Renegotiating NAFTA: between free flows of data and data protection & privacy rights

Isabella Mancini, PhD Candidate, City, University of London

Abstract: Cross-border data flows have now become the backbone of digital trade and are high on the agenda of leading economies in North America, Asia and, not least, the European Union. In this context, increasing concerns have arisen in relation to data flows containing personal information. This blogpost analyses the interplay of trade, cross-border data flows and the rights to privacy and data protection, in an era where digitisation affects trade as much as rights. The Digital Trade chapter in the renegotiated NAFTA is taken as the most recent example warranting exploration as to the place of data protection and privacy rights. From here, this post aims to spur reflection on what this new era of mega-regional trade agreements means for the regulation of the relationship between data flows and data protection rights in trade.



The recently negotiated United States-Mexico-Canada Agreement (or “USMCA”) has departed from the ‘analog’ North American Free Trade Agreement (NAFTA) of 1994 by introducing a new chapter on “Digital Trade”. In fact, the USMCA reflects much of the content of the E-commerce chapter of the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), succeeding the Trans-Pacific Partnership (TPP), of which the US was originally a negotiating country, and of which Canada, Mexico and Japan are current signatories. The TPP had been praised for going much beyond what had been hitherto included in relation to provisions on e-commerce and cross-border data flows. At the same time, it had been harshly criticised for not providing enough safeguards to, or for even harming, data protection and privacy rights.

As megaregional trade agreements,[1] both the CPTPP and USMCA provide new powerful templates for the regulation of international data flows. This is extremely significant in the light of increasing competition for global influence on the legal framework and standards of data privacy. In this picture, the European Union (EU) emerges as a significant actor and divergent pole, advocating for strong privacy safeguards. The question arises as to where data protection and privacy rights fit (or do not fit) in the emerging global trade regime.

This blogpost starts with a brief discussion of the debate on the relationship between trade agreements, cross-border data flows and data protection rights. It then looks at the extent to which these rights are dealt with in the draft text of the Digital Trade chapter in the USMCA. Finally, it aims to raise questions on the implications of this new era of mega-regional trade agreements for the regulation of international data flows and the place of data protection and privacy rights in the emerging global economic governance.

The relevance of cross-border data flows for digital trade

The liberalisation sought by USMCA seems to have a broader reach than TPP, as it names “digital trade” a chapter that would usually have been named “e-commerce”. The former encompasses the latter, yet not the other way round. Digital trade can be said to go beyond online purchases or sales, and to cover more broadly those trade activities that make use of digital technologies for business purposes (UN ESCAP, 2016). A report from the McKinsey Global Institute (2014) shows how digital technologies not only imply a new way of doing business, but also alter the use and place of data therein. New technologies enable data flows, which now increasingly underlie global flows of goods, services, capital as well as people. Cross-border data flows are an ever more prominent component of digital trade, and data is becoming a tradable asset of its own. It has been referred to as “the new oil” (The Economist, 2017) or a “new currency” (Aaronson, 2015), representing an important source of profit and innovation for businesses. In this context, businesses have increasingly demanded to regulate cross-border data flows in trade agreements via provisions that would forbid measures restricting their free flow. The US has traditionally adopted this approach, which is now reaching a peak in the USMCA and in the CPTPP. However, as is shown below, it is very difficult to impose rules freeing data transfers without having consequences for data protection and privacy rights.

The intersection of data flows and data protection & privacy rights

Data flows and data protection are liable to clash with trade in cross-border services, including financial services, e-commerce transactions and telecommunications. The digital economy requires data to flow easily, especially for businesses which today increasingly depend on data flows; yet flows of personal data need to be protected, too, as the object of fundamental human rights. The challenge is thus to define clear benchmarks drawing a line between, on the one hand, measures that amount to digital protectionism and unnecessary regulation impeding such flows of data; and on the other hand, measures that are addressed at the protection of personal data and privacy, and would be therefore legitimate. Within such debate, those who see restrictions of cross-border data as new non-tariff barriers to trade denounce measures that require data to be retained onshore (such as data localisation and local storage) and those that require businesses to have a physical presence in the territory. Typical arguments against such measures are that they do not serve data security, while constituting an impediment to companies’ competitive advantage. On the other hand, some have pointed at the risk of ‘data havens’, whereby data processing operations could end up being made in countries with less strict requirements for privacy (Bygrave, 2002). Facebook is a fitting example as it has recently decided to move its headquarters to the US as a way to ‘limit its exposure’ to the EU General Data Protection Regulation. Beyond national security concerns, this is liable to undermine the privacy of users and to allow unauthorised uses of their data, which would amount to a breach of an internationally recognised human right. This is increasingly significant in a digital economy that relies on Big Data, collecting massive amounts of information on people’s preferences and habits. How does the renegotiated NAFTA deal with this?

The Digital Trade Chapter in the USMCA and the place of data protection and privacy rights

The USMCA has drawn upon the e-chapter of the TPP and reveals the same strong US footprint in the approach it adopts. A brief comparison of the obligations on consumer and personal data protection on the one hand, with the obligations prohibiting restrictions of data flows and localisation requirements on the other, reveals a big difference in the balance struck by this framework. Strong obligations are introduced that require the Parties to refrain from the introduction of measures that might restrict the flow of data. Such an approach departs from that of the EU, which subjects the free flow of data to the adoption of a mutual adequacy decision recognising that adequate levels of protection are provided first. As per the USMCA, the US, Mexico and Canada would thus not follow this approach and would be prohibited from restricting free flows of data. The exception that is provided implies a lengthy process of justification, which, as discussed in the context of TPP, might lead to regulatory chill effects (Greenleaf, 2015).[10] What is more, while the text of TPP includes an exception for the provision on location of computing facilities, the USMCA does not. On the other hand, the obligations to provide frameworks for the respect of personal information in digital trade are very weak, and additionally watered down by a footnote implying that the self-regulatory system approach adopted by the US would be compatible with that requirement. The relevant standard that is repeatedly mentioned for the protection of personal information is the Asia-Pacific Economic Cooperation (APEC) Privacy Framework. While the OECD Privacy Guidelines are also mentioned, the APEC is referred to again as a “valid mechanism to facilitate cross-border information transfers while protecting personal information”; it is also made the object of cooperation activities, while the OECD Guidelines are not.

