Contents

Introduction. 1

Keep PIPEDA’s Framework for Cross-Border Movement of Data. 3

Protect Intellectual Property by Avoiding Backdoors in Source Code Disclosure. 3

Maintain a Flexible Approach for Developing and Using Artificial Intelligence 4

Ensure an Outcome-Focused Antitrust Enforcement 4

Promote Industry-Led Approaches to Interoperability 4

Protect Consumers Without Overregulating. 5

Promote Open Government Data Without Stringent Licensing Barriers 5

Minimize Counterfeits Through Collaboration and Smarter Enforcement 5

Promote Risk-Based Cybersecurity Cooperation. 6

Endnotes 6

Introduction

The Centre for Canadian Innovation and Competitiveness appreciates the opportunity to contribute to Global Affairs Canada’s consultation on a potential Canada-European Union Digital Trade Agreement (DTA).^[1]

Canada should approach exploratory talks regarding a Canada–EU Digital Trade Agreement (DTA) with caution. Greater alignment with the EU may appear to provide a hedge against U.S. influence, but in practice it risks importing a framework that impedes the potential for Canada’s digital economy and industries while raising compliance costs without increasing competitiveness. A DTA must not become a vehicle for embedding the EU’s digital sovereignty agenda or precaution-first templates, which have already constrained Europe’s own digital economy. Canada should reflect upon the reality that if it wishes to import Europe’s digital economy rules it will also import the moribund condition of the European digital economy that those very rules have engendered.

Moreover, Canada already possesses a stronger foundation in the Comprehensive and Progressive Agreement on the Trans-Pacific Partnership (CPTPP) and potential accession to Digital Economy Partnership Agreement (DEPA). These frameworks prohibit data localization, enable cross-border data flows, and provide modular approaches that adapt to new technologies, while adopting certain EU policies would directly contravene these existing trade obligations.^[2] As the global trade system shifts, CPTPP and DEPA are emerging as preferable models for open, innovation-friendly digital commerce, an approach the EU is now exploring itself through discussions of possible CPTPP accession.^[3] Canada should be exporting these principles to Europe, not importing the Brussels Effect.

In particular, the EU’s General Data Protection Regulation (GDPR) restricts cross-border data transfers in ways that fragment digital services, while the Digital Markets Act (DMA) hard-codes design mandates that reduce consumer choice and delay new product releases.^[4] These rules illustrate the trade-off at the heart of the EU model: more compliance, less innovation.^[5] Canada should not fall into the trap of substituting EU dominance for U.S. influence but instead safeguard its own ability to regulate technologies in a way that supports competitiveness, innovation, and growth.

As a foundation for exploratory discussions, Canada should be guided by the following principles when evaluating any Canada-EU Digital Trade Agreement:

1. Prioritize innovation and interoperability by favouring international, industry-led standards and outcome-based approaches.

2. Reject adopting EU policies by not allowing rules that would lock in one regulatory model and limit future options for governing AI, data, or digital platforms.

3. Align with CPTPP and DEPA norms by embracing cross-border e-commerce and data flows without the EU’s precautionary-first governance approach.

4. Reject low-benefit, high-cost provisions by saying no to rules that burden Canadian innovators without offering clear commercial upside.

5. Design for modularity and adaptability by structuring the agreement to evolve with technology, not freeze it in time (à la DEPA).

The five principles above provide the strategic guardrails for any Canada–EU Digital Trade Agreement. Within those guardrails, the following recommendations address the specific issue areas raised in the government’s consultation. They identify where alignment with EU approaches would risk importing the Brussels Effect into Canadian law and where targeted cooperation could advance shared interests without constraining Canada’s policy flexibility or innovation capacity.

Keep PIPEDA’s Framework for Cross-Border Movement of Data

EU policymakers often frame restrictions on the free flow of information as safeguards for privacy and cybersecurity, but in practice they are a misguided target. Meanwhile, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) establishes rules for organizations transferring personal information outside the country. While PIPEDA does not prohibit cross-border transfers, it obliges organizations to ensure a “comparable level of protection” through contracts when data is processed outside Canada. In addition, PIPEDA mandates that individuals be notified that their data may be transferred abroad and accessed by foreign authorities.^[6]

Canada should not trade its data protection principles for the EU’s approach. PIPEDA takes an organization-to-organization accountability model: Canadian organizations are responsible for ensuring that third parties provide a comparable level of data protection before transfers occur. While PIPEDA’s principles are widely aligned with CPTPP and APEC’s Cross-Border Privacy Enforcement Arrangement (CPEA), they contrast with the EU’s country-to-country approach, where the European Commission must designate other jurisdictions as “adequate” before transfers can proceed.

