Cross-Border Data Transfers in Financial Services: The EU’s New Regulatory Approach
Over the past year, the European Commission has generated an ever-expanding number of legislative proposals designed to make Europe “fit for the digital age”, in the words of Commission President Ursula von der Leyen. International attention has focused most on two that would affect how large digital platform companies offer their services within the EU – the Digital Services Act and the Digital Markets Act – and on a third (the Data Governance Act[i]) that would establish a complex regulatory regime for the transfer of government-held non-personal data to third countries.
Less noticed, outside of specialist circles, have been Commission proposals to reform existing EU sectoral regulations in light of changes wrought by digital technologies. A prime example is the proposal for a regulation on digital operational resilience for the financial sector (DORA), introduced in September 2020 and now making its way through the EU’s legislative process. Several provisions of this complex regulation threaten the ability of ICT companies lacking a business presence in the EU to provide services for EU financial entities, including data processing and data transfers.
Financial regulators across the globe first began to worry about the dispersal of bank-related data across national borders in the aftermath of the 2008 global financial crisis. In the ensuing decade, use of ICT services in the financial sector has only grown – for example in remote banking – and concern has shifted primarily to the potential impact of systemic vulnerabilities.[ii]
In the years following 2008, the EU adopted legislation that “primarily strengthened the financial resilience of the EU financial sector, only addressing ICT risks indirectly in some areas.”[iii] However, “ICT risks nevertheless continue to pose a challenge to the operational resilience, performance and stability of the EU financial system,”[iv] the Commission believes. EU member states began to adopt piecemeal digital operational resilience rules to fill the gap, now leading the Commission to propose a level of harmonization across the Union. Several provisions in DORA are aimed specifically at ensuring harmonized regulatory oversight of third-party ICT providers, some of whom may be located outside the EU.
Although DORA would not directly restrict cross-border data transfers between banks and third-party ICT providers, several of its provisions nevertheless would lead to that result indirectly, by limiting banks’ use of third-party providers’ services if they are supplied from outside the EU. This article explores the nature of the restrictions, and the questions they raise under non-discrimination obligations contained in international trade law. One provision appears ripe for challenge under the EU’s WTO and bilateral obligations for services trade.
Regulating Third-Party ICT Service Providers Under DORA
The new framework, which is set forth in the “Managing of ICT Third-Party Risk” chapter of DORA,[v] has several objectives: establishing rules for how EU-based financial entities must monitor risks arising from their use of third-party ICT providers; imposing certain limitations on EU-based financial entities’ outside contractual relations; and vesting harmonized oversight powers in financial regulators.
Three provisions would have an impact outside the EU. The first, Article 26(2), would impose special obligations on a financial entity in the European Union whose contracts with an ICT third-party service provider established in the EU allow that EU-based ICT provider to sub-contract critical or important functions to another ICT provider established in a non-EU third country. In that circumstance, the EU financial entity must assess whether and how “potentially long or complex chains of sub-contracting may impact their ability to fully monitor the contracted functions and the ability of the competent authority to effectively supervise the financial entity in that respect.”[vi] The EU-based financial entity must pay particular attention to foreign law to which the sub-contractor is subject, including data protection law. Although an ICT sub-contractor’s foreign status is not per se disqualifying, the provision does appear to establish a presumption that choice of such a foreign-based entity is a complicating factor for an EU-based financial entity.[vii]
A second provision deals with ‘critical’ ICT third-party service providers, which are defined in terms of their size, systemic importance, and indispensability; the major US cloud service providers that do business in Europe likely would fall into this category.[viii] Article 28(9) proposes an absolute bar: “Financial entities shall not make use of an ICT third-party service provider established in a third country that would be designated as critical…if it were established in the Union.”[ix] A company falls into this category if it is not legally established in the EU and also “has not set up business/presence in the Union.”[x] In other words, financial entities in the EU may not utilize companies without a business presence in the EU for critical ICT services.
