Skip to main content

tv   Discussion on Digital Privacy  CSPAN  October 19, 2015 8:32am-9:35am EDT

8:32 am
this year we're taking our coverage into classrooms across the country with our student cam contest, giving students the opportunity to discuss what important issues they want to hear the most from the candidates. follow c-span's student cam contest and road to the white house kohage 2016 on -- coverage 2016 on tv, on the radio and online at c-span.org. >> earlier this month the european union's highest court struck down an international agreement that allowed companies to transfer personnel data between the e.u. and the u.s. next, a discussion on the ramifications of that decision. the u.s. chamber of commerce and the e.u.'s delegation to the u.s. this was hosted by the caucus advisory committee. it runs an hour.
8:33 am
>> we're going to get started. good afternoon. i'm with the internet education foundation. i want to welcome you to our briefing. this event is cohosted by the congressional internet caucus advisory committee in cooperation with the congressional internet caucus. the cochairs are representatives bob goodlatte and anna eshoo on the house side, and on the senate side, senators john thune and patrick leahy. we thank them for their support of educationallal events like this. and just a little bit of housekeeping before we get started, the twitter hashtag is e.u. safe harbor, and all of our twitter accounts, the panelists' information is on your program. we also have a few upcoming events, both of which are listed. on october 21st, there'll be a happy hour with the facebook team and october 22nd the second annual congressional app
8:34 am
challenge will kick off. for more information about how to get your office involved, visit our web site or talk to our executive director. i'm now going to turn it over to mary ellen call a hand -- callahan, former chief privacy officer for the department of homeland security. >> thank you very much, rachel. thanks for coming. i want to thank my panelists who i'll degreely introduce. -- briefly introduce. from my far right, damian levy is the head of the trade section of the european union to the united states. adam. >> losser is the director for the center for global regulatory cooperation international at the u.s. chamber of commerce. gayle slater is the vice president of the internet association and amy stepanovich is u.s. policy manager at access. i want to thank them all for coming, and fest let's talk
8:35 am
about what are we talking about here today, right? we're talking about boat, all sorts of sinking, that doesn't sound very good. i'm going to ask my panelists to tell me whether or not i'm right and where we're going in the future. so the safe harbor decision that was decided by the european court of justice on october 6, 2015, actually has its origins 20 years earlier. in 1995 the european union passed a data protection directive which has rules and regular rations -- regulations and general standards by which e.u. member states have to adhere to data protection or privacy regulation. there's a prohibition in the directive about allowing the cross-border transfer of personal data, which is very broadly defined and it pretty much is all electronic information. you cannot be have cross-border transfer unless the country to whom you're transferring the information has adequate privacy protections or, alternatively, some other sorts of protections.
8:36 am
the united states has a sectoral approach to privacy and is not considered to be adequate under the european regime. it wasn't in '95, and to this day it is still not considered to have an adequate privacy regime. so what's a u.s. company to do? from 1998-2000 the u.s. department of commerce negotiated with the european commission and created something called the u.s./e.u. safe harbor. the u.s./e.u. safe harbor is a regime and it basically follows the e.u. standards, the e.u. privacy principles. and if companies go and make a public problem that mission, i, company, adhere to the u.s./e.u. safe harbor, they're listed on the department of commerce's web site -- which i believe currently disabled -- but they go and make a promise, and they say i agree to adhere to these
8:37 am
standards. the federal trade commission has the authority to investigate whether or not people have the ability to -- whether or not they are actually keeping that promise. and you have to renew that promise every year in a public statement, and the list is about 4500 companies currently have safe harbor regime. that safe harbor was considered to be an adequate legal process under the european commission. and there's been some questions, and there have been -- throughout from 2000 on there had been a lot of questions, is safe harbor sufficient, is this public promise sufficient, shouldn't there be stronger e.u. guidance on this and so on. kind of came to -- and by the way, that deal, the u.s./e.u. safe harbor deal is an executive branch decision, so there was no congressional approval over it. it was the u.s. department of commerce directly with the european commission from a legislative per pebtive -- perspective for those in the
