Speaker 0
0:10 – 0:14
Welcome to Tech Talk. Bye. CT. Tea.
Speaker 1
0:16 – 0:46
Welcome to CDT's Tech Talk where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Brian Wasilowski and it's time to talk tech. This week, we have something a little bit different for you. Our president and CEO, Nuala O'Connor, had the opportunity to sit down with Federal Trade Commissioner, Julie Brill, to talk about the impact of the new data flow agreement between the EU and US called Privacy Shield. I'll turn it over to Nuala for this one.
Speaker 0
0:52 – 2:25
Hi, everybody. I'm Nuala O'Connor. I'm the president and CEO of the Center for Democracy and Technology here in Washington DC and around the world. As many of you know, the European Commission has recently announced a momentous agreement, a framework for transatlantic data flows that replaces what we all all of us know as the safe harbor with the privacy shield. The agreement's intended to replace safe harbor that was struck down by the Court of Justice of the European Union in October 2015, and it left many companies in slightly uncharted waters, and wondering and scrambling about what to do next about their transatlantic and cross border data flows. We have not yet seen the text of the agreement, as you know, and it's not expected to be released for some time. But consumers and businesses are curious and wanna know what Privacy Shield will mean for them. To answer some of those questions, we have our esteemed colleague and great federal public servant and and national public servant, but also thought leader in the privacy space, commissioner Julie Brill of the Federal Trade Commission. We're so grateful, so pleased you're here, grateful for your time, grateful for your service. We are excited to hear what you have to say and what your perspective is on this very interesting time in privacy and transatlantic, data flows and relations. So very first, at a high level, what are the most important things people should know about the privacy shield? What does it mean for US companies? And what does it mean for consumers on both sides of The Atlantic? So first of all, thank you so much, Nuala,
Speaker 2
2:26 – 5:16
for having me here and to talk to your stakeholders here at CDT. You, serve such an incredibly valuable role and do so much wonderful work. So it's great to be here. Privacy Shield is is really a momentous agreement and announcement. Of course, we all do still need to see the details and we're all looking forward to that. But at a high level, what it will mean for consumers is stronger protections. I believe, you know, what I've seen of it and I've seen certain elements of it, I see protections that are stronger than had existed with respect to safe harbor. I also think Privacy Shield will be very important because what it will provide important element for consumers is that the agreeing to. And the last important element for consumers is strong enforcement. They've we've always had strong enforcement of the old transfer mechanism. The FTC was very active in enforcement. And I think now, with the new privacy shield, we will see enhanced enforcement by the European data protection authorities and we at the FTC will be able to cooperate with them, in in a in a more streamlined and and significant way. So that's on the consumer side. With respect to companies, I think we're gonna see four or so, important, benefits. An ability to rely on a single set of rules, known rules. I do very much want companies to examine those rules carefully, the principles carefully, so that if they're going to sign up for it, they will be sure that they can comply. We will be establishing a set of principles for a data transfer mechanism that I think for most companies will be much simpler than trying to transfer data through, binding corporate rules or standard standard contractual contracts. There are issues with respect to those other transfer mechanisms. Some of them are just for intracompany transfers and others, like the standard contractual contracts, can require negotiating relationships with dozens, hundreds, maybe even thousands of data partners, which can be very difficult for, for many companies. And I think you actually have some personal experience, in this area in some former lives of yours. The another benefit, I think, for companies is that the companies is that the privacy shield will eliminate some of the uncertainty that has arisen, in the data transfer world, as a result of the Schrem's decision. So I think there are important benefits for both consumers and for businesses.
Speaker 0
5:17 – 5:26
Fantastic. Can you tell us a little bit more about how the agreement may or may not change the way the FTC is working or has worked with the data protection authorities going forward?
