Canadian commentators have raised alarm over provisions relating to data localization and privacy in the United States Mexico Canada Agreement on international trade. The Washington Post dramatically announced that “Experts say USMCA frees Canadian data – but with unknown risks,” while Prof. Teresa Scassa authored an opinion piece for MacLean’s Magazine titled, “The USMCA locks Canada in on digital trade – and at a worrying time.”

Ensuring that Canada would not enact additional data localization laws was an express objective of the U.S. Trade Representative from the outset of the negotiations. Indeed, given the importance of the digital economy and U.S. interest in protecting global market shares of Google, Apple, Facebook and Amazon, it is hard to imagine a realistic scenario in which Canada did not concede this point. However, the USTR was not just concerned about everyday consumer data. The USTR had its sights set specifically on ensuring that data localization laws did not crop up in the financial services sector. Canada’s Office of the Superintendent of Financial Institutions is in the process of considering the implications of cloud computing to the financial services sector and one thing that the U.S. wanted to be certain of is that there would be no prohibition on cross-border data transfers.

The USTR had its sights set specifically on ensuring that data localization laws did not crop up in the financial services sector.

The USTR met its objective in ensuring that Canada conceded the data localization point. But that does not mean that Canada gave away the farm or that it no longer has regulatory autonomy, as some commentators seem to suggest. There is no doubt that Canada’s ability to enact barriers to trade through data protection laws has been constrained, but preventing barriers to trade is generally the point of a free trade agreement!

Certainly, it would be wrong to dismiss the concerns of advocates for data localization. There are very good reasons to require data about Canadians to remain in Canada. The government has a legitimate interest in protecting the data of its citizens and residents from misuse and there has yet to be a reliable method for Canadians to seek redress in the United States from misuse of data.

So, stepping back, how did Canada really do?

Sensitive government information

Canada has few laws expressly requiring data localization. The British Columbia Freedom of Information Protection of Privacy Act and the Nova Scotia Personal Information International Disclosure Act are frequently cited as examples. However, these laws apply to personal information in the custody or control of public bodies.

Are these types of laws protecting government information still permitted by the USMCA? Probably. Article 13.11 of the USMCA specifically states that “this Chapter is not intended to preclude a Party, or its procuring entities, from preparing, adopting or applying technical specifications required to protect sensitive government information, including specifications that may affect or limit the storage, hosting or processing of such information outside the territory of the Party.” “Sensitive information” is not defined.

No doubt the Canadian negotiators had the Treasury Board Secretariat’s IT Policy Implementation Notice in mind when negotiating the USMCA. The policy requires all sensitive electronic data under government control, that has been categorized as Protected B, Protected C or is Classified, to be stored in a Government of Canada-approved computing facility located within the geographic boundaries of Canada. Examples of Protected B data include medical information, information protected by solicitor-client or litigation privilege, and information received in confidence from other government departments and agencies.

The USMCA does not appear to require any change to that policy. A similar policy could be implemented by provinces concerned about the location of their data. Moreover, by leaving open the definition of sensitive government information, it is possible that localization requirements could also apply to Protected A data, which is defined as information that could cause injury to an individual, organization or government if it were improperly disclosed, such as addresses, age, race, date of birth, and unique identifiers such as social insurance number.

Financial services

As mentioned, data localization in the financial services area was a hot-button issue for the USTR. However, there is no evidence that it was a hot-button issue for Canadian financial institutions. OSFI might have cared to keep data in Canada but without a vocal partner in the Office of the Privacy Commissioner of Canada or the Canadian Bankers Association, there was very little pressure on the Canadian government to fight the U.S. on this point.

With little opposition, the USTR obtained two important concessions. First, Canada cannot require financial institutions to use computing facilities in Canada. There is a caveat. OSFI or other applicable financial regulatory authorities must be able to have “immediate, direct, complete and ongoing access to information processed or stored on computing facilities” used by the financial institution in the United States or Mexico. Second, OSFI or the applicable regulator must provide a financial institution with an opportunity to remediate a lack of access (to the extent practicable) before requiring the use of computing facilities in Canada.