8:38 am
room n. 2013 we had the unauthorized disclosures colloquially known as snowden. i try to call them the unauthorized disclosures of 2013 to not personalize this. but after those disclosures, an austrian law student went to the ireland data protection commissioner and said i think facebook is violating e.u. privacy law even though they are safe harbor certified. the eye spanish dpa -- irish dpa said i can't decide this. the i ooh rich high court -- irish high court concurred with the data protection authority, then it was appealed to the european court of justice. the european court of justice, first, the advocate general came out with a decision late in september that said based on the u.s.' systemic failures in privacy protection and particularly pointing out the june 2013 disclosures associated with surveillance and wholesale collection of particularly
8:39 am
european union citizen databased off of the reporting, that the advocate general recommended invalidating safe harbor. the european court of justice concurred and invalidated safe harbor as of october 6th. it's a long way to get there, but i thought it'd be helpful with some framing. my question to you, damian, is what did the court decide on, and what's scope of the decision? >> thank you very much for this great summary. the court of justice was actually asked by the high court in dublin -- actually, it's the first-level court that concur with the the dpa, and the high court did not rule against, but actually asked the court a question to court of justice asking whether or not we have this safe harbor decision of the commission of 2000. the irish data protection authority is telling that it doesn't have any duty to
8:40 am
investigate this case. is that right under e.u. law, or is it the case that despite this decision of 2000 by the commission that rules on this side or privacy principles are equivalent to the rules on the european side? is it the case that still national data protection authorities have a duty to in fact a claim when a person -- to investigate a claim when a person says i think my rights have been violated? the short answer is the court is basically saying, yes, indeed. the national authorities retain a duty to investigate a claim by citizens. and the reason why the court takes that decision is to say under e.u. law and european charter for fundamental rights, you need the right of redress. and you need to be -- and so also the right to privacy of the protection of personal data is a
8:41 am
fundamental right in our european be charter and, therefore, national authorities have also a duty to enforce compliance of that right, if you want. and so by combining in the directive and european charter, the court comes to that conclusion. but to come to that conclusion, the court also says since the claim was the safe harbor decision of the commission of 2000 is invalid and the high court in dublin seems to go along with that decision, i mean, it's not -- i haven't read the irish court decision, i only read the european court of justice's decision. it's kind of interesting to say that the european court said, yeah, indeed that irish court seems to go along with the things, therefore, i need to invest this issue of validity or invalidity of the safe harbor decision under e.u. law and primary law, what we call the e.u. treaty, if you want.
8:42 am
which is, anyway, equivalent to your constitution. and so the court looks at the safe harbor decision of 2000, article i and then article iii, and!shecks whetherw3 itç consis that the commission decision remains valid under the law given the fact, given what, what has appeared since then. but also from day one. it looks at how the safe harbor arrangement is constructed. it's not a commitment by united states government. it's a system of certification by american companies, and the court says, well, that's okay. it's better that the laws protect the data of private individuals, but till it's okay. and then looks at how it's enforced, how it's organized and enforced and comes to the conclusion -- i don't need to go into the details now -- that
8:43 am
basically it's not a sufficient protection and, therefore, the rights of the citizens are not sufficiently protected and, therefore, the commission decision is invalid. i'm doing a very short summary of that. and so, therefore, not only the answer to the irish court is, yes, you have to tell the irish data protection authority, you need to investigate this case on facebook, but it's also ruling -- [inaudible] and this ruling is binding within european union including commission and all the national data protection authorities. actually, that decision of 2000 is not valid. >> so the decision that the safe harbor is not valid, amy, i have a question for you. do you think that this is a decision that's related to sur is vail lance -- surveillance and the unauthorized disclosures of 2013, or is it related to commercial data privacy decision?
