Canada: The Limits Of Data Localization Laws: Trade, Investment, And Data

On the 8th and 9th of June, 2019, the G20 Ministerial Meeting on Trade and Digital Economy took place in Tskuba, Japan. In a Ministerial Statement released after the meeting, the Ministers reaffirmed their commitments to transborder data flows noting that it generates higher productivity, greater innovation, and improved sustainable development, while acknowledging certain challenges related to "privacy, data protection, intellectual property rights, and security".

Indeed, with the increasing importance of data in everything from cloud computing, the internet of things and big data analytics, the free flow of data is essential to unlocking the full potential of global e-commerce and modern business in data driven economy. This is true not only for multinational corporations but also as noted in a recent report from the International Chamber of Commerce, small to medium enterprises that use online e-commerce are five times more likely to engage in import-export trade than enterprises that do not engage in e-commerce.

To address certain concerns relating to data protection, privacy, national security, law enforcement and industrial policy several countries have recently considered and adopted laws to regulate data flows. "Data localization" laws require certain types of data to be stored/ located within a certain country. To date, at least thirty-four countries have adopted data localization laws, including Germany, Russia, Greece, Taiwan, China, Vietnam, Malaysia, Brazil, Australia.

The Canadian federal government, in its recent announcement of the creation of Canada's Digital Charter, said that Canada continues to support bilateral and multilateral commitments relating to the cross-border transfer of information, as well as commitments, which seek to prevent data localization requirements. At the same time, provincial governments across Canada often impose data localization requirements in procurement tenders, presumably taking advantage of the exceptions to such new rules. Canada is also engaged internationally to promote the global interoperability of privacy frameworks. This is especially important in the context of data flows supporting the development of artificial intelligence. Following the commitment made by G7 Innovation Ministers during their Ministerial Meeting on Preparing for Jobs of the Future, Canada hosted a G7 Multi-stakeholder Conference on Artificial Intelligence on December 6, 2018 in Montréal. This built on the G7 Innovation Ministers' Statement on AI, and the G7 Leaders' Charlevoix Common Vision for the Future of Artificial Intelligence.

Trade and investment agreements provide a framework that govern transborder data flows, promote openness and, more recently, certain mega-regional trade agreements, such as the ones reviewed below, provide express guidance on the balance that may be struck between free flowing data and limitations based on legitimate policy concerns.

Where personal information is involved, countries may seek to impose data localization requirements in the context of privacy legislation. The Office of the Privacy Commissioner of Canada recently announced a consultation on transborder flows of personal information, intending to explore effective privacy protections "in the context of transborder data flows and transfers for processing, accepting that transborder flows are the subject of international trade agreements and that both domestic and international transfers bring significant benefits to individuals and organizations."

Trade Agreements

WTO

From a trade perspective, while the World Trade Organization (WTO) and other international fora are now more directly engaged in developing rules on international e-commerce and digital trade, cross-border data flow is primarily governed by WTO agreements, 21st century free trade agreements and investment treaties.

The WTO General Agreement on Trade and Services (GATS) applies to services, including where data storage is an element in the provision of the service. The GATS requires, subject to any specific exclusions for particular services, that data localization legislation respect the core obligations of the trading system. For data, this includes:

• Most Favored Nation treatment: data localization laws may not be imposed selectively on nationals of any given country;
• National Treatment: data localization laws may not provide preferences to locals over foreign nationals and greater burdens could not be imposed on foreign nationals;
• Market Access: Access to a country's market may not be accessible on the condition that data is stored locally.
• Any data laws must not be applied in a manner, which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade.

The GATS provides for limited exceptions to these obligations. Most relevant to data localization provisions are the exceptions relating to laws necessary to protection public morals or public order, and the protection of privacy in relation to the processing dissemination of personal data and the protection of confidentiality of individual records and accounts. The GATS also contains a national security exception.

Under the GATS, a data localization law that breach the above commitments may be challenged by another WTO member, among other things, on the basis that a less-trade restrictive measure may fulfill the stated objective of the targeted data law. Any such challenge may question and scrutinize the nexus between the stated policy rationale and the effects of data localization as well as any discriminatory elements stemming from a law's effect that may not be justified by legitimate policy objectives.

