Canadian Foreign Minister Chrystia Freeland outlined Canada’s NAFTA negotiating objectives in talk earlier this week, identifying the need to modernize NAFTA so that “all sectors of our economy can reap the full benefits of the digital revolution.” I posted yesterday on how the IP chapter could be used to level the playing field for innovation. This post discusses how the new e-commerce chapter, which will be the most obvious manifestation of a modernized NAFTA, offers the opportunity to address an increasingly important aspect of modern cross-border commercial activity.
The policy behind an e-commerce chapter should be to facilitate modern, electronic commerce. Canada should be wary of provisions that undermine legitimate public policy interest, including privacy and security. This concern is particularly pronounced with respect to restrictions on data localization and data transfers, both identified by the USTR as issues of concern. Further, Canada should seek higher level privacy protections and e-commerce regulations in NAFTA.
The Implications of NAFTA for Privacy and Security
The U.S. has identified restrictions against local data storage – often called data localization – as one of its objectives. The issue originates from Silicon Valley tech company frustration with a growing number of governments that want local data to remain within their jurisdiction. The reason for data localization requirements typically stem from mounting concerns over U.S. surveillance activities and the power granted to U.S. law enforcement under laws such as the USA Patriot Act.
The combined effect of these U.S. laws is that many users fear that once their information is stored in the U.S., it will be accessible to U.S. authorities without suitable privacy protections or oversight. Since U.S. law provides less privacy protection to foreigners, there is indeed limited legal recourse for Canadian data held in the U.S. Provinces such as British Columbia and Nova Scotia have enacted laws to keep government information (such as health data) within the country.
In response to the mounting public concerns, leading technology companies such as Microsoft, Amazon, and Google have established or committed to establish Canadian-based computer server facilities that can offer localization of information. These moves follow on the federal government’s 2016 cloud computing strategy that prioritizes privacy and security concerns by mandating that certain data be stored in Canada. The Canadian government should resist efforts within NAFTA to limit the ability of federal or provincial governments to establish legitimate privacy and security safeguards through data localization requirements.
Limitations on data transfer restrictions, which mandate the free flow of information on networks across borders, raises similar concerns. Those rules are important to preserve online freedoms in countries that have a history of cracking down on Internet speech, but in the Canadian context, could restrict the ability to establish privacy safeguards. In fact, should the European Union mandate data transfer restrictions as many experts expect, Canada could find itself between a proverbial privacy rock and a hard place, with the EU requiring restrictions and NAFTA prohibiting them. While the U.S. is seeking a ban on data transfer restrictions, Canada should ensure that privacy and security laws will not be superseded by NAFTA restrictions.
Using NAFTA To Safeguard Privacy Protections
Privacy protections are a key aspect of e-commerce, providing consumers with assurances that their personal information will be appropriately safeguarded. A renegotiated NAFTA should include a high level privacy protection requirement. The starting point for privacy protection in most countries is a national privacy law modeled on the OECD privacy principles. Enforcement measures are frequently handled by privacy or data protection commissioners with some form of enforcement powers as well as additional rules on issues such as mandatory disclosure of security breaches. A privacy requirement that extends beyond voluntary undertakings is essential for Canadians to have the necessary assurances that their information is properly protected and to place Canadian companies on a level playing field with their NAFTA counterparts.
NAFTA should also include mandatory anti-spam legislation as a national requirement. The provisions could specify that the law provide for a binding unsubscribe mechanism and an opt-in consent requirement, consistent with the Canadian anti-spam law. Other e-commerce laws, including consumer protection requirements and electronic contracting provisions, would be suitable for inclusion in an e-commerce chapter.