What does privacy have to do with trade agreements? As Canada, the U.S., and nine other countries negotiate a multilateral trade agreement called the Trans-Pacific Partnership, the TPP, U.S. negotiators are pushing to include a provision that would commit members to allowing free-flow of data over their borders. They want to prevent countries from implementing “localization requirements” that require companies doing business in their jurisdiction to physically locate their computer servers there.
One rationale for domestic localization is to increase a government’s ability to enforce domestic laws, including privacy laws. However, localization requirements can make it more expensive and difficult for companies to do business across borders and in the cloud.
A few weeks ago, I moderated a panel discussion in Ottawa on the topic of trans-national data flows, privacy and trade agreements. The panel was part of a Big Tent conference put on by Google and the Canadian American Business Council. CPAC-TV has recently made footage of the discussion available online.
The panelists were (left to right):
– Bill Reinsch, President, National Foreign Trade Council;
– Jennifer Stoddart, Privacy Commissioner of Canada;
– Jonathan R. McHale, Office of the United States Trade Representative, Deputy Assistant USTR for Telecommunications and Electronic Commerce Policy;
– Christopher Parsons, PhD Candidate, Department of Political Science at University of Victoria;
– Michael K. Brown, Vice President, Security Product Management and Security Research and Assessment, BlackBerry
In opening comments, U.S. Ambassador David Jacobson called for a shared position between the U.S. and Canada: “The cross border data flows, data privacy, these are issues that are important to have Canada and the United States aligned on,” Jacobson said.
The panel discussion starts around the 10-minute mark of the video. I’ve excerpted some of the exchanges below:
On the importance of cross-border data-flows to the private sector:
Bill Reinsch: It’s huge and it’s been a revelation to me. When we first started thinking about this in my organization, an association that represents global companies, I thought: Google cares, Microsoft cares, Facebook cares… But then I was advised very strongly by my manufacturers, that a whole bunch more people care than that. Now everybody does everything on the Internet. One of our companies, Procter & Gamble, they do their research on the Internet. They shift it around the globe to follow time zones. People are always working 24/7 on research…. General Electric sells power plants. They monitor their power plants remotely so they don’t have to send something out when something breaks… It has also enabled an explosion in micro-exports… My favorite little old lady in West Virginia who makes quilts. For 30 years she’s been selling them at farmer’s market on the weekend or to her neighbors. Now she goes on eBay and she sells them in Germany, sells them in France, all over the place. This is a huge boom of small exports all enabled by digital trade. It has also created a boom in the logistics industry because who likes the quilts the most? UPS, Fedex, and DHL. Because they are the ones who ship them. And there is also a whole host of documentation that goes along with that, all on-line. So there has been an explosion of usage of the Internet that transforms the trading system into something very different than what it was even eight years ago.
On what the U.S. is trying to achieve on data flows in the TPP:
Jonathan McHale: What we do in the trade world is we focus on the negative – what are the barriers, what are the impediments [to trade]? I’m not going to say that privacy is a barrier, or security is a barrier. But it can be used in a way that impedes trade. …
One concrete example would be Australia. They have put in place an electronic health records system as we have. Due to privacy concerns, due to concerns that they thought they couldn’t address what legitimate privacy issues, they are insisting by law that the data remain in country — has to be processed in-country, has to be stored in-country. Is that necessary? I think that’s an open question. What we are trying to do is to set up a system where the default is, the data should move. There are always going to be exceptions, there are always going to be governments who say no, I don’t have the trust to allow that to happen. But can’t we at least have a system where the default is it should move, and that you should be able to have a conversation with a government – how can we take into account your legitimate needs without blocking the data? How do we move away from an instinctive government reaction which is “no.”
Q: I understand from Commissioner Stoddart, that the Canadian government is overhauling its own IT system and is putting in a requirement that personal information will have to be held on servers in Canada. So this kind of a local server requirement, is that an unfair trade practice? Is that protectionism that will prevent companies – whether in the U.S. or another part of the world – from providing these services because their servers are located elsewhere?
Reinsch: [interjects] Yes!
Q: [To McHale] But under what you are negotiating, is that the outcome of what you are trying to negotiate?
