- Trade agreements invariably involve trade-offs. Including data governance as yet another trade-related issue complicates the policy process.
- Greater control over data may lead to benefits for privacy, security and innovation policy; however, the competing policy goal of support for open networks and the free flow of data complicates the issue.
- Data transfer restrictions could pose an additional significant problem for Canada with respect to data transfers with the European Union, which has relied on the 2001 adequacy finding to ensure the free flow of data transfers. Given that European privacy law is set to advance with the General Data Protection Regulation (GDPR) in May of this year, and that Canadian privacy law has only undergone minor statutory reforms over the past 15 years, the retention of the adequacy finding in light of current standards is far from guaranteed.
IGI’s essay series on data governance in the digital age has shone a spotlight on the need for a national data strategy. Central to any data strategy will be some measure of data control. Given the implications for privacy, security and innovation policies, this includes some control over where data is stored and the conditions under which it is transferred across borders. Yet, despite the mounting data concerns, Canada may have already signed away much of its policy flexibility with respect to rules on both data localization and data transfers, severely restricting its ability to implement policy measures in the national interest.
The Trans-Pacific Partnership (TPP) — now renamed the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) — features restrictions on the ability to mandate data localization and impose limits on data transfers.1 Canada signed the CPTPP on March 8, 2018, and is expected to begin steps toward implementation later this year. The CPTPP model is rapidly emerging as the standard approach in “modernized” trade deals featuring e-commerce or digital trade rules, as it can be found in agreements large (the renegotiated North American Free Trade Agreement [NAFTA]) and small (the recently concluded Singapore-Sri Lanka Free Trade Agreement). Given the proliferation of the provisions, the linkage between data sovereignty and trade agreements seems likely to grow tighter in the years ahead.
The inclusion of data provisions within these trade agreements raises two key concerns. First, trade agreements invariably involve trade-offs on a wide range of issues from tariffs on agricultural goods to environmental policy. The inclusion of data governance as a trade-related issue complicates the policy process since it treats a critical yet complex policy matter as little more than a trade bargaining chip.
Second, it highlights a difficult policy challenge that sits at the heart of controlling data in a networked economy. While there may be benefits for privacy, security and innovation policies from greater control over data, the issue is complicated by the competing policy goal of support for open networks and the free flow of data, which may fuel innovation and hold the potential to promote pro-democracy norms. Striking an appropriate balance that promotes an open internet and safeguards the privacy, security and innovation issues associated with data should be a top priority for trade negotiators, yet the headlong rush to conclude e-commerce or digital trade chapters in modern trade agreements suggests that the policy flexibility has narrowed considerably, with countries bound by policy limitations that they have barely begun to understand.
Data localization rules, which require data to be stored locally, have emerged as an increasingly popular legal method for providing some assurances about privacy protection for personal information. The issue first came to the fore in Canada in 2004, when the government of British Columbia proposed outsourcing the management services associated with its Medical Services Plan (Geist and Homsi 2005). The proposal was challenged by the affected union, which argued that the data generated under the plan, including sensitive health information, could be put at risk due to provisions found in the USA PATRIOT Act. Skeptics dismissed the union’s opposition as a transparent attempt to protect local labour, but the concerns resonated with a wide range of communities, including privacy advocates, civil liberties groups and health-care activists. The BC government responded by enacting legislation designed to temper public concerns by requiring that certain public data be hosted within the province. Soon after, the Nova Scotia government enacted similar legislation.
Data localization requirements are not unique to Canada — similar statutes have popped up around the world (Lovells 2014). Today, there are localization requirements in European countries such as Germany, Russia and Greece; Asian countries such as Taiwan, Province of China; Vietnam and Malaysia; Latin American countries such as Brazil; and in Australia, where there are data localization requirements for health records.2
Data localization rules, which require data to be stored locally, have emerged as an increasingly popular legal method for providing some assurances about privacy protection for personal information.
In response to mounting public concern and government regulations, global companies are starting to offer local cloud storage services that help forestall regulations and respond to market demand. For example, major global service providers such as Amazon and Microsoft now offer Canadian-based cloud computing services. In fact, Microsoft’s General Counsel Brad Smith is on record as saying that individuals should be able to choose where their data resides (Vogel 2014).
Anticipating the budding interest in localization rules and their potential impact on the data storage industry (much of which is based in the United States), the CPTPP establishes a restriction on data localization requirements in article 14.13: “No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory.”
This general restriction is subject to at least three exceptions: government data, financial services and a general four-step test exception.
The exclusion of government services from the CPTPP might signify that the Canadian provincial laws described above may remain in place. In fact, permitting data localization rules for government data was a policy priority for many countries, including Canada. Last year, Tracey Ramsey, a Member of Parliament for the New Democratic Party, asked department officials about the issue within the context of the Trade in Services Agreement (TISA) at a December 2017 hearing of the Standing Committee on International Trade: “My next question is about the probability of including provisions that ban data localization. I think you mentioned things in the future. I think about NAFTA. We couldn’t have envisioned the world that we’re in now 25 years ago, so there wasn’t language about that in there. Do you think that data localization measures will be included in TISA? It’s a concern for Canadians, in particular the two provinces, that we have to protect that” (Standing Committee on International Trade 2017).
Darren Smith, the director of services trade with Global Affairs Canada, replied: “In fact, data localization is an issue that’s being discussed in TISA. That work is not complete, but Canada’s approach, which is shared by a good number of other participants, is to have a balanced approach so that we can still ensure a cross-border flow of data but at the same time protect the information that’s held by government or in a government procurement context, so the two cases that you referred to, Nova Scotia and B.C., would not be part of TISA” (ibid.).
