The inclusion of a Digital Trade chapter in the US-Mexico-Canada Trade Agreement (USMCA) is an important, and modernizing provision of the agreement. To maximize its effectiveness, the three countries must work to address existing issues that inhibit complete implementation of the agreement. The author's insight was derived from a private event convened by the Mexico Institute and the Canada Institute.
The United States-Mexico-Canada trade agreement’s (USMCA) digital trade provisions are touted as one of the clearest examples of why NAFTA needed an upgrade. The scorecard on whether these provisions have lived up to expectations after a year of being in effect (July 1, 2020) is mixed. It’s equal parts revealing and troubling. It’s troubling as Mexico misuses national security concerns to justify financial data localization and enacted a “kill switch” to block foreign digital firms that don’t pay taxes. It’s revealing in how Canada and the United States define “Internet sovereignty” through their targeted use of data localization for government data. This post provides an analysis of digital developments post USMCA and how the lack of enforcement, and countries’ own use of localization policies, sends a troubling signal to other countries like China and the European Union that want to use the same excuses to justify much broader use of data localization.
Mexico: Financial Data Localization and the Troubling Lack of a U.S. Response
Mexico is demonstrating how easy it is for countries to use self-judging exceptions for national security by enacting financial data localization. In late 2020, Mexico’s central bank (Banxico) and the National Banking and Securities Commission (CNBV) issued draft fintech regulations (Provisions Applicable to Electronic Payment Fund Institutions) that would force firms to only choose cloud providers based in Mexico.
Mexico’s draft regulation is particularly troubling as officials justified it on the basis of broad, vague, and highly unlikely national security grounds. Just as troubling is the fact that the Trump administration reportedly did not push back on Mexico’s use of this rationale, in part due to its own misuse of national security rationales to enact tariffs on foreign automotive and steel imports. Mexican officials reportedly looked to Russia as their model as it enacted payment data localization as part of an initiative to replace foreign payment firms with a state-supported payments system (known as MIR) after being targeted with financial sanctions for invading Ukraine and annexing Crimea.
Mexico’s data localization proposal breaches both the spirit and the letter of USMCA’s digital trade and financial services chapters. The financial services chapter prohibits rules forcing firms to use or locate local computing facilities as a condition of market access (article 17.18). Should a firm face an issue providing data to regulators, they would have a reasonable opportunity to address the issue and shift data to a jurisdiction where access is assured (article 17.18). In contrast, Canada removed two financial data localization policies (two sections of the Canadian Bank Act) to come into compliance with USMCA. The United States Trade Representative’s Office (USTR) is using USMCA’s novel Rapid Response Labor Mechanism to ask Mexico to review labor rights at an automotive factory, but has not called a meeting of USMCA’s Committee on Financial Services as a first step in addressing this issue.
The United States’ lack of action is surprising as the USMCA’s financial data framework is seen as the gold standard it wants replicated in other agreements. It’s especially ironic as financial data has created such turmoil for the United States, following U.S. Treasury’s initial insistence (and then backtracking) on a carve out for financial data in the Trans-Pacific Partnership (TPP).
Mexico’s Kill Switch: Using Tax Enforcement to Cut Off Digital Market Access
In December 2020, Mexico enacted a law that would allow it to block foreign providers of digital services from offering their services in Mexico if they fail to comply with Mexico’s digital tax rules. It’s particularly troubling as no other country does this for tax compliance, so it sets a troubling precedent.
As Inu Manak and Alfredo Carrillo Obregon at CATO explain, Mexico’s Ministry of Finance initially floated the idea for a “kill switch” mechanism, where tax authorities would ask Internet service providers to block access to digital services from a company that is not in compliance with Mexico’s tax laws. The measure is most likely a breach of Article 15.3 (National Treatment), Article 18.3 (Access and Use), and Article 19.4 (Non-discriminatory treatment of digital products). Mexico’s approach contrasts with Chile and other countries’ non-trade restrictive approach to ensuring tax compliance by foreign digital service providers. Again, it’s up to USTR to raise this issue. However, again, there’s no evidence that USTR or Canada have raised the issue with Mexico. Thankfully, the measure is not yet enforced. Mexico is reportedly developing details to outline under what conditions it will use the kill switch if companies don’t respond within a certain timeframe.