McHale: It is. We are proposing a rule that says, you shall not require the use of a local server as a condition for offering the service. Now, I think in the Canada case, the one case that I’m aware of it’s actually a government procurement issue. And we do have to segregate government data which is different – governments have a different relationship with their citizens than commercial entities. And we think it’s an important issue but that is a bit of a separate issue. But from a commercial perspective, yes. I’ll give you another concrete example, Vietnam, one of our TPP partners, is in the process of putting out a whole range of regulations for how to deal with a range of Internet services – gaming services, social networking services, email services. And we are not quite sure the reason, but their way of asserting their jurisdiction, control, … is to say that servers have to be in-country. Companies are not going to be putting servers in every country. They are just not. It’s just not a viable approach from an economic perspective.
On transparency concerns around the TPP:
Q: [To Parsons] Chris, you are a privacy advocate, an academic. You study these issues. You have heard what the business world wants, what are your concerns about this vision of localization as a trade barrier. Is there a problem?
Parsons: There can be. Yes. There are problems you can run into – in particular with the TPP. There are suggested changes to the way that domain names are registered. So currently in Canada if you are an individual, non-commercial, you can have anonymous information. … That could change. In BC, we do have laws that limit government data flows and to some extent, commercial data flows as well. In the case of government, consent has to be received from all people who have the data going over the border. So when it’s just Chris Parsons’s data moving across, it can actually go there if I consent. The challenge that comes up is when you have multiple people that are attached to it. So if I mention your name, you have to consent before your data can be stored in the U.S. for a government service.
Q: Sketch out for us here, what is your nightmare scenario, what is it that you are afraid will happen if this provision is included in the TPP?
Parsons: I would hesitate to use the word fear because that is perhaps a bit stronger. The concern is that data that enters the US is subject to – entirely understandably – different legal regimes. As a result, some of the protections for due process that a Canadian may enjoy may not be enjoyed when data is sitting on a U.S. server. That’s the origin of the BC law in particular. How exactly to address that is very challenging. We have, as Commissioner Stoddart is aware, we have some agreements between Canadian and US government for data flow transfer for law enforcement. It’s not exactly clear what is happening there.
For regular Canadians who are not involved in high-level diplomatic negotiations, it’s very hard to even understand the contours of how this data could, may or will be used. There is a monumental lack of transparency.
As for the TPP in particular, most information comes from leaked documents – which don’t come out as often any more — and statements from trade representatives. That means some of the largest governments in the world are engaged in negotiations that will reshape some of the most important democratically decided decisions, without the people who democratically decided those laws knowing what is going on. That is the issue. It’s not just a trade issue, it’s a democratic issue. And that hasn’t been adequately addressed yet.
On Canadian privacy law compared to the U.S. and other countries:
Q: I’d like to ask Commissioner Stoddart, can you situate the Canadian privacy regime in a global context? … There is a view in Canada that the American privacy regime is not as stringent as Canada’s. I don’t know if that’s empirically true, but I’d like to get your thoughts on where Canada fits in – and after ten years [on the job] where you think it should head?
Stoddart: I think Canada’s privacy law, for the commercial sector … Canada adopted a very flexible law that I’ve spent a lot of time explaining to our European colleagues. It basically says data can flow freely – except those that send it (called the ‘data-controllers’ in the jargon) have to make sure it is treated outside of Canada according to Canadian standards. And those are basically OECD principle standards. So it’s not very complicated.
The preamble to Canada’s law says: “In order to further electronic commerce…” This is a commercial law. So we say fine, we do not restrict data flows, but those who send data outside the country, have the responsibility to make sure it is treated in a third country with the security safeguards that are required by Canadian law. The Canadian law is honestly getting a lot of interest internationally. In the latest version of the European regulation – I don’t know if I dare mention that word because temperatures will rise – they talk about accountability being a useful principle in data protection. There is a certain amount of interest in American think tanks and American business to try to move towards an accountability model because instead of doing prior checking, having binding corporate rules, and a big administrative burden ahead of time – we just say, this is the law, do it. If we find you are not doing it, there is a problem.
What do I see for the future? I think the Canadian law needs to be strengthened. Many of its commentators, notably those on the other side of this data protection act debate, say, well, how do you know what they are doing with this Canadian data when it is sent anywhere? Well, the answer is, I don’t. Just last week, as I neared the end of my ten-year term, I said we have to look more like the [U.S.] Federal Trade Commission. We need more attention from those who are dealing with Canadian data and we know the FTC gets major attention when it chooses to act.
Q: Do you agree with the critics who say that protections for privacy in the U.S. are not as strong as in Canada and therefore we should be worried about these trade agreements?