8:44 am
>> thank you, mary ellen. so i think at its heart we have to say this is a surveillance decision. the impetus for the entire case are the 2013 revelations by "the washington post" and in the guardian about surveillance conducted specifically under section 702 of the fisa amendments act and more specifically, a program called prism. so that was -- these revelations were what really motivated the case to ask for an investigation, to ask for the irish national authority to look is into safe harbor. so everything that has come out of that initial decision has come out because of surveillance. and the european court of justice's opinion really spent a lot of time looking at surveillance and looking at what the u.s. allows and what standards the uses in order to judge what surveillance is necessary. so the rest of the world really uses international human rights standards to guide their
8:45 am
surveillance programs. they say that surveillance was only appropriate if it is necessary or it is proportionate. that's a standard that the e.u. uses, it's a standard under the iccpr, the international covenant of civil and political rights, and it's a standard that kind of was incorporated into safe harbor. there's a huge exception for national security in safe hard hard -- harbor. only if that surveillance conducted in the name of national security or law enforcement or public safety is necessary. and so the u.s. really, what the court of justice found is that the u.s. practices are not necessary, and they do not insure this very high level of protection that is adequate for european data. now, all of that said, the but is coming. it's a surveillance decision, but safe harbor is about commercial data practice. it is primarily a commercial
8:46 am
data mechanism. and if you read through the court of justice's decision, they actually spend a fair amount of time talking about the inadequacies of safe harbor, about the fact that it's a self-certified mechanism so that there's no independent audit that say if an entity is complying, that there's not enough transparency, accountability. so you have to look at the entirety of the decision and realize that anything that flows out of it also has to meet kind of these deficiencies that the court is identifying in the safe harbor mechanism also from a commercial perspective. so you really have to kind of dual consider what do we need to do from a surveillance perspective to make sure that the united states law and practice is in line with the international standards that the e.u. thinks it should be in line with, and also what do we have to do from a commercial privacy perspective to make sure that whatever new mechanism comes in -- and we will certainly talk about new mechanisms in a bit -- actually complies with what the court of justice thinks it
8:47 am
should comply with. because now that the court of justice has said that national norths have a basketball -- national authorities have a ability to review decisions from the commission, we can expect any new mechanism can a also go up to the court of justice, and so you don't want another period of indecision following this where an inadequate mechanism can get struck down a couple years from now. >> adam, i'm going to ask you the same question which is, is this a surveillance decision or a commercial pryce decision, and regardless of the answer, if you could let our audience know why trans-border data flows are so important and what's the impact of this decision. >> sure. well, first, i'd like to add a point of clarification about the actual ruling by the court of justice. so in the ruling there was no examination of the commercial practices. it was examination of the national security side, and it wasn't even based on an investigation. it was based on allegations and powerpoints and guardian
8:48 am
articles. so it would be very helpful moving forward if the european court of justice, if the data protection authorities could conduct a thorough investigation examining the changes to united states law made since 2013. the discussion in the ruling was based on practices as understood when safe harbor was created. and that also brings us to the point that the ruling is a process ruling. so the decision is based on the tact that when safe harbor was agreed upon, the commission, according to the court, didn't do a thorough investigation of the national security side of how the exemption in the safe harbor would be used by the united states and what our practices were in the year 2000 when it was agreed upon. so while safe harbor was invalidated on process grounds, there is no examination yet on the commercial be side. and, in fact, the united states department of commerce, ftc and the commission have been undergoing a review and an enhancement of safe harbor for the past two years. so there are some changes in
8:49 am
place. there was a report that was put out by the commission two years ago, and both seeds of the atlantic have been work -- both sides of the atlantic have been working very hard to satisfy the decision conditions in that report. to your question, it was a surveillance decision. is so i think that, hopefully, answers that. the other piece is on the commercial side, the united states is has a really strong system of enforcement. if you violate your self-certification, the ftc will carry out an enforcement action. there's nothing like that anywhere else in the world. and the european commission, when they conduct adequacy determinations, often do not take the enforcement side into account. so while in the united states our commercial privacy practices aren't exactly in line with the european rules on paper, in words, in many areas we go above and beyond what the europeans do. in fact, some of the other governments that are deemed adequate include argentina, and i'm sure they have a robust
8:50 am
system of enforcement in their own way, but i'm willing to bet in the united states we have stronger privacy practices how it works in reality, not just on paper. but getting to your second question about why is this whole issue important, why are we here, why do we care? it's not just spam and advertising, it's the backbone of the global economy and the transatlantic economy. at the u.s. chamber, we represent the interest over f of over three million companies in every single sector, every single size. energy companies, manufacturing, consumer goods, hospitally, plus the internet and technology the side. every company you can think of relies on the internet today, and you need to be able to transfer data. something very tangible, very easy is credit cards. you travel around the world, you go to europe, you can use our credit card. yes, you have money in your account, it goes to other companies to verify that, yes,
8:51 am
you're you, and the purchase is satisfied within mere seconds. on the business-to-business side, it's any company that might have business around the world, it's transferring that employee data globally, it's keeping track of a global customer base. it's, say, for an airplane manufacturing business, it's having data on their engines while the plane is in the sky being able to troubleshoot and fix problems on the fly, literally. so there's a variety of uses for cross-border day flows, and there's an unlimited amount of reasons why it is essential to the global economy. >> thank you. have. thank you very much. and we're going to get back to how the safe harbor decision is impacting companies a little bit later in the program. but first, adam raised the question, amy, about whether or not the decision accurately described the u.s. surveillance and national security procedures both in 2000, 2013 and today. could you tell us a little bit what your opinion is? >> sure.
