Descending Clouds by Gary Hayes (CC BY-NC-ND 2.0)

Descending Clouds by Gary Hayes (CC BY-NC-ND 2.0)


The Trouble with the TPP, Day 12: Restrictions on Data Localization Requirements

If all TPP countries implemented similarly strong privacy protections, there would be little need to consider alternative mechanisms to enhance public confidence in their privacy through additional legal safeguards. However, the Trouble with the TPP is that it actually weakens privacy protections by treating voluntary undertakings as equivalent to comprehensive privacy laws (prior posts include Day 1: US Blocks Balancing Provisions, Day 2: Locking in Digital Locks, Day 3: Copyright Term Extension, Day 4: Copyright Notice and Takedown Rules, Day 5: Rights Holders “Shall” vs. Users “May”, Day 6: Price of Entry, Day 7: Patent Term Extensions, Day 8: Locking in Biologics Protection, Day 9: Limits on Medical Devices and Pharma Data Collection, Day 10: Criminalization of Trade Secret Law, Day 11: Weak Privacy Standards). The TPP goes further in harming privacy, however, by restricting the use of data localization requirements that might otherwise be used to provide privacy protection.

Data localization has emerged as an increasingly popular legal method for providing some additional assurances about the privacy protection for personal information. Although heavily criticized by those who fear that it harms the free flow of information, requirements that personal information be stored within the local jurisdiction is an unsurprising reaction to concerns about the lost privacy protections if the data is stored elsewhere. Data localization requirements are popping up around the world with European requirements in countries such as Germany, Russia, and Greece; Asian requirements in Taiwan, Vietnam, and Malaysia; Australian requirements for health records, and Latin America requirements in Brazil. Canada has not been immune to the rules either with both British Columbia and Nova Scotia creating localization requirements for government data.

In response to mounting public concern and government regulations, global companies are starting to offer local servers. Last week, Amazon announced plans to establish Canadian-based cloud computing services, and last year Microsoft pledged to do the same. In fact, Microsoft’s general counsel Brad Smith is on record that people should be able to choose where their data resides.

Despite the momentum toward data localization as a privacy protection measure, Article 14.13 of the TPP establishes a restriction on legal requirements to do so:

No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory.

This general provision is subject to at least three exceptions. First, government services are excluded, meaning that the Canadian provincial laws remain in place. Second, there is an exception for financial services, which has sparked protest from some members of the U.S. Congress. The exclusion is reportedly due to demands from the U.S. Treasury, which wanted to retain the right to establish restrictions on financial data flows.

The third exception is cited by supporters of the TPP as evidence that privacy protections are still a possibility. The exception states:

Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 2 to achieve a legitimate public policy objective, provided that the measure:
(a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and
(b) does not impose restrictions on the use or location of computing facilities greater than are required to achieve the objective.

When combined with a 1999 WTO reference to privacy, the argument is that privacy could be viewed as a legitimate public policy objective and therefore qualify for an exception.

The problem is that the historical record overwhelmingly suggests that reliance on this exception will not work. As Public Citizen noted in a study on the general exception language:

the exceptions language being negotiated for the TPP is based on the same construct used in Article XX of the World Trade Organization’s (WTO) General Agreement on Tariffs and Trade (GATT) and Article XIV of the General Agreement on Trade in Services (GATS). This is alarming, as the GATT and GATS exceptions have only ever been successfully employed to actually defend a challenged measure in one of 44 attempts. That is, the exceptions being negotiated in the TPP would, in fact, not provide effective safeguards for domestic policies.

In other words, the exception is illusory since the requirements are so complex (each aspect must be met) that countries relying on the exception have failed in 43 out of 44 cases.  For countries concerned about the weakened privacy protections, the TPP restricts the use of data localization requirements as a remedy just as more and more countries are exploring such rules.


  1. Prof Geist,

    I think the internet in Canada, if regulated by an independent agency with an appropriate* legal framework, would provide the kind of safe, regulated space that would allow everyone’s participation. Individuals, groups, corporations, would all have to have an ID and follow the laws, just like we have in our real life neighborhoods and communities.

    I wonder if this would provide the assurance to participants that every one and every business on the Canadian internet space was legit and culpable in law.

    I do not recall ever seeing a suggestion by you or anyone else along these lines. Has there been one? If not, why not?

    A response pointing me and other readers somewhere would be appreciated as well.

    The internet has become so big that I don’t trust it. And I don’t trust corporations to make it work. Taxpayers must do it to allow potential benefits and disallow crime.

    * ie, provide a master ID for any Canadian, linked to existing legal docs, specifically to allow anonymity on the public internet. Provide the police with the real ID where approved. Exacting roles and regulations for the agency enhance trust, eg, they must protect the info foremost (no different than current agencies eg for passports etc.).


    Ps. This was done on my phone so please excuse the lack of proper lines of thought. I hope you get my general question about who, if anyone, is looking into this.

    • Devil's Advocate says:

      Your impression of what “the Internet” is seems to differ with what it actually is. There’s just too much wrong with that comment.

      • Well, I couldn’t put in a whole paper. And of course there are a lot of issues and I probably have some misunderstanding. Maybe you do too. But I want to know if anyone is working on this idea. Is there a better one?

        • Devil's Advocate says:

          You definitely misunderstand. Nobody would be working on such an idea. What you suggest is incompatible with the realities of the Internet.

          • I think I know what “Robin” needs though, it’s a disk from something called AOL, i think I have it somewhere here in my desk…

  2. Pingback: Amazon Web Services coming to Canada –

  3. Pingback: 1 – The Trouble with the TPP, Day 12: Restrictions on Data Localization Requirements

  4. Pingback: The Trouble With the TPP, Day 35: Gambling With Provincial Regulation - Michael Geist

  5. Pingback: The Trouble With the TPP, Day 50: The Case Against Ratifying the Trans Pacific Partnership - Michael Geist