The United States–Mexico–Canada Agreement (USMCA) enters into effect on July 1, 2020. Nicknamed “NAFTA 2.0” because it replaces the North America Free Trade Agreement (NAFTA), the USMCA addresses a number issues that had not been tackled by its predecessor, conceived and negotiated almost 30 years ago, at the down of the commercial Internet. In its Chapter 19 – Digital Trade, the USMCA focuses on the trading of digital products, such as computer programs, image, text, video, sound recording or other products that are digitally encoded and can be transmitted electronically. Several Articles focus on cybersecurity, privacy, data localization, and cross-border data transfers, which should be of interest to cloud providers and cloud users.  Other areas of interest include, protection against unsolicited commercial communication, source code protection, prohibition against the application of customs duties, and internet platform liability for third party content.

Protection of Personal Information

USMCA recognizes the importance of protecting the personal information of users of digital trade.  In Article 19.8, it requires each party to the Treaty (“Party”) to adopt and maintain a legal framework that provides for the protection of personal information of digital trade users.

Article 19.8(2) provides that each Party should take into account the principles and guidelines of international bodies, pointing to the APEC Privacy Framework and the OECD Guidelines for the Protection of Privacy and Transborder Flows of Personal Data. A footnote to that section allows the use of comprehensive privacy, personal information and personal data protection laws, sector-specific laws covering privacy, or laws that provide for the enforcement of voluntary undertakings by enterprises relating to privacy. It will be interesting to follow the effect and implementation of this section at a time when the United States is still struggling to define basic privacy rights for all individuals in all market sectors. 

Article 19.8(3) goes in further detail, and specifically recognizes the key data protection principles:

  • Limitation on collection
  • Choice
  • Data Quality
  • Purpose Specification
  • Use Limitation
  • Security Safeguards
  • Transparency
  • Individual Participation
  • Accountability

Further, Article 19.8(5) requires each Party to publish information on the personal information protections it provides to users of digital trade, including how a natural person can pursue a remedy, and how an enterprise can comply with legal requirements.

Cross-Border Data Transfers

Regarding privacy and data protection, USMCA Article 19.8(6) recognizes that the three signatories take different legal approaches to protecting personal information, and it invites each Party to encourage the development of mechanisms to promote compatibility between their different data protection regimes.  In particular under Article 19.6, each Party makes the commitment to explore ways to promote compatibility between the different regimes. In this respect, Article 19.8(6) points to the APEC Cross Border Privacy Rules as a valid mechanism to facilitate cross-border information transfers while protecting personal information.

Article 19.8 should be read in conjunction with Article 19.11 which focuses on cross-border transfers of information by electronic means. Article 11(1) prohibits the parties from barring or restricting the transfer of information, including personal information, by electronic means if this activity is for the conduct of the business of an investor or service supplier of another Party.

Location of Computing Facilities

USMCA Article 19.12 ensures that limits on where data can be stored or processed are minimized.  It prohibits Treaty Parties from requiring that an investor or service supplier use or locate computing facilities in that party’s territory as a condition for conducting business in that territory. This provision should be favorable to cloud service providers and help enhance the global digital ecosystem.


USMCA Article 19.15 addresses cybersecurity challenges.  It promotes cooperation in tackling cybersecurity challenges, and encourages the use of best industry practices to keep networks and services secure.

In Article 19.15, the Parties commit to develop the capabilities of their respective national agencies responsible for responding to cybersecurity incidents.  In addition, they commit to strengthen existing collaboration mechanisms to cooperate in identifying and mitigating malicious intrusions or dissemination of malicious code that affects electronic networks, and to share information for awareness and best practices.

Further, under Article 19.15(2), each Party commits to encourage enterprises within its jurisdiction to use risk-based approaches that rely on standards and best practices to identify and protect against cybersecurity risks and detect, respond to and recover from cybersecurity events.

Other Provisions

In addition to the above, Chapter 19 of the USMCA addresses other aspects that are relevant to provide a foundation for the expansion of trade and investment in innovative products.

Regarding source code, USMCA limits governments’ ability to require the disclosure of proprietary source code and algorithms before a product can be distributed in its territory. Article 19.16 states that Treaty member countries may not require persons located in another of the parties to transfer, or provide access to the source code of its software, or the algorithm expressed in that source code, as a condition for the importation, distribution, or marketing in their territory, of such computer programs or products containing them. 

In addition, USMCA requires each Party to adopt or maintain consumer protection laws to proscribe fraudulent and deceptive commercial activities that cause or may cause harm to consumers engaged in commercial activities, as well as to adopt or maintain measures providing for the limitation of unsolicited commercial electronic Communications.  USMCA Chapter 19 also promotes the use of electronic authentication and electronic signatures, prohibits the use of customs duties and other discriminatory measures from being applied to digital products distributed electronically.

~ ~ ~ ~ ~ ~ ~

With the entry into force of the USMCA, businesses located in The United States, Canada and Mexico should expect that the provisions of Chapter 19 on Digital Trade will help the expansion of trade and investment in innovative products and services. USMCA promotes the development of mechanisms for the promotion of privacy and cybersecurity, and  expresses a commitment to lift barriers to trade by prohibiting the customs duties, data localization or source code disclosure. Time alone will tell the extent to which the promises made will be actual put into effect, and bring tangible results.