Julie Brill, partner and codirector of global privacy and cybersecurity at Hogan Lovells, and Justin Antonipillai, counselor to the secretary with the delegated duties of undersecretary for economic affairs at U.S. Department of Commerce, join Microsoft’s Lee Brenner to discuss the possibility of reconciling the EU and U.S. privacy regimes. The European Union and the United States have different concerns over privacy and take unique approaches to regulating and enforcing individual privacy online. These differences have become areas of contention in disputes over transatlantic data flows, the so-called “right to be forgotten,” and personal data held by U.S. corporations physically located in Europe. The panelists discuss the challenges facing and the future of Privacy Shield and identify areas of agreement and potential cooperation between the EU and the United States.
Julie Brill, Partner and Codirector of Global Privacy and Cybersecurity, Hogan Lovells; Former Commissioner, Federal Trade Commission
Justin Antonipillai, Counselor, Delegated Duties of Undersecretary for Economic Affairs, U.S. Department of Commerce
BRENNER: All right. Good morning, again, everyone. My name is Lee Brenner. I’m on the Technology and Civic Engagement Team at Microsoft. We are now in the second session, going to be talking about: is reconciling the EU and U.S. privacy regimes possible? It came up a little bit in the first session, but we have two excellent speakers, really, who have worked closely on our policies and working with the EU over the last number of years. To my immediate right, Justin Antonipillai.
ANTONIPILLAI: Antonipillai, but close enough. Yeah.
BRENNER: Polai (ph), OK, it’s close—currently at the Department of Commerce but—and has worked very closely on a lot of these laws. Julie Brill, who is now a partner at Hogan Lovells, specifically focused on global privacy and cybersecurity, and is a former commissioner at the FTC. So, first and foremost, I think I’d like each of them, just give a couple minutes on what they’ve been working on specifically in this area over the last few years, and then we’ll get into specific questions about privacy, the shield law and other things that really are going to be paramount moving forward, especially as we deal with both the EU and other international actors. So, let’s start with Justin. Good to have you.
ANTONIPILLAI: Oh, it’s great to be here. The first panel was absolutely terrific, and thanks, Adam, for putting together something like this at a—that ended up being extremely topical and timely.
So, I’m at the Commerce Department. I joined with Secretary Pritzker about three years ago, and she’s speaking later on today. I’ve had a—actually, I’ve had a great job. So, my job included acting general counsel, acting chief of staff for Secretary Pritzker. I was deputy general counsel, and now I’m in an undersecretary role and I run the Economic and Statistics Administration. But as it pertains to what we’re talking about today, I came in right after the Snowden disclosures, so I worked on everything from the PPD-28 process, the signals intelligence reform, the White House Big Data Report.
BRENNER: What is that?
ANTONIPILLAI: So the PPD-28 is—
BRENNER: Everyone’s so D.C. with—
ANTONIPILLAI: Yeah, yeah, no, I apologize. So right after Snowden, the president actually made a speech in January of 2014, where he also announced the implementation of what’s called PPD-28, which put into place rules and guidance for signals intelligence collection, and it was a very, very important announcement and has been very important for us, actually, around the world as we talk about security and national intelligence issues. But I—we worked on that. And I’ve worked on a lot of the privacy issues that have been coming up, with a lot of friendly faces in the room, including there was an effort to reform ECPA, which is the Electronic Communications Privacy Act. If I have to do this for every acronym, I’m not going to make it.
BRENNER: No. (Laughs.)
ANTONIPILLAI: And then I led—I co-led with a colleague of mine at the Commerce Department the U.S. negotiating team for Privacy Shield, and of course did a lot of work on the general data protection regulation in parallel. My current remit at the Economic Statistics Administration is I shifted from privacy to open data, and that’s why I find these discussions really interesting. And the secretary had a very interesting focus on trying to use our data to drive innovation. So, we have an internal development team and data science team. We’ve been building APIs, wrangling data, presenting data, and working with the private sector to try and democratize it, to bring more tools to charities, nonprofits, advocates, economists, statisticians. So, that’s been a great remit, but it’s the opposite, in some ways, or very complementary to what I was doing on privacy.
BRILL: Great. Well, again, thank you to everybody here, the Council, to you, Lee, to Andy for organizing this. I—for the last seven months I have been co-lead of Hogan Lovells global privacy and cybersecurity practice, and so I’ve been spending quite a bit of time with clients dealing with many of these issues for the past seven months. But prior to that, for the previous six years I was a commissioner at the Federal Trade Commission, and I did take on the role of becoming one of the leading voices within not only the commission but also the U.S. government with respect to some of these transatlantic issues. And the reason I did that is because as I began to—as I began my role as a commissioner back in 2010 and I started to meet Europeans, as well as international officials from elsewhere, I realized that there was a huge disconnect between what was actually happening in the United States with respect to privacy law, how it really worked, how enforcement worked, and the perception. The perception was completely off, in my view. And why do I have the ability to talk about these things? Because before I became a commissioner, I was a state assistant attorney general and deputy attorney general in two different states: Vermont for many years, and then North Carolina for a shorter period of time. And I led the 50 State Privacy Working Group. So, I knew an awful lot about the way privacy is enforced and data security is enforced in the United States at the state as well as the federal level, because we worked all the time with the FTC and with other federal agencies at the state level. So, I knew a lot about the subject.
And as I went around talking to Europeans in particular, but also as I said elsewhere, I would say things like, well, you know, you say that there’s no privacy enforcement, but have you heard about the Fair Credit Reporting Act? Have you heard about the Children’s Online Privacy Protection Act? Have you heard about this, that? Have you heard about the data breach notification laws, and do you know what the states are doing? And I got blank stares. I mean, literally, they just really didn’t know what was going on.
