The USMCA’s Impact on Digital Trade and Data Transfers
Privacy in Focus®
On January 29, 2020, the President signed into law H.R. 5430, which implements the United States-Mexico-Canada Agreement (USMCA or Agreement), the successor to NAFTA. The Agreement has been ratified by Mexico and the United States. Once Canada ratifies it, the Agreement will take effect 90 days later. The USMCA reflects the critical importance of data transfer and privacy considerations in digital trade by including new provisions designed to protect and encourage the exchange of data across borders.
The new digital trade chapter of the Agreement prohibits tariffs on digital products and bars its members from requiring companies to store data locally. Additionally, it recognizes the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System as a valid cross-border transfer mechanism and requires that any new restrictions on the cross-border transfer of data be based on a “legitimate public policy objective.” This pairing is thought to be responsive to uncertainty that could be created by new privacy legislation in any member country, such as that caused by the European Union’s General Data Protection Regulation (GDPR). Specific to cross-border transfers, the GDPR restricts the transfer of personal information from the EU to a country without “adequate” data protection laws or that otherwise doesn’t comply with certain cross-border mechanisms – several of which have been challenged – creating uncertainty and confusion. Instead, members of the USMCA would use the CBPR System as a baseline transfer mechanism should any member country adopt future cross-border restrictions that are based on a “legitimate public policy objective.”
The CBPR System is a data privacy certification. Companies that join must commit to its data privacy protections. The CBPR System specifically requires: enforceable standards, accountability, risk-based protections, consumer-friendly complaint handling, consumer empowerment (access to data, right to correct), consistent protections (requiring the same baseline regardless of legal regime, although more may be done), and cross-border enforcement cooperation. The CBPR System is recognized by Japan, South Korea, Australia, and Singapore, in addition to the United States, Mexico, and Canada.
While the USMCA, once effective, will ease cross-border transfers of data, it is important to remember that both Mexico and Canada have comprehensive privacy laws. Any company doing business in either country should be aware of and understand its compliance obligations under these local regulations. Mexico’s privacy law, passed in 2010, is called the Ley Federal de Protección de Datos Personales en Posesión de los Particulares (or the Federal Law on Protection of Personal Data Held by Private Parties). It is generally recognized as one of the most comprehensive and actively enforced privacy laws in Latin America. The law covers a broad definition of personal information and applies when the personal information of a Mexican citizen is being processed. Similar to other comprehensive privacy laws, it gives the individual certain rights to their personal information and requires that businesses be transparent in their collection and use of personal information. Canada’s privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), has been in effect since 2004. PIPEDA applies to businesses that collect, use, or disclose personal information for a commercial purpose. PIPEDA, likewise, grants an individual numerous rights to their personal information, including notice/transparency, access, right to deletion, and consent for some uses.
For companies that conduct digital trade across the U.S./Mexico/Canada borders, the USMCA builds in privacy safeguards to allow for the flow of data between these countries while providing each country with the flexibility to adopt new privacy regulations. If your company is unsure of the CBPR System requirements or needs assistance in confirming its compliance with the CBPR System requirements – or other jurisdictional privacy laws – please contact one of our privacy professionals.
© 2020 Wiley Rein LLP