August 10, 2017
TO: Marketing Research & Intelligence Association
RE: NAFTA Negotiations Regarding Out-of-Country Storage of Publicly-Held Personal Information
Q. 1: Do you see any issues with publicly-held personal information flowing to the United States?
Q. 2: Should the MRIA (Marketing Research & Intelligence Association submit a brief to the Canadian government calling on it to refuse the US government’s request to end “local infrastructure requirements” for data storage.
My response to both questions is an emphatic “YES”
Although I am no longer a member of the MRIA, I felt it incumbent upon me to respond to your request for comments regarding the upcoming NAFTA negotiations on out-of-country storage of publicly-held personal information.
Let start me by saying that I oppose the storage of Canadians’ personal data in another country, especially the United States. My reasons are as follows:
- The United States privacy protection laws do not extend beyond US citizens or residents, according to Executive Order 13768 “Enhancing Public Safety in the Interior of the United States” which was aimed at illegal immigrants but could be extended to cover other non-US citizens. Accordingly, storing Canadians’ personal data in the US would lead to exposure or misuse of their personal data.
- Canada should be wary about developing a “privacy shield” program similar to what the United States has with the European Union and Switzerland. This would allow US companies to voluntarily self-certify. A public commitment by a US company would become enforceable under US law. Accordingly, a European complainant would have to go through the expense of suing a US company in the US court system.
- An agreement between the US and the EU is the EU-US Umbrella Agreement, which extends the benefits of the US Privacy Act to Europeans and gives Europeans access to US courts â€“ again, a very expensive and risky proposition.
- Storing Canadians’ personal information in US-based servers would make them subject to US laws and any court cases would be held in US courts.
- Canada will be negotiating from a position of weakness. The US has an array of federal and state privacy laws but apparently none of these will be under negotiation: https://informationshield.com/free-security-policy-tools/us-data-privacy-laws/
- As mentioned in your email, national security was cited as an important reason for digitally storing sensitive or protected data in Canada. Does surrendering such an important asset to private US corporations enhance Canada’s national security? I should think not.
- If the personal data of Canadians are allowed to be held in the US, inevitably all Canadian servers holding such data will eventually be closed down, thus a substantial amount of Canadian capital invested in such equipment will be lost.
- Finally, under the Canadian constitution, provinces have jurisdiction over private property. Personal data is private property and so long as provincial privacy laws exist the federal government has no jurisdiction to negotiate away provincial jurisdiction.
Finally, regardless of what the federal government decides on this issue, my company will enforce Canada’s privacy laws as they now exist.
Any business partners my company may deal with in the future will need to prove that they store Canadians’ personal information on servers based in Canada and will not allow foreign entities to access such data.
I think that Canadians would prefer that their personal data be held in Canada as opposed to any other country.
Enrico Codogno, Principal Consultant