A Introduction
Policymakers face a tension between, on the one hand, generating the economic benefits associated with unfettered data flows across borders and, on the other hand, providing a trusting environment for individuals, firms and governments taking part in the data-driven economy. International trade agreements seek to regulate data flows through provisions aiming to facilitate the cross-border trade of goods and services built on data, such as data processing and other computing services.Footnote 1
On the margins of the G20 leaders’ meeting in Osaka in June 2019, twenty-three countries plus the European Union (EU) signed the Osaka Declaration on the Digital Economy.Footnote 2 The declaration states that the signatories, ‘standing together with other World Trade Organization (WTO) Members that participate in the Joint Statement on Electronic Commerce issued in Davos on 25 January 2019, in which 78 WTO Members are on board, hereby declare the launch of the “Osaka Track”, a process which demonstrates our commitment to promote international policy discussions’. The referred-to January 2019 Joint Statement, issued during the World Economic Forum’s annual meeting in Davos, confirms the members’ ‘intention to commence WTO negotiations on trade-related aspects of electronic commerce’.Footnote 3 This Joint Statement is itself a restatement of a previous Joint Statement issued at the WTO’s eleventh ministerial conference in Buenos Aires in December 2017, where some seventy-five members ‘recognize[d] the important role of the WTO in promoting open, transparent, non-discriminatory and predictable regulatory environments in facilitating electronic commerce’.Footnote 4 The Buenos Aires Joint Statement indicated that the signatories would begin exploratory work toward ‘future WTO negotiations on trade-related aspects of electronic commerce’.Footnote 5
A number of discussion rounds took place in 2018 and 2019 in Geneva in order to delimit the scope of potential plurilateral negotiations on electronic commerce/digital trade. The provisions on e-commerce/digital trade found in the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP)Footnote 6 and the United States–Mexico–Canada Agreement (USMCA),Footnote 7 the North American Free Trade Agreement’s (NAFTA) replacement, are currently the most detailed proposals being considered in the WTO’s plurilateral negotiations on e-commerce.Footnote 8
This is why this chapter offers a detailed analysis of these CPTPP/USMCA e-commerce/digital trade provisions that pertain to data flows in order to identify the constraints they could impose on national data regulation.Footnote 9 To do so, it uses Canada as an example, because it is a party to both trade agreements and it seeks to build a high-trust data environment for consumers and businesses.Footnote 10 The analysis leads to the conclusion that Canada’s CPTPP and USMCA commitments could ultimately negate the effectiveness of future data protection policies that the Canadian federal government might want to adopt to achieve its ‘trust in the digital age’ objective.Footnote 11
B Cross-Border Data Flow and National Data Regulation
Policymakers have lots of reasons to try to link the free flow of data and data protection. According to Dan Ciuriak, ‘there is a need for free flow of data, including on a cross-border basis’, because data is ‘intrinsic to commercial transactions’.Footnote 12 He sees data as the ‘fifth freedom’ of commerce, with free movement of goods, services, capital and labour as the other four. Legal and regulatory limits on cross-border data flows can, however, act as beyond-the-border obstacles to trade.Footnote 13 For instance, Martina Ferracane and Erik van der Marel find that policies that restrict the cross-border flow of data have a negative impact on trade in digital services.Footnote 14
In certain circumstances (for example, to protect privacy, security, competition, culture, and so on), there is a need for the regulation of data collection, access, use and transfer. For example, the use of and access to people’s data should be fair, transparent, accountable and subject to individuals’ explicit consent. Moreover, the use of personal data should not lead to discrimination and bias when people seek to obtain a good or a service, whether it is from the private or the public sector. Another example is the protection of proprietary business data against uncompensated commercialization by others. On the other hand, access to data should not be controlled in such a way that it limits competition and innovation.