Stoddart: That’s a very, very complex debate. And I won’t say yes or no. It’s different. The problem is that many people who say this live in countries based on parliamentary democracies. The democracy in the U.S. is not a parliamentary democracy. It’s set up in a different way. I’ve always thought there was as much privacy protection in the U.S. but it’s set up in a different way. It’s set up differently, the mechanisms are different, it looks different. And that is a bit disconcerting to critics in other countries who don’t understand how these protections can work.
On how BlackBerry developers deal with different privacy regimes around the world:
Q [to Brown]: How do you deal with varying privacy regimes across different countries that sometimes aren’t only different, but sometimes are in conflict in what they require of you?
Brown: I am coming at it from a bit of a different angle. We are building products that get used by different regimes around the world for customers who have operations in quite a number of countries around the world. In some sense, we are trying to meet different needs that are there. You’re right. Some countries have very different requirements. In the UK, you might have voice recording requirements, but in other parts of the EU that might be strictly forbidden because of where you are. A lot of it comes from the mobile industry coming from that space of everything you do is emanating from all around the world. So when you are thinking about designing products, borders in some sense are about a map – not about the reality of data flows. Similarly, data sitting on the Internet can travel any which way depending on what is the least cost. So if we are going to provide a product to customers, we have to assume data can go anywhere, and hence design accordingly to provide the kinds of data protections that our customers expect.
Q: So the bottom line then, does that mean that the country with the strictest data protection laws becomes the de facto standard that you have to design for because there is a chance that the user might use it in that country?
Brown: Effectively, yes. For anyone who is providing products that are going to be used globally, they aren’t going to provide a country-specific product. It has to meet the strictest requirements that are out there.
On how TPP countries could preserve privacy protections if free flow of data is agreed to under the TPP:
Q: Jonathan, you’ve been quoted as saying part of your negotiating position in the TPP is not only that data should flow freely, but that somehow you can ensure member countries that they will be able to enforce their own laws. How do you do that? How do you ensure that a country can enforce its domestic laws but still allow a free flow of data?
McHale: It’s not easy. As opposed to the EU who generally says, well, here is a law, put this legal framework in and that will be the equivalency – or as they call it, the “adequacy” – that ensures that adequate protections are maintained… What we are working with – and I believe Canada in APEC has been a partner on this – is to say, let’s put the onus on the company. Let’s have the company that is moving the data to say whatever the regime is in the U.S., I as the holder of the information will take on the obligation that you set within your country.
We are not trying to short-circuit a sovereign decision on the level of privacy that a particular country sees as appropriate. What we are saying is, whatever that level is, it should not be a bar to data leaving that country. Companies can undertake to protect it to that level, as I think Canada has done. And in the U.S. we have the benefit of having a very effective Federal Trade Commission who will enforce some of these undertakings… So the APEC model is they’ve come up with what they think are the core elements of privacy that map to the members who have joined this group. And the FTC says, if a company makes representation that it will live up to those standards, and they don’t, then we in the U.S. are willing to enforce essentially what is a requirement sent by another government.
On whether the TPP negotiations should be more transparent:
Parsons: I don’t think people are acting in bad faith. However, with the TPP, in the advocacy community, there isn’t one group that stood up and said there is a problem. All around the world there is a concerted effort to just be at the table, to know what is going on, to have a voice. That hasn’t happened. So we have advocacy groups which tend to not be well funded and they’ve seen this as a real issue. So when trade negotiations are going on, they are sending people to have separate events, to effectively protest about being locked out. I don’t think it’s necessarily the intent to “short-circuit” however the unintended consequence can be that the trade negotiation facilitates one aim of things – and as a by-product or externality it affects other pieces. That is the concern. People don’t have a seat at the table to say, if you want to change this one piece, it will affect Canadian law in this way, or Canadian policy in this way.
Let’s figure out a way that we rather than finding that, we are not there. We are not at the table.
On whether some regimes want localized servers to aid in censorship and protectionism:
Q: Bill, how does cyber-security figure into the broader trade and economic picture?
Reinsch: It’s a huge problem and a growing one. If government, on the economic and commerce side, and the private sector don’t get together and figure out how to deal with it, the train will be taken over by the law enforcement side with outcomes that will make everybody’s lives more difficult because they have a different set of priorities.
