Because Privacy Matters

Digital Trade Provisions of NAFTA 2.0

“NAFTA 2.0” or the United States–Mexico–Canada Agreement (USMCA) enters into effect on July 1, 2020. The new regional agreement between the three North American powers takes into account the explosion of technology, networks and the Internet, and addresses international trade issues associated with the use and commercialization of computer programs, image, text, video, sound recording or other products that are digitally encoded and can be transmitted electronically digital trade issues at the down of the commercial Internet. In its Chapter 19 – Digital Trade, the USMCA focuses on cybersecurity, privacy, data localization, and cross-border data transfers, as well as protection against unsolicited commercial communication, source code protection, prohibition against the application of customs duties, and internet platform liability for third party content.


USMCA promotes cooperation between the parties to the Treaty (“Parties”) in tackling cybersecurity challenges, and encourages the use of best industry practices to keep networks and services secure. Art. 19.15 sets forth a commitment to develop the capabilities of each Party’s national agencies responsible for responding to cybersecurity incidents and to strengthen collaboration mechanisms to cooperate in identifying and mitigating malicious intrusions or dissemination of malicious code that affects electronic networks, and to share information for awareness and best practices.

Further, under Article 19.15(2), each Party commits to encourage enterprises within its jurisdiction to use risk-based approaches that rely on standards and best practices to identify and protect against cybersecurity risks and detect, respond to and recover from cybersecurity events.


USMCA Art. 19.8 requires each party to adopt and maintain a legal framework that provides for the protection of personal information of digital trade users. It provides that each Party should take into account the principles and guidelines of international bodies, pointing to the APEC Privacy Framework and the OECD Guidelines for the Protection of Privacy and Transborder Flows of Personal Data. Art. 19.8(3) goes in further detail, and specifically recognizes the key data protection principles: limitation on collection; choice; data quality; purpose specification; use limitation; security safeguards; transparency; individual participation, and accountability. Finally, Art. 19.8(5) requires each Party to publish information on the personal information protections it provides to users of digital trade, including how a natural person can pursue a remedy, and how an enterprise can comply with legal requirements.

Cross-Border Data Transfers

Recognizing that Canada, Mexico and the United States take different legal approaches to protecting personal information privacy and data protection, USMCA Article 19.8(6) invites each participating country to encourage the development of mechanisms to promote compatibility between their different data protection regimes. In particular each Party makes the commitment to explore ways to promote compatibility between the different regimes. In this respect, Article 19.8(6) points to the APEC Cross Border Privacy Rules as a valid mechanism to facilitate cross-border information transfers while protecting personal information.

In addition, USMCA Art. 19.11 which focuses on cross-border transfers of information by electronic means prohibits the Parties from barring or restricting the transfer of information, including personal information, by electronic means if this activity is for the conduct of the business of an investor or service supplier of another Party.

Data Localization

In its Article 19.12, USMCA addresses data localization, prohibiting signatory countries from requiring that an investor or service supplier use or locate computing facilities in that party’s territory as a condition for conducting business in that territory. 

Other Provisions

In addition to the above, Chapter 19 of the USMCA addresses other aspects that are relevant to provide a foundation for the expansion of trade and investment in innovative products.

Regarding source code, USMCA limits governments’ ability to require the disclosure of proprietary source code and algorithms before a product can be distributed in its territory. Article 19.16 states that Treaty member countries may not require persons located in another of the parties to transfer, or provide access to the source code of its software, or the algorithm expressed in that source code, as a condition for the importation, distribution, or marketing in their territory, of such computer programs or products containing them. 

USMCA also requires each Party to adopt or maintain consumer protection laws to proscribe fraudulent and deceptive commercial activities that cause or may cause harm to consumers engaged in commercial activities, as well as to adopt or maintain measures providing for the limitation of unsolicited commercial electronic Communications. USMCA Chapter 19 also promotes the use of electronic authentication and electronic signatures, prohibits the use of customs duties and other discriminatory measures from being applied to digital products distributed electronically.

~ ~ ~ ~ ~ ~ ~

USMCA Chapter 19 on Digital Trade shows an intent to help the expansion of trade and investment in innovative products and services. It promotes the development of mechanisms for the promotion of privacy and cybersecurity, and  expresses a commitment to lift barriers to trade by prohibiting the customs duties, data localization or source code disclosure. Time alone will tell the extent to which the promises made will be actually put into effect, and whether they bring tangible results.

Digital Trade Provisions of NAFTA 2.0
Scroll to top