So the big question for policy-makers is how to allow for data to flow freely across borders while maintaining a high degree of trust among individuals, firms and governments that they will not be harmed in terms of privacy, consumption (price, choice or access), competition, innovation, security and so on. Strong data protection laws and regulations are necessary to create such trust. The problem is that such laws and regulations, if developed independently from other countries, can limit the cross-border flow of data and have negative economic consequences. This is the balancing act that the countries taking part in the WTO’s plurilateral negotiations on ‘trade-related aspects of electronic commerce’ are trying to achieve.
C The CPTPP, the USMCA and National Data Regulation: Example from Canada
This section analyzes the electronic commerce/digital trade chapters included in the CPTPP and the USMCA to determine how they may affect data regulation in Canada. The aim is to provide an example of the potential impact that a WTO plurilateral agreement on trade-related aspects of electronic commerce modeled on CPTPP/USMCA provisions could have on member governments’ ability to regulate data nationally. Since the CPTPP’s electronic commerce chapter provided the basis for the USMCA’s digital trade chapter, the analysis focuses first on the CPTPP.Footnote 15
I The CPTPP
The CPTPP contains several provisions in its chapter 14 (electronic commerce) that concern data flows.Footnote 16 Chapter 14 does not specify what types of data are covered, except to say those that are necessary for business purposes. It also preserves member states’ ability to limit the free flow of data held by government entities and encourages interoperability between data privacy regimes as well as cooperation between consumer protection authorities.
Here are the CPTPP’s main provisions relating to data flows:
Consistent with the WTO’s waiver on customs duties on electronic commerce, Article 14.3 prohibits the imposition of customs duties on electronic transmissions; however, it allows ‘internal taxes, fees or other charges’ as long as they are not discriminatory (i.e., applied equally to national as well as foreign entities).Footnote 17 As such, the CPTPP does not discriminate among various types or sources of data.
Article 14.8 CPTPP mandates a personal data protection floor: it ensures that parties have laws and regulations that provide a minimum level of personal information protection but it is flexible as it accommodates different national approaches.Footnote 18
Article 14.11 protects the free flow of cross-border data for business purposes,Footnote 19 although it allows restrictions on such flows in order to achieve a ‘legitimate public policy objective’.Footnote 20
Article 14.13 prohibits the obligation for a business to locate specific computing facilities in exchange for market access.Footnote 21 In other words, it prohibits parties from imposing data localization requirements. However, the ‘legitimate public policy objective’ exception also applies in this case.
Article 14.17 prohibits requirements that source code be transferred or accessed as a condition of import.Footnote 22 The prohibition is, however, limited to mass-market software and does not apply to software used in critical infrastructure.Footnote 23 The prohibition also does not apply to requests for source code modification to comply with domestic laws or regulations, as long as the latter are not inconsistent with the CPTPP; that is, they are not discriminatory in nature and apply equally to domestic and foreign firms.Footnote 24
Article 14.2(3) CPTPP stipulates that ‘this Chapter shall not apply to: (a) government procurement; or (b) information held or processed by or on behalf of a Party, or measures related to such information, including measures related to its collection’. This means that prohibitions on data transfer restrictions and data localization found in Articles 14.11 and 14.13 do not apply to governments. Therefore, the requirements imposed by the federal and some provincial governments that personal information held by public bodies be kept and processed in Canada are exempted under the CPTPP. This exception is potentially important if Canadian governments wish to make more publicly collected data available for analysis (for example, for artificial intelligence [AI] training purposes) but want to ensure that they retain control over them to protect individuals, as well as the state.
The scope of application of Article 14.2(3) CPTPP is, however, somewhat ambiguous when it comes to subnational governments, especially part (b). This is because Article 1.3 defines ‘Party’ as ‘any State or separate customs territory for which this Agreement is in force’. As such, it would exclude subnational governments at the provincial and municipal levels, especially since ‘regional level of government’ is defined separately in Article 1.3.Footnote 25 The term ‘government procurement’ in part (a) is less ambiguous. Article 15.2(2) CPTPP establishes the scope of application of government procurement: ‘For the purposes of this Chapter, covered procurement means government procurement: (a) of a good, service or any combination thereof as specified in each Party’s Schedule to Annex 15-A’. In Canada’s schedule in Annex 15-A, section B deals with sub-central government entities.Footnote 26 Government procurement provisions do not apply to schools, universities, hospitals and Crown corporations for all provinces and territories except Ontario and Quebec.Footnote 27 This means that only in Ontario and Quebec (the excluded provinces) could such public entities impose localization restrictions with respect to data storage and processing in their procurement contracts.
