News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Perspectives | How did Canada fare on privacy in the USMCA? Related reading: Why CBPR recognition in the USMCA is a significant development for privacy

rss_feed

""

""

Canadian commentators have raised alarm over provisions relating to data localization and privacy in the United States Mexico Canada Agreement on international trade. The Washington Post dramatically announced that “Experts say USMCA frees Canadian data – but with unknown risks,” while Prof. Teresa Scassa authored an opinion piece for MacLean’s Magazine titled, “The USMCA locks Canada in on digital trade – and at a worrying time.”

Ensuring that Canada would not enact additional data localization laws was an express objective of the U.S. Trade Representative from the outset of the negotiations. Indeed, given the importance of the digital economy and U.S. interest in protecting global market shares of Google, Apple, Facebook and Amazon, it is hard to imagine a realistic scenario in which Canada did not concede this point. However, the USTR was not just concerned about everyday consumer data. The USTR had its sights set specifically on ensuring that data localization laws did not crop up in the financial services sector. Canada’s Office of the Superintendent of Financial Institutions is in the process of considering the implications of cloud computing to the financial services sector and one thing that the U.S. wanted to be certain of is that there would be no prohibition on cross-border data transfers.

The USTR had its sights set specifically on ensuring that data localization laws did not crop up in the financial services sector.

The USTR met its objective in ensuring that Canada conceded the data localization point. But that does not mean that Canada gave away the farm or that it no longer has regulatory autonomy, as some commentators seem to suggest. There is no doubt that Canada’s ability to enact barriers to trade through data protection laws has been constrained, but preventing barriers to trade is generally the point of a free trade agreement!

Certainly, it would be wrong to dismiss the concerns of advocates for data localization. There are very good reasons to require data about Canadians to remain in Canada. The government has a legitimate interest in protecting the data of its citizens and residents from misuse and there has yet to be a reliable method for Canadians to seek redress in the United States from misuse of data.

So, stepping back, how did Canada really do?

Sensitive government information

Canada has few laws expressly requiring data localization. The British Columbia Freedom of Information Protection of Privacy Act and the Nova Scotia Personal Information International Disclosure Act are frequently cited as examples. However, these laws apply to personal information in the custody or control of public bodies.

Are these types of laws protecting government information still permitted by the USMCA? Probably. Article 13.11 of the USMCA specifically states that “this Chapter is not intended to preclude a Party, or its procuring entities, from preparing, adopting or applying technical specifications required to protect sensitive government information, including specifications that may affect or limit the storage, hosting or processing of such information outside the territory of the Party.” “Sensitive information” is not defined.

No doubt the Canadian negotiators had the Treasury Board Secretariat’s IT Policy Implementation Notice in mind when negotiating the USMCA. The policy requires all sensitive electronic data under government control, that has been categorized as Protected B, Protected C or is Classified, to be stored in a Government of Canada-approved computing facility located within the geographic boundaries of Canada. Examples of Protected B data include medical information, information protected by solicitor-client or litigation privilege, and information received in confidence from other government departments and agencies.

The USMCA does not appear to require any change to that policy. A similar policy could be implemented by provinces concerned about the location of their data. Moreover, by leaving open the definition of sensitive government information, it is possible that localization requirements could also apply to Protected A data, which is defined as information that could cause injury to an individual, organization or government if it were improperly disclosed, such as addresses, age, race, date of birth, and unique identifiers such as social insurance number.

Financial services

As mentioned, data localization in the financial services area was a hot-button issue for the USTR. However, there is no evidence that it was a hot-button issue for Canadian financial institutions. OSFI might have cared to keep data in Canada but without a vocal partner in the Office of the Privacy Commissioner of Canada or the Canadian Bankers Association, there was very little pressure on the Canadian government to fight the U.S. on this point.

With little opposition, the USTR obtained two important concessions. First, Canada cannot require financial institutions to use computing facilities in Canada. There is a caveat. OSFI or other applicable financial regulatory authorities must be able to have “immediate, direct, complete and ongoing access to information processed or stored on computing facilities” used by the financial institution in the United States or Mexico. Second, OSFI or the applicable regulator must provide a financial institution with an opportunity to remediate a lack of access (to the extent practicable) before requiring the use of computing facilities in Canada.

