Data localization rules, which require data to be stored locally, have emerged as an increasingly popular legal method for providing some additional assurances about the privacy protection for personal information. Although heavily criticized by those who fear that it harms the free flow of information, requirements that personal information be stored within the local jurisdiction is an unsurprising reaction to concerns about the lost privacy protections if the data is stored elsewhere. Data localization requirements are popping up around the world with European requirements in countries such as Germany, Russia, and Greece; Asian requirements in Taiwan, Vietnam, and Malaysia; Australian requirements for health records, and Latin America requirements in Brazil. Canada has not been immune to the rules either with both British Columbia and Nova Scotia creating localization requirements for government data.
Given that data often ends up in the United States, restrictions on data localization requirements have emerged as a key U.S. demand in its trade agreements. The provisions appeared in the TPP, in the proposed digital trade chapter in NAFTA, and in the stalled Trade in Services Agreement. While the issue is a prominent one in trade talks, the Canadian position has remained largely unknown. That may have changed last week at a hearing of the Standing Committee on International Trade when NDP MP Tracey Ramsey asked department officials about the issue:
My next question is about the probability of including provisions that ban data localization. I think you mentioned things in the future…I think about NAFTA, we couldn’t have envisioned the world that we’re in now 25 years ago, and so there wasn’t language in there. So do you think that this will include data localization measures, in TiSA? It’s a concern for Canadians in particular, with the two provinces that we have that protect that.
Darren Smith, the Director of Services Trade with Global Affairs, replied:
Yes, in fact, data localization is an issue that is being discussed in TiSA. That work is not complete but Canada’s approach, which is shared by a good number of other participants, is to have a balanced approach so that we can still ensure a cross-border flow of data but at the same time protect that information that’s held by government or in a government procurement context. So the two cases that you referred to, Nova Scotia and B.C., would not be part of TiSA.
To the best of my knowledge, this is the first time the government has stated its position, which amounts to retaining the right for data localization measures for government data that it holds or that is held by third parties under contract. That addresses some potential concerns (including the viability of provincial data localization laws in B.C. and Nova Scotia) but it would appear to exclude wider use of data localization requirements.
Given the privacy concerns extend beyond just government data, agreeing to a ban on future data localization requirements consistent with privacy and security needs is a short-sighted position that unnecessarily handcuffs policy makers on future privacy measures. There is a balance to be struck with data localization, but the balance involves more than just government data. Rather, it requires ensuring that reasonable privacy, security, and public policy measures will not be banned due to trade agreements such as the TPP or NAFTA.