The United States should use the U.S.-Mexico-Canada Trade Agreement’s (USMCA) new data-related provisions to pressure Mexico to remove data localization requirements in its draft fintech law. If all else fails, the United States should initiate a trade dispute as these requirements would undermine U.S. innovation. The United States should also act to send a broader signal: that Mexico’s use of broad, vague national security concerns to justify digital protectionism is unacceptable. Allowing Mexico to get away with it would set a troubling precedent for other countries to also use it to justify digital protectionism.
In late 2020, Mexico’s central bank (Banxico) and the National Banking and Securities Commission (CNBV) issued draft fintech regulations (Provisions Applicable to Electronic Payment Fund Institutions) that would force firms to only choose cloud providers based in Mexico. Article 50 would impose a local data storage requirement. Article 49 would establish a regulatory approval model with a high degree of discretion and lack of transparency for determining what cloud computing services payments and financial firms could use.
It is clearly a barrier to trade that protects Mexican cloud providers and incumbent banks and payment networks from foreign competition as it would preclude U.S. fintech, payment, and financial firms from using existing U.S. cloud services to serve customers in Mexico. Meanwhile, it would create a clear gap in reciprocity in that Mexican cloud firms and fintech, payment, and financial firms would be free to use whatever cloud provider they wanted in accessing the U.S. market.
Mexico’s draft regulation is troubling as officials justified it on the basis of broad, vague, and highly unlikely national security grounds. Just as troubling is the fact that Trump administration trade officials reportedly did not push back on Mexico’s use of this rationale, in part due to its own misuse of national security concerns to enact tariffs on foreign automotive and steel imports. Mexican officials reportedly looked to Russia as their model. Russia enacted payment data localization as part of an initiative to replace foreign payment firms with a state-supported payments system (known as MIR) after being targeted by financial sanctions for invading Ukraine and annexing Crimea. After these sanctions, Mastercard and Visa refused to process payments from the region, so Russia used the crisis to standup its own payments network.
Russia is a world leader in digital protectionism and authoritarianism. Forced data localization and access to data are key tools in its toolkit. Russia not only requires payment data localization, but local data processing, which essentially precludes foreign firms from using data as part of global data analytics systems. The use of data analytics is at the heart of modern digital services trade and competition, yet U.S. payments firms face these barriers in China, India, Indonesia, Vietnam, and elsewhere as countries behind the border regulations to block them.
Forcing firms to store data locally does not make it more secure and private than data stored in the cloud. This is the false promise of data nationalism. Nor does Mexico face any real threat of international financial sanctions that would somehow cut its payment system off from the global financial system. National security is among the most troubling motivations that policymakers are reverting to try and justify arbitrary and discriminatory digital restrictions as it is self-judging and can be applied to nearly any digital issue.
Mexico’s data localization proposal breaches both the spirit and the letter of USMCA’s new digitally upgraded financial services (chapter 17) and digital trade (chapter 19) commitments. While it does not apply to financial services, provisions in the digital trade chapter highlight each party’s recognition that data localization is a barrier to modern trade. For example, article 19.12 on the location of computing facilities states that “No Party shall require a covered person to use or locate computing facilities in that Party’s territory as a condition for conducting business in that territory.”
The USMCA’s financial services chapter is the gold standard for supporting the free flow of financial data, while ensuring financial regulators have access to data for oversight purposes (as countries like India cite concerns over access as a misguided motivation to enact data localization). The financial services chapter prohibits rules forcing firms to use or locate local computing facilities as a condition of market access (article 17.18). Should a firm face an issue providing data to regulators, they would have a reasonable opportunity to address the issue and shift data to a jurisdiction where access is assured (article 17.18). Mexico could defend its data localization requirement as a prudential measure, but there is a clear lack of evidence that there is a problem that data localization solves (article 17.11).
The United States should use USMCA commitments on financial services cooperation and transparency to pressure Mexico that this data localization idea is a bad one and will have consequences. Several members of the U.S.-Mexico Interparliamentary Group (Rep. Hurd, Rep. Gonzalez, Rep Cuellar, and Rep. McCaul) already sent a letter to former USTR Lighthizer and Treasury Secretary Mnuchin about this data localization proposal. Such awareness and pressure is needed to ensure the United States uses these new tools. USTR Katherine Tai is using the USMCA’s novel Rapid Response Labor Mechanism to ask Mexico to review labor rights at an automotive factor. USTR should do the same and call a meeting of USMCA’s Committee on Financial Services (which is responsible for implementation and any issues), request further information about the measure, and ensure Mexico provides substantive written response to concerns raised about draft financial service regulations.
Just as raising a tariff can tip the scales of profitability for a traditional manufacturing firm engaged in trade, so too can digital restrictions preclude U.S. fintech or financial service firms, especially small ones, from leveraging cloud services to engage in digital trade in multiple markets. The cost and complexity of setting up duplicative data centers is costly, especially for startups and SMEs that may only serve their home market and one or two foreign ones.
For the USMCA’s new digital rules to be valuable, they need to be enforced. U.S. firms and workers benefit from the movement of data as part of digital trade. While it’s hard to specify the exact impact of this one provision, it’s also a matter of recognizing the cumulative impact if more countries enact similar restrictions on U.S. cloud and digital service providers.
If the Biden administration wants to support the innovation and growth in the burgeoning fintech and payment services sector, it needs to send a clear message that countries cannot use regulatory policies disguised as barriers to protect local firms. The United States pushed for ambitious digital trade rules to prevent exactly these types of barriers. Failing to defend them weakens USTR’s efforts to push back against digital protectionism elsewhere around the world.
Nigel Cory is an associate director covering trade policy at the Information Technology and Innovation Foundation. He focuses on cross-border data flows, data governance, intellectual property, and how they each relate to digital trade and the broader digital economy. Cory has provided in-person testimony and written submissions and has published reports and op-eds relating to these issues in the United States, the European Union, Australia, China, India, and New Zealand, among other countries and regions, and he has completed research projects for international bodies such as the Asia Pacific Economic Cooperation and the World Trade Organization.
To read the full commentary from the Information Technology and Innovation Foundation, please click here.