Canadian Privacy Officials Wary of U.S. NAFTA Data Transfers Plan

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Jeremy Hainsworth

Canada shouldn’t completely give up its ability to control cross-border flow of personal data because there may be a need to protect fundamental privacy rights, the Office of the Privacy Commissioner of Canada said in response to the Trump Administration’s recently-released NAFTA renegotiation objectives.

Among U.S. objectives in the North American Free Trade Agreement renegotiations, which U.S. Trade Representative Robert Lighthizer released July 17, is ensuring the U.S., Canada, and Mexico refrain from restricting cross-border data flows in the digital goods and services sector. The U.S. objectives, if realized, could impact the ability of Canadian jurisdictions to restrict flows in order to protect privacy, Canadian officials and privacy attorneys say.

“We recognize the value of international data flows but believe we need to maintain strong privacy safeguards,” Tobi Cohen, spokeswoman for the Office of the Privacy Commissioner of Canada, told Bloomberg BNA. The office is urging Canada’s Minister for Foreign Affairs Chrystia Freeland, who is spearheading the nation’s NAFTA discussions, to pursue privacy protections as a human right in the renegotiation, she said.

“When contemplating innovation and the free flow of data, a necessary component of a modernized NAFTA would be a clause that specifically recognizes privacy as a legitimate public policy objective,” Cohen said.

Saskatchewan Information and Privacy Commission Ronald Kruzeniski told Bloomberg BNA July 18 that the U.S. objectives would mean that servers containing Canadian data stored in the U.S. would be subject to U.S. laws. Canadian data stored in servers in Canada would remain under the jurisdiction of federal and provincial commissioners, he said.

To that end, Kruzeniski said he is glad companies such as Microsoft Corp. and Inc. have established servers in Canada.

“That takes away a lot of issues related to privacy,” he said.

Canadian Privacy Laws

Neither the Personal Information Protection and Electronic Documents Act (PIPEDA)—Canada’s federal private sector privacy law—nor the Privacy Act—which covers federal government departments and agencies—prohibits the transfer of personal information to other jurisdictions for processing, Cohen said.

But PIPEDA makes it clear that companies must remain fully accountable for the protection of personal information transferred under such arrangements—no matter where that processing takes place, Cohen said.

Similarly, Canada’s Treasury Board Secretariat has developed specific policy guidance on personal information agreements and outsourcing of data processing with respect to complying with the Privacy Act, Cohen said.

“We will continue to monitor developments on this issue and advocate for privacy safeguards to be maintained,” Cohen said.

Shaun Brown, a privacy partner at nNovation LLP in Ottawa and Toronto, told Bloomberg BNA July 18 that for now, only British Columbia and Nova Scotia have laws restricting cross-border data flows. Brown said he isn’t “aware of any desire to pass more of these laws,” but noted that the USTR’s proposal “could also interfere with less formal governmental policies on outsourcing that favor Canadian data centers.”

Restrictions on cross-border data flows “are more about responding to emotional and irrational fears that cross border flows will expose personal information to foreign governments,” Brown said.

The Canadian Ministry of Foreign Affairs declined to comment on the specifics of the USTR objectives.

To contact the reporter on this story: Jeremy Hainsworth in Vancouver at

To contact the editor responsible for this story: Donald Aplin at

For More Information

The U.S. Trade Representative's Summary of Objectives for the NAFTA Renegotiation is available at

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security