On Sept. 30, representatives from the United States, Mexico and Canada concluded negotiations and released the final text of a revised North American Free Trade Agreement known as the U.S., Mexico and Canada Agreement. While the USMCA still requires passage in the legislatures of the signatory nations, final implementation would mark significant developments for data privacy, the free flow of data, and the future of APEC’s Cross-Border Privacy Rules system.
Among the major updates in the USMCA is the inclusion of a digital trade chapter. Article 19.11 of this chapter generally prohibits the restriction on the cross-border transfer of personal information between the three countries but allows that such restrictions may be imposed where necessary to achieve a “legitimate public policy objective” as long as it is applied in a fair manner that would not otherwise restrict the transfer of information greater than necessary to achieve that objective. In addition, Article 19.8 (6) specifically states that the parties “recognize that the APEC Cross-Border Privacy Rules system is a valid mechanism to facilitate cross-border information transfers while protecting personal information.”
Taken together, these two paragraphs appear to indicate that each country may implement new privacy laws that include data transfer restrictions as long as they are not applied discriminatorily and that they continue to recognize CBPRs as a viable mechanism for data transfer. This recognition ensures that participating companies can continue to use CBPRs as a transfer mechanism as privacy laws develop in the three countries in the years ahead.
This marks the second major milestone for the system in as many years, following Japan’s 2017 recognition of CBPRs as a valid transfer mechanism under its updated privacy law. Should this language be incorporated into a potential U.S.-Japan FTA, it would create a “trilateral plus one” network that could serve as a basis for further expansion and recognition in both hemispheres.
The USMCA also contemplates future cooperation on privacy matters between the signatory nations. Article 19.14 states that “[r]ecognizing the global nature of digital trade, the Parties shall endeavor to … cooperate and maintain a dialogue on the promotion and development of mechanisms, including the APEC Cross-Border Privacy Rules, that further global interoperability of privacy regimes … [and] shall consider establishing a forum to address any of the issues listed above, or any other matter pertaining to the operation of this chapter.”
This language could be used to establish a North American Privacy Forum consisting of regulators and government officials from the participating countries in order to collectively promote common understanding and shared interests in matters related to data privacy. And should this language be replicated in a potential U.S.-Japan FTA, it would seem possible to extend participation to Japanese officials, as well.
This language could be used to establish a North American Privacy Forum consisting of regulators and government officials from the participating countries in order to collectively promote common understanding and shared interests in matters related to data privacy.
Given its inclusion in the USMCA, it is important to highlight how CBPRs impact the laws in each country. Critically, CBPR participation does not and cannot displace local law. This principle is explicitly recognized in paragraph 44 of the APEC Policies, Rules and Guidelines, which stipulates that “[p]articipation in the CBPR System does not replace a participating organization’s domestic legal obligations. The commitments which an organization carries out in order to participate in the CBPR System are separate from any domestic legal requirements that may be applicable. Where domestic legal requirements exceed what is expected in the CBPR System, the full extent of such domestic law and regulation will continue to apply. Where requirements of the CBPR System exceed the requirements of domestic law and regulation, an organization will need to voluntarily carry out such additional requirements in order to participate.”
As this makes clear, CBPR participation is designed specifically to accommodate additional obligations under law — including any that may attach as a condition of an adequacy determination. This concept is further reflected in the BCR-CBPR Joint Referential, whose purpose was “to facilitate the design and adoption of personal data protection policies compliant with each of the systems.”
With recognition of the CBPR system, the USMCA has enshrined a flexible approach that can accommodate additional requirements at the local level with fixed procedures for participation and recognition at the global level. And while certification under CBPRs or any other standard should by no means be the only transfer mechanism available, given its unique attributes, it is critical that it remains a viable option in both trade agreements and regulations going forward.