandro Jara, eds, Building on Bali: A Work Programme for the WTO (London: CEPR Press, 2013) 163.

Lyon, David. “Surveillance, Snowden and Big Data” (2014) 1:1 Big Data & Society 1.

Marelli, Massimo. “Transferring Personal Data to International Organizations under the GDPR: An Analysis of the Transfer Mechanisms” (2024) 14:1 International Data Privacy Law 19.

Mitchell, Andrew D & Jarrod Hepburn. “Don’t Fence Me In: Reforming Trade and Investment Law to Better Facilitate Cross-Border Data Transfer” (2017) 19 Yale Journal of Law and Technology 209.

Mitchell, Andrew D & Neha Mishra. “Data at the Docks: Modernizing International Trade Law for the Digital Economy” (2020) 20:4 Vanderbilt Journal of Entertainment & Technology Law 1073.

Mitchell, Andrew D & Neha Mishra. “WTO Law and Cross-Border Data Flows: An Unfinished Agenda” in Mira Burri, ed, Big Data and Global Trade Law (Cambridge: Cambridge University Press, 2021) 83.

Ni, Kuei-Jung. “Can the CPTPP’s Digital Format on Data Flows Serve a Role Model for the WTO?” (2024) 58:6 Journal of World Trade 989, online: kluwerlawonline.com/journalarticle/Journal+of+World+Trade/58.4/TRAD2024048.

Saluzzo, S. “Cross Border Data Flows and International Trade Law: The Relationship Between EU Data Protection Law and the GATS” (2017) 31:4 Diritto del Commercio Internazionale 807.

Terpan, Fabien. “Article 52 of the Charter of Fundamental Rights: A Framework for the Limitation of Rights?” (2018) 3 European Papers 1091, online: https://tinyurl.com/mtppphr8.

Tuthill, L Lee. “Cross-Border Data Flows: What Role for Trade Rules?” in Research Handbook on Trade in Services (30 September 2016) 357.

Velli, Federica. “The Issue of Data Protection in EU Trade Commitments: Cross-border Data Transfers in GATS and Bilateral Free Trade Agreements” (2019) 4:3 European Papers 881, online: https://tinyurl.com/2d7hrf3p.

Yakovleva, Svetlana & Kristina Irion. “The Best of Both Worlds? Free Trade in Services, and EU Law on Privacy and Data Protection” (2016) European Data Protection Law Review 20.

Wojtan, B. “The New EU Model Clauses: One Step Forward, Two Steps Back?” (2011) 1:1 International Data Privacy Law 76.

Reports and Working Papers

Digital Trade Alliance. “Cross-border Data Flows and Free Trade Agreements” (5 January 2024), online: dtalliance.org/2024/01/05/cross-border-data-flows-and-free-trade-agreements/.

Global Data Alliance. “Frequently Asked Questions: Trade Rules on Cross-Border Data Transfers” (8 February 2023), online: globaldataalliance.org/wp-content/uploads/2023/02/02082023gdafaqtraderulescbdt.pdf.

International Economic Law Perspectives. “Data Flows, Obligations & Exceptions in the EU–New Zealand FTA” (March 2024), online: https://tinyurl.com/yauasdz8.

Mattoo, Aaditya & Joshua P Meltzer. International Data Flows and Privacy: The Conflict and its Resolution, World Bank Policy Research Working Paper No 8431 (7 May 2018), online: ssrn.com/abstract=3175036.

Mattoo, Aaditya & Ludger Schuknecht. Trade Policies for Electronic Commerce, World Bank Development Research Group Working Paper No 2380 (2000), online: documents.worldbank.org/curated/en/164411468767105932/pdf/multi-page.pdf.

Mishra, Neha. “Cross Border Data Flows in WTO Law: Moving Towards an Open, Secure and Privacy Compliant Data Governance Framework” (April 2020), online: spicyip.com/.

WTO, Working Programme on Electronic Commerce: The Economic Benefits of Cross-Border Data Flows – Communication from the United States, WTO Doc S/C/W/382 (17 June 2019).

Theses

Zhang, Zhen. “Personal Data Protection within WTO’s Trade Framework” (Master’s thesis, University of Amsterdam) [unpublished].


