Melbourne Journal of International Law
WTO-COMPLIANT PROTECTION OF FUNDAMENTAL RIGHTS: LESSONS FROM THE EU PRIVACY DIRECTIVE
CARLA L REYES[*]
Nation states often create legislative schemes regulating services industries in order to protect fundamental rights such as human life, economic security, or human security. World Trade Organization members are constrained in their creation of such regulatory schemes by their obligations under the General Agreement on Trade in Services (‘GATS’). WTO members raised concerns about such constraints even before the creation of GATS. As a result, GATS contains clauses specifically designed to allow members enough regulatory latitude to protect important domestic social interests, such as fundamental rights, while simultaneously liberalising trade in services. WTO jurisprudence interpreting these clauses, however, has called the robustness of this reserved power into question. Using the European Union’s attempt to protect the fundamental right to privacy through a WTO-compliant privacy directive as a case study, this article highlights important aspects of international trade law that policymakers should take into consideration when deciding how to protect fundamental rights through domestic regulation of trade in services.
The United States props up the financial services industry with massive inflows of public funds to maintain public order during the most extreme economic crisis the world has experienced in half a century. The US, France and the UK implement economic sanctions against Iran that reach further than those authorised by the United Nations in order to insist that Iran curb its nuclear proliferation program. As part of those sanctions, the three countries pass legislation discriminating against the service industries of World Trade Organization member states that continue to conduct business with Iran. These measures are defended as necessary to protect human life or as necessary for the protection of national security interests.
Arguably, economic security, human life and human security are each a matter of fundamental rights which nation states are obligated to preserve and protect for their citizenry. Because measures designed to preserve and protect these rights often involve regulation of trade in services, nation states may be constrained in their policy choices by commitments made as a member of the WTO in the General Agreement on Trade in Services (‘GATS’).
GATS recognises the dual aims of achieving ‘progressively higher levels of liberalization of trade in services’ and preserving ‘the right of Members to regulate … the supply of services within their territories in order to meet national policy objectives’. However, in negotiating GATS, WTO members raised concerns that because barriers to trade in services take different forms than barriers to trade in goods, liberalisation would inhibit the enactment of domestic regulations protecting important social interests. Despite GATS negotiators’ best attempts to provide members with regulatory latitude, schemes designed to protect fundamental rights may risk violating important international trade obligations. Even when a WTO member specifically relies on GATS exceptions, the unpredictability of the exceptions analysis as implemented by the WTO Dispute Settlement Body (‘DSB’) may leave the regulatory scheme at risk of sanction.
This article uses the European Union’s attempt to protect the right to privacy through a WTO-compliant privacy directive to uncover lessons for future initiatives to provide WTO-compliant protection of fundamental rights. Part II provides an introduction to the EU Privacy Directive, investigates whether it is
a GATS-covered measure and discusses the surrounding literature. Part III sets forth arguments for the Privacy Directive’s possible violation of the GATS’ most-favoured-nation (‘MFN’), domestic regulation, and market access obligations. Part IV examines whether the art XIV general exceptions provisions adequately preserve WTO members’ regulatory autonomy over issues of fundamental rights. The article concludes by highlighting areas in WTO jurisprudence that policymakers should take into consideration when crafting future regulatory schemes.
The right to privacy is a fundamental right in the EU. In order to firmly secure protection of this fundamental right, the EU has harmonised the level of personal data protection in its member states with the Privacy Directive. The Privacy Directive broadly defines personal data as ‘any information relating to an identified or identifiable natural person’, where ‘an identifiable person is one who can be identified, directly or indirectly’, and imposes restrictions on the processing and transfer of such data. In particular, art 25 prohibits the transfer of personal data to third countries unless those countries provide an adequate level of data protection. If the EU determines that a particular country inadequately protects data, EU member states must affirmatively prevent the transfer of personal data to that country. The Privacy Directive does not define the term ‘adequate’ but instead provides that determinations should be made on a
case-by-case basis. In making adequacy determinations, the European Commission is to consider ‘all the circumstances surrounding a data transfer operation or set of data transfer operations’.
Although art 25 intended adequacy determinations to be made on an individual basis, the Privacy Directive Article 29 Data Protection Working Party (‘Working Party’) and the European Commission have recognised that the growing volume of data transfers in international trade renders individualised assessments for each transfer impossible. As a result, the Working Party has undertaken a series of opinions on the general adequacy of third country data protection regimes. These opinions are then submitted to the European Commission, which has authority under the Directive to declare that a third country generally provides adequate or inadequate protection. When issuing opinions and adequacy determinations, the Working Party and the European Commission analyse two components of foreign country law: (1) ‘the content of the rules applicable’, and (2) ‘the means for ensuring their effective application’.
Since the Privacy Directive’s adoption in 1995, the European Commission has determined that the laws of nine states maintain an adequate level of data
protection: the Bailiwicks of Guernsey and Jersey, the Isle of Man, Argentina, Switzerland, and Hungary, The Faeroe Islands, and Andorra. The European Commission also decided that Israel provides an adequate level of data protection as to automated international transfers of personal data, or where non-automated transfers are subject to additional automated processing in Israel. And although the European Commission has not yet issued any decisions, the Working Party determined that New Zealand and Uruguay ensure an adequate level of data protection. Because the Working Party specifically found that the US inadequately protects data, the EU and the US Department of Commerce negotiated the Safe Harbor Agreement under which voluntarily participating entities earn a presumption of adequacy. Similarly, the
Working Party determined Canada potentially lacked adequate data protection, causing the European Commission to adopt a sector-by-sector approach to adequacy determinations in that country. The Working Party also refused to grant Australia a general adequacy finding, stating instead that ‘data transfers to Australia could be regarded as adequate only if appropriate safeguards [are] introduced’, such as those contained in Privacy Directive art 26. This is essentially equivalent to an inadequacy finding, and Australia has not yet negotiated a safe harbour agreement or other significant partial arrangement. 
Data transfers to the countries about which no adequacy determination has been made are not prohibited, but rather, transfers continue in the absence of any guidance. As a result, the national data protection authorities of each member state retain the responsibility to individually review transfers to such countries under one of the two administrative procedures open to them in art 25: prior authorisation or ex post facto verification. However, the Working Party recognises that the large number of daily data transfers will render detailed examination of every case impossible under either procedure. As a result, the adequacy provision in Privacy Directive art 25 creates a patchwork system of international data transfer, where some countries receive a general pass, others must negotiate for specific agreements, and still others operate in a middle area without knowing whether their domestic privacy protection regime will survive an adequacy determination.
Although trade in services had not historically formed part of the agenda for international trade liberalisation, policymakers approached the Uruguay Round in the 1980s with a new appreciation for the important role services play in the modern global economy. Their negotiating efforts at the Uruguay Round resulted in GATS, which provides a unique framework for WTO member obligations in services sectors. Under GATS, a member only obligates itself to provide market access and national treatment in those sectors which it has listed in its ‘schedule of specific commitments’, and even then, only to the extent indicated by the schedule. Essentially, members are free to choose the extent to which they are obligated to liberalise trade in services with respect to market access and national treatment.
The threshold issue for an analysis of the Privacy Directive under GATS is whether it is a GATS-covered measure. Canada — Autos dictates that:
two key legal issues must be examined to determine whether a measure is one ‘affecting trade in services’: first, whether there is ‘trade in services’ in the sense of art I:2; and, second, whether the measure in issue ‘affects’ such trade in services within the meaning of art I:1.
GATS defines ‘trade in services … as the supply of a service’ in one of four modes of supply: cross-border supply, consumption abroad, commercial presence and movement of natural persons. The first prong of the Canada — Autos test thus involves two separate inquiries: first, whether there is a service at issue, and second, whether the service occurs via one of the four modes of supply in art I:1.
To address the first inquiry under the Canada — Autos test, whether there is a service at issue, WTO members often rely on the GATS Service Sectoral Classification List (‘W/120’) and the UN Provisional Central Product Classification (‘CPC’) for categorising activities as goods or services. Under W/120, data processing activities are classified as being in the computer sector, under art I:1(B)(c) — ‘data processing services’. Under the CPC, ‘on-line information and/or data processing services’ fall in the computer-related services sector. The EU specifically recognises that online data processing is part of the computer services sector.
The second inquiry under the first prong of the Canada — Autos test is whether the service occurs via one or more of the four modes of supply in art I:2. The dearth of WTO disputes arising under GATS results in few definitions of the modes of supply; however, the panel in Mexico — Telecoms confirmed that cross-border services can encompass services which begin on one nation’s telecommunication network and terminate on another’s. Data processing, a computer service, often takes place remotely, beginning on one nation’s internet network and terminating on another. Given the finding of Mexico — Telecoms, data processing certainly falls within the cross-border supply mode of services. Furthermore, several commentators acknowledge that services provided via e-commerce will fall into either the cross-border or the consumption abroad mode of supply. E-commerce transactions necessarily involve the transfer of individual personal information such as IP addresses, shipping addresses, and credit card information. Therefore, to the extent e-commerce involves the provision of computer related services, those services would fall into both the cross-border and consumption abroad modes of supply. With the possibility that services involving the transfer, processing, and storing of personal data fit within two modes of supply, the first component of the Canada — Autos test is satisfied: the Privacy Directive regulates trade in services within the meaning of art I:2.
The second prong of the Canada — Autos test requires an examination of whether the Privacy Directive ‘affects’ trade in the types of services identified — services related to e-commerce and information processing services. The term ‘affecting’ in GATS reflects the intent that the agreement be given a broad reach. The Appellate Body has repeatedly relied upon the ordinary meaning of the term ‘affecting’, holding that it ‘implies a measure that has “an effect on”’. In the context of the General Agreement on Tariffs and Trade (‘GATT’) art III, the Appellate Body has determined that it is ‘wider in scope than such terms as “regulating” or “governing”’. The Privacy Directive, by its own terms, is meant ‘to ensure that the cross-border flow of personal data is regulated in a consistent manner’. As the term ‘affecting’ encompasses ‘regulating’, and the Privacy Directive is a measure adopted by the EU for the purpose of regulating data processing, which is a part of the computer-services sector, the Privacy Directive ‘affects’ trade in services within the meaning of art I:1 of GATS, and satisfies the second prong of the Canada — Autos test.
Since its adoption in 1995, commentators have been concerned with the possibility that the Privacy Directive violates WTO obligations. The EU itself seemed preoccupied with this possibility when adopting the Privacy Directive, noting in the preamble that ‘cross-border flows of personal data are necessary to the expansion of international trade [and] this Directive does not stand in the way of’ such trade’. As early as 1999 Gregory Shaffer argued that despite the US’ threats to challenge the Privacy Directive before the WTO, the EU would prevail for two primary reasons: (1) the Privacy Directive is not facially discriminatory, and thus does not violate the national treatment or MFN clauses of GATS; and (2) the Privacy Directive would be covered by art XIV(c)(ii). Professor Shaffer’s analysis, however, does not address the specific requirements of the national treatment clause, the MFN clause and the general exceptions set out in WTO jurisprudence. Furthermore, Professor Shaffer’s observation that the Privacy Directive is not facially discriminatory and is thus WTO-consistent has been rendered moot by the Directive’s subsequent uneven application and the Appellate Body finding in US — Gambling that discriminatory application is covered by GATS provisions in addition to facial discrimination.
Colin J Bennett challenges Professor Shaffer by noting that his argument rests on predictions that are impossible to verify, and counters with his own predictions that not only would the MFN clause of GATS art II be implicated, but that art VI:1’s provisions on domestic regulations are also relevant. Unfortunately, while noting that art VI:1 applies only to measures of general application and only in sectors for which members have undertaken specific commitments, Professor Bennett does not discuss whether the EU has made specific commitments in the services sector covering data processing, or whether the Privacy Directive constitutes a measure of general application.
Eric Shapiro delves into a much deeper substantive analysis of the Privacy Directive vis-a-vis EU–WTO obligations, arguing that either Hungary or Australia could bring allegations before the WTO DSB because the EU had favoured the US by creating the Safe Harbor Agreement, while continuing to hold Hungary and Australia to the higher standards contained in the Privacy Directive. Shapiro focuses, however, on the MFN clause, setting aside possible violations of the domestic regulation and market access provisions. Furthermore, the suggestion that Hungary’s challenge to the Privacy Directive under the MFN clause would prevail is problematic, since Hungary received a favourable adequacy determination, which actually gives it a more preferential status than the US.