So I—and I particularly ramped up my activity after the Snowden revelations, just as Justin said. That was quite significant, needless to say, in these discussions. I think I was the first person to appear in Brussels, if not in all of Europe, who was a U.S. government official who uttered the word Snowden on stage and said, you know, this was a paradigm shift and we do need to recognize that a lot of information has come out as a result of this. It’s an important teaching moment for everybody, for companies, for government, for Europeans as well as Americans. But do understand—this was my message to the Europeans—do understand that it is having a significant impact in the United States as well, and that there are a lot of policymakers who are trying to adjust and understand what needs to be changed as a result of it.
So, that was a multiyear project, having those discussions in Europe. I worked closely with Justin and his colleagues at the Commerce Department, as well as my colleagues at the Federal Trade Commission, talking through these issues, talking through Privacy Shield, talking through how we could improve, you know, the prior and invalidated transfer mechanism known as Safe Harbor, in order to ensure that the data would flow.
And I took this position. It was of course important for business and it was of course important for the economy as a whole, but I also felt it was important for consumers. I felt that this was kind of a win-win-win situation. And it was important for consumers not just in the United States but actually in Europe as well. And I tried to—and I think I was fairly successful in explaining to many of my European colleagues, whether they were the DPAs—that is, sorry, the data protection authorities—or whether they were within the European Commission or the European Parliament or the Council—all of whom I met with and spoke to—I explained that European consumers actually need this as well. They need to be able to have data transferred so that they can continue to enjoy services that they’re using.
So, it was a multiyear project. I think it was fairly successful. But obviously, there’s a lot of more work to do and, you know, there are—it’s unclear where it will come out, I think. Sitting here right now today, it’s not going to be easy to predict where everything will come out.
BRENNER: Right. So, let’s focus on the Privacy Shield. It moves forward, obviously a lot of work went into it, and then obviously there’s immediate legal actions. And then—and people are challenging it. Will it survive? Will it, both in the context of just the legal challenges and then from a perspective as the—our country and Brexit and all these different movements are happening in global affairs, will it survive on both—on all those fronts?
ANTONIPILLAI: Would you like me to jump?
BRILL: Sure, please, go for it.
ANTONIPILLAI: So I thought maybe I’d say, first, a great question. And we talked about this last night with some folks who are here as well. Let me start by saying just a sentence or two on what it is. Is that helpful?
BRENNER: Please, yeah.
ANTONIPILLAI: Because I define some acronyms. But what you have here is you have different countries with different organic laws and regulations around protecting privacy. And if you want to move the data between one country and another, you need a means to do it that makes both sides comfortable. So, under the European framework, there are basically four ways in which you can transfer data. I won’t go through them, but Privacy Shield is now one of them. And so, the way it works is, companies—there are a set of principles. Companies agree to abide by these principles. So, it’s a voluntary agreement. They’re sort of publicly representing that they’re going to abide by them. And then in the United States and in Europe, we build enforcement mechanisms to make sure they do that right. And if you do that, then essentially you have something where the—where both sides are comfortable that you’ve kind of bridged between the two. The two don’t have to be identical. The standard under European law is it has to be essentially equivalent, so that when you take our organic laws and you build this Privacy Shield on top of it and the companies agree to abide by these principles and you have enforcement, it’s essentially equivalent to what it is here.
I’m biased on your question, so you have to take what I say with the bias I have. And I can’t—you know, I was a litigator before I tried and argued many cases, and I’m not in the business of predicting what a court will do, generally. But I think I would say a couple things on people being nervous about Privacy Shield. One, the fact that people file lawsuits doesn’t have anything to do with whether they’re meritorious, OK? People here and in other places sue all the time, and we should encourage people to sue if they have—you know, have a concern about it. That’s the way you figure out whether you’re right or wrong. And companies are pretty used to regulations coming out and somebody challenges them. That doesn’t mean you know or don’t know that it’s going to be valid.
The way we built the shield is, we were negotiating with the European Commission, and in the middle of the negotiations the Court of Justice actually issued a very long decision that explains some of the things we needed to take into account. And in some ways, it was very disruptive for it to happen that way. But we had pretty good guidance about the issues that were of concern to the court, and we hewed to those issues when we were putting together the shield.
The third issue I would identify is, yes, the Court of Justice struck down the decision—the prior decision, Safe Harbor decision. But I think there’s a lot of confusion really about what the court did and didn’t do in that Schrems decision one—the one that came out last October—because if you read it carefully, what it actually was saying—and I’m not going to interpret it and what it meant in the broader—there’s a lot of folks that have done that—but what it was technically doing was saying that the original 15-year-old written decision by the commission was very thinly done. That’s not meant to be critical, but it’s just sort of what the court was saying. And if you think of a little bit like an APA case or where you’re reviewing an administrative decision, it was only like four pages long, the original European Commission written decision. And so, what they were saying is, you have to consider A, B, C, D, E. You have to lay out your reasoning before you can make an adequacy decision. So, we worked very closely with the commission. We brought in our intelligence community. We basically explained the way our U.S. protections work. And the commission wrote, like, a 40-page—and I’m going to get the number wrong—but a very thoughtful, very deep finding, and it went back up and was approved by the member states and by the council. So, I think it’s a defensible, very strong, durable agreement. I think there are going to be some very challenging conversations because of technology and other issues, but I think it’s at least set up actually to be much more durable than folks really appreciate, especially in the context of what happened before.
BRENNER: And who actually—let’s ask who are the people that are challenging it, and why are they challenging it?
ANTONIPILLAI: So that is, again, a very good question. Do you want to jump in?
BRILL: No, no, do you—why don’t you answer that and then I’ll answer the bigger, broader question. So, please.
