Renegotiating Data Localization: The Role of Provincial Law in NAFTA e-Commerce

By: Eitan Morris

Globalization and technology have led to increases in opportunity and connectivity for individuals and businesses around the globe. In response to the increasingly porous nature of technological barriers, many countries are attempting to exert control through regulation. A common method of regulation is through the implementation of data localization legislation. Data localization is the requirement that data about a country’s citizens or residents be collected, processed, and/or stored on servers physically located in-country. Placing limitations on the cross-border transfer of data can have consequences across economic sectors. For these reasons, data localization regimes have been called into question. One key example is Canadian provincial data localization laws, which have become a hotly contested element in the e-commerce section of the current North American Free Trade Agreement (NAFTA) renegotiations.

In July 2017, the Office of the U.S. Trade Representative published negotiating objectives in which it stated the U.S. position regarding e-commerce was to “establish rules to ensure that NAFTA countries do not impose measures that restrict cross-border data flows and do not require the use or installation of local computing facilities.”  Although the Canadian government has not enacted any federal data localization legislation (with the exception of the requirement that all government email be stored domestically), both British Columbia and Nova Scotia have enacted provincial legislation requiring certain data be stored locally.

British Columbia became the first Canadian province to mandate data localization in 2004 when it adopted the Freedom of Information and Protection of Privacy Act (FIPPA). FIPPA requires public bodies to ensure that all personal information in their custody or under their control be stored and accessed only in Canada. This extends to public bodies and their service providers or contractors in education, transportation, health care, and the judiciary, and covers all data stored on computer logs, backup drives, and in the cloud. In 2006, Nova Scotia followed in British Columbia’s footsteps when it passed the Personal Information and International Disclosure Protection Act (PIIDPA). PIIDPA includes nearly identical provisions to FIPPA.

FIPPA and PIIDPA were enacted in direct opposition to the passage of the USA PATRIOT Act in 2001. At the time, there were significant fears that the PATRIOT Act would allow the collection of Canadian citizens’ data without their knowledge or consent. In British Columbia, these fears were further exacerbated in 2013 when the provincial government attempted to outsource the administration of health care records to a U.S.-based company. Because British Columbia and Nova Scotia resorted to data localization measures, Canadian NAFTA negotiators are placed in an awkward position across the table from their U.S. counterparts.

Under the now-stalled Trans-Pacific Partnership, provincial data localization regulations were to be grandfathered in. Many fear, however, that the Canadian government is now willing to compromise domestic data localization regulations for advantages in the auto and agriculture sectors. On December 17, 2017, however, the Director of Services Trade with Global Affairs stated before the Parliamentary Committee on International Trade that the Canadian position in current trade negotiations is to take a “balanced approach so that we can still ensure a cross-border flow of data but at the same time protect that information that’s held by government or in a government procurement context.” This would protect the data localization regulations in FIPPA and PIIDPA as they stand currently but would limit any future attempt to broaden their application. This position, however, rebuffs the U.S. stance of restriction-free cross-border data transfers.

With the sixth round of NAFTA negotiations having concluded in Montreal at the end of January, it remains to be seen what shape the e-commerce section of NAFTA ultimately takes.  Whatever agreement emerges will set the tone for future negotiations regarding cross-border data flows and data localization between the U.S., Canada, Mexico, and their potential future trade partners.  For example, the World Trade Organization has already announced the creation of a working group of e-commerce “friends” in which the U.S. will participate.  Additionally, President Trump’s Administration has expressed an interest in restarting the Transatlantic Trade and Investment Partnership (TTIP) negotiations that have been on ice since the 2016 U.S. election.  Negotiations for the Trade in Services Agreement (TiSA) similarly fell by the wayside during the 2016 election but may be restarted under the current administration. Under the current administration, it is unlikely the U.S. preference for restriction-free cross-border data transfers will change. Ultimately, whatever shape the NAFTA e-commerce clause takes will set the stage for the future of e-commerce agreements.


Note: The views expressed above are solely those of the author(s) and do not reflect any official position taken by the Information Security and Privacy Law Student Group, the Washington College of Law, or American University at large.
