Data localization fears may be inflated
When technologists started poring through the digital trade chapter of the new USMCA trade deal this week, one provision raised a few eyebrows: what appeared to be a blanket ban on data localization policies, a development that critics worried would represent a significant threat to national sovereignty in the digital age.
But it may not be true, exactly.
Data localization isn’t normally a topic for discussion around the office water cooler, but as business functions shift toward cloud services, the question of where internet servers are physically located has become increasingly important.
If a company’s data is stored on server farms overseas, that can represent a cybersecurity threat — for example, a foreign government could access private or commercially sensitive information.
On the other hand, there are concerns that governments could create data localization laws — requiring companies to make costly investments to set up local server facilities as a condition of doing business in the country — as a non-tariff barrier, which is why the Comprehensive and Progressive Agreement for TransPacific Partnership (CPTPP) tackled this problem.
“Certainly in the TPP context, a number of the smaller TPP countries did tend to use data localization requirements as a way of restricting investments, and they could make it extremely expensive for businesses to set up in those other jurisdictions,” said Matthew Kronby, a trade lawyer with Borden Ladner Gervais LLP.
In CPTPP, signatory countries were forbidden from making laws to force data localization onto companies, but there was a carve-out that allowed policies involving data localization as long as they achieved “a legitimate public policy objective.”
When the text of the USMCA trade deal was released, Chapter 19 covering digital trade included nearly identical language to CPTPP in banning data localization laws, but there was no carve-out in the following paragraph.
On its face, that led many analysts to conclude that Canada, Mexico and the United States had agreed to a total ban.
But Kronby noted that Chapter 32 of the USMCA includes a reference saying that Article 14 of the General Agreement on Trade in Services (GATS) from the World Trade Organization should apply to the USMCA digital trade chapter.
Following the bouncing ball over to GATS, Article 14 says, among other things, that countries can still pass laws for “the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.”
“Practically speaking, there may not be a significant difference (between USMCA and CPTPP)” Kronby said, although he noted that because both agreements are so new, it’ll take a while for trade lawyers to argue the nitty gritty and establish precedents for how exactly these provisions get interpreted.
But Dan Ciuriak, senior
fellow at the Centre for International Governance Innovation, argued that Canada should not be making any commitments whatsoever when the digital landscape is evolving so quickly.
Ciuriak said that as the world changes, any restrictions on how Canada responds can only serve to help entrench the dominance of the American tech giants who currently dominate the market.
And Ciuriak said if Canada is content to let our country’s data reside in the cloud, on servers outside of the country, that represents a threat to sovereignty in the digital age.
“I think almost everyone in Canada would assert that our physical borders have to be secure. Well, so do our digital borders,” he said.
“We don’t know what the robust architecture is, and it is ridiculous to think that the cloud model is going to be it. All we know about the cloud model now is one massive data breach after another.”
But even if governments don’t pass laws requiring cloud service providers to build local server farms and store data locally, the companies that provide cloud services might do it anyway.
Box is an enterprise cloud service provider that offers “Box Zones” to customers, which lets companies decide where they want their data to be kept — including a data centre in Montreal.
And Box CEO Aaron Levie said that practice is unlikely to change any time soon.
“Our philosophy is, no matter where the regional laws or data privacy issues evolve towards, we want to support our customers,” he said.
“I think in general, we’re certainly moving in a direction where if you’re a bank, if you’re a pharma company, if you’re a hospital, you’re going to start caring really deeply about where your data is stored, how it’s encrypted, who has those encryption keys.”
Levie wouldn’t comment on the specifics of USMCA because it’s so new, but he said that it’s worth thinking about where data is physically stored, because even if it’s not a regulatory requirement today, laws can always change tomorrow.
“As a technologist, I’d like to think it doesn’t matter,” he said. “But as a realist and from purely pragmatic standpoint, a lot of our laws — in fact, all of our laws — are inherently regional and government-specific.”