ANTONIPILLAI: Yeah. So, there are a couple of different groups that are bringing it up. So, the first is, one of the first cases that came out—there’s a guy, Max Schrems, who, you know, is pretty well known. He brought the original case. His first case after Privacy Shield came out was actually not about Privacy Shield but was about one of the other transfer mechanisms, standard contractual clauses. And the issue in that case actually is not commercial. It’s about the means of redress for national security purposes. And I don’t want to go down to a rabbit hole, but that’s a pretty interesting issue. And the reason it’s so interesting is, there was no finding by the Irish regulator. He brought a claim challenging the way our national security redress mechanisms works, but it—whatever the finding on the national security side—and this is important—any finding on national security issues that are broad actually affects all the means of transfer.
So, we can go into this later, but the reason there’s so much pressure and will be so much pressure in any of these challenges is that on the European side, it’s a very, very complicated dynamic. I know I’ve added a lot of value to the dialogue with that last sentence, but you have—you have an interesting tension between the European Commission and the member states. The European Commission generally doesn’t have “competence,” in quotes, over national security issues. That’s left to the member states. You have a really interesting dynamic between two courts in Europe—the European Court of Justice and the European Court of Human Rights, both of which are issuing decisions on human rights issues. You have these data protection authorities that before had no enforcement mechanism, really, over Privacy Shield, that almost in the way the SEC got authorities in the 1930s are becoming enforcement mechanisms, are real enforcers, and they’re getting possibly significant budget when the new GDPR goes into effect—that’s the General Data Protection Regulation—because the level of fines goes from what some call very low to up to 4 percent of global revenue. So, there’s a lot of dynamics actually occurring in parallel over the next couple years that are going to make it pretty interesting. So—
BRILL: So I, too, hope that Privacy Shield is upheld. I think there are a few dynamics that are worth mentioning here, and some of them certainly Justin alluded to. There’s sort of a process issue where—and under that consideration, under the consideration of how this is going to be moving through the courts, I think Privacy Shield is better situated. The substance, I think, is as good as it’s going to get, and I think the jury is still out as to whether it will make it through. That’s my bottom line, and I’ll explain how I get there.
In terms of process, Justin alluded to the fact that there are other challenges underway as well. So, Max Schrems has shifted his challenge now that he was successful—and we have to say he was successful in his mission of having Safe Harbor, you know, deemed inadequate. He is now focused on standard contractual clauses, because the company that he—that was kind of the fulcrum of his agenda, even though it’s had very little to do with what that company was actually engaged in, they’ve now shifted to standard contractual clauses, and therefore that is now the subject of what we all are calling Schrems II. That challenge is now in the Irish High Court, or moving to the Irish High Court. Unlike the first challenge, there are now interveners that are going to be participating, and those interveners are going to be the U.S. government—which frankly, I think, should have intervened before, but it’s, you know, better late than never—as well as some business advocacy groups and some privacy advocacy groups. So, I think the courts will be better informed about the full scope of some of the facts on the ground and some of the things that the court should be considering.
Previously, when the decision was rendered, it was really based all on allegations. As you say, it was based on—it was almost like a motion to dismiss kind of thing for the lawyers in the room. It was based on the decision that back in 2000 the European Commission had rendered, which was deemed to be very thin. And then it was also based on allegations that the commission made 13 years later when it raised questions about the—how safe is Safe Harbor, and it wrote an opinion, again, based on just sort of things that the commission had heard as a result of the Snowden revelations, and that formed the basis of the European Court of Justice’s opinion. So, I think it’s great that now these issues are going to move forward with facts and with other participants.
But what’s also interesting is that because standard contractual clauses will likely move first to the European Court of Justice, Justin is absolutely right, the underlying national security issues, which animated Schrems I—it was all about whether or not there were appropriate safeguards in place and appropriate redress mechanisms with respect to government access of information. It had nothing to do with what companies were doing or not doing. Standard contractual clauses are subject to the same issues, but standard contractual clauses are positioned very differently in Europe than is—than was Safe Harbor or is Privacy Shield. Standard contractual clauses are a mechanism that European companies use to transfer data, not just to the United States.
And it’s not just used by U.S. companies to transfer data from Europe to the United States, but standard contractual clauses are also used by European companies to transfer data all around the world, because, as Justin said, the European system—this is not really—you kind of made it like both sides need to feel comfortable—the United States is comfortable. We don’t have an adequacy mechanism. We don’t worry about those issues. But Europe does. And when European companies want to transfer data to India, to China, to Russia, to Brazil, I could go on and on, because there’s only, you know, less than two dozen jurisdictions that have been deemed adequate thus far.
Whenever that transfer takes place, there needs to be an adequate mechanism. And many European companies use standard contractual clauses to transfer that data. So this decision that will be before the Irish high court and then will undoubtedly move to the European Court of Justice with respect to standard contractual clauses is arguably much more threatening to European businesses than is Privacy Shield.
And I think what we will see—I’m frankly encouraging all of my European colleagues, both within the German government and within other governments, to get very active in the case involving standard contractual clauses. And it really doesn’t take that much convincing, frankly. I raise the issue and they say, oh, yeah, yeah, yeah, this is a big deal for us. And they are planning to get involved, because it is such—going to have so much economic impact.
So that’s all on the process, if you will. And I think that process is important to understand, because it’s not as if Privacy Shield is going to be decided in a vacuum. It’s not as if this will be the only case the court will consider. So I think having standard contractual clauses go first, if you will—and if the timing that is currently apparent actually proceeds in that way, that’s likely what will happen.
I know that the Europeans are unhappy with that, but I think with respect to Privacy Shield it probably is better, because I think it’s better to have all these issues around national security and government access to data raised in a context that is arguably much more significant for Europeans and will hopefully engender much more participation by European governments, by the member states, to talk about why redress mechanisms and other mechanisms that have been put in place in the United States, that were in place before, but especially that have been put in place since 2013, actually create an adequate regime through Privacy Shield, through standard contractual clauses.