However, this doesn’t mean that Canada has ceded its ability to regulate. Canadian regulators still have three important powers that are expressly conceded by the United States.

First, the notes to Article 17.21 suggest that Canadian regulators could require that financial services institutions to obtain prior authorization from their regulator to designate particular enterprises as recipients of information. It is uncertain what this may mean in practice. One possible scenario is that OSFI might require pre-approval to send data to a cloud computing provider in the United States. This would allow OSFI to ensure standardization of contractual terms and technical requirements and to monitor concentration risk if financial services institutions are all using the same provider.

Second, the notes to Article 17.21 also suggest that OSFI or the applicable regulator retains the power to adopt or maintain measures relating to business continuity planning practices with respect to the maintenance and the operation of computing facilities. This seems to leave the door open for OSFI to adopt more robust regulatory requirements with respect to the use of cloud computing services in the financial services sector.

Finally, Canada retains the ability to adopt or maintain measures to protect personal privacy and the confidentiality of individual records and accounts. This preserves the ability of OSFI and the Office of the Privacy Commissioner of Canada to impose privacy measures, such as an encryption requirement that requires the financial institution to hold the key in Canada.

Digital trade

The USTR also succeeded in prohibiting data localization in digital trade generally. Canada has agreed that it will not require businesses to use or locate computing facilities in Canada as a condition for conducting business in Canada. In addition, Canada has agreed that it will not prohibit or restrict the cross-border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business.

However, even here, Canada managed to preserve a measure of regulatory autonomy. Canada is free to adopt or maintain a measure that restricts international data transfers if it is “necessary to achieve a legitimate public policy objective” provided the measure meets two criteria. First, the measure cannot be applied in a manner that would be arbitrary or unjustifiable discrimination or a disguised restriction on trade. Second, the measure cannot be greater than necessary to achieve the objective.

This is entirely consistent with Canada’s current approach to data transfers under PIPEDA. Canada has used the same rules for intra-country transfers as for international transfers. The focus is on the protection of the data in the custody of the recipient rather than the location of the recipient. The carveout in the USMCA permits the government to enact more stringent requirements on data transfers provided that these apply to domestic and U.S.-Mexico recipients as well.

But there is more. At the end of Article 19.8, there is a hint of potentially more to come. Canada, the U.S. and Mexico expressly stated that they “recognize that the APEC Cross Border Privacy Rules system is a valid mechanism to facilitate cross-border information transfers while protecting personal information.” It may be possible for Canada to require compliance with the CBPR system as part of international data transfers. For more on the CBPR, see the IAPP’s GDPR matchup: The APEC Privacy Framework and Cross-Border Privacy Rules and Joshua Harris's piece from Oct. 10. 

The missing piece

Overall, Canada appears to have ensured that it retains some regulatory freedom even if it conceded the data localization point as a general principle. It would be unfair to criticize the Canadian government for conceding data localization given the context in which it was negotiating and the fact that it is, after all, a free-trade agreement. Requiring data to be kept in Canada would be a major impediment to trade.

However, if there is a missing piece, it is the lack of a strong, accessible mechanism for Canadians to obtain redress in the event of misuse of their data. There is a general commitment in Article 19.14 to cooperate with respect to enforcement and compliance regarding personal information protection. There is also a general commitment in Article 32.8 for parties to “endeavor to adopt non-discriminatory practices in protecting natural persons from personal information protection violations occurring within its jurisdiction.” But there is little in the way of a substantive commitment to ensure that Canadians have a direct ability to seek redress, although the CBPR system could provide an answer.

If the government becomes serious in modernizing PIPEDA, the USMCA has carved out the available paths to improve privacy protections for Canadian data transferred to the U.S. and Mexico.

Top image: From Wikipedia.

Author
Headshot Timothy Banks IAPP Member Contributor
Tags
Government
Canada
Privacy Law
Privacy Opinion
Transborder Data Flow
Comments

If you want to comment on this post, you need to login.

Related Stories
Related Stories
Tags
Government
Canada
Privacy Law
Privacy Opinion
Transborder Data Flow
Recent Comments