Bill Echikson


Hi, thanks for joining us today. I’m Bill Echikson, a Senior Fellow specializing in digital policy here at the Center for European Policy Analysis. The Irish digital, the Irish Data Protection Agency recently leveled a record euro 1.2 billion fine on Meta, and declared illegal the way the company transfers data across the Atlantic Ocean. The decision has sparked a crisis. First about the way the European Union enforces privacy regulations, and second about the fate of a new EU-US data privacy framework. The fine against Meta came almost five years after the EU legislated its landmark privacy regime, the general data privacy regime, GDPR. Since then, tensions have risen among regulators in Europe about how to enforce the rules. In the Meta case, the Irish regulator actually approved Meta’s compliance plan, but four continental regulators overruled it and imposed the fine. A key hotspot concerns data transfers to the United States. Twice the European Court of Justice has ruled that the so called privacy shields were not compatible with GDPR because they didn’t do enough to shield European personal data from American intelligence agencies. The EU and US had now signed that new privacy shield which would allow Meta and other US tech companies to keep transferring data across the Atlantic Ocean. But the EU still must give final legal approval. Now we’ve convened a panel of experts from both sides of the Atlantic to discuss these key hot privacy and data issues. The panel is composed of former government officials, industry representatives and data transfer subject matter experts. They include Sean Heather, who is a Senior Vice President for International Regulatory Affairs and Antitrust at the US Chamber of Commerce, and he currently leads the Chamber’s center for global regulatory cooperation. Alex Joel is a Scholar-in-Residence and Adjunct Professor at the American University Washington College of Law. 
Previously, he was Chief of the Office of Civil Liberties, Privacy and Transparency at the US Office of the Director of National Intelligence. His research now concentrates on transatlantic data relations. Joe Jones is Director of Research and Insights for the International Association of Privacy Professionals. Previously, he was Deputy Director for the International Data Transfers with the UK Government, as well as the UK Deputy Head of Digital Trade Policy. So let’s jump right in. Sean, how is the US industry reacting to the Irish ruling? Do you see, you know, incidents? Is this posing big problems for not just Meta, but also other American companies?

Sean Heather


Well, thanks, Bill. It’s good to be with you. And thanks to CEPA for pulling us together on what is a very timely conversation. I think the US industry is looking at this. I don’t know if you’re an opera fan or you’re a fan of sports analogies or a fan of, you know, sequels and movies that you can’t wait for the next one to come out. But as you alluded to, we are watching a very long story play out that goes back to original court rulings stemming from concerns around Edward Snowden’s disclosures about how US foreign government surveillance activities of foreign citizens takes place. And from that we’ve seen a series of decisions and responses and this is the latest. So when we look at this, we’re not sure we’re at the end of the story. We are still waiting to see what comes out of the next chapter. But let me make a couple of observations. One, none of this is about how companies use data commercially. So when we talk about GDPR, and its implementation, for the most part, people think about whether or not a company like Meta or any other US company or European company for that matter, how they’re collecting personal data, how they’re using that data, whether they’re doing so in a way that is responsible to the privacy rights and expectations that their customers have. We’ve now layered on to that conversation. GDPR was never intended to figure out the answer of kind of government access to data and whether or not you have a law enforcement issue, or whether you have kind of surveillance questions. And now we’ve tried to use GDPR as an answer to that. Privacy Shield was struck down by the court. Most recently, the court did not tell the Irish DPA or the European DPA to determine whether or not, it did not decide definitively whether or not standard contractual clauses were a viable mechanism for data transfers or not. They asked them to examine that question.
For those who aren’t as familiar, standard contractual clauses are really the workhorse of data transfers. The vast majority of companies, the vast majority of data transfers that occur between the United States and the EU rely on standard contractual clauses as the mechanism. GDPR recognized standard contractual clauses as a valid transfer mechanism. What has now been injected in all of this is whether or not standard contractual clauses protect European citizens’ data from prying eyes of the US government. And ultimately, the court did not definitively pronounce on that, but asked the Irish and European DPAs to examine that question. What we have now is an answer to that question. That the assessment is such that if standard contractual clauses under their current form, do not provide that protection. That is a huge problem for transatlantic data flows. And I’m going to assume Europe does not want to become a data island when data flows are the lifeblood of any modern economy. So the good news is that there is help on the way and we are in the midst of seeing a US-EU agreement that has been politically agreed to come close to being finalized and implemented. And we fully expect that the European Union will once again, the Commission will once again grant adequacy to the United States and data flows will once again retain legal certainty. What will remain from all of this? And let me just stop real quickly on this, is there’ll be two things: one, what happens to the fine, because I think the fine is egregious. And we can talk about that, it doesn’t make sense for a whole lot of reasons. And I suspect that will be litigated. And the other thing that will be litigated is whether or not this new solution that’s coming into place, will withstand additional judicial scrutiny. And so when I say we’re in the middle of a long opera that has many intermissions, or multiple sequels to a movie series, the next, next question is what happens to this fine?
And what happens to this solution that we’re on the verge of, of putting into place?