But whether that will be successful or not, we really don’t know, moving to substance. And, you know, at some level—I’ve said this also to all of my European contacts—I think the European Court of Justice is going to have to decide, and the European governments writ large, both member states and the EU as a whole, will have to decide whether they want national security and to what extent they think that national security is an important agenda and endeavor, because I think if you look at the attachments to Privacy Shield, the letters that came out from the ODNI and elsewhere, you see that there really have been a lot of changes and that there really is a strong effort to try to provide redress.
Could it be improved? Gosh, anything can be improved. The European system could be improved. There hasn’t been much of a conversation, as Justin alluded to, to how the member states are dealing with some of these issues. That’s not going to be before the court unless the member countries actually put it forward.
So it’ll be a very interesting process. I don’t think anyone could really predict how it will turn out, but I do think Privacy Shield is as well positioned as it could be, in light of all that we’ve been talking about.
BRENNER: And because you mentioned government surveillance, and it was such a key factor in moving these issues forward—you talked about we’ve been working on them for years; you know, child safety protection, all these other things, you know, before Facebook and all these things were, just from a consumer perspective, and even possibly before at least the government surveillance was made available or aware to the Europeans—do you think that trust that was broken that probably energized these discussions can be brought back to the Europeans, not necessarily even just the courts and the governments, the European people, who are obviously—it sometimes maybe bubbles up from them—can it be put back in the bottle? Are they worried about it?
BRILL: So, you know, I think we—I know previously, on the other panel, there was discussion about the election. I don’t think we can answer that question in the absence of talking about what happened last week. And, you know, it is clearly the case—by the way, I think I’m sort of the designated European on this panel. I have been called by Isabelle Falque-Pierrotin, who is the head of the Article 29 working party, her most European American friend. And for a Parisian, that is like the highest praise you can give someone. And I will assure you that I’ve never said to her that she’s my most American European friend, because that would be the greatest insult to a Parisian.
So I’m certain—I will be very happy to channel for a moment what I understand to be the Europeans’ concerns. I am not actually European, although I’m from Vermont, and it’s about as close as you can get to Europe.
So, you know, I think that there’s a tremendous amount of fear right now about what will be happening as a result of the election. I think, you know, a lot is unknown. It’s unknown in this country. It’s unknown over there in terms of precisely how policy will be laid out.
I’ve spoken at an event—actually, Justin was at the same event, although we weren’t on the same panel—and I said that it is my deep hope that because something like Safe Harbor, and now I believe Privacy Shield, has always been bipartisan—you know, Safe Harbor was up and running during the Bush administration, and there was never any question as to whether it was an appropriate policy.
My deep hope is that there will be—continue to be support in the new administration. But, you know, let’s be honest. There were some things said during the campaign that made it seem as if issues around transatlantic data transfers might not be a top priority for incoming administration officials.
So the jury, again, is a little—is out on that question, at least from the Europeans’ perspective. And I think that if there is a desire on the part of the new administration to assure Europeans that this is something that will be important to them, that they understand the importance of data flow and that they understand the importance not just from a business perspective but also from a citizens’ rights perspective—which is, again, very much the European focus on it—I think that there will have to be an extra effort made by the new administration to make that clear, because I think the Europeans are quite nervous about this right now.
BRENNER: Justin, any thoughts?
ANTONIPILLAI: I think it’s a little hard to just say Europeans maybe. That’s—if I were to disagree even mildly—
BRILL: That’s fair. That’s fair.
ANTONIPILLAI: —there’s so many overlapping issues when you get into this that are actually pretty nuanced. So the narrative that ends up coming up is—you know, that the narrative that you often read is European—U.S. companies, for some reason, don’t care about privacy or it’s not a focus, and Europeans are only focused on privacy. I haven’t really—honestly, I haven’t seen that dynamic.
On the U.S. side, having—you know, one of the things, when you’re actually negotiating these, you need some—you need to talk to companies and stakeholders and civil society. I was—you know, I did criminal defense, and I litigated a lot of privacy cases in the private sector before I came in. So we spent a lot of time on this, on engagement.
What I’ve seen on the U.S. side is an epic investment in making sure that companies are actually complying with privacy on a technological front. I bet you the folks that are in this room would tell you their companies are spending crazy amounts to actually comply in the right way. So I think the narrative that it’s just we don’t care about it is not right on this side.
On the European side, you know, we have a lot of contacts with the governments of Europe, and it’s not just the commission. I mean, the commission is a very, very important part, and they’re a very important voice. And we need to keep engaged. And really thoughtful—honestly, part of the benefit of being in this, you see very thoughtful people at the commission who are trying to work through issues in really interesting ways, including the legal services group that’s very smart and thoughtful.
But the member states, we’re engaging with them on law enforcement regularly, on intelligence matters regularly. There are very, very hard national-security issues that we’re in the last eight years, and then the next eight years. So the idea that it’s—it’s bilateral on many different issues. And while I agree with Julie that, you know, on adequacy in some ways it looks like a one-way street, when you’re in the middle of these discussions, if you actually stopped data moving from Europe to the U.S., companies, stakeholders, non-profits on both sides would be going crazy. How do you even deal with safety information? How do you deal with HR information? Are you really, really interested in the member states in stopping the movement of digital trade right now?
So it becomes a very tied conversation. And some of the—you know, some of the legislation that was passed in the last couple of years, including on governments sharing for justice purposes, for law-enforcement purposes, have considerations about whether you’re allowing data to move for commercial purposes too.
So what I see is a lot of things that are tied together. They’re much more nuanced when you get into it about these conversations. And on the issue of trust, I think it’s important to engage. I can tell you, there were colleagues of mine, like Bob Litt, who is the general counsel at ODNI, and even Director Clapper, who are very focused on their mission. They’re not going to reveal classified information in any public way, and were protecting their stakeholders. But they were also, together with our broad interagency team, actually able to make the case, because we can, that we protect civil liberties in the United States. We’re the country of the Fourth Amendment. We have courts and judicial review. And I take our rule of law against any country in the world.
