18.7.2023   

EN

Official Journal of the European Union

C 253/2

Summary of the Opinion of the European Data Protection Supervisor on the Recommendation for a Council Decision authorising the opening of negotiations for digital trade disciplines with the Republic of Korea and with Singapore

(2023/C 253/02)

(The full text of this Opinion can be found in English, French and German on the EDPS website https://edps.europa.eu)

On 14 April 2023, the European Commission issued a Recommendation for a Council Decision authorising the opening of negotiations for digital trade disciplines with the Republic of Korea and with Singapore

The objective of this recommendation is to authorise the Commission to open negotiations with the Republic of Korea and with Singapore to establish binding disciplines on trade in goods and services enabled by electronic means. These negotiations may cover cross-border data flows with trust, data localisation requirements and personal data protection.

The EDPS recalls that, as the protection of personal data is a fundamental right in the Union, it cannot be subject to negotiations in the context of EU trade agreements. Dialogues on data protection and trade negotiations with third countries can complement each other but must follow separate tracks. Personal data flows between the EU and third countries should be enabled by using the mechanisms provided under the EU data protection legislation. The EDPS recalls that in 2018, the Commission endorsed horizontal provisions for cross-border data flows and personal data protection in trade negotiations. The EDPS considers that these provisions reach a balanced compromise between public and private interests as they allow the EU to tackle protectionist practices in third countries in relation to digital trade, while ensuring that trade agreements cannot be used to challenge the high level of protection guaranteed by the Charter of fundamental rights of the EU and the EU legislation on the protection of personal data. The EDPS understands from the recommendation that the negotiations on data flows and data protection should be opened with a view to agree on provisions that are coherent with these horizontal provisions. For the sake of clarity, the EDPS recommends to make an express reference to these horizontal provisions.

In addition, as regards more specifically the Republic of Korea, the EDPS notes that this country has already been granted an adequacy finding by the Commission in 2021. Consequently, transfers of personal data from a controller or a processor in the European Economic Area (EEA) to organisations in the Republic of Korea covered by the adequacy decision may take place without the need to obtain any further authorisation. Therefore, the EDPS recommends to further explain why, despite the adequacy decision, further negotiations on cross-border data flows and data protection are considered to be necessary in the case of the Republic of Korea.

Furthermore, the EDPS understands the negotiating directives and the horizontal provisions as allowing, in duly justified cases, measures that would require controllers or processors to store personal data in the EU/EEA. The EDPS recalls that, together with the EDPB, he recently recommended that controllers and processors, established in the EU/EEA and processing personal electronic health data within the scope of the Commission’s proposal for a Regulation on the European Health Data Space, should be required to store this data in the EU/EEA, without prejudice to the possibility to transfer personal electronic health data in compliance with Chapter V GDPR. For the avoidance of doubt, the EDPS recommends to expressly clarify in the negotiating directives that the negotiated rules should not prevent the EU or the Member States from adopting, in duly justified cases, measures that would require controllers or processors to store personal data in the EU/EEA.

1.   INTRODUCTION

1.

 On 14 April 2023, the European Commission (‘the Commission’) issued a Recommendation for a Council Decision authorising the opening of negotiations for digital trade disciplines with the Republic of Korea and with Singapore (1) (‘the Recommendation’). An annex to the Recommendation details the directives for the negotiation of digital trade disciplines with the Republic of Korea and with Singapore and the proposed content of the rules and commitments (‘the Annex’).

2.

 The European Union (‘the EU’) has had a free trade agreement with the Republic of Korea since 2011 and a free trade agreement with Singapore since 2019. These free trade agreements provide for substantial commitments for trade in goods and services between the parties, but they do not include comprehensive rules on digital trade (2).

3.

 The EU and the Republic of Korea entered into a Digital Partnership on 28 November 2022 and in that context agreed non-binding Digital Trade Principles on 30 November 2022. The EU and Singapore entered into a Digital Partnership on 1 February 2023, and agreed non-binding Digital Trade Principles on 31 January 2023 (3).

4.

 The objective of the Recommendation is to authorise the Commission to open negotiations with the Republic of Korea and with Singapore to establish binding disciplines on trade in goods and services enabled by electronic means, in accordance with Article 218(3) and (4) TFEU.

5.

 The present Opinion of the EDPS is issued in response to a consultation by the Commission of 14 April 2023, pursuant to Article 42(1) of EUDPR (4).

5.   CONCLUSIONS

18.

 In light of the above, the EDPS makes the following recommendations:

(1)

to make an express reference to the fact that the negotiations on data flows and data protection should be opened with a view to agree on provisions that are coherent with the horizontal provisions for cross-border data flows and personal data protection in trade negotiations endorsed by the Commission in 2018.

(2)

to explain in a recital why, despite the adequacy decision granted to the Republic of Korea, further negotiations on cross-border data flows and data protection are considered to be necessary with this country.

(3)

to clarify, in the negotiating directives included in the annex to the Recommendation, that the negotiated rules should not prevent the EU or the Member States from imposing on controllers and processors, in duly justified cases, to store personal data in the EU/EEA.

(4)

to insert a reference to the EDPS consultation in a recital of the Council decision.

Brussels, 15 May 2023.

Wojciech Rafał WIEWIÓROWSKI

(1)  COM(2023) 230 final, https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1681472401391&uri=COM%3A2023%3A230%3AFIN

(2)  Recital 1 of the Recommendation.

(3)  Recital 2 of the Recommendation.

(4)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).