Bill Echikson


Yeah, I think that’s that’s right. But the quick question, I think it would help our, our listeners, if you could just explain how we got there. I mean, the Irish regulator didn’t the Irish regulators say these were okay. It was fine. The way Meta was transferring its data, and it somehow was overruled. How did that happen?

Sean Heather


I’m not sure that’s exactly what went down behind the curtain. Certainly, I think, Helen Dixon, who’s the Irish lead regulator for Meta, I think she was put in a box a little bit, not just by what the court said in terms of the kinds of factors that it laid out for consideration, but also by her colleagues across, across Europe. And so I’m not sure that you know, she was, she can obviously speak for herself, but I’m not sure that, I see Alex’s head nodding here. I’m not sure that, you know, she was in a position to give a clean bill of health, shall we say, but at the same time, I’m not sure that she thought, you know, complete damnation of what was going on made sense, either. And so one of the reasons I think this took so long is that she was, I think, in a very tough spot and tried to find a way. Because she also knew politically, there was a negotiation underway between the United States and the European Union that she was hopeful would kind of come in and in some ways, alleviate some of these pressures. But unfortunately, the timing of those things did not come to fruition. And I suspect that, you know, it was not the Irish DPA that pushed for the fine. I suspect the fine came out of colleagues at the European Data Protection Board, and I think that is that we can talk about the legal questions about data flows, the United States, but I think the fine itself is its own conversation and is, quite frankly, hard to look at with any kind of credibility, given the fact pattern here. And I suspect at some point in the future, that will be challenged in European court system, and I would fully expect that, I would not be surprised if that fine is greatly reduced, if not ultimately rescinded.

Bill Echikson


Yeah, no, I agree. I mean, I think the Irish in their press release said that they actually disagreed with the ruling. So they were imposing the fine, but disagreed with it, which was kind of surrealistic. But, Alex, maybe you could explain that and how we’re trying to fix it. I know you’re a specialist on, on the new Privacy Shield. I don’t know if we’re calling it that. But the new deal to get to fix this long-running opera, or to end the long-running opera. Right. And you think that the US has probably done enough that will pass legal muster this time?

Alex Joel


Yes. Thanks, Bill. And I want to just repeat what, or emphasize what Sean said in terms of the ruling, it’s, the DPC’s decision is actually 200 pages. There’s a lot to digest here. It’s very, there’s a lot of, there’s a lot of detail here. It’s actually very interesting in terms of what she lays out, that went into the decision. So I’ll just quickly summarize some of the key points. One is, as Sean says, she was clearly, felt her hands were tied by the CJEU decision on the merits, like on the question of whether data flows could continue as before, she felt very much that the Schrems II ruling had to be complied with, of course, and their findings in particular about what US law allows and doesn’t allow, she must have returned to the phrase, to a particular sentence in the Schrems II opinion a dozen times or so, which I found very interesting, specifically focusing on section 702 of the Foreign Intelligence Surveillance Act. And it’s a passage in the Schrems II opinion, which I think didn’t quite get it correct in terms of how the actual statutory authority works, and based on how she was discussing it, and her summary of the arguments that both Meta and the US government had put forward. Clearly, they were trying to distinguish or explain how the actual US law was perhaps not quite accurately captured in the Schrems II opinion but she felt bound, her hands were tied by what, by the wording of that decision. So I think that has very interesting implications. In any event, what hurt her also

Bill Echikson


be clear, to clear to our listeners, the Schrems II agreement is, or decision is, is the decision by the European Court of Justice that ruled the data transfer mechanism, the Privacy Shield, illegal, right?