So I’m happy to argue the case or explain it, but I’m not in a mode where I feel like we need to be so defensive, especially where the standard that you’re under is not absolute. It’s whether your regime is essentially equivalent to what’s going on in Europe. And that doesn’t mean you just, like, look at our laws and say is it absolutely the same. You’ve got to look at what’s actually going on here and what’s actually going on in Europe or the rest of the world and say are we comparing apples to apples?
And when we—and Julie has been a great partner with ours, but when we in the government go and have a conversation in the member states, I’m not shaky on that. I feel like we can defend our laws, our practices, on certainly that standard, with anybody.
BRILL: So I agree that it is a more subtle conversation than just simply saying the Europeans. And I spent a lot of time not being defensive at all about the U.S. system. And I completely agree with you, when it comes to civil liberties, when it does come to things like the FISA Court, to PPD-28, whatever it is. You know, I would be very happy to stand that up against any European regime.
But the European regimes are not what’s going to be under discussion with the court, really. That’s not what the court will be looking at. The court will be looking at what happens when data is transferred to the United States. It’s unfortunate. I would like there to be more of a comparative discussion. But that’s just not what’s going to happen.
And I completely agree with Justin that companies have completely stepped up to the plate on this and have made a tremendous effort in Europe, as elsewhere around the world, to explain what they do to protect consumers and citizens’ privacy. And indeed, many of the efforts by companies to challenge the U.S. government on things like transparency reporting has gone a long, long way within the European conversation to demonstrate to European regulators that indeed companies get this and that they’re doing what they can to improve the situation to the extent that it needs improvement. And again, as I said before, any system can be improved.
So I think the meme that businesses don’t care and that they’ll just do whatever they want with data, I think that meme in Europe is dissipating, because I think—because of the project that companies have been engaged in, in a very thoughtful way, and I think that they’ve done a very good job.
When I said that I think we need to work on building trust within Europe, what I meant was with respect to regulators. And in particular I meant with respect to the DPAs, because the DPAs are different. And indeed, the Schrems decision in some ways enshrined and elevated their role beyond what anyone had ever previously imagined; I mean, that the DPAs can stop transfers if they believe that the transfers are happening in an inadequate way.
The only thing the DPAs can’t do is actually undo an adequacy decision by the commission. The court kept that power for itself, not unlike our court has done over its, you know, 200-plus-year history. But the DPAs can do just about anything else. And that was a surprise to many people how much power, including the DPAs themselves, I should say—(laughs)—that they now have a tremendous amount of power. And it is the DPAs who will be undertaking the first annual review of Privacy Shield. And all of these issues will be part of that conversation in the first annual review.
So when I talk about building trust, I’m primarily talking about doing that with the DPAs in Europe, particularly with the German DPAs, but also with the CNIL, and all of the Article 29 DPAs. And then also I think the conversation needs to continue to take place with the European Commission, the European Council, and other members of the European government.
But really the ball has now been handed to the DPAs in many, many ways. So, yes, Europe is a complicated place. Yes, there are a lot of different players that need to be involved in this discussion. Businesses absolutely need to continue what they’ve been doing over the past couple of years.
But I think that an important conversation needs to be had. And I think that that needs to be done not just by people like me, who have long had a great relationship with the DPAs and will continue to have that conversation with them, but I think also the new administration. And that will have to come from the FTC. It will have to come from other independent agencies who are dealing with privacy issues, because that’s who the DPA see as their counterpart.
BRENNER: All right, so I want to open up to questions from the audience. Remember that we’re on the record. Wait for the microphone to come to you. Just raise your hand. And then please stand up, state your name and your affiliation. And if there is a specific person on stage that you want to answer it, please direct the question appropriately.
Right in the front there.
Q: I’m John Croft with Northrop Grumman. I’m not sure if this mic is even—
BRILL: It’s sort of on.
Q: I’ll project enough.
Q: John Croft, Northrop Grumman.
I really enjoyed the panel. I’m going to direct the question to Julie Brill, if you can channel your inner European DPA—
Q: —specifically regarding the German DPAs just announced their intention to do a review of transatlantic data flows for some 500 companies.
BRILL: Yes. Yes.
Q: I wondered if, channeling your DPA, you can perhaps comment on that, and also how that interplays with the power in Brussels regarding these movements.
BRILL: Yeah, absolutely. That’s a great question, and not surprising, coming from you, John, because you’ve been following these issues for a really long time too.
The German DPAs are very, very important to the regulatory conversation in Europe. So, just to take a step back, so everybody—just to level set, Europe—sorry, Germany has a federal data protection authority. That person is Andrea Vosshoff, a very nice woman who came out of the German Bundestag. She regulates the federal agencies. She does not regulate companies.
Companies’ activities in Germany are regulated by what are known as the länders DPAs, essentially like state privacy data protection authorities. So they’re located in each of the German states, or länders. Land, I guess, is what it would be called. And they form a college. And all of the länders DPAs get together at least twice a year, but I believe actually that’s just formally. I do believe they get together quite a bit and talk about issues.
The German DPAs are very active within Article 29 working party and are, in many ways, the leading voices in terms of raising concerns about U.S. government surveillance. For instance, the opinion that Article 29 wrote about Privacy Shield back when it was first announced, the question—the portion of that opinion that raised questions, my understanding, was largely coming from the German DPAs.
It was a balanced opinion at the end of the day because a lot of different, disparate views had to be weighed within Article 29, because, again, it’s a heterogeneous group, to your point that you just can’t say the Europeans. But I do think, as a group, the Germans tend to be more questioning.
But even within the länders college, there—it’s a heterogeneous group. And you have folks like Thomas Kranig out of Bavaria and others who I think are—have spent a lot of time over the past few years trying to really dive into the issues and understand what is happening and what companies are trying to do. He runs a German-American privacy day once a year. And many of us have gone there and met with him a number of times. And then you have other länders DPAs who are different and who are more questioning of U.S. government efforts.
