All negotiations rounds between Mexico, Canada and the United States in order to modify the North American Free Trade Agreement (NAFTA) have been conducted in secret and, for that reason, it is not possible to determine with certainty whether the topic of data protection has been part of the discussions. However, considering both the objectives declared by the Trade Representative of the Office of the President of the United States and the failed attempts to regulate the issue in previously negotiated treaties such as the TPP, TTIP or TiSA, at SonTusDatos we assume that a modified NAFTA Agreement would present the following risks for the protection of personal data in Mexico.
1. The transfer of all types of data across borders. One of the objectives of the United States is to eliminate any form of restriction to the transfer of personal data, which includes all types of data, including those considered “personal”, that enable the identification of individuals and making decisions about them that are susceptible to harm them (the TPP already included a similar proposal in its article 14.11). This provision directly conflicts with the human right to data protection and its regulation in Mexico covered by the Federal Law on the Protection of Personal Data Held by Private Parties and its Regulations, and should therefore not be admitted as proposed. Certainly, an essential part of a free and open Internet is the flow of information, but when personal data are included within the scope of the term “information”, this cannot imply that all types of restrictions are eliminated, especially when that “restriction” is a human right.
One cannot forget that in Mexico there are approximately 70 million Internet users, of which 83% use social networks. Within these, 95% use Facebook; 93% Whatsapp; 72% YouTube; 66% Twitter; 59% Instagram and 56% LinkedIn. If one adds email providers such as Google (Gmail) or Microsoft (Outlook), this means that a handful of American companies provide most of the services used by Mexican Internet users. Consequently, there are some direct and specific beneficiaries of the proposed concept of “data flow”. To accept that those who collect the largest amount of personal data could then transfer them without any restriction not only violates a human right, but is equivalent to let private companies use and manipulate the personal data of millions of people at will.
2. The non-obligation to use or establish local computing facilities. Another objective of the United States in this renegotiation process is not to mandate service providers that operate on the Internet to establish a subsidiary in the country in which they do business. This would allow them, for example, not to have to pay taxes in the country, and at the same time it would be an obstacle practically impossible for most people to overcome should they would wish to file a complaint against those companies. If those companies did not have an actual place of business in Mexico, the mere fact of having to serve them notice in their own country would inhibit most lawsuits that could be taken against them.
Every country must be able to impose on any company that wishes to carry out operations within its territory – even in cyberspace – as a minimum the obligation to respect the human rights of its residents and citizens (as, in this case, it would be the protection of personal data), as well as taking measures to ensure that they can effectively access justice.
3. The source code cannot enjoy absolute opacity and immunity. The algorithms of the programs or software are also known as “source code”, which are the core of the operation of the companies whose main activity occurs on the Internet. Although certain legal protections must be given to these codes (as already provided by copyright), this cannot imply that governments be forbidden to enact laws that would determine the cases in which they should know how this source code operates. There are several reasons why this possibility is justified, among them the following:
- To monitor the processing of personal data. Most of our personal data are already processed automatically: if we do not know how our data are processed and how the algorithms and source code operate, we will not be able to determine whether they comply or not with the data protection legal framework.
- Avoid discrimination. Whether inadvertently or not, the automated operation of source code that runs Internet applications and platforms may produce discriminatory results. As users, we are automatically categorized within certain profiles. Product or services to which we are getting access, credit card applications or, in general, the activities that we can carry out online are being increasingly determined by automated source code. This is why it is essential to know how source code works, or otherwise get to suffer its consequences without knowing its causes.
Therefore, considering that this type of measures tends to consolidate a digital colonization scheme, which in fact already exists, we propose the following measures:
- We reject the possibility of unlimited personal data transfers, and with this we need to ensure that any exchange of data respect the human right to data protection.
- We cannot allow United States companies (and of any country, for that matter) to be exempted from having to comply with the Mexican legal framework; we do not prevent the government from requiring that companies use or establish local computer facilities.
- Source code absolutely cannot be opaque, so that its disclosure for certain lawful, legitimate and necessary purposes could not be prohibited.
No human right is a barrier to trade, just as no commercial consideration is more relevant than human rights.
For this reason, and as we have done earlier, we will keep track of the advances in the NAFTA Agreement negotiations to ensure that none of the aspects mentioned in this statement are accepted by the Mexican government.