On January 29, 2020, the United States-Mexico-Canada Agreement ("USMCA") was signed into law. The USMCA contains a section on digital trade which will impact digital commerce and how data can be handled in the United States, Mexico, and Canada (the "three-country area") (USMCA, Ch. 19). Here is a look at some of the most notable provisions.
First, in terms of the purely economic, the USMCA provides that there will be no customs duties, fees, or other charges in connection with the importation or exportation of digital products transmitted electronically among persons in the three-country area. (USMCA, Ch. 19, art. 3.)
The USMCA also provides protections to personal information. (Id. at 19.8.) Specifically, the signatories recognize the "economic and social benefits of protecting the personal information of users of digital trade." To this end, the signatories agree to adopt or maintain a legal framework that provides for the protection of personal information. The USMCA also encourages the signatories to "encourage the development of mechanisms to promote compatibility between [their] different regimes." (Id. at 19.8.6.)
The USMCA also provides that the signatories shall not prohibit or restrict the cross-border transfer of information, including personal information, by electronic means" provided it is in connection with the business of a person in the three-country area. (Id. at 19.11.1.) Despite this blanket statement, however, the USMCA does provide for some prohibition or restrictions if "necessary to achieve a legitimate public policy objective." (Id. at 19.11.2.) Such restrictions must not be arbitrary or a disguised restriction on trade, may not provide different treatment of data transfers solely on the basis that they are cross-border, and the restriction must be no greater than necessary to achieve the objective. (Id. at 19.11.2 & n.5.)
The USMCA also seeks to limit so-called spam communications. Article 19.13 provides that the signatories "shall adopt or maintain measures providing for the limitation of unsolicited commercial electronic communications." The signatories also agree that they shall provide recourse in their body of law against suppliers of spam communications that do not comply with the USMCA's provisions. (Id. at 19.13.3.)
With regard to cybersecurity, the USMCA provides that the signatories will endeavor to build capabilities of national entities responsible for cybersecurity incident response and to strengthen existing collaboration mechanisms to identify and mitigate cyber threats. (Id. at 19.15.1.)
It will be interesting to see if the USMCA becomes the impetus for the United States Congress to create and pass a federal law that governs digital privacy and data security throughout the United States, displacing state laws on the subject. At present, digital privacy and data security laws vary from state to state, causing businesses to have to comply with multiple laws within the United States based on the geographic location of end-users. A consistent and complete approach to cybersecurity would provide more certainty to businesses and reduce the costs associated with complying with multiple laws.