The USTR’s Reverse Logic on Data Protection Trade Barriers
As Michael Geist reported yesterday, in its new annual report on foreign trade barriers, the US Trade Representative has identified certain Canadian regulations and policies restricting cross-border personal data flows as a new trade barrier.
According to the USTR,
The strong growth of cross-border data flows resulting from widespread adoption of broadband-based services in Canada and the United States has refocused attention on the restrictive effects of privacy rules in two Canadian provinces, British Columbia, and Nova Scotia. These provinces mandate that personal information in the custody of a public body must be stored and accessed only in Canada unless one of a few limited exceptions applies. These laws prevent public bodies such as primary and secondary schools, universities, hospitals, government-owned utilities, and public agencies from using U.S. services when personal information could be accessed from or stored in the United States.
In addition, the USTR raises concern about the new initiative by the Government of Canada to consolidate information technology services across 63 email systems under a single platform. The USTR notes that
The request for proposals for this project includes a national security exemption which prohibits the contracted company from allowing data to go outside of Canada. This policy precludes some new technologies such as “cloud” computing providers from participating in the procurement process. The public sector represents approximately one-third of the Canadian economy, and is a major consumer of U.S. services.
The USTR concludes that
In today’s information-based economy, particularly where a broad range of services are moving to “cloud” based delivery where U.S. firms are market leaders; this law hinders U.S. exports of a wide array of products and services.
The USTR’s mission is to works toward opening markets throughout the world to create new opportunities for American businesses, and from this perspective its grievance about those Canadian data protection policies is understandable. Nevertheless, the complaint reflects reverse logic. To the extent that those policies hinder the ability of U.S.-based companies to provide some IT services to Canadians, the fault is not in those who promulgated those policies. Those policies have been adopted to protect the privacy rights of Canadians, as well as ensure their Constitutionally protected ability to communicate electronically without being subject to surveillance (and in the case of the federal government, also to ensure that its communications are hidden from the prying eyes of the US government).
These measures aren’t protectionist trade barriers, or in the language of international trade law, they aren’t likely to be considered as “arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade”. Rather, these measures seem like a necessary and inevitable response to two simple facts. The first is that whatever protections Americans have under the U.S. Constitutions, those protections do not apply to foreigners–including Canadians. As a result, Canadians’ data stored in the U.S. is, as far as U.S. Constitutional law is concerned, unprotected fair game. The second is that the recent revelations about the extent to which the U.S. government is flouting its own laws that are supposed to protect its own citizens suggest that, even if the same protections were nominally available to Canadians’ data in the U.S., Canadians would be effectively unprotected. Either case, if seems that Canada would be fully justified in adopting those measures, irrespective of their effect on cross-border trade in services. This conclusion holds even if it turns out the Government of Canada is engaging in the same illegal practices as the U.S. government, because Canadians still have standing to seek redress against those practices in Canadian courts, and can still exercise their political rights to influence their government practices in ways from which they are foreclosed in the U.S..
In fact, Article XIV of General Agreement on Trade in Services (GATS), setting out general exceptions for countries’ commitments to liberalize trade in services, explicitly contemplates this kind of measures, where it provides the following:
Subject to the requirement that such measures are not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination between countries where like conditions prevail, or a disguised restriction on trade in services, nothing in this Agreement shall be construed to prevent the adoption or enforcement by any Member of measures … (c) necessary to secure compliance with laws or regulations which are not inconsistent with the provisions of this Agreement including those relating to … (ii) the protection of the privacy of individuals in relation to the processing and dissemination of personal data and the protection of confidentiality of individual records and accounts.
Since “like conditions” with respect to the protections of Canadians’ data do not prevail, Canada is fully justified in adopting measures to protect the rights of Canadians, even if this impacts cross-border trade in services. Granted, this outcome is less than ideal, because all things equal, this barrier to trade affects not only U.S. providers, but can also reduce the supply or competitiveness of options available to Canadians, but the USTR is pointing its finger at the wrong direction. If the U.S. is worried about this trade barrier, it can remove it by guaranteeing that data stored in the U.S. would be just as protected, de jure and de facto, as data stored in Canada.
Of course, the USTR may not have the mandate or incentive to recommending changes in U.S. policies, and “blame Canada” may always be expedient, but what’s easy is not always what’s right. The USTR’s complaint is based on reverse logic.