U.S.-Mexico Trade Pact Aims to Allow Banks to Move Data

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Daniel R. Stoller

The preliminary U.S.-Mexico trade deal would prevent both countries from requiring financial institutions to store data locally, as long as regulators can reach the information they need.

The deal would prohibit data localization rules when a “financial regulator has the access to data that it needs to fulfill its regulatory and supervisory mandate,” according to an Aug. 27 Trump administration fact sheet.

Data localization requirements have increased globally in recent years. Russia, China, and Vietnam have adopted versions, while Germany and Canada have applied them to specific sectors. Banks and companies in other sectors forced to keep citizens’ data stored within a country’s borders see the rules as trade barriers that can inhibit their growth into new markets.

The prohibition in the U.S.-Mexico deal “makes a clear delineation to protect the banking sector from unwanted and risky data localization requirements,” Norma Krayem, senior policy adviser and chair of Holland and Knight’s global cybersecurity and privacy regulation group, told Bloomberg Law. “If the regulator has the ability to access what it needs for its oversight, then data localization cannot be used as an excuse,” she said.

The U.S. government has long sought prohibitions on such mandates, William Reinsch, senior adviser of international business at the Center for Strategic and International Studies, a nonprofit think tank, told Bloomberg Law.

“I do think it’s good policy, particularly for financial services, where the growth of localization requirements has been a problem,” Reinsch said.

The prohibition may also serve as a warning to nations that have imposed their own data localization laws, Krayem said.

The data localization prohibition is a “sign to other nations that the U.S. will no longer stand for unwarranted access into U.S. companies systems,” Krayem said.

Privacy Protections

The deal also would “guarantee that enforceable consumer protections, including for privacy and unsolicited communications, apply to the digital marketplace,” according to the administration’s fact sheet.

Privacy advocates are awaiting more details, but said Aug. 27 they’re pleased the deal included such language.

“It is at least encouraging that the U.S. is willing to commit to the principle of enforceable consumer protections for privacy the digital marketplace,” Eleni Kyriakides, international counsel at the Electronic Privacy Information Center, told Bloomberg Law. But “without additional transparency about the content of the tentative deal it is too soon to tell what this promise could mean in practice,” she said.

The U.S. Trade Representative’s office did not immediately respond to Bloomberg Law’s request for further details on the privacy language.

Request Bloomberg Law: Privacy & Data Security