However, this doesn’t mean that Canada has ceded its ability to regulate. Canadian regulators still have three important powers that are expressly conceded by the United States.

First, the notes to Article 17.21 suggest that Canadian regulators could require that financial services institutions to obtain prior authorization from their regulator to designate particular enterprises as recipients of information. It is uncertain what this may mean in practice. One possible scenario is that OSFI might require pre-approval to send data to a cloud computing provider in the United States. This would allow OSFI to ensure standardization of contractual terms and technical requirements and to monitor concentration risk if financial services institutions are all using the same provider.

Second, the notes to Article 17.21 also suggest that OSFI or the applicable regulator retains the power to adopt or maintain measures relating to business continuity planning practices with respect to the maintenance and the operation of computing facilities. This seems to leave the door open for OSFI to adopt more robust regulatory requirements with respect to the use of cloud computing services in the financial services sector.

Finally, Canada retains the ability to adopt or maintain measures to protect personal privacy and the confidentiality of individual records and accounts. This preserves the ability of OSFI and the Office of the Privacy Commissioner of Canada to impose privacy measures, such as an encryption requirement that requires the financial institution to hold the key in Canada.

Digital trade

The USTR also succeeded in prohibiting data localization in digital trade generally. Canada has agreed that it will not require businesses to use or locate computing facilities in Canada as a condition for conducting business in Canada. In addition, Canada has agreed that it will not prohibit or restrict the cross-border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business.

However, even here, Canada managed to preserve a measure of regulatory autonomy. Canada is free to adopt or maintain a measure that restricts international data transfers if it is “necessary to achieve a legitimate public policy objective” provided the measure meets two criteria. First, the measure cannot be applied in a manner that would be arbitrary or unjustifiable discrimination or a disguised restriction on trade. Second, the measure cannot be greater than necessary to achieve the objective.

This is entirely consistent with Canada’s current approach to data transfers under PIPEDA. Canada has used the same rules for intra-country transfers as for international transfers. The focus is on the protection of the data in the custody of the recipient rather than the location of the recipient. The carveout in the USMCA permits the government to enact more stringent requirements on data transfers provided that these apply to domestic and U.S.-Mexico recipients as well.

But there is more. At the end of Article 19.8, there is a hint of potentially more to come. Canada, the U.S. and Mexico expressly stated that they “recognize that the APEC Cross Border Privacy Rules system is a valid mechanism to facilitate cross-border information transfers while protecting personal information.” It may be possible for Canada to require compliance with the CBPR system as part of international data transfers. For more on the CBPR, see the IAPP’s GDPR matchup: The APEC Privacy Framework and Cross-Border Privacy Rules and Joshua Harris's piece from Oct. 10. 

The missing piece

Overall, Canada appears to have ensured that it retains some regulatory freedom even if it conceded the data localization point as a general principle. It would be unfair to criticize the Canadian government for conceding data localization given the context in which it was negotiating and the fact that it is, after all, a free-trade agreement. Requiring data to be kept in Canada would be a major impediment to trade.

However, if there is a missing piece, it is the lack of a strong, accessible mechanism for Canadians to obtain redress in the event of misuse of their data. There is a general commitment in Article 19.14 to cooperate with respect to enforcement and compliance regarding personal information protection. There is also a general commitment in Article 32.8 for parties to “endeavor to adopt non-discriminatory practices in protecting natural persons from personal information protection violations occurring within its jurisdiction.” But there is little in the way of a substantive commitment to ensure that Canadians have a direct ability to seek redress, although the CBPR system could provide an answer.

If the government becomes serious in modernizing PIPEDA, the USMCA has carved out the available paths to improve privacy protections for Canadian data transferred to the U.S. and Mexico.

Top image: From Wikipedia.