Alex Joel


Yeah, I tend to sort of jump into the middle of things. Yeah, so it ruled it illegal based on findings that the main authorities the US had, which was section 702 of the Foreign Intelligence Surveillance Act, as well as Executive Order 12333, two legal bases that the US was using to conduct surveillance activities, did not meet EU standards for necessity and proportionality. On the one hand, in other words, the surveillance wasn’t sufficiently controlled by EU standards, and on the other hand, didn’t provide adequate redress. So coming out of that whole process, the US and the EU created the successor to Privacy Shield called the EU-US Data Privacy Framework. And that framework has essentially two main goals. One is to demonstrate and to put in place controls on US surveillance to show that it is in fact, that it does in fact, meet EU standards for necessity and proportionality. And I wrote a whole long paper that tries to explain this. And the second is on redress, that, that EU residents didn’t have the ability to go to some kind of a court or tribunal to complain about or find out more information about any surveillance that was being conducted against them. And to address both those concerns, the US put in place an executive order, as well as a regulation that has been issued by the Attorney General. And I won’t go into a lot of detail about them now. But they both, they try to address both necessity, proportionality and redress. And the European Commission has issued a draft decision finding them to be adequate for EU law purposes. In other words, once the finding of adequacy goes into effect, then the Irish DPC would be able to turn to that adequacy decision and say, Yes, this is now something that I am required by law, by EU law, to allow these transfers to go forward on the basis of this adequacy decision. And then, you know, Max Schrems has already indicated that once it goes final, he will challenge that again in court.
So going to Sean’s allusion to further litigation. That’s what, that’s what would happen. The problem is that, in terms of timing, it hasn’t been completely finalized yet. There are some steps that still have to take place. There are some policies and procedures that agencies have to issue. The court, but one of the things that they did to address redress was to create this new, a new Data Protection Review Court, which sits within the Department of Justice, they are still vetting the judges to be on that court. And very importantly, in order to bring a claim before that court, or tribunal or whatever you want to call it, the Attorney General must find that the country from which the complainant is making the complaint has to be a quote unquote, qualifying state, they have to find, the Attorney General has to find that the country or region like the EU, has adequate or appropriate protections for Americans who wish to, you know, make claims in that country. And so that process is still going on. And, and I think the DPC, the Irish DPC very correctly points out that it hasn’t been finalized yet. And until it’s finalized, EU residents cannot, in fact, make claims before this redress tribunal. So that has to happen. And it has not happened. So I think just one more point I’ll make before I stop talking here is that the finding that data transfers were not allowed, pending the finalization of this new data privacy framework, was expected. Like, you know, of course, the Schrems II ruling really said what it said, the data privacy framework has been put in place to address those concerns. It has not yet been finalized, the adequacy decision has not been finalized. And the Data Protection Review Court has not actually started because the qualifying states have not yet been designated. So I think all of that was expected. What was not expected, at least at this magnitude, was the size of the fine.
And which, as you pointed out, the Irish DPC found that Meta had engaged in trying to resolve this data transfer issue in good faith. So there was no attempt to circumvent, it was done in, in open discussions with the Irish DPC, it was done in good faith. They were doing things that were similar to, you know, every other company that’s transferring data to the United States, it’s in a similar situation as Meta. So, so the size of the fine is one issue. And then also, they’re applying this retroactively to data that had previously been transferred and is in the United States. And I think that’s the other major thing. And here, I’ll stop talking because I see Joe, vigorously nodding his head up and down.