CPTPP & USMCA

Transborder data flows are explicitly governed in certain recent mega-regional trade agreements as part of new digital economy and e-commerce chapters. These modern agreements include express prohibitions on data localization laws with a limited number of exceptions.

The Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), which entered into force a majority of signatories in January 2019, contains specific provisions prohibiting data localization. While recognizing that each country may regulate data, Article 14.13 of the CPTPP includes a prohibition on data localization as a condition for conducting business in that territory. The CPTPP includes a broad exception to the localization rule. To fall within the exception any such law must (i) serve a legitimate public policy objective, (ii) must not be applied in an manner that does not constitutes arbitrary or unjustifiable discrimination or disguised restriction on trade, and (iii) does not impose restrictions on the use or location of computing facilities greater than are required to achieve the law's objective. The specific policy objective of any law may be set by each country, and is not subject to contestation.

Additionally, the CPTPP also includes a general national security exception for any measure that is limited to measures relating to the maintenance or restoration of international peace or security, or the protection of its own essential security interests.

Similarly, the recently signed, although not yet in force, USMCA between the US, Canada, and Mexico, also includes a general prohibition on data localization in Article 19.12. Under the USCMA there are no exceptions to this rule contained in the digital trade chapter, although Chapter 32 of the agreement incorporates a limited number of the GATS exceptions into the digital trade chapter as discussed above. The USCMA also includes an identical national security exception as included in the CPTPP.

CETA

The Comprehensive Economic and Trade Agreement (CETA) between Canada and the EU and its member states does not contain any specific provisions on data localization, although it includes provisions for future dialogue or consideration of issues concerning cross border data flows. Similarly, other EU agreements with Japan, and Mexico also do not provide for any specific provisions on data localization.

Investment Treaties and Data

Although investment treaties do not explicitly address data or data localization, they provide certain protections to investments made by foreign nationals. Most investment treaties provide for the basic protections of most favored nation, and national treatment, fair and equitable treatment, prohibitions against performance requirements, and expropriation. While these protections are similar to those included in trade agreements, one key difference between trade and investment treaties is that investment treaties allow investors to bring actions directly against a non-complying country, whereas any non-compliance and dispute resolution under trade agreements is dealt with between the signatory states. To the extent that data localization favors domestic companies or individuals, or may be viewed as unfair to foreign investors, such laws and regulations may form the basis of an investment claim. Although to date, there has not yet been any such investment claim, it is possible that data localization forms the basis or part of an investment claim.

Conclusion

In brief, to date, trade and investment treaties are the only binding legal framework for data localization. Through their core norms of non-discrimination and minimum standards of fairness they provide support for open transborder data flows and protections against unjustified data localization requirements. More recent trade agreements address data localization directly, with prohibitions against that practice, save for situations that may fit into express exceptions. Legitimate privacy-related data flow measures are likely to fall within the exceptions, although the specific intent of the legislation, and overarching trade law framework in place would need to be considered. These mega-regional agreements are developing the standards of openness which must be taken into account when legislating and regulating data localization and against which data localization may be tested.

Footnotes

1 G20 Ministerial Statement on Trade and Digital Economy, June 9, 2019.

2 We note that the specific data covered in data localization legislation varies. For instance, the British Columbia Freedom of Information and Protection of Privacy Act applies to "all records in the custody or under the control of a public body". Freedom of Information and Protection of Privacy Act RSBC 1996, Chap. 165, at art. 3.

About Dentons

Dentons is the world's first polycentric global law firm. A top 20 firm on the Acritas 2015 Global Elite Brand Index, the Firm is committed to challenging the status quo in delivering consistent and uncompromising quality and value in new and inventive ways. Driven to provide clients a competitive edge, and connected to the communities where its clients want to do business, Dentons knows that understanding local cultures is crucial to successfully completing a deal, resolving a dispute or solving a business challenge. Now the world's largest law firm, Dentons' global team builds agile, tailored solutions to meet the local, national and global needs of private and public clients of any size in more than 125 locations serving 50-plus countries. www.dentons.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Specific Questions relating to this article should be addressed directly to the author.