As can be seen from this brief review of the prior literature analysing whether the Privacy Directive is GATS-compliant, commentators intuitively believe the Privacy Directive violates WTO obligations, but will be justified by the exceptions. However, most of the literature was written early in the Privacy Directive’s existence, and engages in analysis without the benefit of subsequent Working Party reports and European Commission adequacy determinations. Further, analysis of the Privacy Directive and the EU’s GATS obligations was undertaken prior to US — Gambling, the first thorough treatment of GATS obligations by the Appellate Body. After the decision, scholarly literature emerged arguing that the result of the dispute highlights several important problems with GATS. One critique argues that the unique GATS use of specific commitments for market access and national treatment obligations results in misunderstandings among member states, even as to the nature of their own schedule of commitments. A second critique focuses on the unpredictable nature of exceptions analysis undertaken by the Appellate Body. In particular, it remains unclear when a measure proven to be for one of the specifically listed reasons under GATS art XIV will survive the ‘necessary’ test or satisfy the requirements of the chapeau. For example, the Appellate Body imported the ‘necessary’ test in US — Gambling from Korea — Beef, a GATT case, in spite of a WTO Secretariat paper warning that the term ‘necessary’ may not retain the same meaning in every WTO-covered agreement. Thus, it is important that an analysis of whether the Privacy Directive is GATS-compliant be revisited to account for the new developments in both the EU administration of Privacy Directive art 25 adequacy determinations and WTO jurisprudence. The outcome of such an analysis has implications for policymakers seeking to implement regulatory schemes protecting other areas of fundamental rights, and can provide important lessons for future endeavours.
By enacting the Privacy Directive, the EU may have violated three separate GATS obligations: the MFN obligation of art II, the requirements for domestic regulations in art VI and the market access obligations of art XVI. Although appearing facially non-discriminatory, the EU Working Party’s guidelines and opinions setting forth the proper application of the Privacy Directive give cause for greater concern. Furthermore, the Working Party’s shift from adequacy determinations of individual transfers to adequacy determinations in relation to countries, without delineating proper timelines or application procedures for all WTO member countries, creates a potential art VI violation. Finally, because of the commitments the EU made in its GATS schedule, art 25 adequacy determinations implemented on a country-by-country basis may constitute a zero quota in violation of art XVI.
The MFN obligation is designed to discourage WTO members from granting special treatment to third countries. It is thought that when countries enact discriminatory trade preferences, the most efficient market suppliers may be blocked from the market, resulting in ‘wasteful trade diversion’. Reflecting this economic theory, the MFN obligation of art II applies ‘generally to all measures covered by GATS irrespective of the question whether an MFN obligation has been inscribed in a Member’s Schedule’.
Although modelled after the MFN obligation contained in GATT art I:1, GATS art II has a wider scope than its GATT counterpart. The Appellate Body in Canada — Autos set forth the test for establishing a violation of art II: compare the treatment afforded by one member to services and service suppliers of any other member with the treatment of like services and service suppliers of any other country. This comparison should be undertaken with a view to determining whether the first group received less favourable treatment than the second group. That test leaves two issues unresolved: (1) what constitutes ‘like services and service suppliers’, and (2) what constitutes ‘no less favourable’ treatment? As to the first issue, the determination of like services, it is unclear whether the inquiry must be to the likeness of both services and service suppliers, or if only the likeness of the service supplied is relevant. However, the panel in EC — Bananas III held ‘that, in [their] view, at least to the extent that entities provide these like services, they are like service suppliers’, suggesting that only the likeness of the service is relevant.
As to the second issue, the concept of ‘no less favourable’ treatment is not borrowed from GATT art I:1, but rather from the GATT national treatment obligation. As a result, WTO member states are unable to rely on the rich GATT jurisprudence interpreting this term in order to understand GATS art II:1. In fact, the Appellate Body in EC — Bananas III confirmed that the meaning of the phrase in GATS art II:1 is different from its meaning in GATT art III:4, and that prior jurisprudence interpreting the phrase in that context is ‘not necessarily relevant to the interpretation of art II of GATS’. The Appellate Body did provide some guidance on the meaning of the term, indicating that GATS art II addresses both de jure and de facto discrimination. This has lead many to question whether the only way to satisfy the GATS MFN obligation is to provide exactly the same treatment to each state.
To be successful, a GATS art II challenge to Privacy Directive art 25 adequacy determinations must prove that the EU has afforded the services and service suppliers of one WTO member treatment less favourable than that afforded to the like services and service suppliers of another country. Hypothetically, Australia, which received a negative adequacy determination, could challenge the Privacy Directive art 25 adequacy determinations on two separate grounds. First, Australia could argue that Australian data services and service suppliers have been afforded less favourable treatment than the like data services and service suppliers from other countries with Working Party determinations of inadequate data protection standards, such as the US and Canada. Secondly, Australia could argue that Australian data services and service suppliers have been afforded less favourable treatment than like data services and service suppliers from those countries for which adequacy remains undetermined.
In both arguments, Australia must demonstrate the likeness of Australian data processing services and service suppliers. The Privacy Directive places restrictions on all services involving data processing, and prohibits transfers of personal data to any service supplier in a country with inadequate data protection standards, like Australia. Practically speaking, this means that an Australian-based search engine processing personal data for the purposes of providing user-customised internet information services is prohibited from receiving transfers of personal data from the EU, while the US-based Google could receive such transfers under the Safe Harbor Agreement, despite the fact that they are like search engines providing the same customised internet information services. The same could be said for an Australian-based Internet Service Provider (‘ISP’) as compared to a South Korean-based ISP which provide exactly the same services.
Under the EC — Bananas III test, which focuses on the likeness of the services under the traditional GATT rubric, a search engine’s end use is to find information on the internet, regardless of the country in which the entity is based. Search engines fall under the same service sector classification of ‘on-line information and database retrieval’ in W/120 and CPC 7523, irrespective of nationality, and the properties and nature of search engines do not vary significantly enough to negate their likeness. This is supported by the fact that the EU considers all search engines to be sufficiently similar so as to be uniformly subject to the requirements of the Privacy Directive, rather than providing entity specific applications of the Privacy Directive. Given this analysis, an Australian challenge based on denial of transfers to search engines would certainly withstand the EC — Bananas III likeness test.
As to ISPs, these entities would satisfy the first factor of the EC — Bananas III test because the end use of an ISP’s service is to help the internet user interface with website content providers on the internet, regardless of the origin of the ISP. As to the other factors, all ISPs fall under the same service sector classification — data transmission services in CPC 7523 — and their properties and nature do not vary enough from ISP to ISP to negate the first two factors. A finding that ISPs provide ‘like’ services is supported by the fact that the EU uniformly applies the requirements of the Privacy Directive to ISPs rather than providing for entity-specific application of its provisions.
Having established the likeness of services and service suppliers that might be implicated in a dispute regarding Privacy Directive art 25 adequacy determinations, the inquiry now turns to whether Australia has been afforded treatment less favourable with respect to those services than other countries. The Privacy Directive intended case-by-case approval for all transfers to third countries regarding whether the data protections surrounding that specific transfer were adequate. Such a system would have provided uniform treatment to each and every transfer, and stripped Australia, the hypothetical complainant, of its GATS art II claims. However, the country-by-country adequacy determinations instituted by the Working Party and the European Commission to replace the transfer-by-transfer adequacy determinations is susceptible to two separate claims of ‘treatment less favourable’: (1) countries deemed inadequate by the Working Party and European Commission receive less favourable treatment than inadequate countries which negotiated safe harbours or other partially-adequate arrangements, and (2) all inadequate and partially-adequate countries, including those with safe harbour arrangements, receive less favourable treatment than those nations for whom no adequacy determination has been made.
In the first scenario, Australia’s challenge rests on the fact that similarly situated countries receive safe harbour or partially-adequate arrangements while Australia remains barred from receipt of personal data transfers from the EU, effectively shutting its services and service suppliers out of the EU market. Given the Appellate Body’s determination in EC — Bananas III that GATS art II addresses both de jure and de facto discrimination, some have argued that only identical treatment can satisfy the provision. If true, the difference in treatment between the US, Canada and Australia certainly constitutes less favourable treatment. Even if the ‘no less favourable’ treatment standard does not require identical treatment, the purpose of MFN obligations is to ensure that no WTO member receives more burdensome treatment than other countries in the same service sector. Australia’s inadequacy finding operates to prohibit all transfers of personal data to entities based in Australia. This is certainly more burdensome than the treatment afforded to the US, despite its inadequacy finding, through the Safe Harbor Agreement. The Privacy Directive fails to satisfy either meaning of the term ‘no less favourable’ treatment.
In the second scenario, Australia’s challenge rests on the fact that not all countries have been subjected to the requirements of Privacy Directive art 25 to the same extent. Only 14 adequacy determinations have been undertaken since the Privacy Directive’s enactment. That leaves the other 149 countries outside the EU free to flout the art 25 prohibition. Article 25 facially prohibits transfers going to a country without a positive adequacy determination, whether because an investigation actually revealed the data protection standards there are inadequate or because no investigation has yet been undertaken. However, the country-by-country adequacy scheme was undertaken precisely because that facial requirement was ineffective, allowing many transfers of personal data to third countries without adequate protection standards. Countries that have not yet undergone an adequacy investigation continue to operate under the old scheme, which the EU recognises is easily evaded.
The failure of the EU Commission and the Working Party to undertake adequacy determinations of every country thus constitutes treatment less favourable to those countries subjected to the process and found inadequate. Other countries with similarly inadequate data protection standards routinely receive data transfers under the old system while Australia receives none, Canada receives transfers in certain sectors but not others, and the US receives transfers only under the Safe Harbor Agreement. Necessarily, this fails the ‘identical treatment’ understanding of the MFN provision. It also fails the ‘no treatment more burdensome’ understanding of the MFN provision, as services and services suppliers in Australia, Canada and the US are certainly more burdened than those countries that would fail an adequacy determination if one was undertaken, but which have not yet undergone an investigation. This analysis reveals that, in fact, the Privacy Directive art 25 adequacy determinations may be in violation of GATS art II.
Article VI:1 requires that measures of general application are applied in a reasonable, impartial and objective manner. This requirement aims to improve the consistency and predictability of administrative decisions by preventing the arbitrary and biased application of measures to foreign service suppliers. It is important to note that art VI:1 applies only to measures of general application, a term for which WTO jurisprudence provides two complementary definitions: measures affecting ‘an unidentified number of economic operators’ and measures covering ‘a range of situations or cases, rather than being limited in their scope of application’. The panel has held that art VI:1 embodies the principles of consistency and predictability, which inform interpretation of the other paragraphs of art VI.
Article VI:2 requires WTO members to establish or maintain procedures for reviewing administrative decisions affecting trade in services. Although GATS does not require that the procedure take any specific form, to satisfy the requirement of art VI:2, the reviewing body must have the authority to review both the underlying facts and the legal determinations made by the administrative agency. When a service supplier is required to receive authorisation to engage in trade, art VI:3 requires administrative agencies to keep the supplier informed of the status of the application and communicate any decision within a reasonable time. In US — Gambling, the panel pointed out that art VI:3 provides transparency and due process. Article VI:6 requires that procedures for verifying professional competence be available in professional services sectors. Notably, arts VI:1, VI:3, and VI:6 apply only to sectors of services for which a WTO member has made specific commitments. This aspect of the domestic regulation provisions in GATS is different from its counterpart in GATT art X, which applies to all the measures specified therein.
The Privacy Directive might be vulnerable to challenge under the obligations of arts VI:1 and VI:3. First, the Privacy Directive is a measure of general application, rendering it subject to the provisions of art VI:1. The Privacy Directive is not limited in its scope of application, but rather, applies to all transfers and processing of personal data. Accordingly, the Privacy Directive covers ‘a range of situations or cases’ as required by the EC — Selected Customs Matters test. Although the Privacy Directive only applies to personal data, rather than all data, Privacy Directive art 2(a) defines personal data very broadly, so that the range of situations or cases to which the Directive applies is not meaningfully limited. In fact, the Working Party has interpreted the definition of personal data to encompass everything from telephone numbers to internet protocol addresses. As a result, the definition of personal data does not render the Privacy Directive any less a measure of general application, as it remains possible to say that the Directive applies to ‘an unidentified number of economic operators’. Secondly, the EU has made specific commitments in the data processing services sector, specifically listing ‘none’ for Mode 1 and Mode 2. As a result, the Privacy Directive is subject to the provisions of arts VI:1, VI:3 and VI:6, at least with regard to cross-border supply and consumption abroad.
