The North American Free Trade Agreement (NAFTA) exists to remove barriers to the exchange of goods and services between the United States, Canada and Mexico. As an integrated market worth $6.5 trillion annually, it also removes taxes on traded products and protects copyrights, patents and trademarks. However, the personal information of Canadians is on the table this time as NAFTA heads into renegotiations this month.
Personal Information Protection and Electronic Documents Act
In Canada, data is federally protected under the Personal Information Protection and Electronic Documents Act (PIPEDA). This law holds private and public sector organizations accountable and responsible for the protection of your data. It also governs the collection and use of your data by those organizations, as well as how they disclose your personal information. However, this doesn’t apply to provincially-regulated organizations in Quebec, Alberta and British Columbia.Private Sector Organizations
- Market driven, supported by profits
- Malls, grocery stores, restaurants etc.
- Using tax dollars to fund services
- Federal, provincial and local government
- Government agencies
- Crown corporations
- Government funded establishments (schools, hospitals)
Personal Information Protection Act
In addition to this federal law, each province within Canada has their own private-sector legislation called the Personal Information Protection Act (PIPA). This legislation governs how private sector organizations can collect, use and disclose your personal information. In AB and BC, it has been deemed “substantially similar” to PIPEDA and therefore is only applied to interprovincial and international transactions.
British Columbia and Data Storage
British Columbia is one of two provinces in Canada that have additional legislation on privacy rights, the second province being Nova Scotia.Freedom of Information and Protection of Privacy Act
In addition to PIPA there is a second piece of legislation that specifically deals with the rights of individuals in the public sector and is called the Freedom of Information and Protection of Privacy Act (FIPPA). This act is about disputes between private citizens and gives them the right to access their own personal information that’s in the custody of a public body. However, there’s a provision within the act, 30.1, that says all personal information must be stored and accessed in Canada.Public Bodies Covered Under FIPPA
- Primary and secondary schools
- Government-owned utilities
- Public agencies
In 2001 the United States Congress passed the Patriot Act, giving American security or intelligence officers access to data stored within their country, including Canadian data stored within the States. The provision was introduced to protect British Columbians' privacy, as they didn’t want their personal information, like medical information, easily available to the United States Government.
FIPPA is reviewed by a special committee every 6 years and with numerous public bodies coming forward with concerns, those were addressed within the committee's report that was released on May 11, 2016. The problem lies within the health organizations and post-secondary education technology sectors, who claim the 30.1 provision negatively affects their daily business operations by impacting “administrative efficiency and security, international engagement and student recruitment, online learning offerings, and academic integrity.” However, the committee found that there are enough adequate alternatives and recommended no changes.
NAFTA Impacts on Canadians
NAFTA talks will be under way this month and President Donald Trump wants to “establish rules to ensure that NAFTA countries do not impose measures that restrict cross-border data flows and do not require the use or installation of local computing facilities.” However, provision 30.1 does just that, by requiring public bodies to store their data on domestic servers. The US Trade Representative noted the data storage issues in a report this year, calling those requirements “discriminatory and contrary to the notion of cross border trade.”
There are a few concerns to note from both sides of the conversation. On one hand, summing up Toronto Lawyer David Young's comments, he believes as Canadians we should be able to adapt our own privacy policies without interference. However, on the other hand, the Information Technology Association of Canada believes residency rules create a false sense of security and that focusing on location is arbitrary, because when it comes to internet traffic (data, email etc.) it's available world-wide.
As reports come in that Canadian travellers are being rejected at the border based on their private activities, it leaves the door open for more controversy on the subject if those measures were to be lifted. We may see more Canadian organizations making the shift towards international storage solutions and therefore Canadian data will be at the liberty of those countries to do with it as they please.
NAFTA renegotiations begin on August 16, 2017.