Bill Echikson


I do too, Joe, what’s the perspective from from the UK? And how do you? I mean, I know you have an international background privacy background, so you can give us your perspective on these questions.

Joe Jones


Have the advantage of coming third and last in the running. Not a whole much, not much else I can say on top of Alex and Sean’s comments. But I do want to underscore some, some points. Yes, it’s largely been expected that there would be an order requiring Meta to stop transfers. As Alex rightly pointed out, lots, there’s lots in this decision, not just the Irish decision, but the decision of the European Data Protection Board as well, that has surprised professionals and organizations and sent shockwaves. I think I’ve heard many commentators say this is a Meta issue. And actually that, that might be true insofar as the fine applies to Meta. But really Meta is the canary in the coal mine. We’re talking about a fine and orders, corrective action orders levied against a company for issues that only governments can solve. There is nothing, and the DPC is very clear here, there is no transfer mechanism, there is no corporate compliance measure that Meta could put in place to remedy and rectify the perceived gaps in US laws and practices. That notwithstanding, the fine and the order bites on Meta, the largest fine ever levied under the GDPR, by reference to the citation to Meta’s purported negligence, that the size of data being transferred, the impact to its daily users, over 300 million in Europe. But the short point is thousands, if not hundreds of thousands, of organizations in Europe relied on not just the SCCs but other data transfer mechanisms, binding corporate rules with various derogations like consent, other data transfer mechanisms to transfer data to the United States. They might use large platforms like Meta, you know, Meta services, cloud service providers, they might also do those transfers directly themselves. They will rightly feel like those transfers are imperiled and at risk. Yes, they might be looking on to data adequacy coming online soon, but it’s going to be a close foot race. Will adequacy come online soon enough to take away this regulatory uncertainty?
Will there be? And will we see a chilling effect in the market where European organizations will say we’re not sure we have enough confidence in the lawfulness of sending data, personal data to the United States because of this enforcement and because it looms large over companies like Meta and it might loom large over companies like us. This is also not just the United States issue, a transatlantic issue. It’s important to put these things into perspective and into context. The United States is one of over 150 countries that is not yet adequate in the EU’s eyes. Of course, the opera, it’s been a long-running thing here, dating back 10 years now to the Snowden disclosures. But there are many, many countries around the world where you could pose the same questions quite legitimately about their own redress mechanisms, about their own rules and practices relating to the necessity and proportionality of the data practices, as concerns national security, and law enforcement. It just so happens that the magnifying glass is over the United States at the moment. But companies and regulators will soon, if they’re not already, be asking these questions about countries like the United Kingdom who is adequate, but there’s a, there’s a lot of commentary around the UK Investigatory Powers, India, countries around the world that have for many good reasons have their own different rules and requirements. So not only is Meta the canary in the coal mine, but perhaps the United States is as well. And so it’s important to zoom out of the immediacy of parties in this case, and the laws and practices being litigated to think about the effect on global international data transfers. You invited me to comment on the UK’s place in all of this. And I would say this, I’m biased. But I think the UK has an interesting role to play, an interesting place in this triangle for want of a better term.
And it’s an, it’s probably an isosceles triangle with the longest sides being between the EU and the United States. But I think the UK has a long tradition, history and philosophy of seeing itself as not just a convener but a bridge between different approaches. And then you have following Brexit, the UK having inherited the text of the GDPR. Now pursuing ways in which it can interpret and apply that text in different ways, and in the UK government’s words and words of the regulator, the Information Commissioner’s Office, they believe there is a way to pursue those interpretations in a more pragmatic, global way in ways that are sensitive to different cultures and legal traditions and constitutions in a more inclusive way. Insofar as concerns international data transfers, there’s certainly a policy agenda to strike arrangements with countries around the world. The UK, like the EU, and the United States is very active in multilateral fora, the OECD. They are the most recent participant in a multilateral initiative being led by the United States, Singapore, and some other jurisdictions to find a multilateral data transfer arrangement. And that is called the Global Cross-Border Privacy Rules program. And a lot of the thinking, in the UK at least, is that over the past few years, we’ve seen this slow, but steady build up of an increasingly complex web of unilateral and bilateral data transfer mechanisms. We’re used to the EU doing data adequacy assessments, that there are now over 70 other jurisdictions that do their own data adequacy assessments, there are over 20 different sets of SCCs around the world. So we’ve seen this proliferation of different local requirements, thrust upon other jurisdictions, and that’s becoming an increasingly complex web for professionals and for organizations to manage. And so initiatives like those, led by the OECD, by the Global CBPR Forum, are seeking to put in place a more sustainable and more scalable data transfer arrangement.
There’s a lot of hope and promise in that. I know that’s not just felt by UK government officials, but I know that’s felt by officials in many other countries and frankly, in many, many countries that have felt that this opera has excluded them. So if you are a developing economy, and you want to participate in the global digital economy, and you look on, and you see this opera and this saga, probably doesn’t look all that appealing. Do we really want to have our Schrems I, Schrems II, Schrems III case against us? And if so, how long will it take? Doing these data adequacy agreements, as Alex well knows, is labor and time intensive. And so if you are a Kenya or South Africa, and you want to be data adequate, you might be thinking this could take a long time for us to get up the queue. And for us to get through the process. And so there appears to be a demand for these more scalable solutions. I’ll end there just with that global perspective and where we might go with other nations in the world. I think that’s really,

