Eijiro Kakihara
Winner: Research Path
This policy assessment argues that a legal contradiction exists between U.S. surveillance practices and Canadian privacy protections, and trade agreements like CUSMA restrict Canada’s ability to enact robust data localization laws. These factors have led to a fragmented policy landscape for data sovereignty.
Canada and the U.S. have differing legal frameworks. This misalignment suggests that U.S. laws infringe on Canadian privacy rights through a legal loophole. Canadians are broadly protected from unreasonable search and seizure by authorities under Section 8 of their Charter (Department of Justice). Furthermore, Canadians’ data is protected during transfers outside the borders as well. The federal PIPEDA requires organizations to practice due diligence and be transparent with users about how foreign recipients handle Canadian data, even if those jurisdictions have less stringent privacy laws (Office of the Privacy Commissioner of Canada). Meanwhile, the U.S. National Security Agency, under Section 702 of the FISA, is authorized to intercept and analyze foreign data routing in the U.S., including from Canada, without a warrant (Director of National Intelligence 2-3). This law has significant impacts on Canada, as nearly two-thirds of its data and over half of Canadian government website traffic are routed through the U.S. before returning to Canada, according to a 2019 report (Orr 2-4). In other words, even if Canadian data is sent and received within Canada, the significant portion that passes through the U.S. is subject to warrantless U.S. surveillance. This is a legal contradiction; while Canadians’ data is protected domestically under the Charter, and internationally under PIPEDA when it is transferred outside their borders, it is not protected from the NSA if the data routes through the U.S. This legal contradiction creates a data policy landscape that significantly undermines Canadians’ data protection, especially considering the large amount of data that travels across the U.S.
Canada-U.S. trade agreements pose significant barriers to solving this contradiction. Chapter 19.12 of CUSMA restricts any member country from requiring a company to store or process data within that country as a condition for doing business (Global Affairs Canada). The only exception to this law is when a digital good or service is provided to a government. This means that generally, if a private company is offering a digital product or service, its data cannot be mandated to be localized domestically by a member country. This provision in the CUSMA is criticized by various politicians and academics, especially concerning how little analysis was done on the impact on Canada. The chief negotiator of CUSMA, Steve Verheul and his team revealed in a Standing Committee hearing that “no analysis was completed” that shows that “Chapter 19 of CUSMA will not prevent Canada from adopting laws that would create similar provisions such as those contained in Article 20 of GDPR” (“Trade Officials, Dairy Farmers on New NAFTA Bill” 11:14 – 12:33) which allows the EU to retain legislative freedom to enact data privacy and localization rules against CPTPP (Intersoft Consulting). In other words, according to law professor Michael Geist, “the very foundation of national digital and data strategy will be dictated by a trade agreement in which the government conducted little analysis”. This restriction poses a threat to Canada’s data privacy laws, as any policy that attempts to force the private sector to localize data would need to carefully navigate CUSMA provisions or amend CUSMA altogether. The political turmoil of CUSMA further poses a disincentive for the government to make any policy that may violate the treaty.
The dual challenges of a legal contradiction between U.S. and Canadian surveillance regimes and the restrictive provisions of CUSMA have resulted in an inconsistent policy framework for data sovereignty in Canada. These unresolved tensions continue to undermine Canada’s ability to protect its citizens’ digital privacy effectively.