Articles 14.11 and 14.13 CPTPP on the prohibition of, respectively, restrictions on cross-border data transfers for business purposes and requirements to localize the storage of data domestically, both contain an exception for a ‘legitimate public policy objective’. This means that CPTPP parties, such as Canada, can restrict the in-and-out flow of data in order to pursue such an objective. The big question, however, is: what is a ‘legitimate’ objective? Article 14.11(3) states that a measure restricting cross-border data transfers cannot: (i) be ‘applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade’ and (ii) ‘impose restrictions on transfers of information greater than are required to achieve the objective’. Article 14.13(3) offers the same limitation on the ‘legitimate public policy objective’ (also called general) exception:
Nothing in this Article shall prevent a Party from adopting or maintaining measures inconsistent with paragraph 2 to achieve a legitimate public policy objective, provided that the measure: (a) is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade; and (b) does not impose restrictions on the use or location of computing facilities greater than are required to achieve the objective.
Michael Geist questions whether privacy protection would qualify under the above-mentioned exception.Footnote 28 He seems doubtful when he writes: ‘the [CPTPP] restriction on the use of data localization requirements may pose an insurmountable barrier’.Footnote 29 The same conclusion would apply to Article 14.11 CPTPP on data transfers. For instance, in early April 2019, the Office of the Privacy Commissioner of Canada (OPC) released a consultation paper on transborder data flows in which it indicates that it would require a company to obtain prior consent from individuals before moving their personal data outside of Canada.Footnote 30 According to Geist, this new approach ‘is a significant reversal of longstanding policy that relied upon the accountability principle to ensure that organizations transferring personal information to third parties are ultimately responsible for safeguarding that information’.Footnote 31 The OPC stated that this new approach would be consistent with Canada’s international trade obligations but Geist is not so sure: ‘The imposition of consent requirements for cross-border data transfers could be regarded as imposing restrictions greater than required to achieve the objective of privacy protection, given that PIPEDA [Personal Information Protection and Electronic Documents Act] has long been said to provide such protections through accountability without the need for this additional consent regime’.Footnote 32
Andrew Mitchell and Neha Mishra, for their part, also point out that there is the potential for conflict between e-commerce or digital trade chapters in free trade agreements (FTAs) and WTO agreements, such as the General Agreement on Trade in Services (GATS).Footnote 33 They write that Article XIV GATS provides the basis for the general exception found in FTA provisions, such as the CPTPP’s Articles 14.11 and 14.13; however, they also note that ‘these exceptions may be unable to address all aspects of data flow restrictions’.Footnote 34 In addition, Mitchell and Mishra mention that ‘strict scrutiny of these measures [restricting data flows] under international trade law may lead to unsatisfactory outcomes because GATS Articles XIV and XIV bis are limited in scope and do not facilitate consideration of Internet trust issues holistically’.Footnote 35 The above implies that general exceptions on data transfers and data localization found in the CPTPP may not offer as much policy flexibility as originally thought with respect to future laws and regulations that Canadian (federal and provincial) governments might want to put into place to govern data in order to ensure trust as well as stimulate innovation.
Given that algorithms ‘drive what news content and advertising each of us sees online [and] will be used by governments to decide who receives or is denied benefits’,Footnote 36 it is reassuring that Article 14.17 CPTPP does not prevent governments from regulating and supervising source codes, as long as it is not done in a protectionist way against foreign producers. Teresa Scassa notes that it is necessary to be able to access the source code of an app, software or AI in order to evaluate algorithms’ performance and potential biases.Footnote 37 Such enquiries are important if governments want to protect consumers, workers and businesses from suffering the negative consequences associated with, for example, fraud or discrimination.