So it was very interesting that they got together. And I think, if I’m remembering correctly, about 14 of them issued—it wasn’t all of them, but about—it was some subset of the länders DPAs issued those requests to 500 companies asking for information.
I think it is a stake in the ground that the German DPAs have placed. It is going to be part of the conversation of the annual review, undoubtedly, because they’re trying to get information to understand what is happening with respect to data so that they can bring that information—what is happening with respect to Europeans’ data when it is transferred to the U.S. They want to bring that information to the table as part of the annual review.
And I’ve been now saying for several months—actually ever since Privacy Shield was announced and ever since we knew Article 29 was saying it’s OK for now and we’ll see how it works out at the annual review—I’ve been saying for quite some time that this is a very—this is going to be a very important moment, this annual review. And I do think it’s important that all of us try to bring all data to the table so that the DPAs can examine it, including not just the German effort that is underway now but also all the efforts that companies are making to comply with the principles, the enhanced privacy protections, of Privacy Shield.
I also think companies should talk to the DPAs about how they can help the DPAs understand not just what companies are doing but how data is flowing generally throughout the world.
So I think—you know, I don’t know how this will come out, this review, but it is deeply significant, and I think we should all recognize it for what it is, which is an effort to begin driving the conversation with respect to the annual review. That’s how I see it, anyway.
BRENNER: Gentleman over here?
Q: Henry Farrell, George Washington University.
And this question is for Julie, primarily, but perhaps also for Justin. To bring together two of the things that you’ve talked about, which is German DPAs—say, for example, Johannes Caspar, one of the more, shall we say, activist DPAs—and President Trump elect (sic). Those are two great flavors that are probably not going to go particularly well together in terms of the willingness of DPAs to—like Caspar—to actually allow companies to transfer data. And here I guess sort of on Justin’s point, it would seem to me that the likely nightmare scenario is not the European Union suddenly declaring an embargo on all data going outside; it’s the individual DPAs on their own recognizance deciding that this or that company simply cannot transfer data anymore.
And so I wonder, in that context, what is happening with the politics and some of the stuff that was left a little bit vague in the GDPR about, for example, the DPAs and sort of coming together to form a kind of board; the ways in which there’s some sort of this mechanism that’s supposed to be part of Privacy Shield that may be intersecting with that; the one-stop-shop stuff—all of these mechanisms which potentially could lead to a more unified voice among DPAs and perhaps could, if you want to be optimistic, could lead to some of the—some of the mavericks being corralled a little bit, and if you want to be pessimistic, could lead to a new more substantial voice for a much more suspicious attitude towards data transfers. I was wondering if you could talk a little bit about the politics of that.
BRILL: Sure. It’s a great, great question.
The quick answer—and I’ll try to be shorter with my answers. The quick answer is it’s complicated. Right?
So, yes, Mr. Caspar out of Hamburg has been one of the more activist DPAs, and it is absolutely true that we will have—I mean, people talk about a patchwork quilt of privacy enforcements in the United States and they’re concerned about the data breach notification laws being slightly different in the various states. I think we could very well see quite a patchwork quilt in Europe as a result of some of the dynamics that you have alluded to.
There was an effort within GDPR—sorry, the General Data Protection Regulation, which will be coming online—it’s already been passed, it’s approved, it’s going to be up and running as of May 2018. There were—there are some provisions within the GDPR that are designed to bring somewhat less cacophony to privacy enforcement in Europe and to try to bring a more unified voice among the DPAs. The European Data Protection Board—the EDPB—as you mentioned, is one of those mechanisms and one of those institutions that was created out of GDPR. So the European Data Protection Board will be issuing decisions when the DPAs conflict on substantial issues, but those decisions will be about what GDPR actually means—won’t necessarily be about Privacy Shield; won’t necessarily be about interpreting the European Court of Justice’s rulings.
So—and the one-stop-shop was originally conceived as a way to also eliminate some of the cacophony. I won’t go into too many details about the one-stop-shop other than to say that the vision was changed through the process and now is no longer really a one-stop shop. It’s like a sort of one-stop-shop or a half-a-stop-shop in the sense that the other DPAs have made clear that they want a voice when there are enforcement actions that affect the citizens in their jurisdictions. So it’s not like one DPA will be making the decision and that will stick for all of them.
Bottom line, if you look at the Schrems decision and you look at it from a DPA’s perspective—a European DPA’s perspective, as I mentioned, they have been given an awful lot of authority, and I don’t think that’s going to change in any of the decisions that we see coming up. I think that the court, as Bruno Gencarelli, one of our good friends on the—within the European Commission’s DG Justice, has said, the European Court of Justice has placed the DPAs on a pedestal, and I don’t think that pedestal is coming down.
So I do think that we will continue to see a great deal of independence among them. I don’t think the effort within GDPR is going to eliminate that. It might ameliorate it somewhat, but I don’t think it’s going to eliminate it.
ANTONIPILLAI: I guess I would—I agree entirely with Julie, and I maybe—add a couple of turns.
One, the DPAs have a hard job on the front end and on the back end, and honestly we did a lot of work with the Article 29 group, and they’re incredibly thoughtful folks, and I think engagement, exactly as Julie said, will be very important for U.S. companies. We’ve been telling them, go—if you have operations in Europe, if you have—if you are going to be offering services in Europe, go establish a relationship, talk to them about what you’re doing. It will be very important to you earlier.
But when I say that, what I mean is what in the—in looking at adequacy, the DPAs, who are all, you know, practicing in countries all over Europe, had to become generally familiar with U.S. intelligence law, U.S. law enforcement law, U.S. civil enforcement, civil litigation, and overall privacy laws. So I’ve practiced for 20 years in the U.S.—I don’t know very many people that are expert in those five subjects just on U.S. law, and we practice here.
