Digital Issues in NAFTA: Cross-Border Data Flows and Cybersecurity
This is part of a series of posts on digital issues in NAFTA.
Imagining bits and bytes crossing borders around the world is perhaps the quintessential visualization of the Internet. And for good reason! This flow of information across borders is the lifeblood of the digital economy and by extension the array of traditionally non-digital industries that now rely on the Internet to compete globally.
The Data Must Flow
In the U.S., the productivity gains and efficiencies enabled by data flows have boosted the economy by hundreds of billions of dollars. Cross-border data flows allow Internet platforms and providers to connect small and medium-sized U.S. businesses to a global marketplace.
Small businesses and craftspeople located across the U.S. can use platforms like eBay and Amazon to sell their goods worldwide without the need for brick-and-mortar presences abroad. An array of online payment processors and emerging digital currencies allow the same small firms to handle transactions globally, and global Internet advertising networks enable them to target potential customers in markets they would not be able to otherwise access. Larger companies can similarly take advantage of cloud platforms and globally distributed computing resources to analyze vast quantities of data and improve provision of remote services to customers worldwide, with benefits visible across industries, from manufacturing and retail to finance and healthcare.
To promote these wide-ranging benefits of cross-border data flows, trade agreements like NAFTA should affirmatively protect them. U.S. policy should be to prohibit governments from interfering with data flows or the exchange of information online, in addition to barring direct or indirect data localization or residency requirements on the increasing range of companies that use or manage data. USTR’s Digital 2 Dozen statement from earlier this year promoted similar ideas.
Securing Digital Trade
Protecting digital trade through policy means ensuring data and digitally-enabled goods that consumers and business rely on are technologically secured. Providers of digital devices and services have for many years sought to improve the security of their platforms. Today, strongly encrypted devices and connections protect users’ sensitive personal and financial information from bad actors.
Many countries, at the behest of their respective national security and law enforcement authorities, are considering or have implemented laws that mandate access to encrypted communications. Often the relevant provisions are not explicit, but mandate facilitated access, technical assistance, or compliance with otherwise infeasible judicial orders. Other versions require access to or transfer of source code as a condition of allowing technology imports.
Such exceptional access regimes run contrary to the consensus assessments of security technologists because they are technically and economically infeasible to develop and implement.
Regardless of the form these anti-security measures take, U.S. policy should oppose them. Trade agreements should prevent countries from compelling manufacturers or suppliers to use a particular cryptographic algorithm or to provide access to a technology, private key, algorithm specification, or other cryptographic design details. Similarly, NAFTA should generally prohibit governments from conditioning market access on their ability to demand access to cryptographic keys or source code.