8:52 am
so there have been significant changes made in u.s. surveillance practices since 2013, and i think you have to start with recognizing that. earlier this year we passed the usa freedom act which access and most of the other groups we work with were in sport of. it's actually the biggest restriction placed on the nsa and surveillance since the '70s. so it was a huge win. one of the things it didn't really speak to is section 702 and other sections which, as i started out saying, is what this case was filed under. so it has small steps forward on transparency in regard to those surveillance authorities, but it doesn't really change any of the practices or have substantive modifications of those surveillance authorities. so big win but doesn't touch what we're talking about in this case. the question was, does the case accurately describe
8:53 am
surveillance. so, actually, the european court of justice decision -- only mentioned prism once. but they do mention this discriminate type of surveillance that is happening in the u.s. so from a perspective that you're not looking at a specific program, you're looking at 702, executive order 12333, yes, that is happening. will they say that is exactly technically proper in regards to section 703? there were some inaccuracies in regard to how surveillance was being conducted but the overall general programs can happen, are happening, and it's because the u.s. doesn't recognize any rights for people outside of the united states. and so this indiscriminate surveillance that they really key into absolutely is going on. >> i may take a little bit of a moderator's liberty here which is the point that amie's making
8:54 am
is executive order 12333 makes the distinction between domestic intelligence and foreign intelligence. and that distinction is that there were different types and more robust types of intelligence-gathering activities that can take place outside the united states as well as against foreign citizens. and so the section 702 that amie is talking about from the fisa amendment act has that theme within it, and section 702 does talk about foreign residents controls, the privacy and civil liberties oversight board did a report on 702 as did the president's review group. so i point you to those for more detailed discussions of 702. gayle, i want to ask you a question which is, you know, damian did a great job of summarizing the decision, and as amie pointed out, consistent
8:55 am
with u.s. surveillance activities. do you think that the court should have looked at e.u. surveillance and national security issues as well as as a comparison? >> so, thank you. first of all, i want to thank -- >> is your mic on? >> yes. >> okay, cool. >> i want to thank tim and -- [inaudible] for having me here today. my name is gayle slater. >> [inaudible] >> light's on. >> let me -- >> just a moment, folks. >> can you hear me now? okay. so to reiterate, wanted to say thanks to the net caucus for having me. my name is gayle slater, i'm from the internet association. so to answer your question, i think absolutely yes is the short answer. i can explain why, and i think i'd like to invoke a create shy here to -- cliche to explain why i think the court absolutely should have looked at e.u.
8:56 am
surveillance at the time of the opinion. and the cliche is people in glass houses shouldn't throw stones. so look at, we've talked about this decision, and as i see it, it's based on various snap snots, okay? so one of the snapshots is u.s. surveillance in 2013 at the moment in time that the snowden revelations happened, okay? another snapshot is u.s. commercial privacy enforcement i think at the moment in time when the first safe harbor was entered into in the year 2000. so that's the second snapshot. and then they didn't take a third snapshot, and that was a snapshot of e.u. surveillance through the member state intelligence agencies in 2013 also around the time of the noden revelations -- snowden revelations. and so i think these three snapshots are important because they all go to this question of
8:57 am
adequacy. so the safe harbor foundation is a decision taken that the u.s. system of privacy was inadequate in the year 2000 versus the e6789 -- e.u.'s system, okay? and then they made some incremental changes, agreed to make incremental changes to the u.s. privacy regime such that they could close the gap between the e.u. system and the u.s. system. is so that was back in the year 2000. and then the decision comes along, and the court says that because of mass surveillance in the u.s. as revealed by edward snowden in 2013, the safe harbor was no longer in valid because of this inadequacy. but you have to ask yourself inadequate compared to what? and so the comparison here if we're looking both at surveillance and commercial privacy has to be
8:58 am
u-surveillance. we also know from edward snowden also in 2013 that many e.u. member state intelligence agencies were engaged in mass surveillance of their own citizens at that time. and the list is pretty extensive. my computer just turned off, so i'm going to have to log back in. >> [inaudible] >> he did. so the list includes the germans, the french, the spanish, the swede spanish the british -- swedish and the british intelligence agencies. ironically, it did not include the irish agency. i'm not even sure there is an irish intelligence agency -- [laughter] but this is significant because this is, of course, where the case originated from that went to the european court of justice. so what the snowden revelations with regard to the e. u. member states said was that there was extensive, mass surveillance going on also in 2013 of internet traffic and phone traffic of e.u. citizens. and so what the, what the