II The USMCA
The USMCA, unlike NAFTA, which it replaces, contains a chapter (19) on ‘digital trade’ (not ‘e-commerce’, in order to signify its broader scope) that builds on the CPTPP’s chapter 14.Footnote 38 As such, the USMCA introduces a number of differences from the CPTPP. The following analysis focuses on these differences.
One significant difference with the CPTPP concerns the requirement for USMCA member states to ‘adopt or maintain a legal framework that provides for the protection of the personal information of the users of digital trade’.Footnote 39 While the USMCA does not prescribe specific rules or measures that a party must take to protect privacy, it goes further than the CPTPP by providing more guidance to inform a country’s privacy regime. In particular, the USMCA refers explicitly to the APEC (Asia-Pacific Economic Cooperation) Privacy Framework and OECD (Organisation for Economic Co-operation and Development) Guidelines as relevant ‘principles and guidelines’ when developing a legal framework for protecting personal information.Footnote 40 Unlike the CPTPP, the USMCA also mentions key principles that parties should follow as they develop their legal framework.Footnote 41
In addition, the USMCA stipulates that the parties ‘recognize the importance of … ensuring that any restrictions on cross-border flows of personal information are necessary and proportionate to the risks presented’,Footnote 42 thereby providing some limit on the extent to which data protection legislation or regulation can constrain cross-border personal data flows. Such a standard for potentially restricting data flows in order to protect personal information is not present in the CPTPP’s Article 14.8(2). As such, the USMCA provides some guidance, albeit vague, to future panel arbitrators in interpreting the ‘legitimate public policy objective’ exception in the case of a dispute involving limits imposed on cross-border data flows by one of the USMCA parties. The big issue in this case is what ‘necessary and proportionate’ means in the context of protecting personal information. For instance, would a requirement for organizations in Canada to obtain explicit consent from individuals before the latter’s data are transferred across the border to the United States be deemed necessary and proportionate?
What is probably the most important difference between the USMCA and the CPTPP is the former’s Article 19.17 on Interactive Computer Services, which has no equivalent in the CPTPP. According to this article, Internet service providers, social media platforms and search engines cannot be treated as information content providers for liability purposes, which means ‘immunity from legal consequences for content generated by users’.Footnote 43 However, Annex 19-A(4) states: ‘For greater certainty, Article 19.17 (Interactive Computer Services) is subject to Article 32.1 (General Exceptions), which, among other things, provides that, for purposes of chapter 19, the exception for measures necessary to protect public morals pursuant to paragraph (a) of Article XIV of the GATS is incorporated into and made part of this Agreement, mutatis mutandis’. This paragraph opens the door for potential limits on the article’s scope and application but, as mentioned earlier, there is a lot of uncertainty with respect to the general exception’s reach.Footnote 44 In any case, the USMCA’s Article 19.17 will likely make it harder for Canadian governments to develop measures to protect individuals and consumers of social media, search engines and other user-generated content providers from the consequences of disinformation (for example, ‘fake news’).
Another noteworthy difference between the USMCA and the CPTPP concerns source code and algorithms. First, the USMCA’s Article 19.16 gets rid of the CPTPP’s Article 14.17(2).Footnote 45 This implies that all types of source code are covered by the USMCA, without exception. As Scassa notes: ‘This may raise some interesting concerns given the growing government use of software and algorithms in key systems and processes’.Footnote 46 The USMCA also does not contain the CPTPP’s provision on allowing requests for source code modification.Footnote 47 Instead, it offers Article 19.16(2), which does not exist in the CPTPP: ‘This Article does not preclude a regulatory body or judicial authority of a Party from requiring a person of another Party to preserve and make available the source code of software, or an algorithm expressed in that source code, to the regulatory body for a specific investigation, inspection, examination, enforcement action, or judicial proceeding, subject to safeguards against unauthorized disclosure’. Scassa says that the difference between the USMCA and the CPTPP provisions is ‘important given that we are already facing context in which it is necessary to understand the algorithms that lead to certain decisions [for example, litigation involving autonomous vehicles]’.Footnote 48 So the USMCA improves on the CPTPP in terms of source code transparency but it is also a step back when it comes to the absence of a provision allowing requests to modify algorithms, which could be found to be biased or causing harm to people, businesses or governments. With the USMCA, unlike the CPTPP, a Canadian request for algorithmic modification could be challenged as a protectionist measure discriminating against the US or Mexican producer of the software or application.
