Balancing privacy and data transfer in MSME trade – Mexico, Canada, and the United States
Many countries are in the process of reforming their data privacy laws to address Internet users’ privacy concerns, and many are also joining free trade agreements with increasingly robust digital trade and ecommerce chapters that discuss data privacy and data transfer across borders. What are the implications of these agreements for national data privacy laws?
The relationship between the 2019 U.S.-Mexico-Canada Agreement (USMCA) and Mexican privacy law is one example. Mexico’s 2010 Data Privacy Law is one of the most advanced and frequently enforced privacy laws in Latin America. This law obligates data owners to provide detailed information in the privacy notice regarding the data transfers the data subject, or “owner,” is willing to make, including personal information about the data subject, name of the data processor, purpose of transfer and type and category of activity sector of the processor. The same terms that apply to the data owner also apply to the third party receiving the transferred data.
The law stipulates that international data transfers can be performed without the consent of the data subject when the transfer is allowed by a law or treaty signed by the Mexican government. USMCA is such a treaty. Its digital trade chapter states, “No Party shall prohibit or restrict the cross-border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business of a covered person.” Parties to USMCA can, though, adopt or maintain a measure “inconsistent” with that principle if “necessary to achieve a legitimate public policy objective,” provided such a measure does not present “unjustifiable discrimination or a disguised restriction on trade.” The USMCA also explicitly bars data localization: “No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory.”
Legal experts interpret USMCA to be liberalizing – to permit cross-border data transfer and clarify potential exceptions countries can make to cross-border data transfer rules under the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), of which both Mexico and Canada are members. The U.S. withdrew from the CPTPP before its signing.
However, USMCA also cements the principle of data privacy. It requires that member countries “adopt or maintain a legal framework that provides for the protection of the personal information of the users of digital trade.” In other words, while USMCA calls on countries to allow data transfers in North America, it allows each member to maintain and adopt new privacy laws. The agreement furthermore calls on members to develop interoperability and compatibility between their different privacy regimes.
Notably, the USMCA formally recognizes the validity of the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system as the baseline data transfer mechanism should any USMCA member restrict cross-border data flows based on a “legitimate public policy objective” permitted in USMCA. CBPR is a government-backed data privacy certification that private companies voluntarily join to demonstrate compliance with international data privacy protections. Businesses and organizations that opt into the CBPR system must submit their privacy practices and policies for evaluation by an APEC-recognized “Accountability Agent” such as TRUSTe in the United States. Upon certification, the practices and policies become binding for that organization and enforceable by a privacy enforcement authority (such as the U.S. Federal Trade Commission).
Unlike the EU’s GDPR, which applies across EU countries, CBPR does not displace or change a country’s domestic laws and regulations, nor does it determine whether a country’s privacy protections are “adequate.” CBPR is recognized by Canada, Mexico, and the U.S., as well as Japan, South Korea, Australia, and Singapore. Japan recognized CBPR as a valid data transfer regime in its 2017 data privacy law. Thus, CBPR-compliant U.S. companies transferring data from Japan do not need the adequacy decision from the Japanese government that they would otherwise need under Japanese law.
There are still some question marks. Some legal experts argue the USMCA provision citing CBPR means that America’s eventual federal privacy law would recognize the CBPR to be consistent with the USMCA. Others argue that CBPR participation does not and cannot displace local law when local law is more demanding.
However, in the view of many observers, USMCA has successfully created a flexible data privacy and transfer approach that accommodates local needs and national laws, such as those of Mexico, within a global framework. USMCA also provides a clear signal to the private sector that the U.S., Mexico and Canada, along with Japan, are committed to creating a unified cross-border data transfer regime.