Canada: Quebec and Alberta’s De Facto Data Localization Measures
Canadian provinces have a track record of enacting misguided data localization requirements for data privacy. In 2021, Quebec’s enacted the Act to Modernize Legislative Provisions respecting the Protection of Personal Information (known as “Bill 64”), includes a de facto localization policy. Many parts of the law are commendable in that it reflects the accountability principle in its use of contracts to ensure firms manage data the same, wherever they transfer it. It is similar to Alberta’s Personal Information Protection Act, which requires firms to notify people when sending their personal data outside of Alberta during outsourcing arrangements. However, requiring firms to disclose the possibility that the personal information being collected could be transferred outside the province at both the time of collection (of personal information) and upon request creates the misconception that personal data transferred outside of Quebec is somehow less safe. What’s unique about Quebec’s law is that there is no distinction between international and inter-provincial transfers within Canada. Meanwhile, Canada’s Personal Information Protection and Electronic Documents Act has no such disclosure requirement.
The Use and Misuse of Exceptions is More Important Than the New Digital Trade Rules Themselves: How Canada and the United States Use Data Localization for Government Data
A central question in global data governance and digital trade is how countries use—or more worryingly, misuse—trade law exceptions for government procurement, privacy, national security, and other public policy objectives to justify data localization. USMCA’s digital trade chapter does not apply to government procurement or information held or processed by or on behalf of the government. Furthermore, USMCA’s chapter on exceptions and general provisions (chapter 32) includes the General Agreement on Trade in Services exceptions language (Article XIV), such as for public morals or safety and privacy. Given USMCA’s ambitious digital trade provisions, how each country uses exceptions to enact localization for government data and services is perhaps even more important than the use of USMCA’s anti-localization provisions, as it demonstrates how each country seeks to define the use of this barrier to trade.
Canada is unique in its clear and explicit articulation of “data sovereignty” in relation to government data and services. It requires cloud services to keep certain categories of sensitive and classified data (at rest) within Canada. It does not necessarily apply to data in transit, as Canada recognizes that certain cloud services may only be run outside of Canada. These requirements are included in Canada’s public service cloud contracts. AWS and other U.S. cloud firms with data centers in Canada have won contracts given they have local data centers. Similarly, provincial level data localization requirements in British Columbia and Nova Scotia for personal data held by public bodies remain unaffected by USMCA (although it’s unclear under what legal basis).
Similarly, the United State’s GovCLOUD uses contractual arrangements to requires local data storage for specific, sensitive data types managed by certain government agencies, such as the International Traffic in Arms Regulations (ITAR), the Federal Risk and Management Program (FedRAMP) High, Department of Defense Security Requirements Guide (DoD SRG) Impact Levels 4 and 5, and Criminal Justice Information Services (CJIS). The service (managed by AWS) uses data center operations that are physically separated from all other AWS cloud regions and only staffed by U.S. citizens.
Conclusion: Live Up to the Spirit and the Letter of USMCA’s Promise
How the United States, Canada, and Mexico use and enforce (or misuse and don’t enforce) USMCA’s much touted data-related provisions has important implications.
Firstly, new digital trade rules are only meaningful if they’re enforced. These rules don’t provide the certainty that firms operating in North America thought that they would provide given the lack of enforcement against misuse in Mexico.
Second, how countries conceptualize “Internet sovereignty” in relation to government data localization is a critical issue in the global digital economy as the European Union, China, Russia, and others want broad, self-judging exceptions to justify localization and other restrictions that impact digital trade. In particular, as a leader in the global digital economy, that the United States uses some data localization and other data-related restrictions at home has a major impact elsewhere in the world. The situation in Mexico is also an example of what happens if USTR doesn’t push back against countries that misuse national security for digital protectionism.
Similarly, it’s hard to understate the impact that the Trump administration’s arbitrary targeting of Tencent and WeChat—based on vague national security grounds—had on countries that have (or were considering) digital trade barriers as they know they can ultimately rely on dubious national security exceptions. The self-judging use of national security exceptions is among the most troubling trends in global digital trade given how easily it can be misused for any manner of digital issues, such as government surveillance or cyberattacks.
USTR should fully enforce USMCA’s digital trade provisions to send a clear signal to its trade partners at the WTO and elsewhere that it wants and will use new rules to ensure clear digital market access. Ideally, the United States, Canada, and Mexico would also remove their misguided data localization requirements for government and financial data as it sends a signal to every other country that not only are such misguided practices legitimate, but they can probably go much further in misusing broad and vague national security concerns.
This post was derived from a private event convened by the Mexico Institute and the Canada Institute.