The United States-Mexico-Canada Agreement (USMCA) brings to light the contrast between free trade and closed borders. Its special emphasis on prohibiting data localization policies sends an interesting message — the data must flow, yet, the people cannot.
What Role for Data Localization in a Trade Agreement?
One way to describe data is as a digital shadow. Data doesn’t appear out of nowhere but rather via the activities of people and organizations. This data is intrinsically linked to these people and organizations, hence the concept of a digital shadow that follows its subject wherever it goes. Since these shadows may be generated by anything from subscriptions to online services to e-commerce transactions to social media use, they must be addressed in trade pacts. Increasingly, negotiators consider where and how data will be stored, regulated and used as it — or if it — crosses borders. And, since the rules of data governance, surveillance and privacy differ from nation to nation, addressing the flow of data in a multilateral trade agreement is no small feat.
In the case of the USMCA, Canadian negotiators agreed to the prohibition of data localization (the requirement that data stay within its country of origin), yet, when Canadian data flows into the United States, it isn’t necessarily protected from intrusive surveillance or use.
The recent legalization of cannabis consumption in Canada provides a good illustration of the shadow. For someone living in Ontario, for example, the only way to purchase cannabis is through the Ontario Cannabis Store website. If that person makes an online purchase with a credit card, US border authorities may access that data and then have the ability to deny the person entry because they bought a substance that is banned in the United States. If the data associated with that transaction had remained localized, it wouldn’t precede the purchaser into a jurisdiction that treats said information quite differently.
Of course, this is a complicated example with a lot of layers (that will only become more complex if the USMCA is ratified) but it does present an interesting paradox; why would negotiators trade away the possibility of data localization policies when the trade puts citizen rights at risk?
Data Localization Is Misunderstood
Perhaps the problem is a result of poor framing — data localization is often regarded as a potential trade barrier rather than as an aspect of data protection and privacy. The assumption is that data localization would require a service provider to invest in local (and redundant) infrastructure in order to do business in a new country. This focus on enabling new services entering the market ignores the reality of existing services exporting data in massive and increasing volumes.
This is where the European and North American approaches vary greatly. Europe focuses on privacy and data protection, especially given the US dominance of the digital services industry. The United States, on the other hand, focuses on further empowering and enriching their digital industry. If the USMCA is ratified, Canada, too, may enrich the United States’ digital industry.
Arguments that contemporary trade depends on the free flow of information miss the whole point of data localization. Arguably, the information can still flow freely while it resides in a specific jurisdiction. The reality of cloud computing is that a new entrant does not need to invest in new infrastructure, because that infrastructure is already in place. Canada is not a computing backwater; it has cloud computing capacity, and it is easy for a foreign company to set up a digital branch plant in Canada to harvest Canadian data. Simply put, data does not need to leave the country for a foreign company to make money from it, whether by sharing data with advertisers or by using the data in the generation of machine learning models. And, as encryption technology advances, access to data can be distinguished from copying of data.
Critics also claim that protection and security suffer under data localization policies, because these policies may prevent service providers from using locations that have the best security practices. This argument ignores the reality of state-sponsored hacking and intelligence agencies accessing hosted data. A better approach would be to spread best practices in computer security as far and wide as possible so as to encourage better protection overall.
There Is Hope for Data Localization
Chapter 32 of the USMCA does open up the possibility of protecting privacy or having a kind of data localization through its reference to article XIV of the World Trade Organization’s General Agreement on Trade in Services, which gives countries room to pass laws that protect privacy. This article spells out a number of exceptions that provide member countries the room to tailor laws to their own needs and culture. Privacy is cited specifically, but so are public morals (which privacy could be considered as), and the prevention of deceptive or fraudulent practices (which some might consider applies to social media). Hence, data localization could becomes permissible in so far as it seeks to address these needs.
This suggests that there is room for innovation; the Canadian federal government could work within the constraints of the USMCA and still protect the privacy of Canadians. Returning to the example of cannabis legalization, the federal government could insist on the anonymization of cannabis consumer data so as to prevent discrimination when its citizens are crossing borders. This stipulation would not focus on data localization or on preventing that data from moving across borders, but rather ensure that the data itself is protected at the source.
Of course, the research on data’s place in a trade agreement is fairly limited, and there is considerable demand for more. There is no tried and true method for ensuring privacy at the point of data collection, whether via anonymization, aggregation or the prohibition of the collection of certain kinds of information (such as those belonging to young children) — more research is almost certainly required. Additional research funding could focus on systems that enable data access rather than data migration, so that data can reside in a specific jurisdiction yet still enable access to cross-border services.
While the federal Office of the Privacy Commissioner does have the ability within the USMCA to impose privacy measures on data that will leave Canada, it would have to know what data is vulnerable, how it might be secured and how it might be protected.
Fortunately, the USMCA does provide a bit of wiggle room. It exempts sensitive government information from data localization prohibitions — sensitive cabinet or national security information should not be in the hands of foreign entities. Arguably, that definition could be extended. Could sensitive government information include, say, health data? Provinces such as British Columbia and Nova Scotia that have already passed data localization policies may want to use that exemption in creative ways to preserve their current approach.
In a press release about the USMCA’s data provisions, Sara Neuert, executive director of the BC Freedom of Information and Privacy Association, said that “controlling where personal information flows, and who has access to it, is an essential tool in the ongoing and evolving process of protecting the privacy of British Columbians.”
“Evolving” might be the key word in Neuert’s response. We don’t yet have a fully formed picture of the harms and benefits of data localization. In a recent Maclean’s article, CIGI Senior Fellow Teresa Scassa says it best: “Researchers and policymakers haven’t completely wrapped [their] heads around when data localization is appropriate or what it should look like — so we should absolutely not be shutting the door on it from the outset.”