The literature suggests two competing standards for analysis under art VI:1. Under the first standard, art VI:1 imposes a substantive proportionality requirement through the concept of ‘reasonableness’. In discussions relating to GATS art VI:4, a proportionality requirement is thought to mean that the requirements imposed by the measure cannot be disproportionate to the objective pursued. The test often ‘requires a balancing exercise between the trade restrictiveness of a measure and the policy objective’. In this case, the objective of the Privacy Directive adequacy determinations is to secure compliance with the protections for personal data secured by the rest of the Privacy Directive. Clearly, the protection of a right such as privacy in personal data is an important objective. However, the art 25 prohibition on transfers to inadequate third countries is the most restrictive means available for achieving this objective, and the EU has used less restrictive means, such as the Safe Harbor Agreement or partial-adequacy determinations. As a result, the EU may face difficulty in overcoming an art VI:1 challenge under this standard.
Under the second suggested standard, art VI:1 only applies to the administration of the Privacy Directive. Even under this less stringent obligation, the Privacy Directive, as actually administered, also faces significant difficulty. The Privacy Directive facially requires that adequacy determinations be administered on a transfer-by-transfer basis, however, the Working Party and European Commission apply a country-by-country administrative approach instead, claiming that the original scheme proved unworkable for national data protection authorities due to the volume of daily transfers to third countries. The EU will face difficulty in explaining why the administration of fourteen country determinations is reasonable given the 149 other countries that continue to operate in the absence of determinations. To show that the administration is impartial, the EU must explain why countries like the Isle of Man and Jersey underwent an adequacy determination while larger technological trading partners like Japan, South Korea, and India have not. Whether the Privacy Directive art 25 adequacy determinations survive art VI:1 under either test depends on the quantum of proof the EU offers in defence of its process. Notably, however, the difference between the tests seems to have relatively little effect on the analysis.
The Privacy Directive may also be vulnerable to an art VI:3 challenge. GATS art VI:3 dictates that when service suppliers are required to receive authorisation to engage in trade, they be kept informed of their application status. Under the Privacy Directive, data processing service suppliers must receive authorisation in the form of an adequacy determination. To the extent that countries initially determined to provide inadequate data protection standards remain uninformed of opportunities to rectify that status, and countries for which no determination has been undertaken remain uninformed of an investigation timeline, the Privacy Directive art 25 determinations may violate GATS art VI:3.
The market access provisions contained in GATS art XVI are among the main tools for liberalising trade in services used by the GATS framework. Because WTO member states feared liberalisation of trade in services, they agreed to provide flexibility in market access obligations by making the requirements of art XVI dependent upon a member’s schedule of specific commitments. Article XVI:1 imposes ‘a general prohibition on according less favourable treatment to foreign services and service suppliers than that provided for in a Member’s Schedule’. Thus, the commitments in a member’s schedule constitute minimum market access guarantees. Article XVI:2 contains an exhaustive list of six types of market access restrictions that are prohibited unless a member lists them in their schedule under market access. The six types of restrictions listed in art XVI:2 include origin-neutral quantitative restrictions (art XVI:2(a)–(d)), limitations on the forms of establishment (art XVI:2(e)) and limitations on the participation of foreign capital (art XVI:2(f)).
In US — Gambling, Antigua argued that the US prohibition on the cross-border supply of gambling and betting services violated the US’ commitment to provide full market access in relation to those services — as indicated by its prescription of ‘[n]one’ in the relevant part of its schedule — by effectively imposing a zero quota in violation of art XIV:2(a) and XVI:2(c). Both the panel and the Appellate Body agreed with Antigua. Ultimately the US — Gambling dispute set forth the following rule:
a measure prohibiting the supply of certain services where specific commitments have been undertaken is a limitation … within the meaning of Article XVI:2(c) because it totally prevents the services operations and/or service output through one or more or all means of delivery that are included in mode 1. In other words, such a ban results in a ‘zero quota’ on one or more or all means of delivery included in mode 1.
With regard to art XVI:2(a), the panel and Appellate Body found that a zero quota is also ‘a limitation “on the number of service suppliers in the form of numerical quotas” within the meaning of Article XIV:2(a)’.
The US — Gambling dispute further affected the market access obligations in two ways: (1) the panel set forth a theory about the relationship between arts XVI:1 and XVI:2 which the Appellate Body did not confirm or deny, and (2) the responding party was held accountable for an interpretation of its schedule that it did not support. As to the first issue, the panel intimated that art XIV:2 exhausts the types of market access restrictions prohibited by art XIV:1. This interpretation has been severely critiqued. However, as the Appellate Body neither confirmed the interpretation nor expressly overruled it, it is unclear whether the panel interpretation or the alternative interpretations set forth by scholars will prevail in the next market access dispute. As to the second issue, the US — Gambling Appellate Body found that the US had scheduled specific commitments in the gambling and betting services sector, despite the US’ claims to the contrary.
Privacy Directive art 25 may constitute a zero quota in violation of GATS art XVI and the market access commitments made by the EU in its schedule. The EU’s scheduled market access commitment for the data processing services sub-sector reads ‘[n]one’. In other words, the EU ‘has undertaken to provide full market access, within the meaning of Article XVI, in respect of the services included within the scope’ of its commitment in relation to the data processing services subsector, and ‘[i]n so doing, it has committed not to maintain any of the types of measures listed in the six sub-paragraphs of Article XVI:2’. Like the US prohibition on the remote supply of gambling and betting services, the Privacy Directive prohibition on cross-border transfers of personal data to inadequate third countries is vulnerable to a zero quota challenge. A prohibition on transfers to the hypothetical complainant Australia, for example, represents a ‘[limitation] on the number of service suppliers … in the form of [a] numerical [quota]’ under art XVI:2(a), and a ‘[limitation] on the total number of service operations or on the total quantity of service output … in the form of [a] [quota]’ under art XVI:2(c) as regards Australian services suppliers.
When trade in services was placed on the Uruguay Round negotiating agenda, one of the key concerns of WTO member states was that GATS would unduly interfere with the sovereign ability of members to implement domestic social policy. Unsurprisingly, the original drafters of General Agreement on Tariffs and Trade 1947 (‘GATT 1947’) had similar concerns and included art XX, entitled General Exceptions, to allow states to implement measures that would otherwise be GATT-inconsistent if undertaken when necessary to ‘protect public morals’, ‘protect human, animal or plant life or health’, or secure compliance with WTO-consistent laws and regulations, among other reasons. Similarly, GATS contains art XIV, entitled General Exceptions. Modelled after GATT art XX, GATS art XIV provides exceptions for measures undertaken when necessary to: ‘protect public morals or … maintain public order’, and ‘protect human, animal or plant life or health’. Because the ‘[r]egulation of services does not respond to exactly the same needs as the regulation of goods’, GATS art XIV specifically provides for measures relating to the protection of fair competition, privacy, and taxation while GATT art XX does not. Nevertheless, when interpreting GATS art XIV, the Appellate Body in US — Gambling used the traditional GATT exceptions analysis, which requires that the measure be undertaken for one of the enumerated purposes, be necessary, and satisfy the requirements of the chapeau. In doing so, the Appellate Body tightened the flexible policy space available for creating WTO-compliant regulatory schemes that also protect fundamental rights.
General exceptions analysis under GATS follows a two-tiered approach. First, the measure must ‘[fall] within the scope of one of the paragraphs of Article XIV’. To satisfy this first tier of analysis, the measure must both have been undertaken for one of the enumerated purposes and the measure must have the ‘required nexus … between the measure and the interest’ designated by the term ‘necessary to’. Then, under the second tier, the measure must satisfy the requirements of the chapeau. There are two main critiques of this analysis, both of which are heightened concerns in the GATS context: the analysis of the term ‘necessary’ and the use of the chapeau.
In US — Gambling, the only WTO dispute to fully address a claim under GATS art XIV, the Appellate Body stated ‘at the outset, that the standard of “necessity” provided for in the general exceptions provision is an objective standard’. The Appellate Body then described the necessity analysis as a ‘weighing and balancing’ test which ultimately looked to ‘whether a WTO-consistent alternative measure which the member concerned could “reasonably be expected to employ” is available, or whether a less WTO-inconsistent measure is “reasonably available”’. The first step in the weighing and balancing is ‘an assessment of the “relative importance” of the interests or values furthered by the challenged measure’. The Appellate Body then determines two additional factors: ‘the contribution of the measure to the realisation of the ends pursued by it; [and] the restrictive impact of the measure on international commerce’. The latter two factors should also be determined for the possible alternatives offered by the complainant as more WTO-compliant. These factors should then be compared between the challenged measure and the proposed alternative measures, in light of the importance of the interests underlying the challenged measure. The weighing and balancing occurs at this point, when comparing the measures and taking into account the interests at stake. In the end, the necessity test can be summed up as a requirement ‘that there be no “reasonably available” WTO-consistent alternative’.
This description of the necessity test was wholly imported by the Appellate Body from the GATT context, specifically relying on Korea — Beef. The Appellate Body imported the GATT necessity test after confirming the panel’s decision that GATT art XX jurisprudence is relevant in the GATS art XIV context because of the ‘textual and conceptual similarities between the two provisions’, and the encouragement from the Appellate Body in EC — Bananas III to use GATT jurisprudence in adjudicating GATS claims when ‘the obligations are essentially of the same type’. Just prior to the Appellate Body’s decision in US — Gambling, however, the WTO Working Party on Domestic Regulations strongly warned against this very type of wholesale importation of the necessity test, stating:
each WTO provision was to be interpreted in its proper context, and in light of the object and purpose of the relevant agreement, in spite of some similarities between the different provisions containing necessity tests. In other words, it was not possible to automatically assume that an interpretation of a necessity test in one agreement might be transferable to another agreement.
The Working Party’s warning reflects long standing practice within WTO jurisprudence. For example, when interpreting GATT art XX exceptions, the Appellate Body in US — Gasoline stated that each paragraph may call for different level of ‘necessity’. Furthermore, the Appellate Body in Mexico — Soft Drinks overruled the panel’s interpretation of GATT art XX(d) because the panel improperly based its interpretation on the US — Gambling interpretation of GATS art XIV(a). The Appellate Body deemed such reliance improper because the US — Gambling interpretation of ‘necessary’ occurred in a context wholly different than that at issue in the Mexico — Soft Drinks case.
The fact that the US — Gambling panel and Appellate Body ignored the strong warning of the WTO Secretariat and broke with prior Appellate Body decisions to keep GATT and GATS necessity test interpretation separate is likely to have a negative impact on one of the twin aims of GATS: the preservation of WTO members’ right to enact domestic regulations designed to protect important social interests. In particular, ‘[t]he examination of whether or not a measure is “necessary” … has proved to be a crucial step in panel practice’, as many measures pursuing one of the legitimate aims of the general exceptions article fail the necessity test, depriving the WTO member of their right to regulate in areas of important social concern. Some scholars, however, defend the necessity test as ‘a flexible concept that, if applied properly, may protect rather than curtail regulatory diversity’. For example, Thomas Cottier, Panagiotis Delimatsis and Nicolas F Diebold argue that flexibility is built into the test in connection to the importance of the value pursued by the measure, and contend that decisions such as EC — Asbestos demonstrate that a value such as the protection of human life and health which is ‘vital and important in the highest degree’ can justify a total prohibition that prevents life-threatening health risks. Ultimately, perhaps, only future application of GATS art XIV can demonstrate whether the necessity test imported from GATT jurisprudence truly is flexible enough to uphold the twin aims of GATS, or if, as is so often the case in the GATT context, measures will routinely fail for lack of necessity. An in-depth analysis of the Privacy Directive under GATS art XIV provides one avenue for testing the necessity test critique.
The general exceptions provisions of both GATT and GATS contain a chapeau that imposes substantive obligations. These additional obligations ‘seek to ensure that rights granted to derogate from WTO obligations to achieve non-economic policy goals are not applied in an abusive manner’. Although the panel in US — Gambling did not need to interpret the chapeau in order to settle the dispute, it provided an interpretation in order ‘to assist the parties in resolving the underlying dispute’. In doing so, the panel endorsed the use of the Appellate Body’s prior interpretations of GATT art XX chapeau analysis as the basis for GATS art XIV chapeau analysis. The Appellate Body did not overturn or correct the panel’s use of GATT jurisprudence to interpret GATS art XIV.
The Appellate Body generally reads the chapeau as containing three prohibitions: ‘first, arbitrary discrimination between countries where the same conditions prevail; second, unjustifiable discrimination between countries where the same conditions prevail; and third, a disguised restriction on international trade’. These standards are cumulative in nature. In seeking to justify a measure under the chapeau the respondent must demonstrate both that the measure is not discriminatory on its face and that it is applied consistently as between domestic and foreign suppliers. The respondent may establish these facts with evidence regarding the overall number of service suppliers and the patterns of enforcement.
