TPP Deal Puts BC's Privacy Laws in the Crosshairs

Author(s): 
July 16, 2015

British Columbia's privacy laws are in the crosshairs of the nearly completed Trans-Pacific Partnership (TPP) agreement. If you're wondering what the heck data privacy protections have to do with trade, you're not alone. Public awareness of the far-reaching, 12-country negotiation is scant, with polls showing three-quarters of Canadians have never even heard of the TPP. 

Unfortunately for privacy advocates in B.C. and the rest of the country, the advancement of "digital free trade" is a high priority for the U.S. in the negotiations. This carefully chosen euphemism conjures up the free flow of information, the convenience of cloud computing, even escaping Internet censorship. It all sounds so positive. 

The thing is, the TPP e-commerce chapter aims not only to free the movement of digital goods, such as software or downloadable music, but also to enshrine the rights of companies to freely move data -- including records of financial transactions, consumer behaviour, online communications and medical histories -- across borders. This personal data is much sought after by marketers, insurers and intelligence agencies that can build detailed profiles and histories of individuals, frequently without their knowledge or informed consent. 

U.S. negotiators are pushing hard to eliminate national laws in TPP countries that require sensitive personal data to be stored on secure local servers, or within national borders. This goal collides with the B.C. Freedom of Information and Privacy Act and similar regulations in Nova Scotia, which are listed as "foreign trade barriers" in a 2015 United States Trade Representative (USTR) report.

According to that report, the B.C. privacy laws "prevent public bodies such as primary and secondary schools, universities, hospitals, government-owned utilities, and public agencies from using U.S. services when personal information could be accessed from or stored in the United States." In practical terms, this means U.S. firms hoping to provide health information management services to the government or online educational software to provincial schools or libraries must guarantee any personal data, such as a person's medical history or academic achievement, is securely stored within Canada and can only be accessed from here, with the express consent of the person involved. 

The TPP text is secret, but we can assume the section on data flows will be the same as, or very similar to, the draft e-commerce chapter of another controversial negotiation called the Trade in Services Agreement (TISA). WikiLeaks recently published the TISA text, which reads, "No Party may prevent a service supplier of another Party from transferring, accessing, processing or storing information, including personal information, within or outside the Party's territory, where such activity is carried out in connection with the conduct of the service supplier's business [emphasis added]."

This would give corporations the right to transfer personal data anywhere in the world as they, not public officials, see fit. The Canadian government supports this language in the TISA, according to the leaks, so we must assume they have already agreed to it in the TPP, though it's still unclear whether that deal will outlaw government regulations restricting cross-border data flows in a limited number of sectors or ban them entirely, as U.S. business lobbies are asking.

Lessons from Korea's massive credit card breach

What might the effect be of this language in practice? Well, after signing a comprehensive free trade agreement with the U.S., which included e-commerce rules, South Korea dutifully eliminated its existing laws requiring financial data to be stored within the country. In their place, companies were required to obtain permission from authorities when personal data was stored or transferred outside the country. To further reduce possible leaks of personal information, the new regulations also banned the use of third-party data processors; multinational companies were required to use their own in-house data processing operations, rather than contracting out this work. 

U.S. business organizations and the USTR claimed the substitute privacy regulations violated the U.S.-Korea free trade agreement. In early 2014, the country suffered a major breach of personal privacy when the credit card information of 20 million Koreans (half the population) was leaked and sold. This incident heightened public concern and government caution. Nevertheless, the U.S. continued to hammer away and just last month, South Korea gave in, announcing it would replace its data transfer regulations with a toothless after-the-fact notification procedure. 

What happened in South Korea can happen in Canada, too. Public officials charged with protecting data privacy are usually playing catch-up in the fast-moving digital era. As Korea's back-pedalling on privacy shows, agreeing to restrict regulatory flexibility in trade treaties can undermine privacy laws. The threat of retaliation and trade sanctions from a major trading partner such as the U.S. is often too powerful to ignore. 

For example, current federal contracts for updating communications technology and email systems include requirements that data be stored within Canada. The U.S. government and the information technology industry oppose these conditions because they preclude U.S. companies who rely on cloud computing hosted through U.S. servers. Official documents unearthed by the BC Freedom of Information and Privacy Association reveal a steady stream of meetings, memos and negotiating pressure on Canada to weaken these privacy rules. They confirm the USTR regards the TPP as a golden opportunity to address U.S. industry concerns -- typically the paramount concerns in any trade negotiation.

TPP open to corporate interests, lobbyists

While closed to ordinary citizens, the TPP is very open to influence from corporate special interests, whose lobbyists have special access as cleared advisors to negotiators. The U.S. lead negotiator on e-commerce, Robert Holleyman, is a former high-ranking industry lobbyist. And the lobbyist for IBM, one of the chief proponents of digital free trade, is Chris Padilla, a former U.S. trade official. This chummy relationship between negotiators and corporate special interests is all too common in the field of trade treaties. 

Just as U.S. corporate interests dominate their government's negotiating position in the TPP, so too does the U.S. dominate the overall project. The TPP cannot truly be called a multilateral agreement; it is more a series of one-on-one bargains with the U.S. hub. This gives the U.S. government undue influence over the end result, which is particularly true of the chapter on data flows, where other countries might have been inclined to band together against overly corporate-friendly rules. 

They would have very good reasons to do so. Thanks to Edward Snowden, the whole world now knows the U.S. is massively violating privacy rights at home and abroad. Whether it is the U.S. goal, or a thoughtless side effect, embedding unrestricted rights to cross-border data flows and cloud computing in trade agreements virtually assures that a vast trove of personal data will be more easily accessible to U.S. intelligence agencies subject to U.S. security laws.

The lack of public awareness in Canada that any of this is happening is quite disturbing. What media coverage there is of the negotiations has focused almost exclusively on the threat to supply management in dairy and poultry -- an important issue, but far from the only one.

The reality is that the TPP negotiations are a perfect cauldron for brewing bad policy. Although the terms are still secret, Prime Minister Stephen Harper insists it is "essential" for Canada to be part of the deal, even if that involves "difficult choices." In this pressure cooker, compromising Canadians' privacy protections is a tempting card for our negotiators to play. It will take greater public awareness and outcry to ensure that privacy protections, including B.C.'s exemplary safeguards, are not sacrificed in the name of digital free trade.

Scott Sinclair is the Director of CCPA's Trade and Investment Research Project (TIRP).

This commentary was originally published on July 16, 2015 in The Tyee.