How the TPP could impact regulation of everything from cars to medical devices

The Trans-Pacific Partnership, a mammoth deal the Obama administration finished negotiating last month, doesn’t just deal with trade in physical goods. It also establishes a number of new rules governing how countries from Canada to Vietnam regulate the digital economy.

Like most parts of the TPP, the new rules on electronic commerce largely reflect the priorities of US industry — in this case, large technology companies. Most of these rules — including protections for the free flow of information, a ban on requiring information to be hosted locally, and restrictions on taxes for digital goods — seem sensible.

But the TPP also contains a major provision with implications for how governments can regulate “smart” products — potentially everything from cars to medical devices — in an increasingly software-intensive world. On its face, the rule doesn’t seem to have very much to do with trade at all.

It’s worth asking whether it makes sense for these kinds of rules to be determined by a trade deal that was negotiated in secret and might remain in force for decades. If rules that seem sensible today become outdated in a decade or two, it won’t be easy for the US or other countries to back out.

Like other recent trade deals, the TPP is a vehicle for helping powerful US interests write the rules of the global economy. With US technology firms becoming increasingly powerful in Washington — and increasingly influential at the Office of the US Trade Representative, which negotiates trade deals — it’s not surprising that the TPP included many provisions favored by US technology companies.

US technology companies have prospered on the free and open internet. So US negotiators sought — and got — language guaranteeing that TPP member countries will not impede the free flow of information across national borders.

Major technology companies such as Yahoo and Microsoft also worry that they could be forced to locate servers locally within each country where they do business. Some countries like to impose this type of requirement because it’s easier to regulate servers that are physically located within their territory. However, these requirements can be a big burden for companies that do business in dozens of countries around the world, and if such data localization requirement become commonplace, it could undermine the internet’s character as a seamless global network.

The TPP gives internet providers remedies against these localization requirements. Under the TPP, no country can require that servers be located within the country in order to provide online services there. On the other hand, countries are allowed to regulate server locations if they do so for a “legitimate public policy objective” and the regulations are narrowly focused on that objective.

While some countries — such as China — require data localization for authoritarian reasons, others do it in an attempt to protect their citizens’ privacy. The Canadian legal scholar Michael Geist, for example, has warned that the TPP could force the provinces of British Columbia and Nova Scotia to modify privacy laws requiring certain types of data to be stored locally.

The TPP also requires countries to participate in the fight against spam. They must either provide mechanisms for recipients to unsubscribe from spam messages or require spammers to seek the consent of recipients before sending out spam.

Perhaps the most controversial of the TPP’s e-commerce requirements is language protecting the confidentiality of software source code. Source code is to computer programs what blueprints are to buildings — they provide the technical details necessary to understand and modify how software works. For this reason, many software companies treat source code as closely guarded secrets.

Industry groups such as the Information Technology Industry Council worry that government agencies could use source code disclosure rules as a method of industrial espionage on behalf of homegrown software firms. A government could require American companies such as Microsoft or Adobe to disclose their source code and then hand it off to local companies to help them produce knockoff versions of their products.

When I asked the ITIC for examples of this problem, it wasn’t able to name any among TPP countries. But it said this has been a problem in Indonesia, a country in the region that might want to join the TPP in the future.

The objective of preventing industrial espionage seems reasonable, but this requirement could also hamper legitimate regulatory efforts. Take Volkswagen’s emissions scandal as an example. Volkswagen’s vehicles had special software to detect when it was in a testing facility and modify the car’s behavior emit less pollution.

There are many ways regulators could try to detect this kind of cheating. But one possibility would be for the Environmental Protection Agency to require carmakers to disclose the source code for onboard software for certain key components. Auditing this source code could not only help detect cheating but could also help investigators identify other flaws in vehicle emissions systems.

Another example: Medical devices such as pacemakers increasingly include embedded software that could have bugs or even be vulnerable to hacking. While source code audits are not currently part of the Food and Drug Administration’s process for approving medical devices, we might want to make that a part of the process in the future.

Breathalyzers are a third example. These machines for catching drunk drivers are increasingly likely to be digital devices powered by software, and there’s an active debate about whether defendants have a right to access the source code for these devices to see if they might be making diagnostic mistakes.

Of course, reasonable people can disagree about whether source code disclosure makes sense in any of these specific cases. But as software affects more aspects of our lives, it seems likely that there will be at least some cases where access to source code will help regulators do their jobs. Permanently barring governments from mandating source code disclosure seems shortsighted.

To be fair, it’s possible the TPP will provide an exception that could allow regulators to access source code in some cases. The e-commerce chapter is subject to a provision of the 1994 GATT agreement that allows countries to adopt measures that are necessary to protect human life and health. We don’t know how broadly this exception would apply. Opponents of disclosure might argue that access to source code wasn’t strictly necessary for protecting health and safety.

The broader question is whether it makes sense to settle questions like this in a trade treaty at all. Traditionally, questions about how to regulate air pollution and medical device safety have rested with our elected representatives in Congress.

Deals like the TPP effectively curtail Congress’s authority, potentially committing the country to abide by its rules for decades to come. That deprives us of the option to change our minds about the propriety of source code disclosure or data localization rules in the future. Even if the rules seem sensible today, we may come to regret them in the future.