Speaker 2
5:27 – 6:26
Yes. We will have a more streamlined way to communicate with the data protection authorities. We, have always committed to taking any referral from the European DPAs, as a high priority. And, we believe we've received very few. There's been a discussion about how many we've actually received, which pointed to the need to make sure that we do have clear communications and that we do have a mechanism to ensure that the DPAs know how to reach us and how to reach the ensure that the DPAs know how to reach us and how to reach the Department of Commerce in the event that they have issues that either the Department of Commerce can clear up quickly or that we may want to take a closer look at. And, Privacy Shield does that and I think that, that'll be a very important mechanism to ensure that the DPAs have a way to get their concerns at least heard here in The US by a legitimate and strong enforcement authority.
Speaker 0
6:27 – 6:33
Are there speaking of authorities, are there changes in the tools or the authorities or scope that you wanna share with us?
Speaker 2
6:33 – 7:49
So with respect to the FTC? Yeah. No. Actually, we have plenty of authority. You know, our section five authority allowed us and will continue to allow us to enforce the principles that any company voluntarily signs up to live up to. And, that's what we did in the past with respect to 39 cases that we brought, and we plan to do that in the future. The other authority that we have, which will be very important in terms of cooperation with the DPAs, is, authority under our Safe Web Act, which allows us to assist, foreign colleagues, foreign, regulators, when they're enforcing a law or a rule that has an analog here in The United States, and if they're gonna agree to work with us and and it's a mutual, assistance, then, we can do things like help them with subpoenas, and other, enforcement tools that we can bring to bear to help them do their investigations. So that authority already exists and we we have already been using it and we will continue to use it. So there's no new change in FTC authority. It's really what Privacy Shield does is it allows for more streamlined mechanism for communication between us and the DPAs.
Speaker 0
7:49 – 7:54
Changes in the reporting or transparency or other requirements on US companies?
Speaker 2
7:56 – 8:31
There are going to be changes on the requirements with respect to US companies. The principles will be more robust. For instance, it has and it's hard for me to talk about all of them because some of them are still being kind of written up and, but one that has been identified publicly by both the European Commission and the Department of Commerce are the principles around onward transfer. So if you are a controller and you are transferring Europeans' data to another entity, there will be requirements that all of the principles that attach to that data
Speaker 0
8:35 – 9:09
recipient of the data. So onward transfer will be, more robustly protected. That's just one example. That's terrific. I think many of us thought that was the way it worked or should have worked anyway, so that's terrific news. An important element of the agreement that many have focused on is the introduction of the ombudsman function to deal with complaints from US or EU citizens rather on signals intelligence activities relating to privacy shield. How do you think that's gonna work? Is it an effective mechanism for oversight and redress? Anything else you wanna tell us about this or that you can't tell us about this? Right. So this one's,
Speaker 2
9:11 – 10:33
sort of a late breaking development in the discussions, as I think most people know. It is, still, the subject of, it's still being written up. But, it will be a person here in the US government who will, serve as a focal point for complaints that European citizens may have about the way in which their data is being used, at least by some of the intelligence community in terms of the signals intelligence. And I personally believe that this is unprecedented. This was a real it appears it will be a real step forward. The proof will be in the pudding, of course. You know, we'll have to see how it works. But one of the good things about Privacy Shield, one of the many good things about Privacy Shield, is it sets up a mechanism to have ongoing reviews. There will be ongoing discussions between the European Commission and, the Department of Commerce, as well as ongoing discussions between the FTC and the DPAs. So if something like the ombudsman isn't working out, you know, we can talk about that and we can try to fix it. But my view of of it is it is it was described and disclosed, is that it really is unprecedented and I'm very hopeful that it will go a long way to solving some of the concerns.
Speaker 0
10:33 – 10:45
Sounds like a really great development. There are many who've said, should US citizens have a similar function for our own intelligence or on the other side of the Atlantic? Any chance of that happening?
Speaker 2
10:46 – 10:57
So let me just say that's not really an FTC issue. Beyond the scope. But let me also say that I think that that is a really good question that's worthy of discussion.
