Internet governance has emerged as a substantial global governance question of the decade, bringing with it substantial consequences for economic growth as well as human, civil, and consumer rights.
Every millisecond, massive amounts of personal, government, and commercial data move through the physical conduits of the global Internet, from one side of the planet to the other, passing through numerous countries before reaching its destination. The unrestricted movement of this data has contributed to the proliferation and success of electronic commerce giants like Google, whose business greatly benefits from access to a global consumer market. In the era of big data, and the wake of the public craze that came with the moniker, data services like storage and processing have received a measure of public scrutiny regarding data privacy expectations. This is because of the risks to personal, commercial, and government data privacy when services are provided by firms, often in other countries, who control, outsource, sell, and potentially store indefinitely private information.
The public exposure of the secret and indiscriminate global surveillance activities of the US National Security Agency (NSA) and other governments has rallied public discontent alongside demands for a defense of personal privacy online.
Many countries have made efforts to better protect privacy of personal data both when it is stored domestically and when it is stored abroad. Some countries have relied more often on domestic legislation to guarantee this treatment of domestic data, while Canada has made pioneering efforts to establish cross-border data privacy expectations through bilateral free trade agreements (FTAs). However, Canada’s ambitions in this area have produced little fruit in recent years and its illegal participation in the Five Eyes global surveillance initiative, recently exposed, has undermined efforts of other actors in the Canadian government who have sought to protect Canadian data privacy abroad.
Looking ahead, there are opportunities for cooperation, and presumably a mutual interest, among Canada’s allies to use FTAs as a forum for Internet privacy governance. Doing so will ensure the treatment of Canadian data according to established Canadian and human rights law, encourage growth in e-commerce, and give peace of mind to Canadians, companies, and public agencies concerned with the privacy of Canadian data moving across international borders.
Along with the changes the Internet age has brought, it has been necessary to evolve our laws and public institutions, in order to ensure the continued protection of citizens and their rights. One area of increased vulnerability for Internet users is their personal privacy. Privacy is seen by the Supreme Court of Canada as a human right protected in the Canadian Charter (1982), the Canadian Human Rights Act (1977), the Canadian Privacy Act (1983), and the Personal Information Protection and Electronic Documents Act (PIPEDA) (2000, 2011) (Harris, 1997; Parliament of Canada, 2014). Since 1977, Canada and each of its provinces and territories have hosted a Privacy Commissioner who monitors and acts to protect the privacy of Canadians.
When an Internet user inputs data into a website, that data may travel a considerable distance before it is put to use. The data may travel through various Internet transfer points (IXPs), effectively the global interchanges of the information super-highway, in the user’s own country and very possibly another country, before arriving at its destination. Furthermore, that data centre, providing a processing or storage service for the local business or national government, might itself be located in a foreign country and be subject to different privacy laws. The extra-national travel and storage of Canadian data risks a breach of Canadian privacy law protections, and potentially a risk to national security if sensitive data can be accessed illicitly while stored, processed, or simply in transit abroad.
It is precisely the international integration of networks and services that makes the Internet the powerful piece of economic and social infrastructure that it is. However, that integration also exposes Canadians to threats against personal privacy.
The opportunities for the illegal interception of personal data are multiplied when it travels around the world before reaching its destination, especially if it travels through the United States (US). The enormous NSA global surveillance program, exposed by whistle-blower Edward Snowden, was described by NSA staff themselves (in private) as an information collection program to “Collect it all,” “Process it all,” “Exploit it All,” “Partner it All,” “Sniff it All,” and, ultimately, “Know it All” (Cole, 2014). If Internet traffic happens to pass through one of the US’ many IXPs, the NSA’s full-take system stores copies of three days’ worth of all data in transit for selective observation and profiling (The Guardian, 2013). The American Patriot Act has been used to oblige American companies to disclose information about their customers to the FBI and other security agencies, in gross and unjustifiable volume. It has further been speculated that personal data stored in Canada, by Canadian firms that are subsidiaries of American companies, could be vulnerable to information disclosure requests from American security agencies (Gunasekara, 2007 [PDF]).