No textual reason is offered for this restriction. One presumes that the Commission considers the ICT provider’s incorporation or business presence in an EU member state as a sufficient legal basis for a European financial regulator to exercise jurisdiction over the ICT provider and demand data from it, if necessary. At the same time, the drafters were expressly at pains to stress what the local establishment provision is not – a data localization requirement. As an introductory recital to the legislation states: “The requirement of legal incorporation in the Union of ICT third-party service providers which have been designated as critical does not amount to data localization since this Regulation does not entail any further requirement on data storage or processing to be undertaken in the Union.”[xi] This emphatic statement appears to have been inserted at a late stage of drafting, after an explicit requirement that third-party ICT providers store data within the EU was removed from earlier versions.
Additionally, Article 31(1)(d) of the regulation would empower financial oversight regulators to recommend future measures addressing risks resulting from chains of ICT third-party contractors. An ICT provider established in the EU could be advised not to conclude further sub-contracts if the sub-contractor is established in a third country and would perform critical or important work on behalf of the financial entity.[xii] The prospect of such a power being invoked thus hangs over the heads of ICT third-party contractors already established in the EU, and it may force them into additional due diligence requirements for further outsourcing.
DORA From the Perspective of International Trade Law
The Commission’s proposal discriminates among ICT third-party service providers on the basis of their nationality, most clearly in Article 28(9). The EU is a member of the World Trade Organization (WTO) and party to bilateral trade agreements containing rules on treatment of such companies. This section looks first at relevant WTO law and jurisprudence, and then at the EU’s new generation of bilateral agreements protecting the cross-border provision of services, to ascertain whether DORA runs afoul of those international obligations.
The General Agreement on Trade in Services (GATS), part of the body of WTO law, is the governing multilateral legal framework. WTO members commit to accord national treatment, among other obligations, to services and service providers of any other member.[xiii] Members do so, however, only to the extent they have agreed in sector-specific schedules. The EU has undertaken full commitments to provide national treatment for third country providers of computer and related services (CRS), a category which would likely cover the ICT service providers addressed in the DORA proposal.
There is little WTO case-law applying the GATS obligations to ICT services, however. One of the few cases involved a complaint brought by the United States against China for a legal requirement preventing foreign suppliers of electronic payment services from conducting payment card transactions in China denominated in Chinese currency.[xiv] The WTO’s dispute settlement panel ruled that China’s restrictions on third country providers violated its national treatment obligations.
The conclusion reached in the China – Electronic Payment Services case would appear to apply equally to a provision of EU law discriminating on the basis of nationality against non-EU ICT third-party service providers offering their services to financial institutions in EU territory. Article 28(9) DORA entails nationality-based discrimination because it would deny a ‘critical’ ICT third-party service provider that is established in a third country and lacks a business presence in the EU the opportunity to obtain contracts from a financial entity in the EU. In a case of such potential discrimination, it is necessary to determine whether one of the exceptions also included in GATS applies. Although none of the general exceptions set forth in GATS Article XIV are obviously applicable in these circumstances, several are broadly drawn, including the one most likely, for measures relating to “the prevention of deceptive and fraudulent practices or to deal with the effects of a default on services contracts.”[xv]
DORA’s discrimination against critical ICT third-party service providers without business links in the EU conceivably could be viewed as serving a broad regulatory anti-fraud rationale, although it would be a novel invocation of that general exception. A party invoking an exception also must meet other prerequisites. It must demonstrate that the measure in question is not “a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade in services….”[xvi] These requirements, set out in the chapeau to Article XIV, are intended to be rigorous, and they often loom large in the thinking of WTO members contemplating reliance on a general exception.
The closest litigated precedent comes from a case brought against financial, tax, foreign exchange and registration measures that Argentina had imposed on services and service suppliers from certain countries that did not exchange information with it for the purposes of fiscal transparency.[xvii] The WTO’s Appellate Body rejected Argentina’s invocation of the general exception for prevention of deceptive and fraudulent practices, finding that its government had failed to meet the non-arbitrariness criterion of the Article XIV chapeau.
The Appellate Body also examined – and rejected – Argentina’s claim that two of its measures, which fell within the scope of the separate obligations contained in the GATS Annex on Financial Services, could be justified by the exception contained in that Annex allowing measures taken “for prudential reasons”.[xviii] Unlike Argentina, the EU would not be able to invoke the GATS prudential exception in a challenge to DORA, because Article 28(9) DORA affects the cross-border supply of ICT (or ‘computer and related’) services and not financial services.
