澳门六合彩

The United States-Mexico-Canada trade agreement鈥檚 (USMCA) digital trade provisions are touted as one of the clearest examples of why NAFTA needed an upgrade. The scorecard on whether these provisions have lived up to expectations after a year of being in effect (July 1, 2020) is mixed. It鈥檚 equal parts revealing and troubling. It鈥檚 troubling as Mexico misuses national security concerns to justify financial data localization and enacted a 鈥渒ill switch鈥� to block foreign digital firms that don鈥檛 pay taxes. It鈥檚 revealing in how Canada and the United States define 鈥淚nternet sovereignty鈥� through their targeted use of data localization for government data. This post provides an analysis of digital developments post USMCA and how the lack of enforcement, and countries鈥� own use of localization policies, sends a troubling signal to other countries like China and the European Union that want to use the same excuses to justify much broader use of data localization.

Mexico: Financial Data Localization and the Troubling Lack of a U.S. Response

Mexico is demonstrating how easy it is for countries to use self-judging exceptions for national security by enacting financial data localization. In late 2020, Mexico鈥檚 central bank (Banxico) and the National Banking and Securities Commission (CNBV) issued draft fintech regulations ( that would force firms to only choose cloud providers based in Mexico.

Mexico鈥檚 draft regulation is particularly troubling as officials justified it on the basis of broad, vague, and highly unlikely national security grounds. Just as troubling is the fact that the Trump administration reportedly did not push back on Mexico鈥檚 use of this rationale, in part due to its own misuse of national security rationales to enact tariffs on foreign automotive and steel imports. Mexican officials reportedly looked to Russia as their model as it enacted payment data localization as part of an initiative to replace foreign payment firms with a state-supported payments system (known as ) after being targeted with financial sanctions for invading Ukraine and annexing Crimea.

Mexico鈥檚 data localization proposal breaches both the spirit and the letter of USMCA鈥檚 digital trade and financial services chapters. The financial services chapter prohibits rules forcing firms to use or locate local computing facilities as a condition of market access (article 17.18). Should a firm face an issue providing data to regulators, they would have a reasonable opportunity to address the issue and shift data to a jurisdiction where access is assured (article 17.18). In contrast, Canada removed two financial data localization policies (two sections of the Canadian Bank Act) to come into compliance with USMCA. The United States Trade Representative鈥檚 Office (USTR) is using USMCA鈥檚 to ask Mexico to review labor rights at an automotive factory, but has not called a meeting of USMCA鈥檚 Committee on Financial Services as a first step in addressing this issue.

The United States鈥� lack of action is surprising as the USMCA鈥檚 financial data framework is seen as the gold standard it wants replicated in other agreements. It鈥檚 especially ironic as financial data has created such turmoil for the United States, following (and ) on a carve out for financial data in the Trans-Pacific Partnership (TPP).

Mexico鈥檚 Kill Switch: Using Tax Enforcement to Cut Off Digital Market Access

In December 2020, Mexico that would allow it to block foreign providers of digital services from offering their services in Mexico if they fail to comply with Mexico鈥檚 digital tax rules. It鈥檚 particularly troubling as no other country does this for tax compliance, so it sets a troubling precedent. 聽

As , Mexico鈥檚 Ministry of Finance initially floated the idea for a 鈥渒ill switch鈥� mechanism, where tax authorities would ask Internet service providers to block access to digital services from a company that is not聽 in compliance with Mexico鈥檚 tax laws. The measure is most likely a breach of Article 15.3 (), Article 18.3 (), and Article 19.4 (Non-discriminatory treatment of digital products). Mexico鈥檚 approach contrasts with Chile and other countries鈥� non-trade restrictive approach to ensuring tax compliance by foreign digital service providers. Again, it鈥檚 up to USTR to raise this issue. However, again, there鈥檚 no evidence that USTR or Canada have raised the issue with Mexico. Thankfully, the measure is not yet enforced. Mexico is reportedly developing details to outline under what conditions it will use the kill switch if companies don鈥檛 respond within a certain timeframe.