The final difference between the USMCA and the CPTPP is with respect to the provisions on data localization (‘Location of Computing Facilities’). In the CPTPP’s Article 14.13, ‘the Parties recognise that each Party may have its own regulatory requirements regarding the use of computing facilities, including requirements that seek to ensure the security and confidentiality of communications’Footnote 49 but ‘no Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory’Footnote 50 unless it is for a ‘legitimate public policy objective’.Footnote 51 For its part, the USMCA’s Article 19.12 only has one provision: ‘No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory.’ This means that, unlike the CPTPP, the USMCA does not allow its parties to invoke a ‘legitimate public policy objective’ exception to impose a data localization requirement on firms from the other two parties as a condition for providing a digital good or service in the territory. The only exception possible here is for the specific case when a digital good or service is provided to a government, because the USMCA’s chapter 19 does not apply to ‘government procurement; or except for Article 19.18 (Open Government Data), to information held or processed by or on behalf of a Party, or measures related to that information, including measures related to its collection’.Footnote 52 Therefore, governments can only require organizations that collect, hold or process information to locate their computing facilities in the territory when these activities are undertaken for or on behalf of a government, which is in line with current practices.
However, if, for example, data deemed critical for national security reasons were held by a private organization, then the USMCA would technically require a government to allow these data to be held and processed in the other two member states’ territory. As a result, these data could become accessible to the other member state governments (for example, through the USA PATRIOT Act in the United States).
III Interim Conclusion
With the CPTPP and the USMCA, Canada has adopted obligations that provide for the free flow across borders of data for business purposes while, in principle, protecting consumers, personal information and government-related data. However, as analyzed earlier, these two trade agreements also pose potential obstacles to Canada’s ability to effectively regulate data and it is unclear how much policy flexibility they leave to the federal and provincial governments to pursue legitimate objectives and protect the vital interests of their citizens. It will ultimately be left to state-to-state dispute settlement panels in the CPTPP and the USMCA (as well as the investor–state dispute settlement mechanism in the CPTPP) to resolve this uncertainty and determine the scope of Canada’s national data regulation. If dispute settlement panels were to rule in favour of cross-border data flows and impose limits on Canada’s ability to ensure trust among individuals and businesses when it comes to the data-driven economy, then such decisions could undermine the CPTPP’s and the USMCA’s legitimacy and political support.