So it’s—the engagement actually does matter. The ability to come in and bring experts and just explain the way we work and be able to do it in a way that passes on knowledge ends up being very, very important, and that’s why the more you can engage, the better.
On the back end, if you end up having litigation, I totally agree with Julie—there’s a lot of power and that really is vested now in the DPAs but certainly under the General Data Protection Regulation. But when you play out some of these cases—so if a DPA really does cut off data flows, one of the best things about doing it in Europe is there’s lots of judicial review over these things. They have a very strong rule of law and there will be the ability to actually litigate these things if you feel like you’ve been treated unfairly.
And if you actually went to court and started to say, well—let’s say the theory was President Trump must be, you know, taking away our civil liberties or accessing inappropriately. You actually, A, have to have some basis to allege it, and if you went to the European Court of Justice—and this is why I think it may be kind of interesting, is where you get into essential equivalency. This is where I agree with you—the—especially with Julie—you’re not litigating in the European Court of Justice against the member states. That could happen in the European Court of Human Rights, and they’ve been sort of applying similar standards against the member states in the European Court of Human Rights. Right? So that’s an interesting dynamic.
But if you’re actually litigating what is essentially equivalent, that means you actually have to have some apples-to-apples comparison of what is going on in Europe against what is going on in the United States. So if you end up actually litigating some of these things, it’s going to be an interesting—you know, an interesting dynamic—maybe more interesting than we anticipate.
BRILL: And let me just say, that—the way that Justin laid out the project for a court challenge is certainly what many of us on the United States—in the United States would hope would be the question, is looking at essential equivalence in reality on the ground, how government surveillance happens, how redress happens on the ground in actuality in the United States versus the member states. I have advocated for that in speeches as a commissioner, in speeches that I’ve given since then. So I completely agree that that is the way it ought to work.
But there are many Europeans, and unfortunately I believe including the European Court of Justice, who see it as a different project, and they look at essential equivalence as looking at the redress that’s available in the United States and measuring that against the platonic ideal that is—that exists within the various, you know, Articles of Human Rights and things like that, that govern the data flows with respect to Europe.
So I think that while I agree that it ought to be an apples-to-apples comparison and on-the-ground versus on-the-ground comparison, I despair that that’s not really how the court views its work. But we’ll see. We’ll see what happens.
BRENNER: Gentleman in the middle?
Q: Hi. Andrew Burt (sp). I work for Mueta (sp). It’s a software company focused on many of these same issues.
So, I just have a question about the GDPR which has been mentioned. And this can be answered by the panel. This is clearly a pretty drastic regulation in terms of 4 percent fine of global revenue. I’d be interested to get your sense of how ready you think companies are to actually comply with the regulation. Thank you.
ANTONIPILLAI: Well, maybe I’ll defer to Julie first, but—and then I’ll give you my sense of it. You’ve been actually working now directly—
BRILL: We’re—yes. I’m working with a lot of companies and Hogan, as well as lots of law firms, are working with companies to help them get ready. And I would say that, you know, there’s different levels of attention being paid; there’s different levels of funding that’s being provided, and different levels of readiness at this point in time.
I guess I should also add, though, I don’t really see anybody as being, like, ready right now, because—and they don’t need to be because it doesn’t come online until May of 2018, so there’s still time. But there is a lot of work to do, and, you know, we’re working with many companies to map out a strategy for getting as ready as they can between now and that time.
What we’ve been telling companies, though, is I don’t think anyone’s going to expect perfection come May—whatever it is—whatever the date in May it is. Let’s say it’s May 1st. I don’t think anyone’s going to expect perfection. But what will be expected is that major efforts have been made to understand the law and to move towards compliance in a significant way. And I do think that there are some key components of GDPR that ought to be addressed first, and then there are other components that, you know, probably could be addressed a little bit later.
Focusing on some of the new rights that are going to be given to individuals, whether it’s things like access, deletion, correction, portability, right to be forgotten—I mean, those are very major changes for many companies, and I think that that’s going to be something that needs to be dealt with pretty early on.
And then of course the purpose of your data processing and data use—you know, what is your legitimate interest, or do you have consent? There’s other purposes out there, but really focusing in on that issue as well.
So—and there’s more, but those are kind of the top, top of line. And I think companies—certain people within companies—you know, it sort of depends on the structure of the company too, but the larger the company is, the more it already has a kind of privacy function within it. I think many of those privacy professionals have been able to elevate the issue within their corporate structure, within the C-suite, because of the risk, as you alluded to. There is significant risk for noncompliance, and so I think this issue is starting to really gain ground, and we’re hearing from a lot of companies that they are—they get it and they want to know what they need to do to get ready.
ANTONIPILLAI: And I—do you mind if I add one more point?
BRENNER: Yeah, go ahead. Go ahead.
ANTONIPILLAI: I think it’s a great question. I agree with Julie.
And I’d say two things to add. One, there’s—I’ve been calling it the privacy economy. There’s an enormous growth in the privacy economy. You kind of tell an industry, especially the tech sector, that we have this big challenge, and you have an entire set of service providers and initial products coming out, and I’m actually—one of the interesting things of having moved my remit to really be looking at how to modernize our data stack in the federal government—I’ve seen incredible technological moves that I think are really going to help companies over the next couple years comply with some of these international regulations. So it’s exciting to me in some ways to see an entire privacy economy kind of growing up around the challenge.
I think there’s real challenges around the idea of data provenance—you know, who’s accessed the data and when inside of a company is a really, really difficult challenge given the current data stack and the way most of your companies are actually using the data. And I think that’s one of those areas that, again, I see an opportunity.
BRILL: Mmm hmm. (In agreement.)
ANTONIPILLAI: I think in the areas of automated decision-making and logarithmic decision-making there’s going to be some really interesting challenges, not only from logarithmic or algorithmic transparency, but there are some GDPR requirements around being able to share and make known to somebody about when they’ve been the subject of an automated decision or an automated recommendation, and that’s one thing that I think really should be, you know, an area of focus for the next couple years.