A weakness of the GATS, concluded in 1994, is that it contains no general protection for international data transfers, which is often a vital consideration for ICT service providers. Only with respect to financial services providers did WTO Members allow for commitments on data transfers. The Understanding on Commitments in Financial Services bars members that have implemented this Understanding in their services schedules, which includes most EU member states, from taking measures “that prevent transfers of information or the processing of financial information, including transfers of data by electronic means…where such transfers of information…are necessary for the conduct of the ordinary business of a financial service supplier.”[xix] However, these commitments could not be directly relied upon in a case involving computer and related services.
In sum, it appears that a challenge could be brought to the bar Article 28(9) imposes on EU financial institutions from contracting with critical ICT third-party providers established outside the EU. The EU’s burden in defending this measure would be all the greater since it offers no express rationale for the prohibition, and parties invoking exceptions have the burden of proof under WTO practice. Such a case nevertheless would pose challenges, since the structure of WTO Members’ services schedules does not reflect the contemporary ICT world, the distinctions drawn between ICT and financial service providers are no longer crystal-clear, and relevant precedent from the GATS dispute settlement process is very limited.
A look at the obligations that the EU has undertaken to accord national treatment to providers of ICT services through its bilateral free trade agreements (FTAs) leads to the same conclusion about DORA. For example, its 2017 Comprehensive Economic and Trade Agreement with Canada (CETA) guarantees a Canadian supplier of critical ICT services the right to offer its services to EU financial institutions. If barred from doing so by Article 28(9) of DORA, Canada would appear to have recourse to pursue a claim of discrimination on the company’s behalf via CETA’s dispute settlement mechanism.[xx] The EU also has assumed similar national treatment obligations towards providers of cross-border ICT services in its recent FTAs with the United Kingdom[xxi], Japan[xxii] and Singapore[xxiii].
The United States sought to establish similar rules with the European Union through the Transatlantic Trade and Investment Partnership (TTIP) negotiations. The abandonment of those talks at the outset of the Trump Administration means that WTO rules are the only ones applicable for US ICT service providers in the European Union.
US FTAs take a broadly similar approach to those of the European Union by prohibiting nationality-based discrimination with respect to cross-border provision of ICT services. The chapter on cross-border services trade of the US-Mexico-Canada Agreement (USMCA), for example, contains an obligation to provide national treatment.[xxiv] Its digital trade chapter goes a step further, specifically guaranteeing cross-border transfers of information for business purposes.[xxv] A government may, however, impose limitations on data transfers in order to achieve a “legitimate public policy objective,” if it does so in accordance with the previously-noted WTO conditions, i.e. avoidance of arbitrary or unjustifiable discrimination or a disguised restriction on trade, and tailoring of the restriction to the least extent necessary.[xxvi]
The USMCA’s separate financial services chapter contains a provision suggesting that trade negotiators grappled with the regulatory dilemma that underlies the EU’s DORA proposal. Article 17.18 acknowledges that financial regulators need “immediate, complete, and ongoing access” to information on financial institutions, “including information underlying the transactions and operations of such persons.”[xxvii] A USMCA Party may not require a financial institution to localize data as a condition of doing business in another party’s territory, however, so long as the other party’s financial regulators have access to the needed information if located outside the regulator’s territory.[xxviii] Although this obligation only applies to financial institutions themselves – and not to their cross-border ICT service providers – it is a promising concept for balancing the interests of banking regulators and the business models of ICT providers.
As Europe’s financial sector turns increasingly to third party ICT providers to manage its operations, digital operational resilience has become a timely subject for regulation. The European Commission has included in the proposed DORA provisions that would require special scrutiny of non-EU service providers, and, in one situation, simply prohibit such companies’ activities if they do not have a business presence within the European Union. But by failing clearly to articulate the regulatory reasons for these nationality-based requirements, the Commission has invited speculation that it may be favoring EU-based providers for competitive reasons.
