U.S. Calls Out Canadian Data Protection as a Trade Barrier

The U.S. Trade Representative issued its annual Foreign Trade Barrier Report on Monday. In addition to identifying the geographical indications provisions in the Canada – EU Trade Agreement, telecom foreign ownership rules, and Canadian content regulations as barriers, the USTR discussed regulations on cross-border data flows. I wrote about the issue recently, noting that the Canadian government restricted access to its single email initiative to Canadian-based hosting.

The USTR picks up on the same issue in its report:

The strong growth of cross-border data flows resulting from widespread adoption of broadband-based services in Canada and the United States has refocused attention on the restrictive effects of privacy rules in two Canadian provinces, British Columbia, and Nova Scotia. These provinces mandate that personal information in the custody of a public body must be stored and accessed only in Canada unless one of a few limited exceptions applies. These laws prevent public bodies such as primary and secondary schools, universities, hospitals, government-owned utilities, and public agencies from using U.S. services when personal information could be accessed from or stored in the United States.
The Canadian federal government is consolidating information technology services across 63 email systems under a single platform. The request for proposals for this project includes a national security exemption which prohibits the contracted company from allowing data to go outside of Canada. This policy precludes some new technologies such as “cloud” computing providers from participating in the procurement process. The public sector represents approximately one-third of the Canadian economy, and is a major consumer of U.S. services. In today’s information-based economy, particularly where a broad range of services are moving to “cloud” based delivery where U.S. firms are market leaders; this law hinders U.S. exports of a wide array of products and services.

This issue bears watching given the growing momentum for localized data hosting conflicting with provisions in the Trans Pacific Partnership that would seek to restrict such provisions.


  1. Andrew Morris says:

    Is there a similar exemption in US law, so that US public sector data cannot leave the US?

  2. David Collier-Brown says:

    The US version
    Is that US data is supposed to *not* be subject to NSA snooping, and so no US firm would wish to have their data leave the safety of the country.

    The premise is false, but the consequent is still true (;-))

  3. They could set up business here
    Those US companies could set up business in Canada, benefiting Canadians instead of relying on cross border data traffic. Some are already planning that in EU to keep their market share.
    My hosting and email services are Canadian hosted, even before the Snowden revelations, I prefer to have Canadian law apply since this is where I chose to live.

  4. David Collier-Brown says:

    I suspect the US will make the same claim about the EU declaring that they have failed to provide “safe harbour” for European data, and try to get it back in trade negotiations with EU countries…

  5. They *could* set up business here..
    Per Gerritv’s suggestion, but my understanding that a US company will always run afoul of US law (ie. an IBM subsidiary in Canada would still be subject to US laws and thus required to give up “Canadian” data). Boo.

  6. U.S. tech and privacy policy hinders U.S. exports of a wide array of products and services.

  7. From:

    Rather than taking this as a diplomatic threat to Canada by the USTR, it’s representative on how weak the US tech sector has become economically on the issues of privacy protections, when the USTR is coming out with statements like this. This should serve as an example of a potential downfall in the Canadian tech sector, should the Government continue with it’s approach towards lawful access legislation in the cyber bullying legislation, and not get in front of all of this, to strengthen our privacy laws. I think it could be devastating to Canadian tech companies when eventually the EU comes knocking looking for change in our laws, and forcing that change, rather than implementing that change before it’s forced upon us, at a time when our democracy is currently under the microscope internationally due to the Government’s Election Reform Act.

  8. “These laws prevent public bodies such as primary and secondary schools, universities, hospitals, government-owned utilities, and public agencies from using U.S. services when personal information could be accessed from or stored in the United States.”

    That is probably not possible if they are using a MS-Windows operating system since proper internal file permission management would be required to guarantee compliance. Even apart from OS security, a company like Apple gathers and keeps user information.

  9. Someone Dial 9-wahh-wahh
    For the Wahhhhmbulance for them Yanks. We value privacy. So do EU’s. They can’t handle it? POUND SAND AND GIT!

  10. Joe Klein says:

    Data privacy and security issues
    Borders on the Internet may soon impact US business and future trade considerations with the US’s best trading partner, Canada. So what are the core issues?

    1. PRIVACY – The US has no priority surrounding privacy of it’s citizens, and allows it’s businesses to use citizen information as product. Canada has more policies to ensure privacy of their citizens, as does many other countries. The US does not like it.

    2. SENSITIVE DATA PROTECTION – Sensitive government and commercial storage and processing should not use services beyond the physical and legal boundaries of Canada. The US does this for the government, calling it FEDRAMP, but not for businesses, allowing US businesses to process sensitive health, financial and customer data in places where there exist no data breach disclosure laws.

    In the coming years, this type of data centric trade friction will increase until other countries begin treating their citizens as product or the US begins initiating laws which protect the data of it’s citizens.

  11. Pingback: What is Google deleting under the ‘right to be forgotten’ – and why?Guardian_News | Guardian_News