Speaker 0
10:58 – 11:42
Well well said. Well said. So when we saw the safe harbor, we here at CDT and many others in the civil society advocacy community, we look at it very much not only through the lens of data protection, but also through our work in security and surveillance. And we really look to this and hope for a moment for reform of government surveillance practices, which again, I know are beyond the scope of the Federal Trade Commission. But we are wondering what the long term prognosis is for Privacy Shield, given a very clear statement about reform for surveillance on both sides of the Atlantic. Do you think that there are risks or that this is an enduring solution that will hold up in court on both sides of the Atlantic? So let's talk about the European courts.
Speaker 2
11:43 – 15:10
I think that's where the probably more immediate challenge may be lodged. And, you know, if you look at what the Schrems Court said, that is the the decision by the European Court of Justice that was issued in October that invalidated the old transfer mechanism safe harbor, what the court said was, not really focused on whether or not surveillance was proportionate here in The United States, but rather it the court said the European Commission failed to take into account those issues when it issued its decision back in 2000 to create the safe harbor. So it's a little bit of a, you know, twist or, you know, it's a pres it's That was the procedural posture that was that the case present how the case presented the national security use of, signals intelligence and law enforcement access is is not proportionate. It did not make that determination. It used allegations about that to say these were issues that should have been considered. I do, am very hopeful that if and when this comes up before the court again, the court will have before it the full flavor of with all the facts, you know, the the full scope of all the activity that has taken place here in The United States since the Snowden revelations. Now since 2013, we have engaged, we as a society here in The United States, have engaged in a very robust conversation to try to figure out, you know, do we have the balance right? And we've seen the presidential policy directive 28, which has dealt with some of these issues on an administrative level. We've seen USA Freedom, which has taught which has dealt with some of the programs and dialed some of those back. And we've now just seen, you know, the Judicial Redress Act, more or less passed, done by con Congress has finished with it now, will now be wending its way to the president's desk. These are very significant reforms. Whether they meet the court's test, I think comes down to the issue of what did the court mean, that is the European Court of Justice mean, when it said that any transfer to a third country will be, must be to a country that has laws that are essentially equivalent to the EU legal order. And the question, a lot of people have been focused on what is essentially equivalent. I'm focused on what is the EU legal order. And the reason why is because I think there's two potential answers to that. On the one hand, we could say the EU legal order is as it's set out in the charters of fundamental rights and human rights. And whatever is happening on the ground in the member states doesn't matter. We're gonna judge it by the platonic ideal of what exists in the in the charters. The other way to think about the EU legal order is to look at, well, what are the member states doing? And how do they balance, security and privacy? Because as you and your very smart stakeholders know, at the in Europe, the European Commission, as well as many DPAs, do not have authority,
Speaker 0
15:11 – 15:16
are not competent to talk about national security issues. That happens at the member state level. So if the European Court of Justice says, okay, if we're going to examine The US practices, we're
Speaker 2
15:23 – 15:25
member states, that would be a very different conversation
Speaker 0
15:26 – 15:40
than simply looking at The US practices and how they line up with the with the charters. Such a great observation and it really segues into my next question, which is we we can guess what the courts might say. What do you think the reception is going to be at the member state level, both politically and among the DPAs?
