NAFTA 2.0: Data Protection Considerations for Canadian Companies
Constantine Karbaliotis
Counsel @ nNovation LLP | Privacy & Data Protection | Virtual Privacy Advisor
By: Constantine Karbaliotis and Jocelyn Aqua
Thank you to Cristina Onosé, Sarah Nasrullah and Haley Fine for your assistance and support in developing this article.
Executive Summary
The renegotiated North American Free Trade Agreement, or NAFTA 2.0, will have a significant impact on companies. The fundamental concept in the United States-Mexico-Canada Agreement is the creation of a continental market in digital goods and services, while prohibiting data localization for private sector enterprises and creating explicit requirements to ensure that personal information is protected. It puts the onus on companies to use recognized frameworks and to ensure that data is protected before it can be transferred across borders. Chapter 19 of NAFTA 2.0 emphasizes the APEC Privacy Framework and Cross-Border Privacy Rules, which may now be considered a baseline for cross-border data flows where none previously existed. Organizations should leverage NAFTA 2.0 to gain greater freedom to move data, provided appropriate privacy and data governance are in place, not just for continental flows but for flows to APEC member countries; it does, however, require additional consideration of the implications for organizations subject to the EU General Data Protection Regulation.
Note: The new NAFTA, signed on November 30, 2018, goes by different names in Canada, the USA, and Mexico: the USA calls it “USMCA”; Canada, “CUSMA”; and Mexico, “T-MEC”. In this article it is referred to as “NAFTA 2.0”.
NAFTA 2.0: Background
The governments of the United States, Canada and Mexico recently completed the United States-Mexico-Canada Agreement (“USMCA” or “NAFTA 2.0”), the trade deal intended to replace and update the previous NAFTA. NAFTA 2.0, signed on November 30, 2018, has notable new changes affecting the protection of personal information and the free movement of data that organizations can utilize to give a boost to data-driven innovation in all three countries. In that sense, NAFTA 2.0 follows in the footsteps of the EU’s General Data Protection Regulation (“GDPR”) and the Asia-Pacific Economic Cooperation (“APEC”), by unifying the North American continent and creating a free market in digital goods and services.
Mexico has already ratified the new agreement; the US Senate recently approved it after changes were requested by the Democratic House majority; and now only the Canadian Parliament remains to formally ratify it. Ratification is not by itself a guide to when it will be implemented, but the White House has indicated a desire to see it come into effect in July 2020.
Chapter 19: Continental Free Trade in Digital Goods & Services
The most important provisions borrowed from the Trans-Pacific Partnership (TPP) are those that largely prohibit data localization. While NAFTA 2.0 mirrors the TPP by excluding financial services, which are governed by other rules, it goes further than the TPP’s provisions in allowing privacy controls to follow the data. Data localization — the practice of requiring residents’ data to be kept within the jurisdiction — is arguably the antithesis of a free market in digital trade.
Data localization limits access to global services and serves as the principal instrument for protectionism in the digital age. To counteract the impulse to keep data within local jurisdictions there must be effective privacy protection. To quote Viviane Reding, former Vice-President of the EU Commission, “what we want is data protection - not data protectionism.”
NAFTA 2.0 follows the TPP in requiring each country to establish personal information protection laws. Although it leaves the content of such laws and the means of enforcement to be decided by each country, NAFTA 2.0 does not preclude a nation from adopting strict privacy protections.
Interoperability is given important consideration nonetheless. The personal information provision in Chapter 19.8 might, in fact, hint towards a global unification of personal information protection. It reads:
In the development of its legal framework for the protection of personal information, each Party should take into account principles and guidelines of relevant international bodies, such as the APEC Privacy Framework and the OECD Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013). (United States-Mexico-Canada Agreement, Chapter 19.8, Section 2)
Under NAFTA 2.0, websites should be transparent with their users about data collection and usage, and give them a choice instead of mandating agreement. This language may influence - or be influenced by - both Canada’s anti-spam law (CASL) and the upcoming review of PIPEDA, Canada’s private-sector privacy law. (Note that there are hints that the Federal Government, although in a minority government, may table legislation in either late spring or early fall.)
The purpose of these kinds of provisions is to protect the personal information of North Americans, but to do so in a way that facilitates digital trade. Notably, the agreement adopts an expansive view of personal information, and calls upon the three signatories to effectively support the privacy expectations of residents of the other countries.
Existing Canadian data localization laws — like those in Nova Scotia and British Columbia that restrict the exportation of any personal data collected by or for public bodies — remain lawful, as Chapter 19 does not apply to government procurement. Presumably, this should not change government restrictions on where data processing occurs. This does pose an interesting issue, however: while the ban will not impact where, for example, health information held by a government is stored, a nation or province likely cannot tell a private health clinic where to store its data.
Chapter 14: Financial Services
Under NAFTA 2.0’s provisions, Canada cannot require financial services to use computing facilities located solely in Canada. However, relevant Canadian regulators (such as the Office of the Superintendent of Financial Services, or OSFI, a federal financial regulator, or other provincial regulators as may be applicable) must have “immediate, direct, complete and ongoing access to information processed or stored on computing facilities” by a financial institution in the United States or Mexico. Additionally, the regulator must give a financial institution the opportunity to remediate a lack of access before requiring the use of computing facilities in Canada.