Canada: Quebec and Alberta鈥檚 De Facto Data Localization Measures

Canadian provinces have a track record of enacting misguided data localization requirements for data privacy. In 2021, respecting the Protection of Personal Information (known as 鈥淏ill 64鈥�), includes a de facto localization policy. Many parts of the law are commendable in that it reflects the accountability principle in its use of contracts to ensure firms manage data the same, wherever they transfer it. It is similar to Alberta鈥檚 , which requires firms to notify people when sending their personal data outside of Alberta during outsourcing arrangements. However, requiring firms to disclose the possibility that the personal information being collected could be transferred outside the province at both the time of collection (of personal information) and upon request creates the misconception that personal data transferred outside of Quebec is somehow less safe. What鈥檚 unique about Quebec鈥檚 law is that there is no distinction between international and inter-provincial transfers within Canada. Meanwhile, Canada鈥檚 Personal Information Protection and Electronic Documents Act has no such disclosure requirement.

The Use and Misuse of Exceptions is More Important Than the New Digital Trade Rules Themselves: How Canada and the United States Use Data Localization for Government Data

A central question in global data governance and digital trade is how countries use鈥攐r more worryingly, misuse鈥攖rade law exceptions for government procurement, privacy, national security, and other public policy objectives to justify data localization. USMCA鈥檚 digital trade chapter does not apply to government procurement or information held or processed by or on behalf of the government. Furthermore, USMCA鈥檚 chapter on exceptions and general provisions (chapter 32) includes the General Agreement on Trade in Services exceptions language (), such as for public morals or safety and privacy. Given USMCA鈥檚 ambitious digital trade provisions, how each country uses exceptions to enact localization for government data and services is perhaps even more important than the use of USMCA鈥檚 anti-localization provisions, as it demonstrates how each country seeks to define the use of this barrier to trade.

Canada is unique in its of 鈥溾�� in relation to government data and services. It requires cloud services to keep certain categories of sensitive and classified data (at rest) within Canada. It does not necessarily apply to data in transit, as Canada recognizes that certain cloud services may only be run outside of Canada. These requirements are included in . and other U.S. cloud firms with data centers in Canada have won contracts given they have local data centers. Similarly, provincial level data localization requirements in British Columbia and Nova Scotia for personal data held by public bodies remain (although it鈥檚 unclear under what legal basis).

Similarly, the United State鈥檚 uses contractual arrangements to requires local data storage for specific, sensitive data types managed by certain government agencies, such as the International Traffic in Arms Regulations (ITAR), the Federal Risk and Management Program (FedRAMP) High, Department of Defense Security Requirements Guide (DoD SRG) Impact Levels 4 and 5, and Criminal Justice Information Services (CJIS). The service (managed by AWS) uses data center operations that are physically separated from all other AWS cloud regions and only staffed by U.S. citizens.

Conclusion: Live Up to the Spirit and the Letter of USMCA鈥檚 Promise

How the United States, Canada, and Mexico use and enforce (or misuse and don鈥檛 enforce) USMCA鈥檚 much touted data-related provisions has important implications.

Firstly, new digital trade rules are only meaningful if they鈥檙e enforced. These rules don鈥檛 provide the certainty that firms operating in North America thought that they would provide given the lack of enforcement against misuse in Mexico.

Second, how countries conceptualize 鈥淚nternet sovereignty鈥� in relation to government data localization is a critical issue in the global digital economy as the European Union, China, Russia, and others want broad, self-judging exceptions to justify localization and other restrictions that impact digital trade. In particular, as a leader in the global digital economy, that the United States uses some data localization and other data-related restrictions at home has a major impact elsewhere in the world. The situation in Mexico is also an example of what happens if USTR doesn鈥檛 push back against countries that misuse national security for digital protectionism.

Similarly, it鈥檚 hard to understate the impact that the Trump administration鈥檚 鈥攈ad on countries that have (or were considering) digital trade barriers as they know they can ultimately rely on dubious national security exceptions. The self-judging use of national security exceptions is among the most troubling trends in global digital trade given how easily it can be misused for any manner of digital issues, such as government surveillance or cyberattacks.

USTR should fully enforce USMCA鈥檚 digital trade provisions to send a clear signal to its trade partners at the WTO and elsewhere that it wants and will use new rules to ensure clear digital market access. Ideally, the United States, Canada, and Mexico would also remove their misguided data localization requirements for government and financial data as it sends a signal to every other country that not only are such misguided practices legitimate, but they can probably go much further in misusing broad and vague national security concerns.

The author's insight was derived from a private event convened by the Mexico Institute and the Canada Institute.