The battle over data localization

Canada has long been a laggard on digital regulation, and it is only just now putting together a set of rules on how private companies can broker and move data around. The new suite of regulations will give Canadians a say in how their data is moved, used — and, possibly, abused. The changes will bring it more in line with how Europe and other parts of the world are tackling the issue.

But lawmakers need to think carefully about rules around data localization. Last year, Gowling WLG published a report on global data protectionist trends. In it, the firm cites Canada as being particularly “high risk” for setting up barriers to digital trade.

“Data is the new frontier of both globalisation and protectionism,” the report reads. “In many ways, data protectionism is an old problem manifesting itself in a new frontier...data-localisation requirements that seek to confine the storage of data within particular state borders to ensure privacy and security can act as a non-tariff barrier, limiting the growth of trade in an increasingly digitised world.”

It’s a point of concern for businesses who benefit from free and open data flows, especially companies who store vast amounts of data in one place — or several places, as is often the case — and who balk at the idea of bringing new servers online just to handle those requirements.

Indeed, those concerns wound their way into the new United States-Mexico-Canada Agreement (USMCA), the successor to NAFTA. As Bereskin & Parr associate Amanda Branch wrote last October, the digital trade chapter holds that the “new provision restricts the parties' abilities to localize data freely, such that a party cannot require, as a condition for conducting business within their country, that stored data be located within its territory.”

The agreement contains a public policy carve-out, requiring the regulations to have a legitimate policy objective, but where that begins and ends may yet be a subject of litigation.

Even with the new language in the trade agreement, the Office of the Privacy Commissioner dropped a new consultation paper earlier this month, raising an unexpected suggestion. It is proposing that “a company that is disclosing personal information across a border, including for processing, must obtain consent.”

Lyndsay Wasser, a partner at McMillan who co-chairs both the firm’s privacy & data protection and its cybersecurity groups, says the consultation paper is “a bit of a game changer.”

She stresses that the office has been responsive to input in the past, and has stepped back on some more onerous possible regulations, nevertheless says this consultation paper is a big step.

The commissioner says that the consent requirements under the Personal Information Protection and Electronic Documents Act (PIPEDA) mean that “individuals would reasonably expect to be notified if their information was to be disclosed outside of Canada and be subject to the legal regime of another country.” Whether they would ultimately go through with the relationship with said data processor “should be left to the discretion of the individual.”

Wasser says that before this, it appeared the Privacy Commissioner did not view cross-border data transfers to be “necessarily problematic.” The case law from that office basically held that there is inherent risk in moving data abroad, but so long as the recipient country had a comparable legal framework as Canada, there needn’t be consent given.

Michael Geist, a law professor at the University of Ottawa and Canada Research Chair in Internet and E-commerce Law, says the bold new suggestion comes from a dearth of action from the government. He wrote on his blog that “the absence of meaningful updates to Canadian privacy law for many years has led to another exceptionally aggressive interpretation of the law by the OPC.”

Wasser says there were clues that the commissioner was heading this direction, however.

“The first shift that I saw was when the Privacy Commissioner released their guidelines on handling personal information in cannabis transactions,” Wasser says. Because customer information could lead to prosecutions in foreign countries, particularly in the U.S., the Commissioner took the view that the data should reside in Canada.

Wasser says the consultation paper is “a much more substantial shift” in the matter. She expects “strong feedback” to come from it.

As the Privacy Commissioner begins consultations, Industry Canada is also undergoing a review of PIPEDA, preparing for what may be the most substantial overhaul of the legislation since it was passed nearly two decades ago.

If data-transfer rules wind up in the new PIPEDA, it will supersede whatever the commissioner comes up with. And, in devising the new legislative framework, the government does have a roadmap.

“The GDPR has a whole framework built around this,” Wasser says, referring to the EU’s General Data Protection Regulation, enacted last year and which govern how citizens of the EU have their data handled. “It’s strict,” but “manageable.” The regulations have had spillover effects on other countries in many ways.

When it comes to cross-border data flows, the GDPR is flexible. Under the rules, Wasser says, “consent is a last resort.” Generally speaking, the GDPR allows for personal information to be sent to outside data processors or parties, so long as the data protection regime in the intended country is under the GDPR or at least “adequate.”

The Privacy Commissioner’s proposal goes far beyond that, and doesn’t appear to have any consideration vis-a-vis which country the data is headed to.

“I don’t think it will be as smooth to try and roll out a consent model for transfers to service providers in other countries,” Wasser says.

Wasser puts all of this movement squarely in the push-and-pull she sees going on every day.

“What I have seen in recent years is more and more contractual requirement to keep data within Canada,” she says. Clients and companies are awake to the possible risks of offshoring data, and have made a push to try and keep the data home. Or, least, to bake in language to the contract that would require notice and consent. Control over the data is definitely a priority.

And yet, there’s a “flip side,” she says. Many cloud service providers simply refuse to keep data local. Even in cases where there are laws, in British Columbia and Nova Scotia, for example, requiring localization for some government-owned data, “they won’t move.”

There’s no question the fight over localization and data protectionism is playing out on many levels. Whether there will be a victory anytime soon is anyone’s guess.