Bill Echikson


really interesting. We did do something on the Japanese proposal for data flows with trust, which is responding to the issue that you were talking about. But where do you see this going? Do you see us moving towards increasing data localization among democracies, of increasing fragmentation of the internet? Or is there, I mean, that’s so much against the, against where the internet should go? That I think it’s hard to envision that Meta would have to store all its European data in Europe and so forth.

Joe Jones


Yeah, well, look, to paraphrase Winston Churchill, this is certainly not the end. I don’t know if it’s the beginning of the end of the string or the end of the beginning. We know for certain that this particular chapter has a lot more road left. And for the, specifically with the Irish DPC enforcement against Meta, there will be legal challenge to that, there’ll be appeals, those appeals, I expect will go all the way up to the Court of Justice. So we have a few more years left in that process. We have heard from the likes of Max Schrems and others that the new EU-US Data Privacy Framework will be challenged. So we’ll have a few more years left in that series. And so warnings around the sort of splitting of the internet, this sort of great localization of Fortress Europe, I think at times can be overstated. But that’s not to overlook the fact that what we see in these data transfer skirmishes, is often complemented, not, not in a good way necessarily, by domestic initiatives, incentivizing local storage, or local sharing. And so there are various practices around the world that will take us with one hand and then domestically in the market, try to incentivize local national providers. And we’ve certainly seen that in the continent of Europe, we’ve seen that in some other countries, like Indonesia, Vietnam, India, even. And that is a trend that worries many global organizations. For good reason, there are various assumptions with localization that are not tested and don’t prove to be true. If you have a lot of money, you wouldn’t put it under your mattress all in one place. And assume that that is the best place to keep it from a security perspective, you wouldn’t assume that that is the best place to try and grow your money and to diversify its utility. And you can make that analogy with data, data storage and data utilization. And so there are certainly worrying trends, I don’t subscribe to the view that it’s all gonna break down the internet.
And then certainly not in the near term, but they’re worrying enough, and organizations care about this. You will see this in many large to small organizations’ public investor disclosures, we are concerned enough about a trend towards localization that it could really impact our revenue streams.