The APEC Privacy Framework, however, is closer to the US approach of self-regulation, as it holds the original collector of data ‘accountable’ for complying with the original data protection framework, while neglecting the recipients and location of data transfers (Yakovleva, 2018). As such, it provides very little protection. Berka (2017) refers to Google’s choice to promote the APEC Privacy Framework as the global model for privacy standards as embodying ‘adverse winds’ to EU data protection standards.


The digital economy seems to demand a modernisation of trade policy as a way to facilitate digital trade, yet it is questionable how this modernisation is sought, and the place of data protection and privacy rights therein. How to cope with a world which is increasingly digitised, and requires flows of data, but also requires that privacy rights are not violated, without making them subject to allegations of protectionism? While providing an answer is beyond the aim of this brief blogpost, it is still its aim to provide a starting point to prompt questions: what does this new era of mega-regional trade agreements imply for the shape of the emerging global governance of data flows and data protection in trade? At present, there only seems to be fragmentation and legal uncertainty (Burri, 2017b). Not only has the EU concluded a trade agreement with Canada, a Party to both USMCA and CPTPP, deepening privacy commitments in a number of digital trade-related issues; it has also reached an agreement with Japan on a mutual adequacy decision for the creation of the largest area for ‘safe transfers’ of personal data, complementing the free trade agreement; and it is also in the process of renegotiating the Global Trade Agreement with Mexico, which envisages the inclusion of a chapter on “Digital Trade”. How can different approaches be reconciled towards greatest convergence?


[1] Megaregional trade agreements have been defined as large-scale deep economic integration partnerships between countries or regions with a major share of world trade and foreign direct investment. See definition provided by Thomas Hirst, ‘What Are Mega-Regional Trade Agreements?’ (World Economic Forum, 9 July 2014). More research at the MegaReg Research Project at the Institute for International Law and Justice.

[2] It has been observed that even before the signature of CPTPP, Singapore and Sri Lanka concluded a Free Trade Agreement (FTA) which mirrors the approach adopted in TPP. See Greenleaf, 2018.

[3] The findings of the Schrems case and the replacement of the EU-US Safe Harbour Agreement with the Privacy Shield reveal such divergence.

[4] Among these, only financial services and telecommunications have been addressed under WTO law, while e-commerce has proven more contentious. While not dealing specifically with e-commerce, it has been observed that WTO provisions on Most Favoured Nation (MFN) and National Treatment (NT) are important for countering discriminatory measures against like digital products. See Burri, 2017a. For reasons of space, Intellectual Property chapters are excluded from investigation.

[5] The right to privacy is part of the Universal Declaration of Human Rights (Article 12) and of the International Covenant on Civil and Political Rights (Article 17). The right of protection of personal data is not explicitly mentioned, but it has increasingly been interpreted as falling under the human right of privacy. See also Keller (2011) and UN Human Rights Committee (1998) paragraph 10.

[6] Under a data localisation requirement, a country imposes as a condition for conducting business in its country that the data are stored in data centres within its jurisdiction, from which they cannot be moved. Local storage requirements are slightly different in that data can be moved, but a copy of it has to remain onshore.

[7] For the US, among the negotiating objectives for the negotiation of “Digital Trade in Goods and Services and Cross-Border Data Flows” was the establishment of rules “to ensure that NAFTA countries do not impose measures that restrict cross-border data flows and do not require the use or installation of local computing facilities”. See US Trade Representative, 2017.

[8] See (1) Online consumer protection (Article 19.7) under which the Parties are required to “adopt or maintain consumer protection laws to proscribe fraudulent and deceptive commercial activities” harming consumers engaged in online commercial activities; and (2) Personal Information Protection (Article 19.8) under which the Parties are required to “adopt or maintain a legal framework that provides for the protection of the personal information of the users of digital trade”. It is suggested that the Parties should take into consideration “principles and guidelines of relevant international bodies”, explicit reference being made to the Asia-Pacific Economic Cooperation (APEC) Privacy Framework and the OECD Recommendation of the Council concerning Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data (2013). A footnote specifies that a Party “may comply with the obligation in this paragraph by adopting or maintaining measures such as comprehensive privacy, personal information or personal data protection laws, sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy”.

[9] See (1) Cross-border Transfer of Information by Electronic Means (Article 19.11) which forbids the Parties from prohibiting or restricting the cross-border transfer of information, “including personal information”, via electronic means, “if this activity is for the conduct of the business of a covered person.” The exception follows, allowing a Party to adopt or maintain a measure which, while inconsistent with the obligation above, would be necessary to achieve a “legitimate public policy objective”. That measure would be however subject to the conditions that it is “not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction to trade; and does not impose restrictions on transfers of information greater than are necessary to achieve the objective”; and (2) Location of Computing Facilities (Article 19.12) which prohibits the Parties from requiring a covered person “to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory”. In this case no exception follows.

[10] Regulatory chill can be briefly sketched as a situation whereby the fear of incurring lawsuits and high damages deters governments from acting in the public interest and/or pursuing public policy objectives. An example of this is the decision, by New Zealand, to postpone measures on plain packaging in the context of the claim against Australia brought by Philip Morris.