Canadian financial regulators can provide oversight to financial institutions through a variety of mechanisms. They can:
- require prior authorization to designate particular enterprises as recipients of information;
- compel the adoption of measures relating to business continuity and planning; and
- adopt or maintain measures to protect personal information and confidentiality of individual records and accounts.
These requirements serve to provide effective regulation over financial institutions. They also allow the Office of the Privacy Commissioner of Canada and financial regulators to enforce privacy protections in the financial sector, while prohibiting localization requirements unless there is no effective means by which these policy goals can be maintained. (It is also interesting to note that OSFI in January 2019 issued guidelines for its institutions requiring 72-hour notice of cyber and privacy breaches, and there is an increasing tendency for non-traditional regulators to step into areas relating to privacy regulation for their markets).
Considerations for North American Enterprises
NAFTA 2.0 provides a framework for organizations to operate in North America that is intended to be largely free of constraints over the flow of data. However, it also presents a framework that is intended to direct how these flows are to take place to address privacy considerations.
Enterprises should consider the following:
- The APEC Privacy Framework and the Cross-Border Privacy Rules (“CBPR”) are emphasized as mechanisms that facilitate the free flow of data for organizations covered by Chapter 19. While North American inter-country transfers have never had the formality required for transfers of personal data from the EU, for instance under Privacy Shield or Model Contract/Standard Contractual Clauses, NAFTA 2.0 may now raise the bar for enterprises transferring data between the three countries, if they wish to avoid regulatory scrutiny or public reaction.
- The impact on ‘onward transfers’ of data arriving from the EU under either Privacy Shield or Model Contracts has always been a concern for EU regulators. It has also been a concern for Canada’s ongoing adequacy status with the EU, and will now be brought to the fore by this agreement. Organizations should consider how the use of the APEC Framework and CBPR can forestall concerns or, worse, restrictions, by ensuring that such flows of data are properly documented and demonstrably protected through these mechanisms.
- The CBPR have been proposed as a ‘code of conduct’ pursuant to Article 40 of the GDPR, which would permit their use as an export mechanism. The CBPR could afford organizations a defensible approach to dealing with onward transfers in an environment where such mechanisms do not currently — or cease to — exist. (The framework for considering codes of conduct was only published in July of 2019, and codes are now being proposed.) (An interesting possibility would be the potential for CBPR to replace Privacy Shield, should the “Schrems 2.0” challenge be successful - credit to Lauren Reid for this observation.)
- The APEC Privacy Framework and CBPR can be used strategically by enterprises to assist them with new regulatory challenges. This includes new compliance requirements under the California Consumer Protection Act (“CCPA”), which came into effect in January 2020. A host of other states are looking to introduce similar legislation. A federal privacy law in the US is currently being debated, and some consideration is being given to how CBPR could influence the development of that legislation. (“What Does the USMCA Mean for a Federal Privacy Law?”, Centre for Information Policy Leadership (“CIPL”) Whitepaper, Hunton Andrews Kurth (January 17, 2020).)
- The APEC CBPR not only enables access to the North American market, but also to those markets of the members of the Asia Pacific Economic Cooperation forum. This is a significant benefit for companies and can help make the ‘business case’ for APEC CBPR compliance stronger within organizations.
- All of this is subject to some important caveats. It is unclear whether CBPR will satisfy the EU’s privacy requirements. Take, for example, Japan’s recent adequacy finding, which does not extend to onward transfers unless they are based on either consent or an EU finding that the receiving jurisdiction is already adequate. Clearly, the CBPR will need to be supplemented with additional requirements. Canada will have to look to the recognition of Japanese adequacy to address this potential qualification in its own adequacy challenges. We can expect that “CBPR+” will be required both to address the continental free market goals of NAFTA 2.0 for Canada and to maintain its adequacy status with the EU.
- Good privacy is good privacy everywhere. By aligning their privacy program with key workstreams, organizations can strategically comply with multiple global privacy regulations and open up business possibilities worldwide, while being able to map these activities to multiple regulatory requirements.
Conclusion
In an era of heightened privacy regulations, NAFTA 2.0 is not alone in putting the onus on organizations to create robust privacy programs. GDPR, US state laws such as the CCPA, and ultimately what Canada will be addressing as part of its Digital Charter and proposed updates to PIPEDA, will create similar requirements. Canadian and other North American organizations should consider a strategic approach to compliance, one that considers multiple laws and jurisdictions. The APEC CBPR under the NAFTA 2.0 is an exciting new opportunity for Canadian organizations to leverage a well-established framework that not only supports privacy compliance, but also opens doors to new business opportunities in the US, Mexico and beyond.
Management Trainee at Enterprise | PDD - Business Administration | B.Com
3 years
Great insights. Thank you
Sr. Advisor, Governance Risk and Compliance
5 years
Great article, Constantine.
Thanks Constantine. This was a nice and succinct summary.