Any hopes by privacy advocates of stronger data localization requirements for Canada have been dashed by the United States Mexico Canada Agreement (USMCA). The U.S. Trade Representative (USTR) achieved its objectives on data localization for the renegotiation of the North America Free Trade Agreement (NAFTA). However, Canada also obtained important commitments that preserve its ability to protect the privacy of Canadians and the stability of Canada’s financial services sector.
When the USTR published the United States’ negotiating objectives, the USTR included a number of provisions directed to prevent Canada from enacting or expanding measures that would disrupt data flows to the United States. Key USTR objectives were to ensure that Canada refrain from imposing measures that would restrict cross-border data flows or that would require the use of data centres located in Canada. The USTR’s goals for the free flow of data involved the entire trade in digital goods and services. However, the USTR was specifically concerned about the financial services industry. Rumours were that the Office of the Superintendent of Financial Institutions (OSFI) was considering stronger data localization requirements.
It was a foregone conclusion that Canada would concede a general requirement for free flows of data. Free-trade without a free-flow of information is an unrealistic scenario in the information economy. A perennial exception is sensitive government information. Each state maintains its ability to keep sensitive government information within its borders (Article 13). However, how did Canada fare in other areas?
Financial Services Sector (Article 17)
The USTR achieved its goals in the financial services sector. Canada has committed to:
- Refrain from requiring financial institutions to only use computing facilities in Canada, so long as OSFI and other applicable financial regulatory authorities have “immediate, direct, complete and ongoing access to information processed or stored on computing facilities” used by the financial institution in the United States or Mexico; and
- Ensure that the regulator provides the financial institution with an opportunity to remediate a lack of access (to the extent practicable) before requiring the use of computing facilities in Canada.
However, Canada’s regulators have the freedom to:
- Require that financial service institutions obtain prior authorization from their regulator to designate particular enterprises as recipients of information. This seems to open up the possibility that OSFI could, for example, require pre-approval to use particular cloud service providers. This might be a welcome initiative to ensure that there are standardized cloud computing service arrangements and to avoid concentration risk from financial services institutions all using the same cloud service provider.
- Adopt or maintain measures relating to business continuity planning practices with respect to the maintenance and the operation of computing facilities. This opens the door for OSFI to adopt more robust regulatory requirements with respect to the use of cloud computing services in the financial services sector.
- Adopt or maintain measures to protect personal privacy and the confidentiality of individual records and accounts. This preserves the ability of OSFI and the Office of the Privacy Commissioner of Canada (OPC) to impose privacy measures. For example, it may permit OSFI and the OPC to require the encryption or tokenization of data and the maintenance of the encryption keys or the token look-up table in Canada. Given the advancements of cloud computing technologies, these are unlikely to be barriers to trade.
Overall, therefore, Canada has done well to preserve a very significant degree of regulatory autonomy to oversee the financial service’s sector’s use of information technology.
Digital Trade Generally (Article 19; Article 32)
Canada has agreed that it will not require businesses to use or locate computing facilities in Canada as a condition for conducting business in Canada. In addition, Canada has agreed that it will not prohibit or restrict the cross-border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business.
However, Canada preserved a measure of regulatory autonomy because it may adopt or maintain a measure that restricts international data transfers if it is “necessary to achieve a legitimate public policy objective” provided the measure meets two criteria. First, the measure cannot be applied in a manner that would be arbitrary or unjustifiable discrimination or a disguised restriction on trade. Second, the measure cannot be greater than necessary to achieve the objective.
Does this mean that Canada could impose something like the European Union Standard Contractual Clauses that only apply to cross-border transfers outside of Europe? Probably not. The explanatory note states that a measure would be off-side if (a) the measure imposed different treatment to cross-border transfers than intra-country transfers and (b) the measure modified the conditions of competition to the detriment to the service providers in the other country. However, data transfer agreements could be required if they applied to all data transfers (intra-country and cross-border).
Canada also obtained some important commitments from the United States with respect to the protection of personal information. Each country agrees to maintain a legal framework that provides for the protection of personal information taking into account principles and guidelines of international bodies such as the APEC Privacy Framework and the OECD Recommendation of the Council concerning Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data. Canada obtained agreement that the APEC Cross Border Privacy Rules are an appropriate mechanism through which to facilitate cross-border transfers. Privacy advocates may argue that Canada should take advantage of this concession to impose compliance with these rules as a condition of data transfer.
In addition, each country has agreed to “endeavor to adopt” non-discriminatory practices in protecting individuals from personal information protection violations. The countries agree to pursue compatibility between their regimes.
However, these commitments do not extend to personal information collected by the state. So, they will not result in the situation of Canadians improving under the U.S. Privacy Act of 1974.
Better than expected
The possibility of expanding data localization requirements in Canada to restrict or add additional hurdles to the cross-border to transfer of data to the United States (and Mexico) have been averted for U.S. organizations. However, Canada did better than expected (or better than I expected) in preserving regulatory autonomy to protect Canadians.