Locking GDPR concepts such as adequacy determinations or consent-based transfer rules into a Canada–EU Digital Trade Agreement (DTA) would raise compliance costs, discourage efficient cross-border data use, and slow the deployment of AI, analytics, and digital services.^[7] These mechanisms impose significant compliance burdens, introduce legal uncertainty, and fragment data architectures, functioning as trade barriers that harm Canadian exporters, AI developers, and cloud providers. Some policymakers in Europe have gone further, advocating for data storage inside the EU. While not present in GDPR itself, such proposals illustrate how conditional transfer regimes can drift toward outright localization pressures.

Ottawa should clarify federal primacy over cross-border data flow rules, modernize national privacy law to reinforce accountability principles, and pre-empt provincial measures that fragment Canada’s digital market.^[8] Quebec’s GDPR-style Law 25 already includes adequacy assessments and contractual clauses, while Alberta mandates additional notice provisions for cross-border transfers. This patchwork creates uncertainty for firms, raises compliance costs, and undermines Ottawa’s ability to negotiate a coherent, innovation-friendly digital trade framework.

Canada should therefore ensure that any DTA commits to the free flow of data across borders, subject only to narrow and clearly defined public policy exceptions. The agreement should explicitly prohibit localization requirements and reject adequacy-style transfer tests as a condition of market access. Data mobility should remain the default, with trade provisions reinforcing accountability, security safeguards, and redress mechanisms rather than hardwiring EU-style restrictions.^[9]

Protect Intellectual Property by Avoiding Backdoors in Source Code Disclosure

Intellectual property (IP) protection is reflected in DTAs mainly in the prohibition on parties forcing the transfer of source code as a condition of market access. Canada already accepts this provision by being a signatory to the CPTPP and other agreements, such as the United States-Mexico-Canada Agreement (USMCA). At the same time, the EU-New Zealand Free Trade Agreement (FTA) has binding provisions on source code protection.^[10] One key difference in this provision is that the CPTPP offers carve-outs only in patent applications and judicial orders to solve patent disputes, while the EU-New Zealand FTA is broader, targeting all IP rights disputes.^[11] Canada should avoid expanding these carve-outs, as other IP rights disputes (e.g., trademark or copyrights) rarely require access to source code, creating a de facto backdoor for forced disclosure of source code, making this provision less effective.

Maintain a Flexible Approach for Developing and Using Artificial Intelligence

The EU AI Act defines high-risk systems broadly, front loads conformity assessments, and hardwires documentation and model obligations that fit Brussels institutions, not Canadian deployment realities. If mirrored in a DTA, those design choices would freeze Canada’s policy space and deter AI adoption in health, manufacturing, and agriculture by turning pilots into compliance projects. Canada shouldn’t agree, through a trade deal, to copy the EU’s list of “high-risk” AI systems, to require government approval before AI can be used, or to follow the EU’s specific compliance and testing rules.

The agreement should limit itself to cooperative principles: risk-based oversight using sectoral-based regulators, post-deployment monitoring, and incident reporting where warranted. Regulation should reference international, industry-led standards for AI assurance, not EU legal texts and include a standing regulatory cooperation forum to share evidence and testbeds, with an explicit carve out that prevents any presumption of alignment with EU definitions or high-risk schedules.

Additionally, provisions relating to the research, development, and diffusion of emerging technologies, such as AI, should be particularly flexible as the technology is in its early stages. DEPA’s modular and flexible model should be seen as an example of how to address emerging technologies in a modern DTA, without locking in premature rules.

Ensure an Outcome-Focused Antitrust Enforcement

The DMA exports a policy model that imposes prescriptive design rules on large platforms, from default settings to app store terms. Baking DMA-like obligations into a DTA would constrain Canada’s case-by-case antitrust enforcement, raise costs for Canadian developers, and chill pro-competitive integration that scale-ups need to grow. Canada shouldn’t sign a trade deal that locks in rules automatically targeting large firms just because they’re large.