The Canadian government, therefore, insists on retaining the rights for data localization measures for government data that it holds or that is held by third parties under contract. This addresses some potential concerns (including the viability of provincial data localization laws in British Columbia and Nova Scotia), but it would appear to exclude the wider use of data localization requirements, leaving individual Canadians and businesses without equivalent protection.
The CPTPP also includes a specific exception for financial services, ironically at the insistence of the US Treasury, which wanted to retain the right to establish restrictions on financial data flows. The United States is no longer part of the CPTPP, but the exception remains intact. The US financial services industry balked at the exception, but the decision to exit the CPTPP altogether has, unsurprisingly, quieted discontent over the provision.
The CPTPP's general exception is the most important since it establishes a four-step test to allow for additional measures that run counter to the restriction on data localization. The exception states: “Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 2 to achieve a legitimate public policy objective, provided that the measure: (a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and (b) does not impose restrictions on the use or location of computing facilities greater than are required to achieve the objective.”
The general exception must therefore meet four requirements:
- it must achieve a legitimate public policy objective;
- it cannot be applied in a manner that would constitute a means of arbitrary or unjustifiable discrimination;
- it is not a disguised restriction on trade; and
- it does not impose restrictions greater than required to achieve the objective (i.e., a minimal impairment requirement on the use or location of computing facilities).
Whether the exception would apply to privacy protection remains unclear. Given the 1999 reference to privacy by the World Trade Organization (WTO), privacy could be viewed as a legitimate public policy objective and therefore qualify for an exception.3 However, the historical record suggests that reliance on this exception is rarely accepted. As Public Citizen (n.d.) noted in a study on the general exception language “the exceptions language being negotiated for the TPP is based on the same construct used in Article XX of the WTO’s General Agreement on Tariffs and Trade (GATT) and Article XIV of the General Agreement on Trade in Services (GATS). This is alarming, as the GATT and GATS exceptions have only ever been successfully employed to actually defend a challenged measure in one of 40 attempts. That is, the exceptions being negotiated in the TPP would, in fact, not provide effective safeguards for domestic policies.”
In other words, the benefits of the general exception may be illusory since the requirements are so complex (each aspect must be met) that countries have rarely managed to meet the necessary conditions. For countries concerned about the weakened privacy protections, the trade agreement restriction on the use of data localization requirements may pose an insurmountable barrier.
Data Transfer Restrictions
In the legal context, data transfer restrictions mirror those for data localization. Insofar as restrictions on data transfers can be used by governments as a restrictive measure that runs counter to an open internet, limitations on their use is a welcome development. However, those restrictions may also be used as a safeguard for privacy and security.
Data transfer restrictions are a key element of the European Union’s approach to privacy, which restricts data transfers to those countries with laws that meet the “adequacy” standard for protection. That approach is becoming increasingly popular, in particular, following the Edward Snowden revelations about government surveillance practices. Several CPTPP countries, including Malaysia, Singapore and Chile, are moving toward data transfer restrictions, as are other countries such as Brazil and Hong Kong.4
That approach is becoming increasingly popular, in particular, following the Edward Snowden revelations about government surveillance practices.
The CPTPP’s restriction on data transfer limitations is very similar to the data localization provision. Article 14.11 states: “Each Party shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.”
The rule is subject to the same general four-step test exception discussed above.
The data transfer restriction could pose an additional significant problem for Canada with respect to data transfers with the European Union. In October 2015, the European Court of Justice (ECJ) considered whether transferring data to the United States violated European privacy laws in light of the widespread use of government surveillance.5 The court effectively declared the agreement that governs data transfers between the United States and the European Union invalid. The decision sparked immediate concern among the thousands of companies that rely on the “safe harbour” agreement that dates back to 2000. The European Union and the United States subsequently negotiated a new “privacy shield” agreement, but it too has been challenged at the ECJ.
From a Canadian perspective, the risks are particularly acute given the absence of a specific agreement with the European Union on data transfers. The recently negotiated Canada-European Union Comprehensive Economic and Trade Agreement is surprisingly silent on the matter. Instead, parties have relied on the 2001 adequacy designation that the European Union granted to Canadian privacy law. Yet Canadian law is scheduled for another EU review no later than 2022. Given that European privacy law is set to advance with the GDPR in May 2018, and that Canadian privacy law has only undergone minor statutory reforms over the past 15 years, the retention of an adequacy finding in light of current standards is far from guaranteed.
The result could place Canada in a privacy and data quagmire, with trade agreement restrictions on the ability to implement limitations on data transfers and the European Union demanding such restrictions in order to retain an adequacy finding.
Given that data often ends up in the United States, restrictions on data localization requirements have emerged as a key US demand in its trade agreements. Data governance is a poor fit for trade deals, but the provisions that appeared in the CPTPP6 seem likely to emerge as a foundational aspect of the proposed digital trade chapter in NAFTA7 and will undoubtedly be part of the currently stalled TISA.
Canada has sought to preserve its policy flexibility with respect to government data, but agreeing to a ban on future data localization requirements, or data transfer restrictions consistent with privacy, security and innovation policy needs, is a short-sighted position that unnecessarily handcuffs policy makers on future measures.
There is a policy balance to be struck with data localization and data transfers — support for an open internet is closely linked to the issue — but the balance involves more than just government data and must ensure that reasonable privacy, security and public policy measures will not be blocked due to trade agreements such as the CPTPP or NAFTA. Given the rapid dissemination of such provisions, Canadian officials should take steps to carve out much-needed policy flexibility within interpretative documents and work to ensure that the general four-step exception can be triggered, as appropriate, in order to properly reconcile an open internet with domestic privacy, security and innovation policy priorities.