Chapter 8: Trans-Border Data Flows and Data Localization Requirements

Big Data Law in Canada


Chetan Phull · December 12, 2019

Chapter 8 is provided below. See also our service offering related to this chapter: “International Trade: Data Flow and Data Residency”.

Special thanks to Idan Levy for his valuable legal research and editorial work in the preparation of this book.


 
 


I. Defining Data Flow vs. Data Localization

The term “trans-border data flow” refers to channels of data flowing across borders. In contrast, the term “data localization” refers to the physical location of data at rest. These concepts are distinct, but often converge. For example, a data localization requirement in most cases will restrict how the data is permitted to flow.

II. Trans-Border Data Flows

There is no Canadian federal prohibition against trans-border data flows. In the private sector, while transfers must certainly be reasonable and transferors must remain accountable, the most controversial issue involves the principle of consent, previously mentioned in subsection III of Chapter 1.

[See PIPEDA, s.5(3), Sch. 1, Principles 4.1, 4.3.]

The OPC pursued a consultation on trans-border data flows earlier this year, focused on the issue of consent. The consultation was recently closed with a reminder to consider PIPEDA’s principles flexibly, and with common sense and pragmatism, until legislative reform takes place. However, the broader issue of privacy protections related to cross-border data flows and consent is far from closed. The OPC will continue to make recommendations for new laws.

[Consider OPC’s Patriot Act decision (PIPEDA Case Summary #2005-313, Oct 19, 2005), with OPC’s Equifax decision (PIPEDA Report of Findings #2019-001), and OPC’s “Consultation on transfers for processing – Reframed discussion document” (Jun 11, 2019). See also OPC’s Announcement re conclusion of consultation on data transfers for processing (Sep 23, 2019).]

In the federal public sector, entities have light due diligence and contractual requirements when outsourcing to data controllers and processors in other countries. This topic was discussed in subsection II of Chapter 2, and is the present extent of federal public-sector obligations arising from data flowing across borders.

[See Government of Canada, Directive on Privacy Impact Assessment (Apr 1, 2010).]

The approach of certain provinces is different. Nova Scotia, for example, has expressly placed limits on cross-border data transfers. Meanwhile, certain other provincial rules applicable to data localization, discussed below, effectively block trans-border data flows altogether.

[See Nova Scotia’s PIIDPA, ss.9(2)(d), 9(3)(b).]

The provincial data-flow impediments are arguably at odds with the federal government’s greater net neutrality commitments, namely the commitment to foster unimpeded information communication (i.e. data flow) through U.S. telecom networks.

[See the net neutrality letter by Navdeep Bains, Minister of Innovation [undated], in response to the ETHI Committee Report, “The Protection of Net Neutrality In Canada” (May 2018).]

Moreover, the provincial data-flow impediments are difficult to reconcile with Canada’s international obligations. Pursuant to the Comprehensive and Progressive Trans-Pacific Partnership (“CPTPP”), all Parties to the CPTPP must “allow the cross-border transfer of information by electronic means, including personal information,” when such activity is for the business of a covered investment, investor, or service supplier. An exception applies if restricting data flow would serve a Party’s “legitimate public policy objective.” However, it is improbable that provincial data-flow laws would fall into this exception without support from the federal government.

[See CPTPP, Arts. 14.1 “covered person”, 14.11.]

Finally, provincial data-flow impediments will soon conflict with Canada’s larger treaty obligations to the U.S. Since the U.S. is not a Party to the CPTPP, Canada’s agreement with the U.S. on trans-border data flows is found in the United States-Mexico-Canada Agreement (“USMCA”) (pending ratification). Instead of requiring Parties to permit cross-border data flows (as provided in the CPTPP), the USMCA contains stronger language—that there is no right to prohibit or restrict data flows absent legitimate policy objectives. Again, in the absence of federal government support, provincial data-flow blockades will likely need to give way.

[See USMCA, Art. 19.12.]

As an additional matter, data channels often have “bi-directional flow”. Therefore, personal data may in certain cases be covered under legislation in Europe or other jurisdictions. With respect to Europe, Canada’s PIPEDA has fortunately received an “adequacy decision” that permits personal data to be transferred back from the E.U. without impediment.

[See GDPR Art. 45; Recital 103; adequacy list (as of Dec 3, 2019).]

However, the European data controller must still disclose the cross-border transfer to the data subject. Moreover, adequacy decisions can change upon the European Commission’s review, which must take place every four years pursuant to the GDPR. Since the GDPR came into force in May 2018, and no PIPEDA review has been conducted since then or the two years prior, a review of the adequacy decision for PIPEDA should be expected anytime before the end of 2020.

[See GDPR Art. 14(1)(f); Art. 45(3); Recital 106; Recital 107.]