D Key Proposals at the WTO’s Plurilateral Negotiations on Trade-Related Aspects of Electronic Commerce
In April 2019, the key players in the negotiations – China, the EU and the United States – issued their proposals to the WTO’s plurilateral negotiations on trade-related aspects of electronic commerce.Footnote 53 The Chinese proposal is the least ambitious. It is hortatory in nature and focuses on principles for the facilitation of cross-border electronic commerce, leaving aside data flows.Footnote 54 China’s proposal is thus in line with the electronic commerce provisions contained in some of the FTAs that it has signed so far. As such, it reflects the country’s desire to protect its walled-off digital realm.Footnote 55
The EU’s proposal goes much further than the Chinese one. For instance, it offers specific provisions that mandate unrestricted cross-border data flows,Footnote 56 subject to national rules deemed ‘appropriate to ensure the protection of personal data and privacy’.Footnote 57 The EU’s proposal also stipulates that there can be no requirement for the transfer of software source codes in exchange for market access, although it can be required for legal violations or national security reasons.Footnote 58
The US proposal, for its part, follows closely the digital trade chapter found in the USMCA.Footnote 59 As such, it supports the EU’s position on cross-border data flows, personal data protection and source codes; however, unlike the EU’s proposal, which states that ‘[n]othing in the agreed disciplines and commitments shall affect the protection of personal data and privacy afforded by the Members’ respective safeguards’,Footnote 60 the US offer qualifies the limits on cross-border data flows that national data protection regimes can impose: ‘ensuring that any restrictions on cross-border flows of personal information are necessary and proportionate to the risks presented’ (Article 7.4), which follows USMCA’s Article 19.8.3. Article 8 of the US proposal also restates, verbatim, the USMCA’s provisionFootnote 61 that only restrictions on cross-border data flows that ‘achieve a legitimate public policy objective’ are acceptable. Finally, the USMCA’s Article 19.17 (‘Interactive Computer Services’) is transposed in its entirety into the US proposal,Footnote 62 thereby putting forward the prohibition on treating ‘a supplier or user of an interactive computer services as an information content provider in determining liability for harms related to information stored, processed, transmitted, distributed, or made available by the service, except to the extent that the supplier or user has, in whole or in part, created or developed the information’.Footnote 63
In sum, the proposals occupy different places on a continuum that includes independent national data protection at one end and cross-border data free flow at the other, with China being close to the former pole while the United States is closer to the other pole and the EU is somewhere in between (see Figure 14.1). As analyzed earlier, the USMCA’s digital trade chapter, which itself builds on the CPTPP’s chapter 14, has served to inform the US position in the WTO’s Plurilateral ‘Trade-related Aspects of Electronic Commerce’ negotiations. Should the latter ever prevail, which remains to be seen in light of the divergent key positions on offer, it will make it difficult for member states to adopt national data regulations that impose limits on the cross-border flow of data, most especially personal data.
E Conclusion and Outlook
As the example of Canada demonstrates herein, the CPTPP and the USMCA require their members to adopt obligations that provide for the free flow across borders of data for business purposes while, in principle, protecting consumers, personal information and government-related data. However, as analyzed above, these two trade agreements also pose potential obstacles to a member state’s ability to effectively regulate data and provide a trustworthy environment for individuals, businesses and governments. The analysis shows that it is not at all clear how much policy flexibility the CPTPP and the USMCA ultimately allow governments that want to adopt new laws and regulations to, among various objectives, protect people’s privacy, prevent algorithmic bias, protect critical infrastructure, ensure national security or promote domestic innovation.
For the plurilateral negotiations of an agreement on ‘trade-related aspects of electronic commerce’ at the WTO, this means that the US proposal, which is closely derived from the USMCA’s digital trade chapter,Footnote 64 would create a lot of uncertainty as to how many limits on cross-border data flows a country could impose via its national data regulation regime, until dispute-settlement panels decide on the acceptability and legitimacy of national data rules in restricting data flows across borders.
To leave such crucial decisions for economy and society in the hands of unelected and unaccountable individuals seems an odd way to govern the data-driven economy’s future functioning. A better approach would be to remove issues related to data regulation and standards from the WTO negotiations and push for a separate international regime to govern data and its cross-border flows.Footnote 65 Just like capital (or financial) flows are not part of the WTO’s framework,Footnote 66 which limits itself to rules on trade in financial services, so should data flows be excluded from an eventual agreement on trade-related aspects of electronic commerce. The latter agreement, should it ever see the light of day, should instead focus its attention solely on the rules governing trade in digital goods and services. A separate international body (such as an International Data Standards Board) should be responsible for setting standards that regulate the creation, processing, use, distribution and transfer of data, both personal and non-personal. All countries that apply and enforce these standards would be allowed to take part in a single data area where data would be free to flow across member states’ borders. The WTO’s rules on digital trade would be left to deal with possible infringement of core trade principles, such as non-discrimination.