Cottier, Delimatsis and Diebold critique the Appellate Body for analysing measures ‘without developing generally applicable and abstract rules’, despite the frequency with which it engages in interpreting the chapeau. As a result, ‘the WTO adjudicating bodies have a wide discretion when applying these elements’. The Appellate Body’s approach to the chapeau seems to emphasise providing the WTO DSB with flexibility in upholding the object and purpose of the chapeau — the prevention of abuse of the exceptions. Unfortunately, the wide discretion given to the panel and the Appellate Body in making such determinations results in WTO members’ reduced ability to predict the outcome of the application of the chapeau to any given measure.
The Privacy Directive was undertaken for the purpose of safeguarding ‘fundamental rights and freedoms, notably the right to privacy’. Prior to the Appellate Body decision in US — Gambling, scholars noted that the GATS general exceptions specifically provide for privacy concerns and assumed that the Privacy Directive would qualify under GATS art XIV(c)(ii). However, the US — Gambling case revealed that even when a measure is found to be undertaken for a purpose specifically enumerated in the GATS exceptions, it may nevertheless fail to comply with other requirements of art XIV. The Privacy Directive thus provides a useful test case for uncovering the ability of GATS art XIV to protect fundamental rights given the recent jurisprudence. In order to satisfy the first tier of exceptions analysis, the Privacy Directive must have been undertaken for the purpose of ‘the protection of the privacy of individuals’ within the meaning of art XIV(c)(ii), and be ‘necessary’ for the privacy protection. Secondly, the Privacy Directive must be found to be consistent with the chapeau.
The first prong of the exceptions analysis requires a determination that the challenged measure addresses, or is designed to address, ‘the particular interest of the relevant paragraph’. In order to address the particular interest contained in GATS art XIV(c)(ii), the Privacy Directive must both ‘secure compliance’ with other laws and regulations designed to protect individual privacy in data processing, and those other ‘laws or regulations’ must be GATS-consistent. In other words, the Privacy Directive must ‘relate directly to [laws or regulations] which [are themselves] GATS-consistent’.
In Mexico — Soft Drinks, the Appellate Body held that ‘laws and regulations’ means:
rules that form part of the domestic legal system of a WTO member, including rules deriving from international agreements that have been incorporated into the domestic legal system of a WTO member or have direct effect according to that WTO member’s legal system.
The EU enacted the Privacy Directive in order to harmonise the data protection law of its member states. As such, the Privacy Directive provisions on processing personal data set forth ‘a basic structure, with more or less detailed provisions, to which Member States must conform’. In this way, the binding obligation contained in Privacy Directive art 25 to prohibit data transfers to inadequate third countries enforces the laws of EU member states protecting individual privacy in data processing. Because of their specific mention in GATS art XIV(c)(ii), laws and regulations protecting individual privacy with relation to data processing are considered GATS-consistent per se. Thus, the national data protection laws and regulations of EU member states constitute ‘other’ laws and regulations that are GATS-consistent — satisfying the initial requirement of GATS art XIV(c)(ii).
The Privacy Directive must now be analysed under the ‘securing compliance’ portion of GATS art XIV(c)(ii). WTO jurisprudence makes clear that in order for the challenged measure to be seen as securing compliance with other laws and regulations, it must ‘enforce “obligations” contained in the laws and regulations and not merely ensure achievement of the goals of those laws and regulations’. Thus, to come within the art XIV(c) enforcement exception, art 25 of the Privacy Directive must aim at enforcing the obligations of other WTO-consistent laws and regulations protecting the privacy of individuals in relation to the processing of personal data. The Working Party has stated that the purpose of the art 25 prohibition on transfers of data to third countries with inadequate data protection is to prevent circumvention or abuse of the privacy protection laws instituted by EU member states pursuant to the Privacy Directive. The adequacy determinations analyse the law of third countries with the aim of discerning whether it contains the minimum requirements for the protection of individual privacy with relation to data processing. The adequacy requirement thus seeks meaningful enforcement of the obligations of data protection laws of EU member states conforming to the processing requirements of the Privacy Directive. As such, Privacy Directive art 25 is a measure designed to secure compliance with other GATS-consistent laws and regulations.
Having determined that Privacy Directive art 25 is designed to address the particular interest of securing compliance with other GATS-consistent laws and regulations protecting individual privacy in data processing, the next inquiry under exceptions analysis is whether Privacy Directive art 25 is ‘necessary’ to achieve that interest. The Appellate Body has interpreted the term ‘necessary’ three times in the GATT general exceptions context, and once in the GATS general exceptions context. As the only definition of ‘necessary’ under GATS relates to a provision wholly different from the protection of privacy and personal data, a preliminary issue in the analysis of the Privacy Directive under art XIV(c)(ii) requires a determination of whether the term ‘necessary’ should be given the same meaning as it retains in art XIV(a).
The answer to this inquiry lies within the US — Gambling analysis itself. First, it is noteworthy that GATT art XX(a) has never been interpreted. Instead, the Appellate Body in US — Gambling imported the ‘necessary’ test from Korea — Beef, which dealt with GATT art XX(d), the provision for securing compliance with other WTO-consistent laws. Notably, GATS art XIV(c) is the GATS provision on securing compliance with otherwise WTO-consistent laws, and art XIV(c)(ii) simply specifies that laws relating to the privacy in data processing are among those falling under art XIV(c). It thus seems logical that if the term ‘necessary’ retains its meaning in the public moral exception, it certainly retains its meaning in the enforcement exception provision, the very type of provision for which the analysis was originally created. The fact that GATT does not contain a specific provision on privacy in data processing does not alter the meaning of ‘necessary’ as it relates to measures which ‘secure compliance with laws or regulations which are not inconsistent with the provisions of this agreement’, but rather reflects the fact that the types of social regulation which might otherwise interfere with the trade in goods, namely those relating to customs enforcement, monopolies, intellectual property, and deceptive trade practices, are not the same as those which might otherwise interfere with an agreement on trade in services, namely deception and fraud in service contracts and privacy protection in data processing.
Having established that it is appropriate to use the US — Gambling necessity test for GATS art XIV(a) in an analysis of GATS art XIV(c), the issue becomes whether the Privacy Directive survives it. Under the weighing and balancing test of US — Gambling, an analysis of the Privacy Directive begins by identifying the relative importance of the interest it is designed to protect: individual privacy with relation to data protection. The EU understands the right to privacy as one of a person’s ‘fundamental rights and freedoms’. Furthermore, the International Covenant on Civil and Political Rights states that ‘[n]o one shall be subjected to arbitrary or unlawful interference with his privacy’, and the United Nations considers privacy in personal data of sufficient importance to issue Guidelines concerning Computerized Data Files. In this way, individual privacy with relation to personal data is an interest of relatively great importance.
Next, the weighing and balancing test requires an inquiry into (1) the extent to which Privacy Directive art 25 actually secures compliance with laws protecting privacy in the realm of data processing, and (2) the impact Privacy Directive art 25 imposes on international trade in computer-services. As to the first element, the prohibition on data transfers to inadequate third countries seeks to prevent circumvention of the data processing principles embodied in the rest of the Privacy Directive. The Privacy Directive contemplates that adequacy determinations would be made on a case-by-case basis for individual transfers or groups of transfers. Unfortunately, the computer-services sector has grown significantly since the adoption of the Directive so that no member state is capable of individually analysing each transfer of data from their borders. This is especially the case because the Working Party has interpreted the scope of the Directive to include a broad variety of data under the heading of personal data — everything from generally agreed upon data, such as names and phone numbers, to more controversial data, such as IP addresses. As a result, the EU turned to the use of general adequacy decisions. However, only fourteen such decisions have been made, giving eleven nations a finding of adequacy, two, Canada and the US (through the Safe Harbor Agreement) an adequacy finding in certain sectors, and one, Australia, an inadequacy finding. This leaves EU member states without guidance on 149 countries with which computer-services trade continues on a daily basis. Whereas EU member states do not transfer data to Australia based on the general inadequacy finding, they are left to attempt individual assessments of transfers to the 154 other countries, any number of which could also have inadequate standards of data protection.
As to the second element, findings of inadequacy have a generally negative impact on trade. For example, those entities in the computer-services sector not covered by the US Safe Harbor Agreement, the computer-services sector in Australia, and the computer-services sectors in Canada not engaged in commercial activities are each forbidden from receiving data transfers from EU member states. As a result, businesses in these countries face higher costs of business and constrained business opportunities. Furthermore, inadequacy findings tend to increase transaction costs of seeking information that would be readily available in the absence of such a finding, and reduces business productivity when the information is not available through other means.
The next step in the US — Gambling analysis of the term ‘necessary’ is to identify alternative measures that are more consistent with GATS. First, the Privacy Directive could have provided for restricted data transfers to inadequate third countries, rather than imposing a full prohibition. In fact, the Organisation for Economic Co-Operation and Development (‘OECD’) issued Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980, which instructs OECD members to only restrict, rather than prohibit, data flows to third countries when seeking to enforce domestic privacy legislation. Second, the Privacy Directive could have provided a lower standard than that of ‘adequacy’ to determine when data transfers to third countries should be prohibited, so as not to unduly burden international computer-services trade. It has been suggested that although the Privacy Directive calls for ‘adequacy’ of data protection in third countries, it really seeks ‘equivalency’ of EU data protection in third countries. This is borne out in the EU–US trans-border data flow context, where transfers to the US only take place under the Safe Harbor Agreement, which the EU negotiated to provide equivalent standards. In comparison to this stringent definition and application of ‘adequacy’, the Guidelines concerning Computerized Personal Data Files use a standard of ‘comparable safeguards for the protection of privacy’ when contemplating the appropriateness of data transfers to third countries. A third less trade-restrictive alternative is to require computer-services technologies themselves to use technical solutions to ‘[incorporate] data protection within the infrastructure’s architecture’. The idea is that technical solutions may themselves ‘arbitrate divergences in national laws’. The Working Party recognised this possibility on two occasions. Some suggest that the World Wide Web Consortium’s ‘Platform for Privacy Preferences’ initiative could be used to enforce data protection law ‘if server-based filtering can be used to identify and protect against deviations from a jurisdiction’s mandatory rules’. A second proposal for using technology to enforce data protection law is to use intelligent agents ‘to protect against the secondary use of stored personal information’. In this way, the technology used to transfer data across borders could itself be used to bridge the gap between the EU and inadequate third countries, a less trade restrictive alternative than prohibiting the transfers altogether.
Under the weighing and balancing test, the ‘restrict’ rather than ‘prohibit’ option will alter the balance with regard to the negative impact on trade, while the ‘comparable’ rather than ‘adequate/equivalent’ standard will alter the balance with regard to both the extent to which the Privacy Directive secures enforcement and the negative impact on trade. Similarly, using technology itself to enforce data protection laws would both increase compliance and decrease the impact on international trade in computer-services. An Appellate Body examining the issue may very well determine that the Privacy Directive fails to achieve the appropriate nexus to the securing enforcement interest in GATS art XIV(c) because it is not ‘necessary’ in light of other less GATS-inconsistent measures which would better achieve compliance and have less negative trade impact. On the other hand, the Appellate Body generally defers to a member state’s determination that a particular level of compliance with other laws and regulations is ‘necessary’, and may find the Privacy Directive’s adequacy provisions are necessary to secure compliance, despite evidence to the contrary. As a result, this analysis next turns to the fate of the Privacy Directive under the chapeau.
If the Privacy Directive satisfies the necessity test, the EU would next be required to demonstrate that the Privacy Directive art 25 adequacy determinations do not constitute arbitrary or unjustifiable discrimination or impose a disguised restriction on trade. To overcome the first hurdle of arbitrary or unjustifiable discrimination the EU must demonstrate that Privacy Directive art 25 is not applied in such a way that ‘(i) results in discrimination (ii) which is arbitrary or unjustifiable in character and (iii) occurs between countries where like conditions prevail’. Privacy Directive art 25 is applied through country adequacy determinations. The adequacy determinations do result in discrimination, as transfer of personal data to service suppliers from some countries (such as Australia) is prohibited, while transfer of personal data to service suppliers in other countries (such as the US, Canada and South Korea) continues despite an adverse adequacy determination or in the absence of any determination at all. The question then becomes, under the second element, whether the discrimination is arbitrary or unjustifiable.
The second prong may be applied differently depending on the circumstances. The discrimination which occurs as between Australia and Canada, for example, is neither arbitrary nor unjustifiable, as it is a result of increased efforts by Canada to reach partial-adequacy which were not undertaken by Australia. Demonstrating, on the other hand, that the discrimination between Australia and the US is neither arbitrary nor unjustifiable, will prove more difficult. The EU must demonstrate why the Safe Harbor Agreement negotiated with the US was not similarly offered to Australia. That agreements were negotiated with some WTO members while the art 25 prohibition was unilaterally applied to other WTO members without negotiation resembles the circumstances in US — Shrimp where the US ‘unilaterally applied its import prohibition without engaging in negotiations with some members, while it did with others’. The Appellate Body felt that such action served to ‘heighten the disruptive and discriminatory influence of the import prohibition and underscore its unjustifiability’. Perhaps the most difficult challenge for the EU will lie in proving that the daily transfer of personal data to service suppliers in countries such as South Korea, which have not undergone any adequacy determination whatsoever, does not render the adverse adequacy determinations issued to other countries arbitrary and unjustifiable. This type of discrimination resembles the action by the US in affording countries different amounts of time for compliance with the measure in US — Shrimp, which according to the Appellate Body, constituted unjustifiable discrimination.