I want to mention that sometimes the conversation isn’t about what it seems to be about. … [Not] everything the government does in the name of privacy and security is about privacy and security. In our experience, sometimes it’s about protectionism. … There are countries that are very interested in forced localization – data within the country’s servers. They are interested for a lot of reasons, some of which have nothing to do with privacy. One is they want to support their domestic hometown industry, they want to support their data server industry. They also often times want to be in a position to be able to access the data themselves – not always legally. Some governments are outright interested in censorship and they want to control the whole process every step of the way and find that it’s easier to do that if everything is within their borders. Likewise, on the security side, a lot of things that are done in the name of security go way beyond what I think are actually the needs of security…
On the level of trust between Canada and the U.S. on data privacy:
Q [to Stoddart]: One thing I’ve been covering for years are these government-to-government efforts between the United States and Canada to come to some sort of agreement about how they will share data and how they will protect it. … You were involved in setting some of the principles for the Beyond the Border Agreement, the latest iteration of this process. There was a lot of mistrust over the years. Now we have news that this entry/exit data collection system pilot project has been a success. Have these efforts built trust between Canada and the U.S.? Have they raised new questions? What else can we do to build trust that is the foundation of any kind of data-sharing?
Stoddart: I’ve noticed that in the time I’ve been Privacy Commissioner that there has been a huge growth in trust between the U.S. and Canada on privacy issues. When I took over this job in 2003, we had no contact with anybody among our counterparts at the Department of Homeland Security or at the Federal Trade Commission or at the Department of Commerce.
Now we have very close ties in all those areas. We know that legally they are not quite the same. But we work together I’d say somewhere in our office probably on a weekly, sometimes on a daily basis. Just a couple of weeks ago we carried out something called an “international privacy sweep” in the area of commercial privacy. Do your privacy policies say what they should say? And what they should say is basically the same in the US, Canada and some 18 other countries around the world. This was largely with the help of a network that came out of the OECD and had long been serviced by the FTC.
So in my area there is a huge growth in trust. We exchange employees, we send people to common training seminars. We work together. I work very closely together with the American delegation, as I did with the European Union delegation too. We get along very well with the American delegation at the OECD where new basic rules for fair information principles were just renegotiated in a rather difficult context but we finally came to an agreement. So I am very optimistic about Canada-American cooperation in this area.
On privacy protection and the cloud:
Reinsch: I want to ask Jennifer and Chris – what do you do about the cloud?
Parsons: In what sense?
Reinsch: How does this affect your thinking? Here is this large thing that is not exactly in Canada or necessarily anywhere else. Or it might be in Canada today, and in the United States tomorrow, and in India next week. How do you deal with it?
Q: Who has jurisdiction if you have, say, three people collaborating on a project in three different countries, for a company that is based in a fourth country, and maybe the servers are based in a fifth country? Whose legal regime applies? Is it just the realpolitik of the guy who can shut it down the fastest gets to impose his rules?
Parsons: I just completed a research project funded through the Privacy Commissioner’s Office on social media and the way they deal with data. So cloud services. Canadian privacy law has extra-territorial reach. This has been affirmed by the Federal Court and has been seen in the Privacy Commissioner’s actions. We found instances where companies were arguably non-compliant with very basic things: Can I request my data? Can I request the data that you hold about me?
And so I think the cloud creates problems. It’s incredibly complicated. But we need to at least start with the most basic problems: Can I get access to my data? Maybe I’ve outsourced to a cloud provider for my documents. When I delete my stuff, does it go away? In fact, that isn’t always the case. There is a series of companies that provide cloud services that say, no, we guarantee that you won’t see it but we will always have it. This creates problems in the sense that it isn’t always obvious to users that this is the case unless you do a technical analysis. Those are the kinds of things that have to be addressed…. This is a technical problem. I don’t think it’s just trade, it’s not just privacy, it’s not just law enforcement. It’s very hard, it’s very complicated.
We don’t do that by keeping people from the room. We come together at events like this and we try to develop a dialogue to raise awareness and subsequently address problems.
Stoddart: My office has published extensive guidance on this. Basically, we are not against clouds. We don’t say to Canadians, “Don’t use clouds!” Obviously there are huge cost savings, efficiencies and so on. We say, if you use clouds, this may happen, there may be these issues.
What we tell people and organizations like municipal governments is to look carefully at the terms of services the cloud is offering you. Often these are very big organizations that say, “Sign here, that’s it.” Try and negotiate. Negotiate Canadian standards. Negotiate what you expect. It’s not take-it-or-leave-it. You have some leverage with cloud providers. …
We have not yet that I can think of done a cloud investigation. But doubtless that will come. If it’s necessary and there are problems… We will investigate how Canadian information is held in the cloud. But that hasn’t come up yet…
The full video is here.