Canada has prioritized privacy in FTAs when faced with demands from the US for protection of the ‘free flow of data’ to be enshrined in the agreement (Aaronson and Townes, 2012[PDF]). The US, on the other hand, has been championing a free-flow-of-data mandate. In 2011, American Trans-Pacific Partnership (TPP) negotiators allegedly proposed binding obligations to not block cross-border data flows and to prohibit countries from obliging businesses to locate data centres in the country where they operate, also known as server localization requirements.
While this has been met with resistance, the US has been successful in incorporating principles of Internet openness and free flow of data into its FTA with Korea, which came into force in 2012 (Aaronson and Townes, 2012 [PDF]).
The polarization created around the Americans’ ambition to prevent privacy law from inhibiting international data flows may lead one to think that the free international movement of data and the protection of privacy are mutually exclusive. They are not, in fact, and efforts made in the Canada-Colombia FTA to socialize and harmonize Internet privacy protection in the domestic laws of both countries are a good example of how privacy protection can be supported without impacting trans-border data movement.
The European Union (EU) has maintained a similar position as Canada in FTAs. Both parties consider privacy a human and consumer right and have asserted that they will not include actionable provisions on the free flow of data or server localization in their trade agreements; a rejection of U.S. demands (Aaronson and Townes, 2012 [PDF]).
There have been substantial privacy law harmonization efforts among the 47 members of the Council of Europe, the body representing the signatories to the European Convention on Human Rights. This effort is leaps and bounds ahead of what Canada attempted in its FTA with Colombia. European privacy law harmonization has even prompted India to make efforts to harmonize its privacy law with Europe’s in order to make its data service firms eligible for contracts to process and store Europeans’ personal data (Data Security Council of India, 2012).
The TPP and other FTAs are forums of Internet governance. In these forums, coalitions of pro-privacy countries should work together to protect Internet privacy and use international Internet privacy governance guidelines already available from the OECD, the Montreux Declaration of the world’s privacy commissioners, Netmundial, and international human rights law.
Moving forward from Canada’s historic position on privacy in FTAs and in line with its constitutional obligation to protect the privacy of Canadian data abroad, the country should insist on incorporating robust e-commerce chapters that include provisions for privacy in the trans-border flows of personal data. Canada should generally move away from normative language on privacy in FTAs and pursue an initiative of supporting the improvement and harmonization of domestic privacy laws in countries with which it forms trade agreements. Canada should support language in FTAs that allows server localization for government and sensitive personal data, but remain flexible with countries that have domestic privacy laws that can ensure the appropriate treatment of Canadian data. Beyond the positive reinforcements that can come with sharing of best demonstrated practices and privacy supportive technology, negative reinforcements such as suspended trade privileges for partners who fail to protect the privacy of Canadian data may be appropriate in some cases.
The maintenance of the interoperability of the Internet is a primary backstop in Internet governance initiatives (NETmundial 2014, 5; OECD 2013, 7). Efforts made in the pursuit of privacy protection do not need to pose a threat to Internet interoperability and the relatively non-fragmented form of the modern Internet. The most effective way to ensure privacy protection and maintain global Internet integration is to make privacy law relatively homogeneous across all the world’s legal jurisdictions, wherever data is transferred, processed, or stored. In this aim, the expectation for privacy protection should be set according to a relatively high standard, rather than based on the lowest common denominator among cooperating countries. In this case, Canadian legislators may find it useful to look to Europe, both for the benefit of citizens’ privacy, but also for the long term assurance of a market for the Canadian big data industry.
About the Author: Virgil Haden-Pawlowski is a development and humanitarian practitioner presently based in Turkey with a diverse background of work and study on topics ranging from human rights issues, to sustainability and prosperity, to peace building and economic relations, and is an avid policy commentator in these areas.
 OECD. OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. Guidelines, Paris: OECD, 2013.
 27th International Conference of Data Protection and Privacy Commissioners. "Montreux Declaration." International Telecommunications Union. September 16, 2005. https://www.itu.int/wsis/docs2/pc3/contributions/misc/montreux-declaration.pdf (accessed July 31, 2014).
 NETmundial. "NETmundial Multistakeholder Statement." NETmundial. April 24, 2014. http://netmundial.br/netmundial-multistakeholder-statement (accessed July 31, 2014).