As to the third prong, discrimination does occur between countries where like conditions prevail — the US, Canada and Australia were all given generally inadequate determinations, and countries for which no determination has been undertaken should be presumed inadequate until determined otherwise. As a result, Privacy Directive art 25 determinations would likely be found to result in arbitrary or unjustifiable discrimination between countries where like conditions prevail, rendering them incompatible with a strict reading of the chapeau’s requirements.
On the other hand, the Appellate Body has given itself wide discretion in the application of the requirements of the chapeau by refusing to create a generally applicable standard and insisting on a case-by-case analysis. Given this level of unpredictability, it remains conceivable that because the Privacy Directive art 25 adequacy determinations are designed to protect such a fundamental right as privacy in personal data that it will not be construed as a violation of the GATS art XIV chapeau. Given that the twin aims of GATS specifically reserve the right of WTO members to regulate important domestic social interests while simultaneously undertaking to liberalise trade in services, the EU should not be forced to risk forfeiture of an important and elaborate regulatory scheme at the discretion of the Appellate Body in applying the chapeau. The EU, along with the other WTO member nations, negotiated GATS with the expectation of predictability in obligations. While the analysis of the Privacy Directive under the chapeau points to a clear prediction of incompatibility, the discretion reserved to the Appellate Body in this area renders the prediction less than concrete, undermining the usefulness of GATS art XIV as a tool for WTO members in balancing trade obligations with important domestic regulatory prerogatives and agendas.
An analysis of the Privacy Directive under GATS uncovered that although GATS obligations are generally clear and understandable, even in the new and complex context of internet-based services, the possibility that any given measure will withstand GATS exceptions analysis is unpredictable, no matter how important the value pursued by the measure in question. The Privacy Directive, for example, seeks to protect a fundamental right to privacy. Arguably the EU knew that Privacy Directive art 25 adequacy determinations might violate their GATS obligations, especially given the specific commitments made in the computer-services sub-sector. In deciding to protect a fundamental right, however, the EU is entitled, per the terms of GATS itself, to rely on the general exceptions in art XIV, which even specifically provide for measures securing compliance with laws designed to protect privacy in personal data. Unfortunately, the latitude given to the WTO DSB in interpreting the general exceptions may allow a challenge to the Privacy Directive to overcome the EU’s reliance on GATS art XIV(c)(ii). Ultimately, despite GATS’ promise to reserve WTO members’ right to create domestic regulatory schemes protecting important social interests, the application of the main provision preserving that right, the GATS art XIV general exceptions, is rendered unpredictable by the necessity test and the chapeau, leaving members in the very position that caused concern early in negotiations — that GATS obligations could inhibit their ability to protect important domestic interests, such as the fundamental right to privacy in personal data.
The case study of the Privacy Directive hints at some important lessons for policymakers in WTO member countries attempting to protect certain fundamental rights through the regulation of service industries. In particular, it will be important that, unlike the initial students of the Privacy Directive, policymakers recognise that reliance on a purpose specifically enumerated in art XIV does not guarantee justification of the measure under that provision. An in-depth analysis of necessity and the chapeau must be undertaken before a WTO member country can be even cautiously confident that the regulatory scheme is WTO-consistent. Additionally, the Privacy Directive case study reveals that even a regulatory scheme that is facially WTO-consistent when enacted can mutate into a WTO-inconsistent measure if the implementing agency fails to consider the effects of their chosen method of application of the measure on international trade obligations. To protect fundamental rights with a WTO-consistent regulatory scheme, policymakers must be attentive to international trade obligations both during the enactment of the legislation and throughout the life of the program.
[*] JD, LLM in International and Comparative Law, MPP (Duke). I would like to thank my husband, Mario C Reyes, for his unconditional love and support.
 Marrakesh Agreement Establishing the World Trade Organization, opened for signature 15 April 1994, 1869 UNTS 183 (entered into force 1 January 1995) annex 1B (‘General Agreement on Trade in Services’) (‘GATS’).
 Ibid Preamble.
 Council Directive 95/46, on the Protection of Individuals with regard to the Processing of Personal Data and the Free Movement of Such Data  OJ L 281/31 (‘Privacy Directive’). The directive issued by the European Council ‘shall be binding as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods’: Treaty Establishing the European Community, opened for signature 25 March 1957, 298 UNTS 11 (entered into force 1 January 1958) art 249, as amended by Treaty of Amsterdam Amending the Treaty of the European Union, the Treaties Establishing the European Communities and Certain Related Acts, opened for signature 2 October 1997  OJ C 340/1 (entered into force 1 May 1999).
 Convention for the Protection of Human Rights and Fundamental Freedoms, opened for signature 4 November 1950, 213 UNTS 222 (entered into force 3 September 1953), as amended by Protocol No 14 to the Convention for the Protection of Human Rights and Fundamental Freedoms, opened for signature 13 May 2004, CETS No 194 (entered into force 1 June 2010) art 8; see also Virginia Boyd, ‘Financial Privacy in the United States and the European Union: A Path to Transatlantic Regulatory Harmonization’ (2006) 24 Berkeley Journal of International Law 939, 956.
 Privacy Directive  OJ L 281/31, art 2(a). In particular, when a person can be identified ‘by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’ the data is personal. The administrative body mandated to act as the data protection authority for the EU is the Article 29 Data Protection Working Party (‘Working Party’): at art 29 (creating the Working Party); see also at arts 30–1 (detailing the Working Party’s responsibilities). The Working Party has established a broad test for determining when information qualifies as personal data, namely, that it be: (1) any information, (2) relating to, (3) an identified or identifiable, (4) natural person: Article 29 Data Protection Working Party, ‘Opinion 4/2007 on the Concept of Personal Data’ (Report WP 136, European Commission, 20 June 2007) 6–24 (detailing the specific requirements for meeting each of the four criteria).
 Privacy Directive  OJ L 281/31, art 25(1).
 Ibid art 25(4); see also Paul M Schwartz, ‘European Data Protection Law and Restrictions on International Data Flows’ (1995) 80 Iowa Law Review 471, 487.
 Gregory Shaffer, ‘Globalization and Social Protection: The Impact of EU and International Rules in the Ratcheting Up of US Privacy Standards’ (2000) 25 Yale Journal of International Law 1, 21.
 Privacy Directive  OJ L 281/31, art 25(2). In particular, the Commission is to evaluate the following factors:
the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
 Article 29 Data Protection Working Party, ‘Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive’ (Working Document WP 12, European Commission, 24 July 1998).
 The Working Party undertakes its investigations at the request of the European Commission at the beginning of what is referred to as the ‘comitology procedure’. How the European Commission chooses a country for an adequacy investigation is unknown.
 Privacy Directive  OJ L 281/31, art 25(6).
 For the purposes of evaluating the content adequacy of a foreign country’s laws, the Working Party has laid out required content principles: purpose limitation, data quality and proportionality, transparency, security, rights of access, rectification and opposition, and restrictions on onward transfers: Article 29 Data Protection Working Party, ‘Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive’, above n 10, 6. The Working Party also requires additional principles for three specific types of data processing: sensitive data, direct marketing, and automated individual decision: at 6–7.
 Ibid 5. With regard to the adequacy of procedural and enforcement mechanisms, the Working Party requires: (1) the ability to ensure a ‘good level of compliance’ through the ‘existence of effective and dissuasive sanctions’, (2) the provision of support and help to individual data subjects through a rapid, effective and cost manageable ‘institutional mechanism allowing independent investigation of complaints’, and (3) the availability of appropriate redress through monetary compensation and other punitive sanctions when appropriate: at 7.
 Commission Decision of 21 November 2003 on the Adequate Protection of Personal Data in Guernsey  OJ L 308/27, art 1.
 Commission Decision of 8 May 2008 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequate Protection of Personal Data in Jersey  OJ L 138/21, art 1.
 Commission Decision of 28 April 2004 on the Adequate Protection of Personal Data in the Isle of Man  OJ L 151/48, art 1 (‘Isle of Man Decision’).
 Commission Decision of 30 June 2003 Pursuant to Directive 95/45/EC of the European Parliament and of the Council on the Adequate Protection of Personal Data in Argentina  OJ L 168/1, art 1.
 Commission Decision of 26 July 2000 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequate Protection of Personal Data Provided in Switzerland  OJ L 215/1, art 1.
 Commission Decision of 26 July 2000 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequate Protection of Personal Data Provided in Hungary  OJ L 215/4, art 1.
 Commission Decision of 5 March 2010 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequate Protection of Personal Data Provided in the Faeroe Islands  OJ L 58/17, art 1.
 Commission Decision of 19 October 2010 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequate Protection of Personal Data Provided in Andorra  OJ L277/27, art 1.
 Commission Decision of 31 January 2011 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequate Protection of Personal Data by the State of Israel with regard to Automated Processing of Personal Data  OJ L 27/39, art 1.
 Article 29 Data Protection Working Party, ‘Opinion 11/2011 on the Level of Protection of Personal Data in New Zealand’ (Report WP 182, European Commission, 4 April 2011) 15
 Article 29 Data Protection Working Party, ‘Opinion 6/2010 on the level of protection of personal data in the Eastern Republic of Uruguay’ (Report WP 177, European Commission, 12 October 2010) 20.
 Article 29 Data Protection Working Party, ‘Opinion 10/2006 on the Processing of Personal Data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT)’ (Report WP 128, European Commission, 22 November 2006) 21.
 US Department of Commerce, Safe Harbor Privacy Principles (21 July 2000) Export.gov <http://www.export.gov/safeharbor/eu/eg_main_018475.asp> (‘Safe Harbor Agreement’). The European Commission specifically determined that the level of data protection provided by the Safe Harbor Agreement ensures adequate protection ‘for all the activities falling within the scope of’ the Privacy Directive when ‘implemented in accordance with the guidance provided by the frequently asked questions … issued by the US Department of Commerce on 21 July 2000’: Commission Decision of 26 July 2000 Pursuant to Directive 95/46/ 2000/520/EC of the European Parliament and of the Protection Provided by the Safe Harbor Privacy Principles and Related Frequently Asked Questions Issued by the US Department of Commerce  OJ L 215/7, art 1.
 Article 29 Data Protection Working Party, ‘Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive’, above n 10, 26.
 Specifically, the European Commission found that Canada, while not generally meeting the adequacy standard, provides adequate data protection in the field of Canadian commercial activities: Commission Decision of 20 December 2001 Pursuant to Directive 95/46/EC of the European Parliament and of the Council on the Adequate Protection of Personal Data Provided by the Canadian Personal Information Protection and Electronic Documents Act  OJ L 2/13, art 1. Furthermore, with regards to processing and transfer of ‘advance passenger information’ and ‘passenger name record data’ between airline carriers and the Canada Border Services Agency, the EU negotiated an agreement providing exemptions to compliant entities: Council Decision of 18 July 2005 on the Conclusion of an Agreement between the European Community and the Government of Canada on the Processing of API/PNR Data  OJ L 82/14, annex.
 Article 29 Data Protection Working Party, ‘Opinion 3/2001 on the Level of Protection of the Australian Privacy Amendment (Private Sector) Act 2000’ (Report WP 40, European Commission, 26 January 2001) 6.
 Australia does have an agreement with the EU regarding passenger name record data — a very narrow exception to an otherwise complete inadequacy finding. See Council Decision of 30 June 2008 on the Signing, on Behalf of the European Union, of an Agreement between the European Union and Australia on the Processing and Transfer of European Union-Sourced Passenger Name Record (PNR) Data by Air Carriers to the Australian Customs Service  OJ L 213/47.
 Article 29 Data Protection Working Party, ‘Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive’, above n 10, 27.
 Privacy Directive  OJ L 281/31, art 25.
 Article 29 Data Protection Working Party, ‘Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive’, above n 10, 26.
