NAFTA 2.0: Data Protection Considerations for Canadian Companies

Thank you to Cristina Onosé, Sarah Nasrullah and Haley Fine for your assistance in developing this article and support.

Executive Summary

The renegotiated North-American Free Trade Agreement, or NAFTA 2.0, will have a significant impact on companies. The fundamental concept in the United States, Mexico and Canada Agreement is the creation of a continental market in digital goods and services, while prohibiting data localization for private sector enterprises and creating explicit requirements to ensure that personal information is protected. It puts the onus on companies to utilize frameworks and to ensure that data is protected before it can be transferred across borders. NAFTA 2.0 in Chapter 19 emphasizes the APEC Privacy Framework and Cross-Border Privacy Rules which may now be considered a baseline for cross-border data flows that did not previously exist. Organizations should leverage NAFTA 2.0 to have greater freedom to move data, provided an appropriate privacy and data governance is in place, not just for continental flows but for APEC member countries; it does however, require additional consideration of the implications for organizations subject to the EU General Data Protection Regulation.

Note: The new NAFTA, signed on November 30, 2018, is called different names in Canada, USA, and Mexico. USA calls it “USMCA”; Canada, “CUSMA”, and Mexico, “T-MEC”. In this article it is being referred to as “NAFTA 2.0”.

NAFTA 2.0: Background

The governments of the United States, Canada and Mexico recently completed the United States-Mexico-Canada Agreement (“USMCA” or “NAFTA 2.0”), the trade deal intended to replace and update the previous NAFTA. NAFTA 2.0, signed on November 30, 2018, has notable new changes affecting the protection of personal information and the free movement of data that organizations can utilize to give a boost to data-driven innovation in all three countries. In that sense, NAFTA 2.0 follows in the footsteps of the EU’s General Data Protection Regulation (“GDPR”) and the Asia-Pacific Economic Cooperation (“APEC”), by unifying the North American continent and creating a free market in digital goods and services.

Mexico has already ratified the new agreement; the US Senate recently approved it after changes were requested by the Democratic House majority; and now only the Canadian Parliament remains to formally ratify it. Ratification is not by itself a guide to when it will be implemented, but the White House has indicated a desire to see it come into effect in July 2020.

Chapter 19: Continental Free Trade in Digital Goods & Services

The most important provisions borrowed from the Trans-Pacific Partnership (TPP) are those that largely prohibit data localization. While NAFTA 2.0 mirrors the TPP by excluding financial services which are governed by other rules, it provides greater ability to have privacy controls follow the data than TPP’s provisions. Data localization — the practice of requiring residents’ data to be kept within the jurisdiction — is arguably the antithesis of a free market in digital trade.

Data localization limits access to global services and serves as the principal instrument for protectionism in the digital age. To counteract the impulse to keep data within local jurisdictions there must be effective privacy protection. To quote Viviane Reding, former Vice-President of the EU Commission, “what we want is data protection – not data protectionism.”

NAFTA 2.0 follows the TPP in requiring each country to establish personal information protection laws. Although it leaves the content of such laws and the means of enforcement to be decided by each country, NAFTA 2.0 does not preclude a nation from adopting strict privacy protections.

Interoperability is given important consideration nonetheless. The personal information provision in Chapter 19.8 might, in fact, hint towards a global unification of personal information protection. It reads:

In the development of its legal framework for the protection of personal information, each Party should take into account principles and guidelines of relevant international bodies, such as the APEC Privacy Framework and the OECD Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013). (United States-Mexico-Canada Agreement, Chapter 19.8, Section 2)

Under NAFTA 2.0, websites should be transparent with their users on data collection and usage, and give them a choice instead of mandating agreement. This language may influence – or be influenced by – both Canada’s anti-spam law (CASL) and the upcoming review of PIPEDA, Canada’s privacy law pertaining to the private sector. (Note that there are hints the Federal Government, while in a minority government, may table legislation in either late spring or early fall).

The purpose of these kinds of provisions is to protect the personal information of North Americans, but to do so in a way that facilitates digital trade. Notably, the agreement adopts an expansive view of personal information, and calls upon the three signatories to effectively support the privacy expectations of residents of the other countries.

Existing Canadian data localization laws — like those in Nova Scotia and British Columbiathat restrict the exportation of any personal data collected by or for public bodies — remain lawful, as Chapter 19 does not apply to government procurement. Presumably, this should not change government restrictions on where data processing occurs. This does pose an interesting issue, however: while the ban will not impact where, for example, health information held by a government is stored, a nation or province likely cannot tell a private health clinic where to store its data.