Sean Heather


I agree with, with a lot of what Joe said, I look. The issue of data localization in this context really has kind of three conversations swirling around it. One is, one is dedicated on privacy. The other is a question of kind of government access to data and whether or not surveillance practices or law enforcement practices are a problem. And then the third is industrial policy. I mean, Joe didn’t say it that way. But that’s what he’s talking about, is that governments around the world think that data localization is a path to becoming more kind of economically important in our economy that has become dependent on data and has been digital transforming for every industry, not just the tech sector. And so there’s a healthy amount of industrial policy that runs through this conversation and guiding the decisions of, of elected officials. I also think that localization because of market forces and pressure is happening. Companies are making decisions without the pressure of government to localize data, people who provide cloud services are often being asked by the clients that this is where we want our data stored, and whether they choose to be stored in the country that they work in, lots of companies, you know, work in many countries. And so they want, you know, that data to be accessed for their enterprise, vis-à-vis their cloud service provider, in certain places. So there’s a fair amount of market driven localization efforts that are happening as well independent of government pressures. And the last thing I would say is, is that you cannot ultimately solve for all of these issues by just simply localizing data. If for commerce to move, it has to move cross border, and whenever commerce moves cross border, you end up having data attached to that movement. So the idea that, you know, we can just solve for this by localizing the data does not get us around, unless you’re going to be an island and be kind of removed from your neighboring countries.
You have to be able to move data if you’re going to be able to do commerce. And so localization can only take you so far. But you cannot ultimately localize all data and prevent its movement. I think the last couple of things I would say is in terms of where all this is headed. I don’t know that we’re going to end up breaking the internet, I think we’re going to have lots of different pinch points along the way. But I think that the conversation coming out of the G7, where they’re taking the Japan data flows with trust conversation and depositing that going forward, the OECD, a conversation that wrapped up last year at the OECD on government access to data. To me, I think we need to find ourselves in a world where privacy regimes think about commercial use of data. And there’ll be differences from one jurisdiction to the other as to how people define a fundamental right to privacy from a commercial data use perspective, and there’ll be differences around the world, and companies will have to comply with those differences. I think there’s gonna have to be a second agreement amongst nations about national security and the interface between national security and data. And I suspect that that may ultimately divide along the lines of democracy, democracies versus authoritarian regimes. We don’t have that agreement in place, we have things that are marching in that direction, but we haven’t put that in place. And I think, ultimately, we need to have that kind of agreement in place, because I think that’s the kind of, you can take back to a Schrems III court challenge and say, Look, you know, we have GDPR to deal with commercial data, and concerns around commercial data use. We also now have this other agreement that deals with kind of national security interface questions, with, with, with data. And, you know, of course, in the European system, national security is a member state question.
I think one of the great hypocrisies to this is not only why can’t you send data to China or and not have the same scrutiny that the United States is under, but I think that the surveillance practices of EU Member States cannot stand up to the scrutiny that the European Court has put the United States under. And I think that’s one of the other kind of great hypocrisies, is that if you talk to the intelligence services across Europe, they will, will kind of demur and not want to be physically or visibly seen talking about these issues, because they know they would have challenges with how they collect and use data. And of course, we’re fighting a war vis-à-vis Ukraine, we’re in a NATO pact. So in some ways, it’s silly that there is somehow a lack of trust and data flows, the United States at the same time, that Europe and United States are a national security arrangement. That is right now, you know, fighting a live war on Europe’s doorstep. So all of this has to come together in some kind of understanding about what national security and data means. And that is going to have to be something that governments are going to have to address. I think we’re on a path to getting there. Whether or not we’re there in time for Schrems III decision, I’m not sure. But that’s ultimately where I think we have to end up.

Bill Echikson


That’s really interesting. Concretely, though, as we move towards that, that’s a global deal on government access to data. What happens to a company like Meta or Google that wants to continue, or must continue transferring data across the Atlantic? I mean, does Meta now have to store everything in Europe? Or as the appeal goes, will, will you lose your Facebook? Will you lose your access to Google search? Alex?

