The new United States-Mexico-Canada Agreement ("USMCA"), the successor to NAFTA announced on September 30, 2018, includes a Digital Trade chapter, which addresses personal information protection, cross-border transfer of information by electronic means, and location of computing facilities. Under the Digital Trade chapter, the USMCA includes several key provisions relevant to data protection:
- Recognizing "the economic and social benefits of protecting the personal information of users of digital trade and the contribution that this makes to enhancing consumer confidence in digital trade," Article 19.8 affirms each Party's agreement to "adopt or maintain a legal framework that provides for the protection of the personal information."
- Such framework shall take into account principles and guidelines of the APEC Privacy Framework and the OECD Guidelines on Transborder Data Flows, including "limitation on collection; choice; data quality; purpose specification; use limitation; security safeguards; transparency; individual participation; and accountability."
- The Parties "also recognize the importance of ensuring compliance" and "ensuring that any restrictions on cross-border flows of personal information are necessary and proportionate to the risks presented."
- They are to adopt "non-discriminatory practices" in affording protection from privacy violations occurring within their respective jurisdictions and shall publish information on how individuals can pursue remedies and how businesses can comply with legal requirements.
- And recognizing "that the Parties may take different legal approaches to protecting personal information," they should encourage the development of mechanisms to promote compatibility between their different regimes and arrangements for exchanging information about such mechanisms. Specific reference is made to the APEC Cross-Border Privacy Rules system as a valid mechanism for facilitating cross-border information transfers while protecting personal information.
- On the issue of cross-border dataflows and data localization, Article 19.11 asserts that "(n)o Party shall prohibit or restrict the cross-border transfer of information, including personal information." However, this does not prevent a Party from doing so for a "legitimate public policy objective," as long as any restriction does not constitute "a means of arbitrary or unjustifiable discrimination or a disguised restriction on trade," and does not purport to do so any more than is necessary to achieve that objective.
- As for the localization of computing facilities, Article 19.12 goes on to add that "(n)o Party shall require a covered person to use or locate computing facilities in that Party's territory as a condition for conducting business in that territory."