As a result, the EU could face discrimination claims under international trade law. It has committed to provide national treatment for ICT services under the GATS and several bilateral FTAs, and the exceptions to these obligations do not neatly fit the potential regulatory rationale in DORA. Since the EU legislature is at an early stage of considering the Commission’s DORA proposal, there is still time to address these issues.
Indeed, it appears that reservations about these dimensions of the Commission’s DORA proposal have begun to surface as legislative scrutiny commences in the Council, composed of member state representatives, and the European Parliament. Several important European financial jurisdictions, including Luxembourg, have proposed amendments to avoid the effect of excluding major foreign ICT providers from the European financial services market, and one of the parliamentary rapporteurs on the legislation has voiced similar concerns.[xxix]
In sum, the proposed DORA legislation needs at a minimum to better articulate how the proposed limitations on third party ICT providers located outside its territory comport with non-discrimination obligations in trade law or may be justified by relevant exceptions. The EU also should consider if there are better paths that can respect cross-border data flows as well as the interests of financial regulation. The importance of cross-border data transfers in the financial sector deserves further reflection in Brussels.
These statements are attributable only to the authors, and their publication here does not necessarily reflect the view of the Cross-Border Data Forum or any participating individuals or organizations.
[i] These legislative proposals are well-discussed in Theodore Christakis, ‘European Digital Sovereignty’: Successfully Navigating Between the ‘Brussels Effect’ and Europe’s Quest for Strategic Autonomy, SSRN.
[ii] Commission Staff Working Document, Executive Summary of the Impact Assessment Accompanying COM (2020) 595, September 24, 2020.
[iii] Proposal for a Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (DORA), COM (2020) 595, Explanatory Memorandum.
[v] Id., Chapter V.
[vi] Id., Article 26(2).
[vii] Instructing EU-based financial entities to ensure compliance with data protection obligations at the level of their foreign ICT sub-contractors reflects a logic similar to that of the EU’s General Data Protection Regulation (GDPR). Article 28(4) GDPR requires data processors to ensure that their sub-processors contractually adhere to GDPR protections.
[viii] DORA, supra, Article 28(2).
[ix] Id., Article 28(9).
[x] Id., Article 3(19).
[xi] Id., Recital 58.
[xii] Id., Article 31(1)(d)(iv).
[xiii] General Agreement on Trade in Services (GATS), Article XVII (National Treatment). The GATS Agreement forms Annex IB of the Marrakesh Agreement Establishing the World Trade Organization, April 15, 1994.
[xiv] WTO Panel report, China – Certain Measures Affecting Electronic Payment Services, WT/DS413/R, adopted August 31, 2012.
[xv] Id., Article XIV(c)(i) (General Exceptions). Another exception, Article XIV(a), allows measures necessary to “maintain public order,” invokable only where a genuine and sufficiently serious threat is posed to one of the fundamental interests of society. Article XV sets forth ‘essential security’ exceptions, but these are viewed as relating to military and other aspects of national security.
[xvi] Id., Article XIV, Chapeau.
[xvii] WTO Appellate Body Report and Panel Report, Argentina – Measures Relating to Trade in Goods and Services, WT/DS453/AB/R and WT/DS453/R, adopted May 9, 2016.
[xviii] GATS Annex on Financial Services, paragraph 2.
[xix] WTO Understanding on Commitments in Financial Services, paragraph B.8.
[xx] Comprehensive Economic and Trade Agreement between the European Union and Canada (CETA), September 21, 2017, Article 9.3.
[xxi] Trade and Cooperation Agreement Between the European Union and the United Kingdom of Great Britain and Northern Ireland, December 31, 2020, Article SERVIN 3.4.
[xxii] Agreement Between the European Union and Japan for an Economic Partnership, February 1, 2019, Article 8.16.
[xxiii] Free Trade Agreement Between the European Union and the Republic of Singapore, November 21, 2019, Article 8.6.
[xxiv] Agreement between the United States of America, the United Mexican States, and Canada (USMCA), July 1, 2020, Article 15.3.
[xxv] Id., Article 19.11.
[xxvii] Id., Article 17.18.
[xxix] “EU banking cloud rules see digital and financial regulatory cultures collide,” Jack Schickler and Mathew Newman, MLex, February 5, 2021.