MONTREAL — A few brief lines in the new North American trade agreement delivered a jolt in Canada, at least in some circles.
“No Party shall prohibit or restrict the cross-border transfer of information, including personal information,” for business purposes, reads the text of the provisional deal signed Sunday by Canada, the United States and Mexico.
It adds that no member country can require a company to store “computing facilities” on its soil.
These measures mean abandoning rights that Canadians have often seen as privacy bulwarks against their powerful southern neighbor, especially in the post-9/11 era in which sweeping legislation has given government agencies wide latitude to surveil individuals.
Physically storing Canadians’ data on their own land — a relatively common practice — kept it safe, some believed, from American surveillance agencies or from American police warrants.
This week, some Canadian data experts criticized the new kind of free trade, saying it undermines Canadian sovereignty.
But those deeply involved in the debate say it is also more complicated than most citizens realize. In the era of big data, the importance of location is not yet clear, they say, and fears inspired by post-9/11 surveillance are outdated.
“I think, realistically, if you’re looking at superpower intelligence agencies, they would be able to access the data regardless of whether it’s stored in a server in Toronto or in Chicago,” said Omer Tene, vice president of the U.S.-based International Association of Privacy Professionals. “There’s very close collaboration between intelligence agencies, and they can overcome bigger technological obstacles than [the border].”
The new trade deal, the successor to the 1993 North American Free Trade Agreement, marks the first time Canada and the United States have formally negotiated data’s role in trade.
Practically speaking, the new regulations will not result in much immediate change, experts say.
Many Canadian contracts have asked for or encouraged local data storage, particularly federal government contracts. That has helped lead to new “cloud facilities” in Canada, such as one of Google’s, in Montreal, and those sorts of contractual requests will still be permissible under the new trade deal.
But only two provinces, Nova Scotia and British Columbia, have passed laws mandating the local storage of certain citizen data — something that will be forbidden under the U.S.-Mexico-Canada Agreement, or USMCA.
Nova Scotia privacy lawyer David Fraser says those provincial laws are a “blunt instrument” that may safeguard local jobs but offer little extra data security.
There are bigger concerns, he said. “There’s the issue of hacking. There’s the issue of interception,” he said. “Frankly, I’ve seen . . . health-care providers decide they would use a less secure data center in Canada instead of a much more secure data center in the United States.”
U.S. government access to Canadian data is equally complicated, he said. Much Canadian data would not be “particularly interesting” to U.S. agencies.
In any case, the location of a data facility is secondary in those situations, too. “It could be held by a U.S. company in a Canadian data center and the U.S. company is still subject to U.S. law.”
Privacy aside, the flow of data is an important trade issue. Requiring local data storage in Canada, while achievable for giants such as Google and Amazon.com — or any smaller Canadian firm — can present insurmountable extra costs for American start-ups hoping to do business in Canada. Being able to use U.S.-based storage can also cut costs for Canadian companies.
The world of big data moves so quickly that the debate has changed even in the year since the NAFTA negotiations began. Last spring, the passage of the U.S. Cloud Act smoothed the way for U.S. law enforcement authorities to obtain digital information stored in Canada and other countries — and for Canadian authorities to do the same in the United States. Canada has not said whether it plans to enter into such an agreement, but if it did, it would render one Canadian concern mostly moot.
That pace of change, however, is what worries the Canadian critics of the new trade provisions.
Regular people are only beginning to understand the data trail they create, and governments are only beginning to adjust. In the past few years, for example, the European Union has created barriers around its citizens’ data, including rules governing where it can be stored.
The USMCA limits Canadian provincial governments’ ability to fine-tune their policies in the future, said Michael Geist, an expert in privacy and digital law at the University of Ottawa.
“As there is growing concern around personal information and where it goes, the pressure on governments to establish those kinds of restrictions or requirements, I think, is a real possibility,” he said, “which is one of the reasons you see these kinds of provisions included in these agreements.”
Canada signed away too much, too soon, Benjamin Bergen, executive director of the Council of Canadian Innovators, a technology business group, said in a statement. “Leading trade experts and economists warned that it was too early to enshrine data in trade agreements,” he said.
A Canadian government spokesman said negotiators “obtained guarantees” under the USMCA that Canadians’ privacy will be guarded and their financial data kept safe. One measure allows requirements that Canadians’ financial data be stored in Canada if a foreign financial institution appears unable to ensure that Canadian regulators will have full, immediate access to the data.