  1. US Department of Justice, News Release, “WikiLeaks Founder Pleads Guilty and Is Sentenced for Conspiring to Obtain and Disclose Classified National Defense Information” (25 June 2024), online: www.justice.gov/archives/opa/pr/wikileaks-founder-pleads-guilty-and-sentenced-conspiring-obtain-and-disclose-classified.
  2. David Lyon, “Surveillance, Snowden and Big Data” (2014) 1:1 Big Data & Society 1 at 1, online: www.researchgate.net/publication/266064951_Surveillance_Snowden_and_Big_Data.
  3. Ikhlaq ur Rehman, “Facebook-Cambridge Analytica data harvesting: What you need to know” (2019) Library Philosophy and Practice, online: digitalcommons.unl.edu/cgi/viewcontent.cgi?article=5833&context=libphilprac.
  4. Md Toriqul Islam et al, Data Protection Law in Asia (2018) 8:4 IDPL 338.
  5. Universal Declaration of Human Rights, GA Res 217a (III), UNGAOR, 3rd Sess, Supp No 13, UN Doc A/810 (1948) 71, Article 12.
  6. International Covenant on Civil and Political Rights, 19 December 1966, 999 UNTS 171 (entered into force 23 March 1976), Article 17.
  7. David Banisar, “National Comprehensive Data Protection/Privacy Laws and Bills 2025” (28 Jan 2025), online: dx.doi.org/10.2139/ssrn.1951416.
  8. Ibid.
  9. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) [2016] OJ L 119:1 (hereinafter “GDPR”), Preambles, para.1.
  10. European Commission, Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM (2012) 11 final.
  11. GDPR, supra note 9 at Article 99(2).
  12. Theodora Baxevani, “GDPR Overview” (2019), online: www.researchgate.net/publication/333560686_GDPR_Overview.
  13. Md Toriqul Islam, “A Brief Introduction to the Right to Privacy: An International Legal Perspective” (1 February 2022), Hauser Global Law School Program, New York University at 16, online: www.nyulawglobal.org/globalex/Right_To_Privacy_International_Perspective.html.
  14. GDPR, supra note 9 at Article 1(1).
  15. GDPR, supra note 9 at Article 4(1).
  16. Tobias Naef, Data Protection without Data Protectionism: The Right to Protection of Personal Data and Data Transfers in EU Law and International Trade Law (Cham: Springer, 2023) at 33, DOI: 10.1007/978-3-031-19893-9.
  17. GDPR, Article 9(1) prohibits the processing of sensitive data: Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited. Article 9(2) contains a list of exceptions when paragraph 1 of this Article does not apply.
  18. European Data Protection Board (EDPB), Guidelines 3/2018 on the Territorial Scope of the GDPR (Article 3) (22 November 2019) at 4, online: www.edpb.europa.eu/.
  19. GDPR, supra note 9 at Article 3(1).
  20. GDPR, supra note 9 at Article 3(2); Recital 14.
  21. Ibid.
  22. Seun Solomon Bakare, Adekunle Oyeyemi Adeniyi, Chidiogo Uzoamaka Akpuokwe & Nkechi Emmanuella Eneh, “Data Privacy Laws and Compliance: A Comparative Review of the EU GDPR and USA Regulations” (2024) 5:3 Computer Science & IT Research Journal at 536, online: 10.51594/csitrj.v5i3.859.
  23. GDPR, supra note 9 at Article 44.
  24. Massimo Marelli, “Transferring Personal Data to International Organizations under the GDPR: An Analysis of the Transfer Mechanisms” (2024) 14:1 Int’l Data Priv L 19; See also: EDPB, Guidelines 5/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (14 December 2023) at 5, online: www.edpb.europa.eu/.
  25. Ibid.
  26. GDPR, supra note 9 at Article 45(1)-(2).
  27. GDPR, supra note 9 at Article 45(3).
  28. GDPR, supra note 9 at Article 46(1).
  29. GDPR, supra note 9 at Article 46(2).
  30. GDPR, supra note 9 at Article 49(1).
  31. General Agreement on Trade in Services, 15 April 1994, 1869 UNTS 183, 33 ILM 1167 (entered into force 1 January 1995) (hereinafter “GATS”), Article XIV; See also: Neha Mishra, “Cross Border Data Flows in WTO Law: Moving Towards an Open, Secure and Privacy Compliant Data Governance Framework” (April 2020), online: spicyip.com/2020/04/cross-border-data-flows-in-wto-law-moving-towards-an-open-secure-and-privacy-compliant-data-governance-framework.html.