But I do think there is investment going on in this area that I think could move us along materially.
BRENNER: All right. Quick follow-up and then we’ll get a final question—just on that point real quick.
Let’s say someone doesn’t comply, they get fined, they actually agree to write a check. Where does the money go?
BRILL: You know, I heard Justin allude to that maybe that goes to the DPA budget. I’m not certain that’s true. But it’s a great question.
But can I also say, to the—to your question and to Justin’s point and what I said, this is precisely what was in the mind of those who were crafting the GDPR. They wanted to raise this profile. They wanted to see the kind of activity that is now taking place. And their project has been quite successful, I think, because of all the activity that is underway.
I completely agree with Justin. You go to—whether it’s IAPP or some other event where you see this explosion of privacy and compliance professionals that are deeply focused on this. You see technology firms trying to develop technological solutions to data mapping, just to understand where your data is, to go to your point about the data stack and who’s touched it and for what purpose.
So there’s a lot of activity underway to help companies get ready, and I think companies, you know, get it—to a great extent. I don’t want to make it sound like everybody gets it because I think there’s, again, sort of different levels of readiness and funding that’s being offered in order to make this happen.
BRENNER: I’d say we have about four minutes left, so final question.
Q: Thank you. Thank you very much for the panel. I’m Masahoto Ishikawa (ph), and I’m from the Embassy of Japan.
This topic was, you know, bilateralism relationship that, you know, there are a lot of more countries in the world—
Q: —you know, than just in the—to ensure the, you know, cross-border data flow.
Japan also amended our personal information protection act last year to ensure the cross-border data flow, as well as, you know, privacy protection. So what I want to ask you is, you know, yeah, INSA (ph) was a very big deal for the United States, but it is, you know, not realistic to, you know, every country make, you know, bilateral negotiations with country by country, or one by one.
Q: So what is your view for future paths to make an international, interoperable, compatible framework? I know the United States and, you know, Japan is, you know, committed to the promotion of the APEC CBPR, but do you think that will be compatible to the GDPR or something? Thank you.
BRILL: It’s a great—it’s a great question.
ANTONIPILLAI: So the rest of the world (in two minutes ?). (Laughs.)
BRILL: Well, it’s a great question, and Japan has really been leading the effort, as you mentioned, and is, you know, the first truly Asian country to participate in the CBPR. And yes, you are of course right that the law has recently been amended and it really makes a strong effort to move Japan in this regard.
The American—the U.S. government is deeply committed to the APEC system and to the CBPR project for precisely the reason that you described. It alleviates the burden of having, you know, bilateral treaties or frameworks or discussions with respect to each, you know, bilateral data flow project, and instead raises it up to a regional effort, developing principles that are very much founded within the Fair Information Practice Principles—the FIPPs—which is also the baseline of European law, and allows it to happen more seamlessly.
I do think there are many people that are hopeful that the APEC system will take off and that the CBPR system will take off. I’m going to be completely honest: I think that it’s been a little surprising that so few other countries within Asia have joined the system. And there is, I know, a great deal of discussion right now within the Commerce Department and other agencies within the U.S. government to encourage other countries within Asia to participate. There’s been a lot of conversation with Vietnam; there’s been a lot of conversation with others. So there’s a lot of hopefulness that they will join and allow this system to really take off. It hasn’t quite happened yet.
So again, I think this is a project that we’re going to have to kind of wait and see how well it develops.
I think the theory and the principles behind it is a great one for precisely the reasons that you outlined.
ANTONIPILLAI: Yeah, I think it’s a very thoughtful question, and we have been really working on that, honestly, all over our government. And it was interesting—in the middle of these Privacy Shield discussions, we would get from other countries that desire to do the same thing.
So the thing that’s encouraging to me is, while the APEC framework and the Privacy Shield—the paradigm we have adopted actually is scalable. I mean, you have to do individual things, but it’s scalable. It’s scalable in the sense that you don’t need legislative change on either side. It requires an understanding of each other’s legal systems. It requires a real enforcement mechanism, which is why the FTC has been so important, and having folks like Julie lead the way on privacy actually enables us being able to put paradigms like this in place.
You need—but you don’t need to pass new laws on either side. You need companies that are willing to stand up and abide by a system, and you need the rule of law. Right? And if you have that basic framework you can actually scale Privacy Shield or the APEC framework quickly.
The other thing is, when you come to the area of privacy and you look at technology at the same time, these kinds of frameworks are actually much more agile and you can anticipate new technologies much more quickly. So not only in the annual review but in other dialogues, we can say, oh, look at logarithmic decision-making, look at quantum computing, look at de-identification, look at who owns the data, and you can have a dialogue and then have principles actually come up that people can abide by much more quickly.
Because for me at the macro level, what I see on privacy is less a focus on what the law is, but then the idea that, you know, 15, 20 years ago the major innovations were probably driven by investment by the government, through the defense industry or something like it, and you would have the ability to control the technologies. We’ve had a massive democratization in some ways of very, very complicated and complicating technologies, and you need to be agile about it. And I think that’s where I see some real hope and the ability to scale frameworks, have regular dialogues, you know, where you’re putting an annual review and you bring everybody to the table and you try to iterate it quickly.
That’s the way the modern world is going to move. It’s not going to move on, we adopt the telephone and then it’s 40 years until you have the cellular telephone. It’s going to be every year a new technology that we’re really going to have to anticipate. And I can’t tell you how much time we spend on issues like de-identification in the government. I think it’s going to be a very, very important issue as you get better computing power.
BRENNER: I think we are out of time.
On that note, thank you very much, Julie and Justin, for participating. (Applause.)
BRILL: Thank you. Thank you.
ANTONIPILLAI: Thank you.
This is an uncorrected transcript.