Cross-border data exchange
BDI’s position
Even though the OECD guidelines are not legally enforceable, due to their lack of legally binding character, the OECD initiative can be considered beneficial in principle. This is particularly true against the background of the fact that many relevant non-European core markets of German industry, such as the USA, South Korea, Japan and Australia, are members of the OECD and participate in these discussions. Against this background, work on cross-border data transfer should be continued in the relevant forums at OECD level. In doing so, the members of the OECD should be guided by the European level of data protection, as is to be found in particular in the DSGVO.
BDI’s recommendations Data flow is global, and global is also the business of German industry. The BDI advocates the creation of an international legal framework to regulate the cross-border exchange of data. National unilateral efforts should be avoided. Where global regulations are not set quickly and ambitiously enough, such as in the area of e-commerce at WTO level, regional and plurilateral initiatives must be taken. The results should be compatible with multilateral rules and gradually transferred to the global level. The same applies to bilateral initiatives with strategically important partners, such as the MERCO-SUR Association of States or Japan. The European Commission has embarked on a new path with the preparation of a horizontal chapter on data flow in the field of trade policy in summer 2018. The BDI welcomes this. However, the EU text appears too rigid, the comparable texts from the USMCA and CPTPP are more flexible and thus also facilitate law enforcement. Instead of working with an exhaustive list approach, it would be better if the EU's banned list were not exhaustive, in order to cover similar trade disruptive measures that are comparable in their effect to the four groups of cases already mentioned. The EU's full regulatory freedom to protect personal data prevents the agreements from being used effectively against restrictions on cross-border data traffic and localisation constraints in the partner countries. In practice, any restrictions could be justified on the pretext of these protective interests. It is important that the measures adopted to protect personal data are proportionate and not arbitrary. Moreover, the purpose of the state measure must be to pursue the protection of personal data. It is now important that the mechanisms underlying the texts are interoperable. The G20 countries recognised this in Osaka in June 2019 and called for interoperable systems to be created. The BDI welcomes this. The German industry needs legal certainty. This becomes clear again against the background of the EU adequacy decision. Should the EU Commission decide to revoke an Adequacy Decision, German industry calls on the decision-makers to thoroughly examine the conditions for revocation. Should the revocation actually be carried out, companies must be informed of the decision in a timely manner. In addition, the EU Commission must ensure that data continues to circulate across borders in a regulated manner and in accordance with the European DSGVO, for example through guarantees or general contractual clauses. In the area of data exchange legislation, binding law is more advantageous for companies because it creates legal certainty, which is important for electronic data exchange. However, soft law solutions are also important as they can be helpful for cooperation in global forums with key partners. In addition,
12