For example, the question of data flows—specifically the flow of European citizens’ personal data to the US—is at the heart of disputes over the EU’s proposed Data Retention rules, the Safe Harbour agreement, and TTIP. Here’s what Article 2.1 of TISA’s e-commerce annexe would impose upon its signatories: “No Party may prevent a service supplier of another Party from transferring, [accessing, processing or storing] information, including personal information, within or outside the Party’s territory, where such activity is carried out in connection with the conduct of the service supplier’s business.”
What that means in practice is that the EU would be forbidden from requiring that US companies like Google or Facebook keep the personal data of European citizens within the EU—one of the ideas currently being floated in Germany. Article 9.1 imposes a more general ban on requiring companies to locate some of their computing facilities in a territory: “No Party may require a service supplier, as a condition for supplying a service or investing in its territory, to: (a) use computing facilities located in the Party’s territory.”
Article 6 of the leaked text seems to ban any country from using free software mandates: “No Party may require the transfer of, or access to, source code of software owned by a person of another Party, as a condition of providing services related to such software in its territory.” The text goes on to specify that this only applies to “mass-market software,” and does not apply to software used for critical infrastructure. It would still prevent a European government from specifying that its civil servants should use only open-source code for word processing—a sensible requirement given what we know about the deployment of backdoors in commercial software by the NSA and GCHQ.
But the latest leak has revealed more. The agreement would also prohibit countries from enacting free and open source software mandates. Although “software used for critical infrastructure” is already carved out from this prohibition (and so is software that is not “mass market software”, whatever that means), there are other circumstances in which a country might legitimately require suppliers to disclose their source code.
For example, one step that might be considered to improve the dire state of security of consumer routers might be to require that they be supplied with source code, so that their security could be more broadly reviewed, and third parties could contribute patches for critical vulnerabilities. Although that may sound radical, this is already required for many routers because they are based on software covered by the GNU General Public License. TISA would prohibit any such national initiative.
As in the TPP, and expanding on the earlier leaked draft, TISA also includes a prohibition on laws that require service providers to host data locally, which some countries have used to protect sensitive personal information, such as health data, from being snooped upon on foreign soil. There are arguments for and against such laws, and it is inappropriate that a secretive international agreement such as TISA should preempt these important debates.
The agreement would also require countries to introduce anti-spam laws. Although spam is bad, that doesn’t necessarily make anti-spam laws good. In practice such laws have generally been ineffective at best, and ripe for abuse at worst. As such, we believe that it would be a legitimate choice for a country to decide not to tackle this blight through legislation—a choice that TISA would remove from them.
When is the government going to learn that such treaties and agreements are not going to do a damn thing to stop the very actions the member countries are attempting to control?