Alex Joel


Yeah. So I mean, I think the answer is going to be different for every company that’s dealing with this situation, but certainly I think Meta has been very clear in warning that the only way that they can comply with this might involve closing down accounts in EU member states, that simply are, for Facebook, it’s simply not possible for them to localize data, given how, you know, the internet is, is, is designed and intended to operate. Other companies may have different thoughts about how they might be able to actually keep data in the EU. But I think as Sean said, ultimately, if you want to have international commerce and international benefits from data flows, data is going to have to flow across borders in some way. And I would just add, so but all of that can be, at least for now, through the litigation put aside once this adequacy arrangement is finalized, so this one a lot of focus on getting the adequacy decision finalized, and then there will be an opportunity to work on longer term issues, as both Joe and Sean have mentioned, which I firmly agree with. I’ll say a couple more things. One is that on the government access side, which is the world that I come from, there was a huge step forward with the OECD declaration that Sean mentions. Joe and I were both involved in that process. Joe, while he was still in UK government, and I was, you know, a consultant to the OECD as part of the process. And a huge step forward, having OECD member countries come together with their national security and law enforcement representatives at the table, and agree that these are the common principles that democracies use to access data held by companies for national security and law enforcement purposes. Now, it’s not an international treaty or anything like that. But it does have tremendous, I think, import, because now we can all look at this document and say, well, these are common principles, and how do we build on them? How do we go to the next stage.
So I think that is incredibly important. Another thing I’ll mention that Joe highlighted is that understanding how countries access data for national security purposes can be a very complicated and a very difficult thing to do extremely difficult. Because each country does it differently. As Sean pointed out the EU, a member states are not have retained for themselves national security. And so they’re bound by the European Convention of Human Rights, which is a different legal regime very closely related, but different legal regime, different court. And then they have their own member state national security laws, countries around the world have national security laws. And they are not necessarily transparent about it, or as transparent as they could be. The US has done a huge has has undertaken a huge effort to increase transparency and its intelligence activities. Having been on the inside of this, I feel confident and saying the US is the world leader on transparency. And it’s very difficult to do that without disclosing sources and methods. And without people trying to slow things down at a concern for national security. Other countries have a long way to go on this. And it is going to be a very interesting situation to see how any kind of adequacy regime would hold up to that. And the last thing I’ll say is that it is a global issue. It’s not just the EU, as Joe has pointed out, he and the US as well is has has mechanisms in place or was considering measures that would restrict outbound data flows based on whether or not the country that seeks access to the data is complies with US legal standards. 
I did want to say one more thing, that foot stops with Sean said that if you localize data, not only are you restricting your ability to to do commerce, but it’s also not necessarily effective in terms of preventing cross border data reach from other countries because your if your business has a presence or is doing business in other countries, even if the data isn’t stored in that country, those countries likely will have some kind of law that enables them to engage in cross border reach to force the companies to turn turn over the data regardless of where it’s stored. The US famously has the cloud X. But we did a report recently that showed that other countries have similar principles and GDPR itself. Article Three applies to countries to companies outside of the US borders who are purposefully doing business with EU residents. So the idea that you can immunize your data from the reach of foreign governments laws, I think, is perhaps isn’t isn’t quite taking into account what other countries laws seek to do. And in fact, the trend is for law enforcement in other countries to seek greater and more efficient access to data stored abroad. And we see that with the cloud act with initiatives in Europe in that regard, the evidence directive, etc. So there are trends for increasing the ability to act Since data stored abroad around the world,

Sean Heather


And I would just piggyback on that: to the degree that the response governments have is to force localized data, you’re going to see more governments pass laws as to how they can reach the data that’s localized around the world. But I would also add that, well, you know, law enforcement access to data is one question. You don’t have to move data across borders for sort of surveillance, espionage work to happen. Because things are connected to the internet, there is the ability for lots of governments around the world to reach into the data that’s stored in other countries for kind of surveillance purposes. So this whole idea that surveillance capabilities of the United States or any other country are dependent on the ability to move the data into that country is itself, I think, a false premise. I’m not an expert in spy practices. But I think, you know, it’s safe to know that because you’re connected to the internet, there’s an ability to reach around the world and find data, if you’re interested and motivated as a government to do so. So this idea that we’re going to somehow prevent those kinds of surveillance practices from states, just because you’ve localized the data, I think, is a fiction that is kind of being told and spun out of this debate.

Bill Echikson


And I would ask, I mean, when listening to all of you, I mean, it does seem that the measures to prevent cross-border data flows aren’t really protecting personal privacy in any which way. So what is the whole purpose of this initiative about GDPR, if it can’t really protect personal privacy?

