In light of recent activity on US trade agreements, here is a quick update on developments with regard to US-China, US-Mexico-Canada (USMCA), and US-Japan. This summary focuses on technology and cybersecurity-related issues affecting private enterprises. The trade agreements are lengthy, so absence of an issue should not be interpreted to mean it is not addressed in the agreement.
A couple top-level highlights:
- The China Phase One Agreement takes some steps to improve intellectual property enforcement and prohibit tech transfer requirements. This may reduce some risks of IP theft for businesses operating in China. However, it remains to be seen how stringently China will enforce the agreement.
- The USMCA includes the first chapter dedicated to digital trade in a US trade agreement. It includes cybersecurity provisions encouraging Mexico and Canada to implement and promote a risk-based approach to cybersecurity that encompasses the principles of the NIST Cybersecurity Framework (without mentioning the NIST Framework by name). This can help cybersecurity products and services companies refer to a common set of practices and controls when building cybersecurity programs and assessing needs.
US-China Phase One Agreement
Status: The US-China Phase One Agreement was signed on Jan. 15, 2020. A partial rollback of tariffs has also been announced. The US-China Phase One Agreement will not require Congressional approval to enter into force.
Phase One Highlights: Most of the agreement focuses on commodities rather than tech issues. However, there are provisions on IP, tech transfer, and purchase of services.
Intellectual Property (Chapter 1):
- Expands the scope of liability for trade secret misappropriation to cover all persons, such as former employees, or "cyberhackers."
- China's legal system must prohibit electronic intrusions and breach of confidentiality as part of trade secret misappropriation.
- Government requests for confidential business information must be limited to no more than what is necessary to exercise regulatory or investigative authority, and to prohibit unauthorized disclosures of that information.
- Requires stronger penalties and injunctive relief for IP theft.
- China must release an Action Plan within 30 days on how this chapter will be implemented.
Tech Transfer (Chapter 2):
- Prohibits tech transfer as a requirement for market access, licensing, administrative approvals, or other special advantages. All tech transfers and licensing must be voluntary and by mutual agreement.
- All administrative and licensing requirements must be transparent, and sensitive technical information must be protected in any administrative, regulatory, or review processes.
- "Tech transfer" is not defined in the agreement. There are questions regarding whether these provisions apply to security assessments.
Purchases (Chapter 6):
- China commits to dedicate $37.9bn to purchase of services, which may include "cloud and related services."
Phase Two and cybersecurity: US officials have stated that Phase Two will focus more on technology, IP, and cybersecurity issues - potentially including Huawei and rollback of additional tariffs. There is no public timetable yet, though President Trump noted that Phase Two would begin "very shortly."
US-Mexico-Canada Agreement (USMCA)
Status: The USMCA was approved by the US Congress and entered into force on Jan. 16, 2020. Much of the content was borrowed from the now-defunct Trans-Pacific Partnership. Unlike the China Phase One Agreement, USMCA is comprehensive and addresses several economic sectors, including a detailed chapter on digital trade (Chapter 19). This is the first digital trade chapter in a US trade agreement.
USMCA Digital Trade highlights:
- Cyber risk management: The Parties “shall endeavor to” employ and encourage enterprises to use risk-based approaches to cybersecurity, based on standards and best practices, to identify and protect against cybersecurity risks and to detect, respond to, and recover from cybersecurity events. Rapid7 fought for inclusion of this provision in USMCA based on feedback that a common NIST-like framework would be helpful for communicating about cybersecurity in international markets.
- Cybersecurity collaboration: The Parties “shall endeavor to” strengthen collaboration mechanisms for cooperating to identify and mitigate cyberattacks and cybersecurity incidents.
- No data localization: The Parties shall not require enterprises to locate or use computing facilities in that Party’s territory as a condition for conducting business there. The Parties may not restrict cross-border flow of information unless necessary to achieve specific purposes and in proportion to the risks.
- Source code protection: The Parties shall not require access to or transfer of source code as a condition for market access.
- No favorable treatment: The Parties shall not accord less favorable treatment to a digital product produced in another country.
- No custom duties or fees: The Parties shall not impose custom duties or fees for digital products transferred electronically.
- Safe harbor for platforms: “Interactive Computer Services” (that provide electronic access by multiple users to a computer server) shall not be held liable for harms caused by user-generated content.
- No weakening encryption: With some caveats for financial instruments, the Parties shall not require local design elements (i.e., intentionally weakening) in commercial cryptography as a condition of market access.
US-Japan Digital Trade Agreement
Status: The US-Japan Trade Agreement was signed by both countries on Oct. 7, 2019. This deal is more limited than USMCA, focusing largely on tariffs and digital trade. Because it is limited, the US-Japan Agreement does not require congressional approval to move forward. The digital trade chapter was broken out into a separate agreement - the US-Japan Digital Trade Agreement - and will be enacted in the US as an Executive Agreement. However, the Japanese Diet must still approve the Agreement.
US-Japan Digital Trade Agreement highlights: The text is almost identical to the USMCA digital trade chapter. We should expect this to be the base negotiating text for digital provisions US trade agreements moving forward - including the upcoming US-UK, US-EU, and China Phase Two agreements.
* * *
We welcome the inclusion of issues like information flows, IP protection, and cybersecurity into new trade instruments. Inclusion of these digital trade issues better reflect the technological environment of global businesses. As cybersecurity continues to grow in importance to industry, and as an industry itself, we hope future trade agreements and other instruments incorporate additional priorities related to cybersecurity.