 Notably, there are also possible exceptions to the general prohibition on transfers of personal data to countries with inadequate data protection under the Privacy Directive: Privacy Directive  OJ L 281/31, art 26. However, the Working Party interprets these exceptions very narrowly, so that it is difficult to ascertain when third countries may rely on the exceptions in making particular transfers: see Article 29 Data Protection Working Party, ‘Working Document on a Common Interpretation of Article 26(1) of Directive 95/46/EC of 24 October 1995’ (Working Document WP 114, Working Party, 25 November 2005) 7 (noting that exceptions from a general rule ‘must be interpreted restrictively’). For example, data transfers for the purpose of discovery in trans-border litigation are particularly problematic and there is an ongoing debate regarding when transfers for discovery purposes fall within the exceptions. For a detailed analysis of the US discovery–EU Privacy Directive conflict and a review of the surrounding literature, see Carla L Reyes, ‘The US Discovery–EU Privacy Directive Conflict: Constructing a Three-Tiered Compliance Strategy’ (2009) 19 Duke Journal of Comparative and International Law 357.
 Panagiotis Delimatsis, International Trade in Services and Domestic Regulations: Necessity, Transparency, and Regulatory Diversity (Oxford University Press, 2007) 11.
 For a succinct and readable explanation of the GATS framework, see generally Trade in Services Division, World Trade Organization Secretariat, A Handbook on the GATS Agreement (Cambridge University Press, 2005).
 Bernard Hoekman, ‘The General Agreement on Trade in Services’ in John H Jackson, William J Davey, and Alan O Sykes Jr, Legal Problems of International Economic Relations: Cases, Materials and Text on the National and International Regulation of Transnational Economic Relations (Thompson West, 5th ed, 2008) 942, 944.
 Ibid 946.
 Appellate Body Report, Canada — Certain Measures Affecting the Automotive Industry, WTO Doc WT/DS139/AB/R, WT/DS/142/AB/R, AB-2000-2 (31 May 2000)  (‘Canada — Autos’).
 GATS art I:2.
 Ibid art I:2(a)–(d); see also Trade in Services Division, World Trade Organization Secretariat, above n 38, 5.
 Shin-Yi Peng, ‘Trade in Telecommunications Services: Doha and Beyond’ (2007) 41 Journal of World Trade 293, 293 n 1:
Although optional, most Members follow the W/120 classification system, whose 160 sub-sectors are defined as aggregates of the more detailed categories contained in the United Nations provisional Central Product Classification (‘CPC’). Thus CPC categories help clarify the scope of the commitments actually undertaken under the GATS, and most Members list the corresponding CPC numbers when scheduling their GATS commitments.
 GATS Services Sectoral Classification List, WTO Doc MTN.GNS/W/120 (10 July 1991) (Note by the Secretariat) 2 (‘W/120’).
 W/120, WTO Doc MTN.GNS/W/120, 3 citing United Nations Statistics Division, Provisional Central Product Classification, UN Doc ST/ESA/STAT/SER.M/77 (1991) (‘CPC’).
 Classification in the Telecom Sector under the WTO–GATS Framework, WTO Doc TN/S/W/27, S/CSC/W/44 (10 February 2005) (Communication from the European Communities) (‘EC Telecom Classification’). At this juncture, it is appropriate to note that there exists some debate in the literature regarding a possible mode of supply problem for internet services thought to be covered by GATS. The debate is significant enough that it merits a brief discussion here, using the EU as a test case. It has been argued that under the W/120 classification, data processing may fall under either the telecommunication services sector or the computer-related services sector: Peng, above n 44, 298. However, the EU stipulated that data processing forms part of the computer-related services sector: EC Telecom Classification, WTO Doc TN/S/W/27, S/CSC/W/44. In its schedule of commitments, the EU has listed ‘none’ in both Mode 1 and Mode 2 for data processing services (‘2(B)(c)’) corresponding to the computer-related services sector (‘CPC 843’) heading: European Communities and Their Member States: Schedule of Specific Commitments, WTO Doc GATS/SC/31 (15 April 1994) 32 (‘EU Schedule’). The EU failed to alter these listings despite four subsequent revisions to its schedule: see The European Community and Its Member States: Schedule of Specific Commitments — Supplement 1, WTO Docs GATS/SC/31/Suppl.1 (28 July 1995); European Community and Its Member States: Schedule of Specific Commitments — Supplement 2, GATS/SC/31/Suppl.2 (28 July 1995); European Communities and Their Member States: Schedule of Specific Commitments — Supplement 3, GATS/SC/31/Suppl.3 (11 April 1997); European Communities and Their Member States: Schedule of Specific Commitments — Supplement 4, GATS/SC/31/Suppl.4 (26 February 1998).
Furthermore, there is some indication that even if the EU schedule had differentiated between Mode 1 and Mode 2 in the Data Processing Services sector, analysis of the legislative and administrative history surrounding the Privacy Directive would resolve the issue without altering the EU’s expectations. The Privacy Directive itself indicates that it is concerned with regulating the ‘cross-border flows of personal data’: Privacy Directive  OJ L 281/31, Preamble para 6. The Working Party has also consistently described the Privacy Directive as being applicable to cross-border processing of personal data: Article 29 Data Protection Working Party, ‘Opinion 1/2008 on Data Protection Issues Related to Search Engines’ (Report WP 148, European Commission, 4 April 2008) 11; Article 29 Data Protection Working Party, ‘Working Document on Determining the International Application of EU Data Protection Law to Personal Data Processing on the Internet by Non-EU Based Sites’ (Working Document WP 56, Working Party, 30 May 2002) 7–9. Finally, if the Privacy Directive did not regulate cross-border supply of data processing services, the art 25 adequacy determinations would neither be necessary for the EU nor objectionable to other WTO members. This author expects that, upon closer examination, other ‘modes of supply problems’ would similarly dissipate.
 Panel Report, Mexico — Measures Affecting Telecommunications Services, WTO Doc WT/DS24/R (2 April 2004) [7.45] (‘Mexico — Telecoms’).
 María Verónica Pérez Asinari, ‘The WTO and the Protection of Personal Data: Do EU Measures Fall within GATS Exception? Which Future for Data Protection within the WTO E-Commerce Context?’ (Paper presented at 18th BILETA Conference: Controlling Information in the Online Environment, London, 2003), noting that the cross-border and consumption abroad modes of supply ‘would certainly involve e-commerce examples’. See also Metka Stare, ‘The Scope for E-Commerce in Central European Countries’ Services Trade’ (2003) 23 Service Industries Journal 27, 29 (‘the main issue is whether e-commerce in services should be treated as mode 1 or as mode 2’).
 IP addresses fulfil the four-pronged test for personal data set forth in the Privacy Directive: see Article 29 Data Protection Working Party, ‘Working Document: Processing of Personal Data on the Internet’ (Working Document WP 16, Working Party, 23 February 1999) (‘The use of the infrastructure is often directly based on the processing of personal data, such as certain Internet Protocol addresses’ (emphasis added)); Article 29 Data Protection Working Party, ‘Working Document: Privacy on the Internet — An Integrated Approach to On-Line Data Protection’ (Working Document WP 37, Working Party, 21 November 2000) 11 (‘Internet Access Providers usually seem to systematically “log” the date, time, duration and dynamic IP address given to the Internet user in a file. As long as it is possible to link the logbook to the IP address of a user, this address has to be considered as personal data’). For more on the development of IP addresses as personal data under the Privacy Directive, see Joseph Cutler and Carla Reyes, ‘Was That Your Computer Talking to Me? The EU and IP Addresses as “Personal Data”’ (2008) 13 Cyberspace Lawyer 1.
 Appellate Body Report, Canada — Autos, WTO Doc WT/DS139/AB/R, WT/DS142/AB/R, , quoting Appellate Body Report, European Communities — Regime for the Importation, Sale and Distribution of Bananas, WTO Doc WT/DS27/AB/R, AB-1997-3 (9 September 1997)  (‘EC — Bananas III’).
 Marrakesh Agreement Establishing the World Trade Organization, opened for signature 15 April 1994, 1867 UNTS 3 (entered into force 1 January 1995) annex 1A (‘General Agreement on Tariffs and Trade 1994’) (‘GATT’).
 Appellate Body Report, Canada — Autos, WTO Doc WT/DS139/AB/R, WT/DS142/AB/R, , quoting Appellate Body Report, EC — Bananas III, WTO Doc WT/DS27/AB/R, .
 Privacy Directive  OJ L 281/31, Preamble para 8 (emphasis added).
 Ibid Preamble para 56.
 Gregory Shaffer, ‘The Power of EU Collective Action: The Impact of EU Data Privacy Regulation on US Business Practice’ (1999) 5 European Law Journal 419, 425–6. GATS art XIV reads:
Nothing in this Agreement shall be construed to prevent the adoption or enforcement by any Member of measures: … (c) necessary to secure compliance with laws or regulations which are not inconsistent with the provisions of this Agreement including those relating to: … (ii) the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts …
 See generally above nn 11–35.
 Appellate Body Report, United States — Measures Affecting the Cross-Border Supply of Betting and Gambling Services, WTO Doc WT/DS285/AB/R, AB-2005-1 (7 April 2005) (‘US — Gambling’); see below Part III. Although Professor Shaffer makes identical arguments and predictions in an article published in 2000, his analysis contains the same difficulties: Shaffer, ‘Globalization and Social Protection’, above n 8, 46–55.
 Colin J Bennett, ‘Information Policy and Information Privacy: International Arenas of Governance’  Journal of Law, Technology and Policy 385, 405.
 Ibid 404.
 See generally Eric Shapiro, ‘All Is Not Fair in the Privacy Trade: The Safe Harbor Agreement and the World Trade Organization’ (2003) 71 Fordham Law Review 2781.
 Ibid 2783.
 In that dispute, Antigua and Barbuda brought a complaint against the US alleging that 18 USCA § 1084 (2011) (‘the Wire Act’), 18 USCA § 1952 (2011) (‘the Travel Act’) and 18 USCA § 1955 (2011) (‘the Illegal Gambling Business Act’) violated GATS obligations: at . The Appellate Body found that the US made specific commitments in its schedule regarding gambling and betting services; that the three challenged measures provided less favourable treatment than committed to in the schedule; and that, as a result, the US was in violation of its GATS art XVI:2 obligations on market access: at . The Appellate Body further found that the measures did not fall within the public morals exception of GATS art XIV(a) because they failed to conform with the chapeau: at –. A second case decided by a WTO Panel, Mexico — Telecoms, did involve certain questions of GATS interpretation, but focused most centrally on the Annex on Telecommunications and the interpretation of country Reference Papers, rather than on GATS obligations and member schedules: see Panel Report, Mexico — Telecoms, WTO Doc WT/DS024/R.
 Federico Ortino, ‘Treaty Interpretation and the WTO Appellate Body Report in US — Gambling: A Critique’ (2006) 9 Journal of International Economic Law 117, 119–32. Specifically, Ortino argues that the US — Gambling report’s reliance on the common intentions of the member states raises ‘serious concerns of certainty, stability and security’: at 147; see also Douglas A Irwin and Joseph Weiler, ‘Measures Affecting the Cross-Border Supply of Gambling and Betting Services (DS 285)’ (2008) 7 World Trade Review 71, 73.
 Irwin and Weiler, above n 65.
 For a discussion of the ‘necessary test’ see below Part III(A)(1).
 The chapeau of GATS art XIV reads:
Subject to the requirement that such measures are not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade in services …
 Appellate Body Report, US — Gambling, WTO Doc WT/DS285/AB/R, .
 Appellate Body Report, Korea — Measures Affecting Imports of Fresh, Chilled and Frozen Beef, WTO Doc WT/DS161/AB/R, WT/DS169/AB/R, AB-2000-8 (11 December 2000)  (‘Korea — Beef’).
 GATT/WTO Dispute Settlement Practice Relating to Article XX, Paragraphs (b), (d) and (g) of GATT, WTO Doc WT/CTE/W/53/Rev.1 (26 October1998) (Note by the Secretariat — Revision)  (‘Secretariat Note on Article XX’); see also Irwin and Weiler, above n 65, 107, arguing that the Appellate Body’s use of the necessity test in US — Gambling leaves out an important aspect of the Korea — Beef test, rendering it more unpredictable.
 Rüdiger Wolfrum, ‘Article II GATS: Most-Favoured-Nation Treatment’ in Rüdiger Wolfrum, Peter-Tobias Stoll and Clemens Feinäugle (eds), WTO: Trade in Services (Martinus Nijhoff, 2008) 71, 76.
 Kevin Kennedy, ‘GATT 1994’ in Patrick Macrory, Arthur Appelton and Michael Plummer (eds), The World Trade Organization: Legal, Economic and Political Analysis (Springer, 2005) vol 1, 89, 100.
 Wolfrum, above n 72, 72.
 Ibid 74, noting that GATT art I:1 applies only to ‘customs duties, methods of levying such duties, rules and formalities in connection with importation and exportation, and matters referred to in Art III:2 and III:4 GATT 1994’, while GATS art II applies to ‘any measure covered by the agreement’.
