The Trans-Pacific Partnership Agreement (the “TPP Agreement”) is a regional trade and investment agreement negotiated by 12 Pacific Rim countries representing 40 percent of the global economy. Canada, the United States, Mexico, Japan, Malaysia, Vietnam and Australia are signatories. The TPP Agreement, which has 30 Chapters, ushers in a comprehensive program of tariff reduction for goods and services and establishes binding rules in a wide-range of subject areas, including financial services, cross border trade in services, investment, competition policy, intellectual property, telecommunications and electronic commerce. The TPP Agreement also touches on a number of privacy-related issues, including the cross-border flow of information, spam and encryption technology.

Cross-Border Flow of Information

The free flow of information across borders is important for international commerce and the trade in services, particularly information technology services. However, a number of countries regulate the export of data to other jurisdictions and/or require that service providers use local data servers, equipment and infrastructure as a condition of doing business. This has raised concerns that restrictions on cross-border information flows and data localization requirements may be misused as disguised trade barriers to favour domestic service providers.

Under the TPP Agreement, each Party must allow the cross-border transfer of information by electronic means, including personal information, in the course of business activities. In addition, no Party can require a service provider to use or locate computing facilities in its territory as a condition for conducting business in the territory. Exceptions are permitted in order to achieve a legitimate public policy objective, provided that the measure adopted is proportional to the objective and the measure is not applied in a manner which would constitute a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade.

Unsolicited Commercial Electronic Messages

Unsolicited commercial electronic messages (CEMs) – also known as spam – can be exploited to deliver malware, spyware and other related network threats, which can undermine network security and privacy. The TPP Agreement requires each Party to adopt or maintain measures to minimize unsolicited CEMs, but provides each Party with flexibility on how to address the problem. A Party may either require organizations that send CEMs to obtain prior consent from recipients or provide recipients with the ability to prevent ongoing reception of those messages (unsubscribe mechanism).

Canada’s current anti-spam legislation (“CASL”) meets (and far exceeds) the obligations under the Agreement. CASL generally requires both opt-in consent and an unsubscribe mechanism for CEMs and sets out a myriad of disclosure and form requirements. It also implemented a strict enforcement regime.

Encryption

Encryption protects the security, confidentiality and privacy of data by converting data (plaintext) into unreadable data (ciphertext) through the use of a cryptographic algorithm. The use of encryption technology is a major policy issue with technology companies adopting strong encryption for devices (full-disk encryption) and communications on the internet (end-to-end encryption) to ensure data security and protect user privacy. National security agencies and law enforcement allege though, that the use of encryption undermines their ability to investigate criminals and terrorists, and are subsequently pressuring technology companies (and lawmakers) to allow for access to decrypted data (“backdoors”).

The TPP Agreement wades into this debate to ensure that encryption policies are not obstacles to trade, particularly with respect to Information and Communication Technology (ICT) products. Under the Agreement, a Party is not permitted to require a manufacturer or supplier of a commercial product that uses encryption to transfer a decryption key to the Party or integrate a particular encryption in the product as a condition for conducting business in the territory.

However, there are a number of important exceptions to this rule. First, the section does not apply to products used by a government entity. Second, the section does not preclude law enforcement authorities from requesting unencrypted communications pursuant to lawful authority (i.e. court order).  Third, the section does not apply to investigations by financial market regulators. Finally, the section is subject to the Security Exception in Chapter 29 of the TPP Agreement that permits a Party to apply any measure that it considers necessary to maintain or restore international peace and security, including the protection of its own essential security interests.

The TPP Agreement demonstrates that with the growth in digital trade and electronic commerce, international trade and investment agreements will increasingly address privacy-related issues.