Speaker 2
15:43 – 19:19
It's a great question. The DPAs and the member states, they're not monolithic. No. Right? They're they're very it's a very heterogeneous group. I have met with many of the DPAs, not only Isabelle Flock Parotan who runs the Article twenty nine Working Party, which is the college of all the DPAs that get together and talk about policy issues. I've also met with all of the German Landers DPAs. That is the individual state level DPAs. I think I'm the first US government person to meet with them as a group. Now, many of us have met with individuals, one or two, but to meet with them as a group. My And I've met with, many others, not just Isabelle at the at the member state level, but also, you know, the The UK DPA, the Irish DPA, the Dutch DPA, the Belgium DPA, the German DPA, the Spanish DPA. I mean, I've, it, I've met with many, many. Almost as many as I did when I was shopping the GEBCR all those years ago. I I'm certain that's true. I'm certain that's true. They're heterogeneous bunch here. They are. My my sense of the DPAs is they very much want a solution to this. They don't they don't want a solution that won't work or that doesn't satisfy whatever the standard is going to be. But I don't think that they're looking for a fight on this. I think they want commerce to flow. They want data to flow, but they want it to be protected. So I think that, that, you know, they're gonna examine Privacy Shield very closely. They've given, the the Department of Commerce and the European Commission thirty days to see it, written up, thirty days or so. And they're gonna examine it closely as they should. But I'm very hopeful that they will see that it is a tremendous step forward and that there are so many protections built in, both for individual redress on the commercial side, as well as for them to ensure that their complaints will be heard in some fashion or another. I I I think that they will be satisfied, but but we'll see. It'll be their call. At the member state level, again, heterogeneous bunch. But as you know, unlike in 2000 when safe harbor was, pushed put forward where that was just the European Commission decision. Now the decision as to whether or not privacy shield is an adequate transfer mechanism must also go to the article 31, which is a working group of the member states. They'll get together and they too will examine this to determine whether or not it is adequate. Once again, you know, I speak with, again, lots of, folks, politicians and whatnot in Europe about these issues. My sense is many of them do wanna see a solution. They see, just like I do, you know, data is is such an important, issue and it's such an economically important issue for so many different, forward looking technologies and forward looking business models and ways in which to grow economies. And they too see the issues around things like big data and potential for discrimination, Internet of things in the collection of deeply sensitive information, the new general data protection regulation that's gonna be coming online, what's known as the GDPR. These are big issues that I think all of us need to be thinking about, you know, how this is gonna work transatlantically. So I think most of the folks that I speak to, both, at the political level in Europe as well as at the regulatory level, would like to see an appropriate solution. And I'm very hopeful that they'll take a close look at this and see that it is one.
Speaker 0
19:20 – 19:50
So our last question, setting aside our transatlantic dialogue and looking long term, we are you you are now queen of the world and you get to decide what is the global transfer mechanism. What is the right venue or what is the right path forward for a truly global piece of global framework on data protection and data transfers? Because as we want the Internet to be a truly global structure, we want the data to flow, right, Appropriately and safely. Right.
Speaker 2
19:51 – 21:28
I think I'll have to be the princess rather than the queen on this one. Because I'm not sure I have a full answer. Right? It's it's a great question. It's the 64 gazillion dollar question. Now we no longer say 64,000, right? Inflation. But I do think that we need we need to have clear solutions about cross border, transfers, whether in the commercial space, with respect to law enforcement and mutual legal assistance treaties, or with respect to proportionality on national security. And I I don't know that there'll be one solution for all of these, but I think the critical piece is to have discussions, to talk about the ways our frameworks really work, not the the rumors or the memes about, oh, you know, The United States doesn't have any privacy and in Europe, privacy is fabulous. Because in point of fact, in The United States, we have a complex system, but it can be deeply protective and in some areas, I believe, more protective than than exists in Europe. And in Europe, they have baseline privacy legislation, but enforcement hasn't really been as active. Right? And now with the DPAs having such a huge role as set out in the Schrem's decision, will they have the resources to do what they need to do? I mean, these are some big questions. So I think that we need to approach all of these issues with an honest view on what our frameworks really are like, the strengths and weaknesses of them, and see how we can continue to build these bridges, so that we can try to answer
Speaker 0
21:28 – 21:45
your big, big question. And I see Privacy Shield as a very much as part of that solution. It's a great step forward and we are so grateful for your time today and for your continued service and protection of our customers' and citizens interests around the world. And thank you for being here with us. Thanks so much for having me. This was great.
Speaker 1
21:46 – 22:02
That's all for this episode of Tech Talk. We have some video clips from Nuala's conversation with commissioner Brill online at cdt.org. As always, tweet us any questions you have or topics you'd like us to cover to at SendemTech. I'm Brian Wasilowski, and thanks for listening.