Canada is currently engaged in a process to develop a national digital strategy — and there is no doubt that one is needed. As we enter the fourth industrial revolution, we face a period of substantial social and economic change. This change is about more than deciding how to take advantage of new economic opportunities or support innovation. The technological transformations that are underway will profoundly change how we live, work and interact. As a country, we are struggling to define ourselves as innovators while at the same time trying to protect ourselves from becoming digital lab rats or data farms for the world’s digital powerhouses.
Although much of the press around the United States-Mexico-Canada Agreement (USMCA) has focused on staples of the old economy (agriculture and the automotive sector, and even the film and music industries), the USMCA also tackles issues relevant to the new economy. Canada’s challenge in this regard is that we have yet to really set a course for ourselves. There are big choices to be made, and some of them may require divergence from established paths.
CIGI Senior Fellow Susan Aaronson, for example, has questioned whether international trade agreements are the right forum for addressing cross-border information flows. Dan Ciuriak, also a senior fellow at CIGI, has warned that we are making decisions about digital trade without any real understanding of their implications for Canada’s economy. Apart from economic issues, there are broad public concerns about how we want to live and work in an increasingly digital and automated economy. The considerable public pushback against the Sidewalk Toronto smart city project, for example, reveals a deep-seated unease about privacy, autonomy and control in relation to our digital futures.
Negotiating a trade agreement and making concessions on digital trade in such circumstances is a risky proposition, and some of the terms of the USMCA raise concerns. In addition to wide-ranging intellectual property commitments, the USMCA contains provisions that address data localization and cross-border information flows. In some cases, the commitments made are notably different from those in the recently concluded Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP, formerly the TPP). These divergences may reflect how rapidly the digital environment is changing; they may also be indicative of the less-than-ideal negotiating circumstances of the USMCA.
One set of noteworthy differences between the CPTPP and the USMCA relates to source code and algorithms. We are moving into a period where a growing number of decisions in both the public and the private sector will be made by algorithms. Algorithms already drive what news content and advertising each of us sees online. They will be used by governments to decide who receives or is denied benefits; banks will use them in decisions regarding credit. The federal government is controversially experimenting with the use of artificial intelligence in decisions around immigration and refugee status. The ability to evaluate the performance and potential biases of algorithms used in such processes is an increasingly pressing public policy issue.
Article 14.17 of the CPTPP addresses “source code,” and its first paragraph basically prohibits signatories from requiring “the transfer of, or access to, source code of software...as a condition for the import, distribution, sale or use of such software.” This is a fairly modest restriction, particularly when it is paired with the second paragraph, which limits its application to “mass-market software or products containing such software and does not include software used for critical infrastructure.” In other words, if software is to be imported for use in critical infrastructure, a government could still require a transfer of or access to the source code in order, for example, to ensure that security standards are met.
The equivalent USMCA provision, article 19.16, shares the title “Source Code,” but has some significant differences from the CPTPP. First, the opening commitment now includes not just software, but any “algorithm expressed in that source code.” Second, the moderating language that limited the prohibition to mass-market software is gone. The prohibition is absolute and applies to all categories of software and algorithms. This may raise some interesting concerns given the growing government use of software and algorithms in key systems and processes. Surely, there are important sovereignty issues here.
The CPTPP contains a further moderating provision. It clarifies that it does not prohibit “the inclusion or implementation of terms and conditions related to the provision of source code in commercially negotiated contracts,” nor does it prevent a party from requiring source code to be modified in order to comply with its laws or regulations, so long as the modifications are consistent with the CPTPP. Such modifications might relate to privacy or security requirements, for example. A clause of this kind is entirely absent from the USMCA. Although there is nothing in the USMCA that explicitly prohibits the inclusion of source code conditions in negotiated contracts and nothing that bars any requirements for modification, the gap is worrisome.
Interestingly, the USMCA does include a concession regarding the need for algorithmic transparency in some contexts — something that is absent from the equivalent provisions of the CPTPP. The USMCA specifies in article 19.16 that its source code provisions do not preclude judicial or regulatory oversight of software or algorithms “for a specific investigation, inspection, examination enforcement action or judicial proceeding, subject to safeguards against unauthorized disclosure.” This is important given that we are already facing contexts in which it is necessary to understand the algorithms that lead to certain decisions. It is easy to imagine future litigation around accidents involving autonomous vehicles, for example, in which it will be important to understand how the technology guiding the vehicle’s decision-making processes may or may not have played a role in the accident. It is also entirely likely that a regulator such as the Privacy Commissioner will be called upon to assess how personal information is used in an automated decision-making process.
To be clear, the “source code” provisions of the USMC are not a disaster for Canada, but there is enough there to cause concern about what the nation might be trading away at the early stages of a profound digital transformation. These provisions must also be considered in conjunction with others that address intellectual property, privacy, data transfers and localization. Together, they will have an impact on the shape of our emerging digital economy — and they will have this impact even as the government continues to consult on what that shape should be.