III. Data Localization Requirements

There is no Canadian federal data localization requirement. However, Alberta and Quebec have enacted data localization rules within the provincial private sector, while British Columbia and Nova Scotia have enacted similar rules applicable to the provincial public sector. There is also an increasing trend of national data localization rules, globally.

[See Alberta’s PIPA, s.13.1(2); Quebec’s private sector privacy act, s.17; BC’s FOIPOPA, s.30.1; NS PIIDPA, ss. 9(2)(d), 9(3)(b); Michael Geist, “The Sharing Economy and Trade Agreements: The Challenge to Domestic Regulation” appearing as Chapter VII in Derek McKee, Finn Makela, Teresa Scassa, eds., Law and the ‘Sharing Economy’ – Regulating Online Market Platforms (UOP, 2018) 233 at 245.]

As a competing parallel development, recent and forthcoming international treaties oppose data localization requirements. In the CPTPP, no Party can require localized computing facilities to do business within its borders. However, similar to the CPTPP’s data-flow provision, this right is subject to limitation by a Party’s “legitimate public policy objective.”

[See CPTPP, Art. 14.13.]

As previously mentioned, the U.S. is not a Party to the CPTPP. Canada’s agreement with the U.S. on data localization is found in the USMCA (pending ratification). Just like in the CPTPP, the USMCA states that a Party cannot require localized computing facilities in order to do business within its borders.

[See USMCA, Art. 19.12.]

However, in contrast to the CPTPP, this USMCA provision is not limited by a legitimate public policy objective. This means Canada has no right to insist that a foreign company operating within its borders use local computing facilities. This federal trade obligation may therefore present problems for provincial data localization rules.

[See also Michael Geist, “How Canada Surrendered Policy Flexibility for Data Localization Rules in the USMCA” (michaelgeist.ca/blog, Oct 10, 2018).]

Meanwhile, the Trade in Services Agreement (“TISA”) is still being negotiated, and will also address data flow and data localization. The participants of the TISA include “the United States, European Union, Japan, Canada, and many other developed economies.” The polarized views of the U.S. and E.U. will not be easily reconciled. While the U.S. is advocating for a CPTPP-style data locality clause, the E.U. is advocating for GDPR-style protections on data flows.

[See Global Affairs Canada, “Trade in Services Agreement (TISA)” (as of Dec 3, 2019); Michael Geist, “The Sharing Economy and Trade Agreements: The Challenge to Domestic Regulation” appearing as Chapter VII in Derek McKee, Finn Makela, Teresa Scassa, eds., Law and the ‘Sharing Economy’ – Regulating Online Market Platforms (UOP, 2018) 233 at 248-49.]

IV. Present Status of “International Data Law”

The laws of data flow and localization are far from settled on the international stage. For example, Canada’s ability to insist on data localization will differ under the CPTPP and USMCA, respectively.

Moreover, it is uncertain how TISA’s data localization provisions will interact with those of the USMCA. If the two sets of provisions differ, data localization rights/obligations between Canada and the U.S. may differ according to which treaty is considered.

This would obviously present complications in the event of subject matter overlap between TISA and the USMCA. Additional complexities may also result, depending on how various treaty standards are applied by the two countries (i.e. “minimum standard”, “national standard”, and “most favoured nation”).

[See, generally, Rudolf Dolzer and Christoph Schreuer, Principles of International Investment Law, 1st ed., (Oxford: Oxford UP, 2008) at “VII. Standards of Protection”, pages 119-194.]

V. Why Legal Counsel for Data Flow is Important

The discussed international law will ultimately affect Canadian businesses through domestic law, which is not far off. In 2019 alone, the OPC declared its understanding that Parliament will amend PIPEDA to cover data flow regulation, reframed the question for the benefit of legislators, and advised that its recommendations for new data flow laws would follow. Moreover, all Canadian privacy regulators recently signed a joint resolution to “call on their respective governments to modernize [privacy] legislation.”

[See OPC, “Reforming Canada’s privacy laws: Shifting from the whether to the how” (May 23, 2019); Government of Canada, “Strengthening Privacy for the Digital Age” (May 21, 2019); OPC, “Consultation on transfers for processing – Reframed discussion document” (June 11, 2019); OPC, “Commissioner concludes consultation on transfers for processing” (Sep 23, 2019); OPC, “Resolution of the Federal, Provincial and Territorial Information and Privacy Commissioners” (Oct 1-2, 2019); OPC, “Canada’s access to information and privacy guardians urge governments to modernize legislation to better protect Canadians” (Nov 6, 2019).]

The foregoing international and domestic legal developments should factor into every Canadian company’s PIA and data governance plan. Further to this end, data governance counsel should be retained to legally assess and manage data flows and localization requirements.


The copyright and disclaimer, as contained in the publication page of Big Data Law in Canada, applies to the content of this webpage.