Canada should limit any competition policy cooperation in the agreement to: 1) exchanging information and expertise between regulators, and 2) emulating the CPTPP by encouraging parties to implement consumer protection laws that define and prevent fraudulent and deceptive commercial activities. The deal should make clear that enforcement stays focused on proven harms and real-world outcomes and protect Canada’s ability to adapt its tools as markets change.

Promote Industry-Led Approaches to Interoperability

The EU tends to try to achieve interoperability through rigid technical mandates that lock in one way of doing things.^[12] This narrows design choices, increases compliance costs for SMEs, and slows the pace of iteration. A Canada–EU DTA should not, directly or indirectly, make EU-origin technical specifications mandatory.

Any standards referenced in the agreement should be international, open, and developed through transparent, industry-led processes such as the International Organization for Standardization (ISO), the International Electrotechnical Commission (IEC), the International Telecommunication Union (ITU), the Internet Engineering Task Force (IETF), or the World Wide Web Consortium (W3C). Interoperability should be defined as achieving a result, not following one prescribed method. The agreement should recognize different, functionally equivalent implementations and include a mechanism to update references without defaulting to Brussels-led governance.

Protect Consumers Without Overregulating

The EU has developed voluntary consumer protection commitments that can improve redress and transparency, but these often lay the groundwork for later regulation. Following the CPTPP, online consumer protection should focus on protecting consumers from fraudulent and deceptive commercial activities. Canada should engage where practices remain genuinely voluntary and focused on outcomes, not where they serve as soft-law precursors to binding obligations. Cooperation should centre on best practices for disclosure and dispute resolution, and the text should explicitly state that voluntary commitments under the DTA do not create enforceable legal obligations.

Promote Open Government Data Without Stringent Licensing Barriers

In digital trade, the real value of open government data depends on both what is released and how it is delivered. Standard datasets, like business registries, procurement records, or geospatial information, can drive significant private-sector innovation when they are published consistently across jurisdictions. The key is ensuring that when governments release datasets, they follow open, interoperable, and machine-readable formats with clear licensing terms that enable reuse.

A joint Canada-EU technical working group could publish common application programming interface (API) patterns and reliability benchmarks for priority datasets. However, the DTA should avoid imposing content controls, or add licensing carve-outs that block commercial reuse (which would defeat the purpose of open data). In addition, cooperation in open government data should be a best-efforts endeavor rather than a binding commitment, following what is stated in the CPTPP and DEPA.^[13]

Minimize Counterfeits Through Collaboration and Smarter Enforcement

It is uncommon for DTAs to include provisions to address counterfeit goods. For example, neither the e-commerce chapters of the CPTPP and USMCA, nor the DEPA explicitly includes provisions or language regarding counterfeit goods. However, a potential Canada-EU DTA could innovate in this area.

Fighting counterfeits in cross-border e-commerce depends on fast enforcement and effective traceability systems, not heavy-handed platform liability rules. Canada’s trading partners, such as the EU and the United States, have articulated overlapping best practices (through the EU’s Memorandum of Understanding on the Sale of Counterfeit Goods and the U.S. report on combating counterfeits) that recommend measures such as seller verification, notice-and-takedown processes, proactive monitoring of high-risk categories, and information-sharing with rights holders and law enforcement. These approaches provide a useful foundation for cooperation without resorting to rigid design mandates.

Practical areas for joint action include customs cooperation for rapid takedowns, shared risk profiling, merchant verification in high-risk categories, and pilot projects on interoperable authenticity markers and supply-chain traceability.^[14] The focus should remain on speeding enforcement against counterfeit flows, particularly from high-risk sources, without creating compliance burdens that fall on legitimate SMEs.

Promote Risk-Based Cybersecurity Cooperation

The most productive Canada–EU cybersecurity cooperation will be operational rather than compliance-driven. High-value priorities include secure threat intelligence channels, joint botnet disruption campaigns, coordinated incident response exercises, and co-funded R&D on secure-by-design tools and post-quantum cryptography. Risk-based frameworks can be promoted through guidance and procurement incentives instead of rigid certification mandates. Trade provisions should reinforce strong encryption and targeted lawful access through established legal processes, without creating obligations that imply backdoors.

Endnotes