 Appellate Body Report, Canada — Autos, WTO Doc WT/DS139/AB/R, WT/DS142/AB/R, .
 Ibid; see also Wolfrum, above n 72, 80.
 Wolfrum, above n 72, 85.
 Panel Report, EC — Bananas III, WTO Doc WT/DS27/R/USA (22 May 1997) [7.346].
 In fact, the language ‘no less favourable’ is used in the national treatment articles of both the General Agreement on Tariffs and Trade 1947 and GATS: General Agreement on Tariffs and Trade, opened for signature 30 October 1947, 55 UNTS 194 (entered into force 1 January 1948) art III:4 (‘GATT 1947’) (‘The products of the territory of any contracting party imported into the territory of any other contracting party shall be accorded treatment no less favorable than that accorded to like products of national origin’). GATS art II:1 reads:
With respect to any measure covered by this Agreement, each Member shall accord immediately and unconditionally to services and service suppliers of any other Member treatment no less favourable than it accords to like services and service suppliers of any other country.
 Appellate Body Report, EC — Bananas III, WTO Doc WT/DS27/AB/R, .
 Ibid .
 Wolfrum, above n 72, 88.
 GATS art II; see also above nn 74–8 and accompanying text.
 At the time of writing, negotiations between the EU and Australia for an Australian safe harbour were underway. If this should come to pass, this argument would no longer be valid for Australia, but would be valid for another country deemed to lack adequate data protection standards under Privacy Directive art 25.
 Regardless of whether the current negotiations for an Australian safe harbour are successful or not, Australia will retain the right to raise this second challenge, as safe harbour provisions (such as those between the US and EU) are more onerous than the free pass afforded to countries that have not yet undergone adequacy determinations. As a result, this argument also remains a viable option for the US and Canada.
 W/120, WTO Doc MTN.GNS/W/120, 3 citing CPC, UN Doc ST/ESA/STAT/SER.M/77.
 See Article 29 Data Protection Working Party, ‘Opinion 1/2008 on Data Protection Issues Related to Search Engines’, above n 47.
 CPC, UN Doc ST/ESA/STAT/SER.M/77.
 See Article 29 Data Protection Working Party, ‘Working Document: Privacy on the Internet — An Integrated Approach to On-Line Data Protection, above n 50, 21–3.
 See above nn 80–3 and accompanying text.
 GATS art VI captures those regulations which are neither discriminatory on their face nor market restrictive in the traditional sense, but which nevertheless impede trade in services. There are six sub-sections in art VI. Of those, arts VI:4–5 apply only to measures for which it could not reasonably have been expected that the time specific commitments would be listed in the schedules. As the Privacy Directive was enacted just one year after the listing of the EU’s specific commitments (the Privacy Directive was enacted in 1995 and the EU schedule was submitted to the WTO in 1994, when GATS became effective), it could have reasonably been expected that the time specific commitments would be listed in the EU schedule. This renders a discussion of these provisions beyond the scope of this article. Instead, this section will focus on an analysis of art VI:1–3 and art VI:6 by first introducing the provisions, and then providing an analysis of the Privacy Directive under each provision.
 Panagiotis Delimatsis, ‘Due Process and “Good” Regulation Embedded in the GATS — Disciplining Regulatory Behaviour in Services through Article VI of the GATS’ (2007) 10 Journal of International Economic Law 13, 28.
 Panel Report, United States — Restrictions on Imports of Cotton and Man-Made Fibre Underwear, WTO Doc WT/DS24/R (9 November 1996) [7.65] (‘US — Underwear’); see also Appellate Body Report, US — Underwear, WTO Doc WT/DS24/AB/R, AB-1996-3 (10 February 1997) .
 Panel Report, European Communities — Selected Customs Matters, WTO Doc WT/DS315/R (16 June 2006) [7.116] (‘EC — Selected Customs Matters’). The Appellate Body has further clarified that GATT art X:1’s reference to ‘of general application’ is not meant to include specific transactions or specific shipments: Appellate Body Report, European Communities — Measures Affecting the Importation of Certain Poultry Products, WTO Doc WT/DS69/AB/R, AB-1998-3 (13 July 1998) , .
 Panel Report, EC — Selected Customs Matters, WTO Doc WT/DS315/R, [7.431] n 742.
 Markus Krajewski, ‘Article VI GATS: Domestic Regulation’ in Rüdiger Wolfrum, Peter-Tobias Stoll and Clemens Feinäugle (eds), WTO: Trade in Services (Martinus Nijhoff, 2008) 165, 173–4.
 Panel Report, US — Gambling, WTO Doc WT/DS285/R (10 November 2004) [6.432].
 See GATS arts VI:1, VI:3, VI:6. See also Delimatsis, above n 37, 97.
 Delimatsis, above n 31, 97.
 See above nn 95–6.
 Privacy Directive  OJ L 281/31, art 2(a):
‘personal data’ shall mean any information relating to an identified or identifiable natural person … an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
 Article 29 Data Protection Working Party, ‘Opinion 4/2007 on the Concept of Personal Data’, above n 5, 12–4, 16–7.
 Thus fulfilling the US — Underwear standard: see Panel Report, US — Underwear, WTO Doc WT/DS24/R [7.65].
 EU Schedule, WTO Doc GATS/SC/31, 32.
 Joel P Trachtman, ‘Lessons for the GATS from Existing WTO Rules on Domestic Regulation’ in Aaditya Mattoo and Perre Sauvé (eds), Domestic Regulation and Service Trade Liberalization (Oxford University Press, 2003) 66; Joel P Trachtman, ‘Negotiations on Domestic Regulation and Trade in Services (GATS Article VI): A Legal Analysis of Selected Current Issues’ in Ernst-Ulrich Petersman (ed), Reforming the World Trading System — Legitimacy, Efficiency, and Democratic Governance (Oxford University Press, 2005) 205, 211.
 This is the EU’s definition of proportionality in the necessity context: Domestic Regulation: Necessity and Transparency, WTO Doc S/WPDR/W/14 (1 May 2001) (Communication from the European Communities and Their Member States) .
 Markus Krajewski, National Regulation and Trade Liberalization in Services (Kluwer Law International, 2003) 143.
 Article 29 Data Protection Working Party, ‘Opinion 4/2007 on the Concept of Personal Data’, above n 5, 5.
 It is a fundamental right according to the EU, and even GATS itself recognises the importance of the objective in art XIV: see GATS art XIV(c)(ii).
 Panel Report, US — Gambling, WTO Doc WT/DS285/R, [6.432]; see also Jan Wouters and Dominic Coppens, ‘GATS and Domestic Regulation: Balancing the Right to Regulate and Trade Liberalization’ in Kern Alexander and Mads Andenas (eds), The World Trade Organization and Trade in Services (Martinus Nijhoff, 2008) 207, 218.
 Privacy Directive  OJ L 281/31, art 25.
 Article 29 Data Protection Working Party, ‘Opinion 4/2007 on the Concept of Personal Data’, above n 5, 26.
 Panagiotis Delimatsis and Martin Molinuevo, ‘Article XVI GATS: Market Access’ in Rüdiger Wolfrum, Peter-Tobias Stoll and Clemens Feinäugle (eds), WTO: Trade in Services (Martinus Nijhoff, 2008) 367, 369.
 Ibid 371. GATS art XVI:1 reads:
With [r]espect to market access through the modes of supply identified in Article I, each Member shall accord services and service suppliers of any other Member treatment no less favourable than that provided for under the terms, limitations and conditions agreed and specified in its Schedule.
 Delimatsis and Molinuevo, above n 114, 371, citing Aaditya Matoo, ‘National Treatment in the GATS, Corner-Stone or Pandora’s Box?’ (1997) 31 Journal of World Trade 1, 107, 11.
 Uruguay Round — Group of Negotiations on Services — Scheduling of Initial Commitments in Trade in Services, WTO Doc MTN.GNS/W/164 (3 September 1993) (Explanatory Note) ; Panel Report, US — Gambling, WTO Doc WT/DS285/R, [6.298]; see also Panel Report, Mexico — Telecoms, WTO Doc WT/DS204/R, [7.357]–[7.358], [7.361]–[7.362], confirming the exhaustive nature of the list in XVI:2 by confirming that temporal limitations do not constitute market access limitations under that article. According to Delimatsis and Molinuevo, the chapeau of Article XVI:2 further confirms the exhaustive nature of the list contained therein with the statement ‘that “the measures which a Member shall not maintain or adopt … are defined as” the measures described by lit a–f’: ibid 375.
 The chapeau of art XVI:2 reads:
In sectors where market-access commitments are undertaken, the measures which a Member shall not maintain or adopt either on the basis of a regional subdivision or on the basis of its entire territory, unless otherwise specified in its Schedule …
 GATS arts XVI:2(a)–(d) read:
a) limitations on the number of service suppliers whether in the form of numerical quotas, monopolies, exclusive service suppliers or the requirements of an economic needs test;
b) limitations on the total value of service transactions or assets in the form of numerical quotas or the requirement of an economic needs test;
c) limitations on the total number of service operations or on the total quantity of service output expressed in terms of designated numerical units in the form of quotas or the requirement of an economic needs test;
d) limitations on the total number of natural persons that may be employed in a particular service sector or that a service supplier may employ and who are necessary for, and directly related to, the supply of a specific service in the form of numerical quotas or the requirement of an economic needs test …
 GATS art XVI:2(e) reads: ‘measures which restrict or require specific types of legal entity or joint venture through which a service supplier may supply a service’.
 GATS art XVI:2(f) reads: ‘limitations on the participation of foreign capital in terms of maximum percentage limit on foreign shareholding or the total value of individual or aggregate foreign investment’. For the division of the list into these three categories, see Delimatsis and Molinuevo, above n 114, 375–90.
 Appellate Body Report, US — Gambling, WTO Doc WT/DS285/AB/R, .
 Ibid , quoting Panel Report, US — Gambling, WTO Doc WT/DS285/R, [6.355].
 Panel Report, US — Gambling, WTO Doc WT/DS285/R, [6.338]; ibid ,  (citations omitted).
 Appellate Body Report, US — Gambling, WTO Doc WT/DS285/AB/R, [6.298].
 Delimatsis and Molinuevo, above n 114, 390–2
 Appellate Body Report, US — Gambling, WTO Doc WT/DS285/AB/R, .
 EU Schedule, WTO Doc GATS/SC/31, 32.
 Appellate Body Report, US — Gambling, WTO Doc WT/DS285/AB/R, .
 GATS art XVI:2(a).
 Ibid art XVI(2)(c).
 At this juncture, it is appropriate to note that there exists a debate in the literature regarding whether a WTO member’s schedule should be interpreted as a unilateral act or as the common intention of all the WTO members. Testing the debate with the Privacy Directive, it becomes apparent that either interpretation provides identical results — the Privacy Directive governs data processing services, which fall under the computer services sector in the 1(B)(c) heading of W/120: W/120, WTO Doc MTN.GNS/W/120, 2. The common intention of the parties is reflected in the fact that data processing is specifically listed as part of the computer sector, and specified as being part of CPC 843, which under the CPC falls under the computer-related services sector. The unilateral intention of the EU confirms that this is the appropriate classification, given that the EU specifically recognises that online data processing is part of the computer services sector: EC Telecom Classification, WTO Doc TN/S/W/27/S/CSC/W/44. Thus, with regard to the Privacy Directive, an application of both the unilateral interpretation of the schedule and the ‘common understanding’ interpretation of the schedule results in the EU committing to a listing of ‘none’ with regard to data processing. While not every context in which this issue arises will arrive at the same result, this author proposes that detailed case-by-case analysis of the appropriate interpretive method is more appropriate than applying either the common understanding or unilateral act approach across the board because upon further examination, as here, many of these issues will dissolve into non-issues.
 Geza Feketekuty, ‘Trade in Professional Services: An Overview’ (1986) 1 University of Chicago Legal Forum 1, 4 (‘The argument for free service trade is not an argument for the non-observance of local regulations designed to protect the public’); see generally Delimatsis, above n 37, 85, noting that GATS ‘aims to minimize the negative trade effects of all governmental regulatory barriers, while preserving Members’ right to regulate their economies to meet legitimate national policy objectives’. This is also reflected in the dual aims of GATS.
 Opened for signature 30 October 1947, 55 UNTS 194 (entered into force 1 January 1948) (‘GATT 1947’).
 Ibid art XX(a).
 Ibid art XX(b).
 Ibid art XX(d).
 Thomas Cottier, Panagiotis Delimatsis and Nicolas F Diebold, ‘Article XIV GATS: General Exceptions’ in Rüdiger Wolfrum, Peter-Tobias Stoll and Clemens Feinäugle (eds), WTO: Trade In Services (Martinus Nijhoff, 2008) 287, 290.