  32. Ibid.
  33. GATS, Article XIV allows for measures that are: (a) “necessary to protect public morals or to maintain public order”; (b) “necessary to protect human, animal or plant life or health;” or (c) “necessary to secure compliance with laws or regulations which are not inconsistent with the provisions of this Agreement including those relating to… the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.” See also Andrew D Mitchell & Neha Mishra, “WTO Law and Cross-Border Data Flows: An Unfinished Agenda” in Mira Burri, ed, Big Data and Global Trade Law (Cambridge: Cambridge University Press, 2021) 83 at 112.
  34. Panel Report, United States Measures Affecting the Cross-Border Supply of Gambling and Betting Services (US-Gambling), WTO Doc WT/DS285/R (adopted 20 April 2005) at para.6.538.
  35. Ibid, para.305.
  36. Ibid.
  37. Annex on Telecommunications, General Agreement on Trade in Services, WTO Doc LT/UR/A-1B/S/Annex 3 (15 April 1994), para.5(d) states: “[A] Member may take such measures as are necessary to ensure the security and confidentiality of messages, subject to the requirement that such measures are not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade in services.”
  38. Andrew D Mitchell & Neha Mishra, “Data at the Docks: Modernizing International Trade Law for the Digital Economy” (2020) 20:4 Vand J Ent & Tech L 1073.
  39. World Trade Organization, “Cross-border Trade in Services: Mode 3 Investment”, https://www.wto.org/english/tratop_e/serv_e/cbt_course_e/c1s3p1_e.htm accessed 10 October 2025.
  40. L Lee Tuthill, “Chapter 14: Cross‑Border Data Flows: What Role for Trade Rules?” in Research Handbook on Trade in Services (30 September 2016) 357 at 382; See also Holger P Hestermeyer & Laura Nielsen, “The Legality of Local Content Measures Under WTO Law” (2014) 48:4 J World Trade 553 at 588.
  41. US – Gambling, paras. 373-375.
  42. Panel Report, China – Certain Measures Affecting Electronic Payment Services, WT/DS413/R (16 July 2012) at paras 7.587-7.601.
  43. Aaditya Mattoo & Sacha Wunsch-Vincent, Pre-empting Protectionism in Services: The GATS and Outsourcing, World Bank Policy Research Working Paper 3237 (March 2004), online: https://www.piie.com/sites/default/files/publications/papers/wunsch0204.pdf accessed 10 October 2025.
  44. Hosuk Lee-Makiyama, “Cross-Border Data Flows in the Post-Bali Agenda” in Simon J Evenett & Alejandro Jara, eds, Building on Bali: A Work Programme for the WTO (London: CEPR Press, 2013) 163 at 164.
  45. Aaditya Mattoo & Ludger Schuknecht, Trade Policies for Electronic Commerce (World Bank Development Research Group, Working Paper No 2380, 2000) at 4, online: documents.worldbank.org/curated/en/164411468767105932/pdf/multi-page.pdf accessed 1 March 2025.
  46. David E. Bond, Richard Eglin, Neeraj Rajan Sabitha, Ian Saccomanno, “WTO Extends E-Commerce Tariff Moratorium as Broader Negotiations Continue”, (March 2024), online: https://www.whitecase.com/insight-alert/wto-extends-e-commerce-tariff-moratorium-broader-negotiations-continue. See also Andrenelli, Andrea & López González, Javier, “Understanding the scope, definition and impact of the WTO e-commerce moratorium”, (March 2024), online: https://cepr.org/voxeu/columns/understanding-scope-definition-and-impact-wto-e-commerce-moratorium?utm.
  47. Section 2. WTO Law and Cross-Border Data Flows.
  48. Federica Velli, “The Issue of Data Protection in EU Trade Commitments: Cross-border Data Transfers in GATS and Bilateral Free Trade Agreements” (2019) 4:3 European Papers 881 at 885, online: www.europeanpapers.eu/en/system/files/pdf_version/EP_EF_2019_I_022_Federica_Velli_00325.pdf.
  49. Appellate Body Report, Argentina – Measures Relating to Trade in Goods and Services, WT/DS453/AB/R (adopted May 9, 2016), paras. 6.25-6.26 (Argentina-Financial Services); Rolf H. Weber & Rika Koch, Relevance of WTO Law for Financial Services: Lessons from “Argentina Financial Services”, 2 SCHWEIZERISCHE ZEITSCHRIFT FÜR WIRTSCHAFTS-UND FINANZMARKTRECHT/SZW [SWISS J. FOR ECON. & FIN. MKT. LAW/SZW] 163, 169 (2017) (Ger.).