Alex Joel


Can I? I know Joe wants to say something, but let me just quickly jump in. I do want to give credit to the European Union and the CJEU on this. They have raised the bar on these issues, and they are demanding that countries step up their game. So I think that is definitely a credit to the EU, and the results will be more protective. The concern that I have is whether or not their standards, particularly on the national security front, are realistic, and ones that, you know, governments around the world, including within the EU, actually can abide by.

Bill Echikson


Hmm, good point. We have about four minutes left. So I think, you know, we’ll do one last tour de table, and some final thoughts, and looking forward on to where we could end this long-running opera, which seems to have no end. But anyhow, Joe, why don’t you begin?

Joe Jones


Yeah, well, look, I want to come back to the theme that you, Bill, and Sean were talking about in the beginning: this is GDPR, five years old. And I think a few things are undeniable about that milestone. We have seen dozens of countries around the world derive inspiration, to a greater or lesser extent, from the GDPR. Some countries have really copied and pasted it; others have taken the principles of it and enacted it in their own legislation. We have seen how the GDPR, whether it’s a good or a bad thing, and folks will split the difference, has become one of, if not the top, regulation that is litigated in the Court of Justice of the EU. So now over 5% of all cases at the Court of Justice are on the GDPR. And that says something about, one, the litigious environment it’s created, and the sort of cultural phenomenon for people caring, people being aware of their data privacy rights. You know, the GDPR was meme-worthy at the time. People have heard about it; for good or ill, people care about it, and consumers will move with their feet. There are, and it is quite legitimate to ask, questions around the real-world extent to which it has improved standards, especially the interpretation and the enforcement of it. Does a 1.2 billion euro fine change anything, especially when the order to cut the cord on those transfers to the United States impacts 10% of Meta’s global revenue? So 10% of its global revenue comes from advertisements in Europe. Now if you cut that cord, that is a lot more to Meta than 1.2 billion, and that’s the principal reason why the Irish regulator did not think a fine was appropriate, because it thought the order to suspend flows was damaging enough, fine enough.
So there are going to be legitimate questions around the extent to which enforcement going forward is about correcting bad behavior or whether it is about punitive enforcement, and what is going to be more consequential: the amount being fined or the changes, in some cases fundamental changes, being required to business practices, and what that means for the operation of those businesses in the global digital economy.

Bill Echikson


Thank you. Sean, any final thoughts?

Sean Heather


I think we’ve already quoted Churchill. I will paraphrase him: I think after we’ve exhausted every other course of action, we’ll finally do the right thing. And so I’m actually optimistic. I’m not suggesting that we’re not going to have some additional bumps in the road, that we’re not going to find other casualties from consequential decisions that come out of courts. But ultimately, I think we’ve started on this path, where responsible governments who think about the rule of law, respect the rule of law, understand the importance of maintaining rule of law, will come together and kind of forge a consensus as to what it means for government access type questions to data, and ultimately, that will rest alongside privacy regimes like GDPR, and other nations’ laws that are really, in my mind, first and foremost, governing kind of commercial use of data. And so I think we’re on that path. We’ve got a lot more work to do. But I’m optimistic. And like I said, you know, Churchill once said that after we’ve exhausted all other courses of action, we’ll finally figure out the right thing.

Bill Echikson


Right. And Alex, 30 seconds more. Any last thoughts?

Alex Joel


Well, I do think that this whole exercise shows us all that we need to be humble. Like, the world is a very complicated place. And there are a lot of laws and a lot of reasons why countries do different things. And it’s really important to stay open-minded, and try to understand each other to achieve positive outcomes.

Bill Echikson


Okay, I want to thank all three of you for a fascinating discussion. It really was really good. You showed at once why this is such a big problem, a long-running opera, as we heard, and at the same time, why we might get a nice ending to it. Hopefully, we will. Hopefully you won’t lose your Facebook account if you live in Europe, and we’ll continue this session, I hope, in a new time with better news to report. So thank you again, and have a good day. Thank you.