 GATS art XIV(a).
 Ibid art XIV(b).
 Cottier, Delimatsis and Diebold, above n 138, 292.
 GATS art XIV(c)(i).
 Ibid art XIV(c)(ii).
 Ibid art XIV(d)–(e).
 Appellate Body Report, US — Gambling, WTO Doc WT/DS285/AB/R, .
 Ibid .
 Ibid , quoting Appellate Body Report, Korea — Beef, WTO Doc WT/DS161/AB/R, WT/DS169/AB/R, .
 Ibid .
 Ibid .
 Ibid . It is said that the stringency of this standard ‘reflects the shared understanding of Members that substantive GATS obligations should not be deviated from lightly’.
 Cottier, Delimatsis and Diebold, above n 138, 292–3, citing Panel Report, US — Gambling, WTO Doc WT/DS285/R, [6.448]; Appellate Body Report, US — Gambling, WTO Doc WT/DS285/AB/R, .
 Ibid, citing Appellate Body Report, EC — Bananas III, WTO Doc WT/DS27/AB/R, .
 Report on the Meeting Held on 3 December 2003, WTO Doc S/WPDR/M/24 (22 January 2004) (Note by the Secretariat) ; see also Secretariat Note on Article XX, WTO Doc WT/CTE/W/53/Rev.1.
 Appellate Body Report, United States — Standards for Reformulated and Conventional Gasoline, WTO Doc WT/DS2/AB/R, AB-1996-1 (29 April 1996) 17–8 (‘US — Gasoline’).
 Appellate Body Report, Mexico — Tax Measures on Soft Drinks and Other Beverages, WTO Doc WT/DS308/AB/R, AB-2005-10 (6 March 2006)  (‘Mexico — Soft Drinks’).
 Secretariat Note on Article XX, WTO Doc WT/CTE/W/53/Rev.1, .
 Cottier, Delimatsis and Diebold, above n 138, 316.
 Ibid, citing Appellate Body Report, European Communities — Measures Affecting Asbestos and Asbestos-Containing Products, WTO Doc WT/DS135/AB/R, AB-2000-11  (‘EC — Asbestos’).
 Cottier, Delimatsis and Diebold, above n 138, 321.
 Panel Report, US — Gambling, WTO Doc WT/DS285/R, [6.566].
 See ibid [6.571]; see also Cottier, Delimatsis and Diebold, above n 138, 321.
 Appellate Body Report, US — Gambling, WTO Doc WT/DS285/AB/R, –.
 Appellate Body Report, US — Gasoline, WTO Doc WT/DS2/AB/R, 22; see ibid . With regard to arbitrary and unjustifiable discrimination, a measure will fail the scrutiny of the chapeau if it does not satisfy each of the elements of the following test from US — Shrimp: ‘the application of the measure (i) results in discrimination (ii) which is arbitrary or unjustifiable in character and (iii) occurs between countries where like conditions prevail’: Cottier, Delimatsis and Diebold, above n 138, 322 (emphasis altered) (citing Appellate Body Report, US — Shrimp, WTO Doc WT/DS58/AB/R, ; Appellate Body Report, US — Gasoline, WTO Doc WT/DS2/AB/R, 23; Panel Report, US — Gambling WTO Doc WT/DS285/R, [6.578]). With regard to a disguised restriction on trade, WTO jurisprudence interpreting this standard is generally lacking, however the Appellate Body has provided several guidelines: (1) ‘disguised trade restriction’ is a term covering arbitrary and unjustifiable discrimination as well as other measures: ibid 25; (2) concealed or unannounced restrictions can constitute a disguised restriction on trade: Cottier, Delimatsis and Diebold, above n 138, 325; see also Secretariat Note on Article XX, WTO Doc WT/CTE/W/53/Rev.1, ; (3) a measure will be found abusive under this standard of the chapeau if it ‘is in fact only a disguise to conceal the pursuit of trade-restrictive objectives [not listed in GATT art XX]’: Panel Report, EC — Asbestos, WTO Doc WT/DS135/R (18 September 2000) [8.236].
 Appellate Body Report, US — Gambling, WTO Doc WT/DS285/AB/R, .
 Ibid .
 Ibid .
 Cottier, Delimatsis and Diebold, above n 138, 322.
 Ibid 323.
 See Secretariat Note on Article XX, WTO Doc WT/CTE/W/53/Rev.1, ; see also ibid 323 (‘[T]he WTO adjudicating bodies have wide discretion when applying these elements’).
 Privacy Directive  OJ L 281/31, Preamble para 2.
 Shaffer, ‘Globalization and Social Protection’, above n 8, 50–2. Furthermore, Shaffer makes predictions about the way the Privacy Directive will comply with the rest of GATS art XIV requirements without the benefits of the last eight years of development of adequacy procedures and determinations by the Working Party and the European Commission. The new information about the details of the EU adequacy regime calls for a new, more thorough analysis of art XIV.
 Appellate Body Report, US — Gambling, WTO Doc WT/DS285/AB/R,  (concluding that the US measures do not satisfy the requirements of the chapeau).
 Cottier, Delimatsis and Diebold, above n 138, 295 (citing Appellate Body Report, Mexico — Soft Drinks, WTO Doc WT/DS308/AB/R, ; Appellate Body Report, US — Shrimp, WTO Doc WT/DS58/AB/R, ).
 Panel Report, US — Gambling, WTO Doc WT/DS285/R, [6.538]; see also Panel Report, US — Gasoline, WTO Doc WT/DS2/R, [6.33].
 Cottier, Delimatsis and Diebold, above n 138, 307.
 Appellate Body Report, Mexico — Soft Drinks, WTO Doc WT/DS308/AB/R, .
 Schwartz, above n 7, 481 n 69 (‘The Directive speaks of the need for “Community action to approximate” the data protection law of Member States. … The notions of the “approximation” and “harmonization” of national law are synonymous’); see also Privacy Directive  OJ L 281/31, Preamble; see generally George A Bermann et al, Cases and Materials on European Community Law (West Publishing, 1993) 430.
 Bermann et al, above n 184, 430.
 Cottier, Delimatsis and Diebold, above n 138, 306–7.
 Ibid 307 (citing Panel Report, US — Gambling, WTO Doc WT/DS285/R, [6.538]; Appellate Body Report, US — Gasoline, WTO Doc WT/DS2/AB/R, [6.33]).
 See Peter J Hustinx, ‘European Data Protection Supervisor, Adequate Protection — Opinion 6/99 of the Article 29 Working Party Revisited’ in Attila Péterfalvi (ed), Ten Years of DP & FOI Commissioner’s Office (The Office of the Parliamentary Commissioner for Data Protection and Freedom of Information, 2006) 251, 252.
 Article 29 Data Protection Working Party, ‘Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive’, above n 10.
 Appellate Body Report, Korea — Beef, WTO Doc WT/DS161/AB/R, WT/DS169/AB/R; Appellate Body Report, EC — Asbestos, WTO Doc WT/DS135/AB/R; Appellate Body Report, Dominican Republic — Measures Affecting the Importation and Internal Sale of Cigarettes, WTO Doc WT/DS302/AB/R, AB-2005-3 (25 April 2005) (‘Dominican Republic — Cigarettes’).
 Appellate Body Report, US — Gambling, WTO Doc WT/DS285/AB/R.
 John H Jackson, William J Davey and Alan O Sykes Jr, Legal Problems of International Economic Relations: Cases, Materials and Text on the National and International Regulation of Transnational Economic Relations (Thompson West, 5th ed, 2008) 592.
 Appellate Body Report, US — Gambling, WTO Doc WT/DS285/AB/R, ; see also Korea — Beef, WTO Doc WT/DS169/AB/R, –.
 GATS art XIV(c).
 Ibid; GATT 1947 art XX(d).
 Privacy Directive  OJ L 281/31, Preamble para 2; see also Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, opened for signature 28 January 1981, ETS No 108 (entered into force 1 October 1985) Preamble – art 1:
Considering that it is desirable to extend the safeguards for everyone’s rights and fundamental freedoms, and in particular the right to the respect for privacy, taking account of the increasing flow across frontiers of personal data undergoing automatic processing … [art 1] The purpose of this convention is to secure in the territory of each Party for every individual, whatever his nationality or residence, respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data relating to him (‘data protection’).
 International Covenant on Civil and Political Rights, opened for signature 16 December 1966, 999 UNTS 171 (entered into force 23 March 1976) art 17.
 Louis Joinet, Special Rapporteur, Revised Version of the Guidelines for the Regulation of Computerized Data Files, UN ESCOR, 46th sess, Agenda Item 14, UN Doc E/CN.4/1990/72 (20 February 1990).
 Article 29 Data Protection Working Party, ‘Transfers of Personal Data to Third Countries: Applying Articles 25 and 26 of the EU Data Protection Directive’, above n 10, 5.
 Ibid 26.
 Article 29 Data Protection Working Party, ‘Opinion 4/2007 on the Concept of Personal Data’, above n 5, 6–24; see also Cutler and Reyes, above n 50.
 Shaffer, ‘The Power of EU Collective Action’, above n 57, 433.
 Shaffer, ‘Globalization and Social Protection’, above n 8, 18.
 Directorate for Science, Technology and Industry, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (23 September 1980) Organisation for Economic Co-Operation and Development  <http://www.oecd.org/document/18/0,3343,en_2649_34255_1815186_1_1_1_1,00.html> .
 David Raj Nijhawan, ‘The Emperor Has No Clothes: A Critique of Applying the European Union Approach to Privacy Regulation in the United States’ (2003) 56 Vanderbilt Law Review 939, 954; but see Schwartz, above n 7, 483–8.
 See Safe Harbor Agreement, above n 28.
 Joinet, above n 198, 3.
 Joel R Reidenberg, ‘Resolving Conflicting International Data Privacy Rules in Cyberspace’ (2000) 52 Stanford Law Review 1315, 1356.
 Working Party on the Protection of Individuals with regard to the Processing of Personal Data, ‘Recommendation 1/99 on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware’ (Recommendation WP 17, European Commission, 23 February 1999); Article 29 Data Protection Working Party, ‘Opinion 1/98: Platform for Privacy Preferences (P3P) and the Open Profiling Standard (OPS)’ (Report WP 11, European Commission, 16 June 1998).
 The World Wide Web Consortium, The Platform for Privacy Preferences 1.0 (P3P1.0) Specification (2 November 1999) The World Wide Web Consortium (‘W3C’) <www.w3.org/TR/1999/WD-P3P-19991102>.
 Reidenberg, above n 209, 1356–7, citing Working Party on the Protection of Individuals with regard to the Processing of Personal Data, ‘Recommendation 1/99 on Invisible and Automatic Processing of Personal Data on the Internet Performed by Software and Hardware’, above n 211; Joel R Reidenberg, ‘The Use of Technology to Assure Internet Privacy: Adapting Labels and Filters for Data Protection’ (1997) 3 Lex Electronica <http://www.lex-electronica.org/articles/v3-2/reidenbe.html> .
 Reidenberg, above n 209, 1357, citing International Working Group on Data Protection in Telecommunications, ‘Common Position on Intelligent Software Agents’ (Common Position, International Working Group on Data Protection in Telecommunications, 29 April 1999); J J Borking, BMA van Eck and P Siepel, ‘Intelligent Software Agents: Turning a Privacy Threat into a Privacy Protector’ (Joint Report, Ontario Information and Privacy Commissioner and Netherlands Registratiekamer, 1999) <http://www.ipc.on.ca/images/Resources/up-isat.pdf> .
 Donald H Regan, ‘The Meaning of “Necessary” in GATT Article XX and GATS Article XIV: The Myth of Cost-Benefit Balancing’ (2007) 6 World Trade Review 347, 348. Regan argues that although subsequent Appellate Body reports pay lip-service to the official Korea — Beef weighing and balancing test, they generally follow another statement set forth by the Appellate Body in Korea — Beef: ‘the principle that a Member pursuing some legitimate domestic goal is entitled to choose for itself the level of achievement of that goal’, citing Appellate Body Report, Korea — Beef, WTO Doc WT/DS161/AB/R, WT/DS169/AB/R, , .
 In fact, it has been argued that the Appellate Body has precisely done this in each of its decisions to interpret and apply the term ‘necessary’: Korea — Beef, EC — Asbestos, US — Gambling, and Dominican Republic — Cigarettes; see generally ibid.
 Cottier, Delimatsis and Diebold, above n 138, 322.
 Ibid 323.
 Appellate Body Report, US — Shrimp, WTO Doc WT/DS58/AB/R, .
 Cottier, Delimatsis and Diebold, above n 138, 323.