  50. Appellate Body Report, Japan Taxes on Alcoholic Beverages (Japan Alcoholic Beverages II), WTO Doc WT/DS8/AB/R, WT/DS10/AB/R, WT/DS11/AB/R (adopted 4 October 1996) at para.6.22.
  51. ABR, Argentina Financial Services, para. 6.32.
  52. ABR, Argentina Financial Services, para. 6.4
  53. ABR, Argentina Financial Services, paras. 5.1-5.29.
  54. Panel Report, Argentina – Measures Relating to Trade in Goods and Services, WTO Doc. WT/DS453/R (adopted May 9, 2016), paras. 7.179 and 7.184.
  55. Ibid paras. 7.166-7.184.
  56. ABR, Argentina Financial Services, paras. 6.35 and 6.52.
  57. Ibid para. 6.61.
  58. Appellate Body Report, European Communities Regime for the Importation, Sale and Distribution of Bananas (EC Bananas III), WTO Doc WT/DS27/AB/R (adopted 25 September 1997) at paras 229-234; Panel Report, European Communities Regime for the Importation, Sale and Distribution of Bananas (EC Bananas III), WTO Doc WT/DS27/R/ECU (adopted 22 May 1997) at paras 7.349, 7.384, 7.396. Both the Panel and the Appellate Body found a violation of Art. II GATS based on the de facto asymmetric effect of origin-neutral provisions.
  59. GDPR, supra note 9 at Article 44.
  60. GDPR, supra note 9 at Article 45.
  61. Velli, supra note 59 at 884-885; Naef supra note 16 at 290-291.
  62. Naef, supra note 16 at 290.
  63. Naef, supra note 16 at 291.
  64. B Wojtan, “The New EU Model Clauses: One Step Forward, Two Steps Back?” (2011) 1:1 Int Data Priv L 76 at 76-80; See more at Naef supra note 16 at 291.
  65. Appellate Body Report, Argentina Measures Relating to Trade in Goods and Services (Argentina Financial Services), WTO Doc WT/DS453/AB/R (adopted 9 May 2016) at para.6.105; EC Bananas III supra note 63 at paras 244, 246, 248; Peter Van den Bossche & Werner Zdouc, The Law and Policy of the World Trade Organization, 4th ed (Cambridge: Cambridge University Press, 2017) at 570-571; Mitsuo Matsushita, Thomas J Schoenbaum, Petros C Mavroidis & Michael Hahn, The World Trade Organization: Law, Practice, and Policy, 3rd ed (Oxford: Oxford University Press, 2015) at 571; Nitsan Munin, Legal Guide to GATS (Alphen aan den Rijn: Kluwer Law International, 2010) at 118-120; Rüdiger Wolfrum, “WTO-Services” in Rüdiger Wolfrum, Peter-Tobias Stoll & Clemens Feinäugle, eds, WTO-Trade in Services, Max Planck Commentaries on World Trade Law (Leiden: Martinus Nijhoff, 2008) 71 at 87; Naef, supra note 16 at 291.
  66. S Saluzzo, “Cross Border Data Flows and International Trade Law: The Relationship Between EU Data Protection Law and the GATS” (2017) 31:4 Diritto del Commercio Internazionale 807 at 821.
  67. Naef, supra note 16 at 292.
  68. GDPR, supra note 9 at Article 45(3); Carla Reyes, “WTO-Compliant Protection of Fundamental Rights: Lessons from the EU Privacy Directive” (2011) 12:1 Melb J Int’l L at 155, online: ssrn.com/abstract=2610921; Aaditya Mattoo & Joshua P Meltzer, International Data Flows and Privacy: The Conflict and its Resolution, World Bank Policy Research Working Paper No 8431 (7 May 2018) at 781, online: ssrn.com/abstract=3175036.
  69. Zhen Zhang, Personal Data Protection within WTO’s Trade Framework (Master’s Thesis, University of Amsterdam) at 11.
  70. Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the Safe Harbour Privacy Principles and related frequently asked questions issued by the US Department of Commerce, [2000] OJ L 215/7; Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield, [2016] OJ L 207/1; Fabien Terpan, “Article 52 of the Charter of Fundamental Rights: A Framework for the Limitation of Rights?” (2018) 3 European Papers 1091 at 1105, online: www.europeanpapers.eu/.
