How the USMCA Affects Digital Trade

The U.S.-Mexico-Canada Agreement (USMCA), the proposed replacement of the North American Free Trade Agreement (NAFTA), now awaits submission to Congress. While the USMCA is similar to NAFTA in several ways, one difference is that USMCA includes a chapter on digital trade, a now-common feature of trade deals. The USMCA’s section on digital trade is largely lifted from the Trans-Pacific Partnership (TPP), but it lacks certain carve-outs that were present in the TPP. In the future, these exemptions could become an important area of tension in international privacy law, especially in Europe where regulators require in some instances the very thing that the USMCA bans.

Standards for Digital Trade

Digital trade chapters are a new addition to trade agreements, but they typically include provisions based on several specific principles. Most limit customs duties of digital products, establish a legal framework for electronic transactions, include provisions to combat fraud, and seek to expand access to government information. In this regard, the USMCA isn’t that different than the TPP.

More controversially, trade agreements also tend to include sections meant to break down data localization laws, which require that certain kinds of data remain within a country’s borders. Here, the USMCA is like the TPP. For example, Article 14.11(2) under the TPP states,

Each Party shall allow the cross-border transfer of information by electronic means, including personal information, when this activity is for the conduct of the business of a covered person.

The USMCA goes further, making this provision a strong negative statement. It reads,

No Party shall prohibit or restrict the cross-border transfer of information, including personal information, by electronic means if this activity is for the conduct of the business of a covered person.

To give some teeth to these broad ideas, the texts of the TPP and the USMCA include targeted sections on computer facilities. Indeed, both Article 14.13(2) in the TPP and the USMCA’s Article 19.12 read the same:

No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory.

The USMCA lacks, however, the TPP’s qualifiers and exemptions. Most important, the TPP included an exemption in Article 14.13(3) from the anti-data localization requirement if the law achieves “a legitimate public policy objective.” Moreover, the TPP recognized that,

Each Party may have its own regulatory requirements regarding the use of computing facilities, including requirements that seek to ensure the security and confidentiality of communications.

The USMCA lacks these exemptions, resulting in a much stiffer requirement for the signatories. As legal scholar Jacqueline Yin pointed out, “In this respect, the USMCA’s position on computing facilities is more restrictive, and its simplified language allows less room for exceptions.”

Conflict with Europe

This requirement of the open flow of information creates a conflict with Europe’s privacy laws. Europe has strict requirements for how companies protect digital information, and European regulators have given their privacy policies heft by requiring that covered data not be transferred to countries without adequate privacy protection—a de facto localization rule. The newly minted General Data Protection Regulation (GDPR) only strengthens that rule.

Some contend that the USMCA’s ban on localization rules increases privacy risks. As professor Michael Geist of the University of Ottawa argued in The Washington Post,

[The ban on transfer restrictions] means countries cannot follow the European model of data protection that uses data transfer restrictions as a way to ensure that the information enjoys adequate legal protections. In fact, with the European Union adopting even higher standard privacy rules earlier this year, countries could find themselves caught in a global privacy battle in which Europe demands limits on data transfers while the USMCA prohibits them.

The data localization and data transfer rules [in the USMCA] may erode efforts to safeguard privacy, and many other provisions represent a lost opportunity to establish higher standards. Indeed, as the United States touts high standard intellectual property protections in its trade agreements, it seemingly opts for low standard digital trade protections.

But European privacy law can result in poor data security, as Jane Horvath of Apple explained: “In a primary school in Europe … a data-localization requirement results in student data being hosted in an unsecured server under a school administrator’s desk,” with such a data-localization law operating on the paradoxical assumption that information in this local server “is more compliant than in a secure data center outside of Europe, even when that data has been transferred securely.”

Other countries have taken a cue from the European approach and passed laws in the name of privacy—but these laws are naked efforts to control speech and give governmental agencies broad access to information. China, Russia, Indonesia, and Vietnam have all passed laws along these lines. Thus, privacy-related data localizations efforts are a double-edged sword. What constitutes “a legitimate public policy objective” varies widely from country to country.

The Costs of Trade Restrictions

Regardless of the reason for them, data localization efforts are costly. Researchers Martina Ferracane and Erik van der Marcel recently estimated that “if countries lifted their restrictions on the cross-border flow of data, the imports of services would rise on average by five percent across all countries.” China and Russia alone would experience an increase of 50 percent in their digital service imports if they broke down these barriers to trade, they estimate. And some of the biggest beneficiaries of lifting these data restrictions would be European firms in France, Germany, and Denmark, which would benefit from better productivity if given broader access to digital services.

While certain laws might be needed to protect privacy, they are costly. Other provisions within the USMCA will get more attention, but the digital trade section of the agreement highlights how regional regulations can impact an international trade platform such as the Internet.