  71. Svetlana Yakovleva & Kristina Irion, “The Best of Both Worlds? Free Trade in Services, and EU Law on Privacy and Data Protection” (2016) European Data Protection Law Review at 20; European Commission, “European Commission and United States Joint Statement on Transatlantic Data Privacy Framework” (25 March 2022), online: ec.europa.eu/commission/presscorner/detail/en/IP_22_2087; European Commission, “Questions & Answers: EU-U.S. Data Privacy Framework” (7 October 2022), online: ec.europa.eu/commission/presscorner/detail/en/qanda_22_6045.
  72. Pascale Keller, European and International Media Law: Liberal Democracy, Trade, and the New Media (Oxford: Oxford University Press, 2011) at 352-353; Yakovleva & Irion, supra note 62 at 203.
  73. Velli, supra note 59 at 886.
  74. Ibid.
  75. Yakovleva & Irion, supra note 62 at 204.
  76. Velli, supra note 59 at 886.
  77. Naef, supra note 16 at 318.
  78. Velli, supra note 59 at 886.
  79. Ibid.
  80. Naef, supra note 16 at 319.
  81. Ibid.
  82. Svetlana, supra note 71 at 13.
  83. Naef, supra note 16 at 319.
  84. Naef, supra note 16 at 321.
  85. Naef, supra note 16 at 321.
  86. “The derogation in Article 49(1)(b) GDPR also covers data transfers that are necessary for the implementation of pre-contractual measures taken at the data subject’s request. This part of the derogation in Article 49(1)(b) GDPR is of lesser interest here.” Footnote 186, Naef supra note 16 at 152.
  87. European Data Protection Board (EDPB), Guidelines 2/2018 on Derogations of Article 49 under Regulation 2016/679 (25 May 2018) at 6.
  88. Footnote 10: “Specific commitments assumed under this Article shall not be construed to require any Member to compensate for any inherent competitive disadvantages which result from the foreign character of the relevant services or service suppliers.”
  89. Naef, supra note 16 at 321.
  90. Argentina Financial Services, supra note 77 at para.6.104.
  91. Article 49(1)(a): the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.
  92. Naef, supra note 16 at 322; Article 29 Data Protection Working Party, Guidelines on Consent under Regulation 2016/679, WP 259 rev 01 (28 November 2017, as last revised and adopted on 10 April 2018) at 18.
  93. The Article 29 Working Party’s Guidelines on Consent under Regulation 2016/679 stated that “[a]n obvious way to make sure consent is explicit would be to expressly confirm consent in a written statement. Where appropriate, the controller could make sure the written statement is signed by the data subject, in order to remove all possible doubt and potential lack of evidence in the future.”
  94. Naef, supra note 16 at 322.
  95. Panel Report, Canada Certain Measures Affecting the Automotive Industry (Canada-Autos), WTO Doc WT/DS139/R, WT/DS142/R (adopted 19 June 2000) at para.10.84 (on Article III:4 GATT); Panel Report, China Measures Affecting Trading Rights and Distribution Services for Certain Publications and Audiovisual Entertainment Products (China Audiovisual Products), WTO Doc WT/DS363/R (adopted 19 January 2010) at para. 7.1537.
  96. Van den Bossche and Zdouc, supra note 77 at 517-521; Matsushita et al., supra note 77 at 593-603; Munin, supra note 77 at 183-206; P Delimatsis & M Molinuevo, “Article XVI GATS” in Rüdiger Wolfrum, Peter-Tobias Stoll & Clemens Feinäugle, eds, WTO-Trade in Services, Max Planck Commentaries on World Trade Law (Leiden: Martinus Nijhoff, 2008) 367 at 369-386.
  97. Van den Bossche & Zdouc, supra note 77 at 518; Munin, supra note 77 at 183; Delimatsis and Molinuevo, supra note 101 at 369.
  98. Ibid at 6.318; US Gambling, supra note 34 at para.215.
  99. US Gambling, supra note 34 at para.232; US-Gambling, supra note 34 at para.6.330-6.332 (Panel); Delimatsis and Molinuevo, supra note 101 at 378.
  100. Van den Bossche and Zdouc, supra note 77 at 601-603; Delimatsis and Molinuevo, supra note 101 at 381.
  101. Third Party Written Submission of the European Communities, supra note 100 at para.46.
  102. Naef, supra note 16 at 311; World Trade Organization, Working Programme on Electronic Commerce: The Economic Benefits of Cross-Border Data Flows-Communication from the United States, WTO Doc S/C/W/382 (17 June 2019) at 61.
  103. Ibid at 62; Naef, supra note 16 at 313.
  104. WTO, Working Programme on Electronic Commerce, supra note 107 at 187.
  105. US Gambling, supra note 34 at 238, 251-252; Velli supra note 59 at 887.
  106. GATS, Article XIV.
  107. Argentina Financial Services, supra note 77 at paras 7.595-7.596, referring to Panel Report, Colombia Indicative Prices and Restrictions on Ports of Entry (Colombia Ports of Entry), WTO Doc WT/DS366/R (adopted 27 April 2009) at para.7.514 (on Article XX GATT); Panel Report, United States Customs Bond Directive for Merchandise Subject to Anti-Dumping/Countervailing Duties (US Shrimp (Thailand)), WTO Doc WT/DS343/R (adopted 1 August 2008) at para.7.174 (on Article XX GATT); and Appellate Body Report, Korea Measures Affecting Imports of Fresh, Chilled and Frozen Beef (Korea-Various Measures on Beef), WTO Doc WT/DS161/AB/R, WT/DS169/AB/R (adopted 10 January 2001) at para.157 (on Article XX GATT).
  108. Article 8 Protection of Personal Data: 1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority.
  109. Argentina Financial Services, supra note 77 at para. 7.625.
  110. Argentina Financial Services, supra note 77 at para. 6.201.
  111. Yakovleva & Irion supra note 62 at 206; Naef supra note 16 at 333 & footnote 520.
  112. Argentina Financial Services, supra note 77 at para.6.234 with reference to Korea Various Measures on Beef supra note 112 at para.163 (on Article XX GATT).
  113. Appellate Body Report, European Communities Measures Affecting Asbestos and Asbestos-Containing Products (EC Asbestos), WTO Doc WT/DS135/AB/R (adopted 5 April 2001) at para.171 (on Article XX GATT), referring to Korea Various Measures on Beef supra note 112 at para.166 (on Article XX GATT), in which the Appellate Body expressly affirmed the standard set forth by the panel in GATT Panel Report, US Section 337 of the Tariff Act of 1930, para.5.26 (on Article XX GATT).
  114. Appellate Body Report, Brazil-Measures Affecting Imports of Retreaded Tyres (Brazil-Retreaded Tyres), WTO Doc WT/DS332/AB/R (adopted 17 December 2007).
  115. Zhang, supra note 69 at 19.
  116. China Publications and Audiovisual Products, supra note 100 at para.310.
  117. Zhang, supra note 69 at 21.
  118. Panel Report, United States Restrictions on Imports of Sugar and Sugar-Containing Products-Complaint by the European Communities (Spring Assemblies), (26 May 1983) GATT Doc L/5333-BISD 30S/107 at para.58.
  119. US Gambling, supra note 34 at para.308.
  120. China Publications and Audiovisual Products, supra note 100 at para.310.
  121. Joined Cases C-92/09 and C-93/09, Volker und Markus Schecke GbR and Hartmut Eifert v Land Hessen, ECLI:EU:C:2010:662 at paras 77 and 86; Joined Cases C-293/12 and C-594/12, Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others, ECLI:EU:C:2014:238 at paras 51 and 52; Joined Cases C-203/15 and C-698/15, Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others, ECLI:EU:C:2016:970 at paras 96 and 103; Case C-362/14, Maximillian Schrems v Data Protection Commissioner (Schrems I), ECLI:EU:C:2015:650 at para.92; Opinion 1/15, Draft Agreement between Canada and the European Union on the Transfer of Passenger Name Record Data (CJEU), ECLI:EU:C:2017:592 at para.140.
  122. Christopher Kuner, “International Agreements, Data Protection, and EU Fundamental Rights on the International Stage: Opinion 1/15, EU-Canada PNR” (2018) 55 CML Rev 857 at 858.
  123. Appellate Body Report, United States Import Prohibition of Certain Shrimp and Shrimp Products, WT/DS58/AB/R, 6 November 1998 (hereinafter “ABR, US – Shrimp”), [150].
  124. ABR, US – Shrimp, supra note 71, [150].
  125. ABR, Brazil – Retreaded Tyres, para. 232.
  126. ABR, US – Gasoline, supra note 48, [25].