8:59 am
guardian did was it revealed documents, particularly a document produced by gchq which is the british intelligence agency, and essentially it was a scorecard across the a number of dimensions of their sister intelligence agencies. and just to give you some context here, in my experience the british are never likely to give the french a compliment unless they really deserve it. and here's what gchq had to say about the french. they described the french agency as highly motivated, technically competent partner who have shown great willingness to engage on internet protocol issues and to work with gchq and cooperate and share with us. so -- >> that means that france is sharing surveillance information with england. okay. just wanted to make sure i got that. >> both internet and telephoneny data. so i think this is important. i think it's also important that the second snapshot i talked
9:00 am
about which is surveillance in this country post-snowden revelations and the significant reforms that have been put in place since 2013 were not taken into account by the court. again, this goes to this adequacy finding. and i think had the court taken into account both e.u. surveillance and u.s. reforms post-2013 and also the sort of market-based solution to surveillance which has increased adoption of encryption technologies by association members but also by other technology companies, the delta, the inadequacy delta we'll call it between the u.s. and the e.u. systems would, i think, have declined significantly. ..
9:01 am
i think it's come on leaps and bounds since then. i think we can say with some confidence is probably the leading privacy enforcement agency in the world, and has a track record that's very significant, and a truly something that's left out of
9:02 am
this opinion. >> just to underline what gale said. it's the national security practices on the eu, their federal level but also their member state level. there's two pieces and damien will explain in more detail in the second, but the member states have the competency for national security and law enforcement largely in the european union. i say we to examine the practices it's their federal level and also below that. one jus his quick example of how that works in practice. last year the court of justice reached a decision on a daily retention case -- data retention. the rule written violate i visit much like the outcome of the safe harbor case. however, it was, it is up to the member states to government that decision. so there was no required white our set will have the decision is about. some states got rid of their
9:03 am
rules. some states such as france expanded it. so that's why it's important to examine the practices as they stand today on the member states level. when we travel internationally, their seller countries where we have to get special funds because of security concerns. one of them is france. so it's very interesting. >> i think we are reading too much into the judgments. i think we need to step back and understand what rules the court of justice has to follow in this procedure. it's procedure in terms of national court, where the high court has -- eu law here come safe harbor decision 2000 it's only answering a question from the high court and its relying on the facts as explained or
9:04 am
summarized in the high court decision. i would note that no americans took part in a judicial proceeding in ireland. facebook, nor anyone else. so that's the reason why the court of luxembourg is relying on what it hears from the high court. it doesn't decide on other grounds. i think fundamentally it's about the judges in luxembourg seeing at austin student has had a right of redress. he wants to have -- austrian -- he wants a court listening to his case come into decision was denying that right. i think it's not more than the speed and we will talk about redress but i have a follow-up question based off of tales and patterns, and this is for you, damien. as you pointed out european court of justice decided that individual member state have the
9:05 am
authority to investigate adequacy or whether not there is sufficient protections in each of these scenarios. do those same member state data protection authorities have the oversight authority over member state surveillance and national study issues as adam pointed out? national security as a member state authority. i was wondering do they have that authority in their own right, vis-à-vis their own member states? >> depends. some countries is the case sometimes it is not. i've no doubt after this judgment all the dbas will review and government authority in general review their own laws and practices to make sure they are complying with the new judgment. >> for the member states had a thing for handful of member states that do have authority, oversight over national security. have the been any enforcement actions in those scenarios, do you know this because i don't
9:06 am
know. you need to check country by country. i cannot answer that question. >> that's great, thank you. damien was a we are reading too much into the judgment. i guess my question is regardless of what we are reading into the judgment what's happening on the ground? what are companies doing as a result of the judgment? >> from a policy standpoint it's always fun to read the judgment and speculate at sessions like this but the company we work with, to have a legal department and the compliance department. it's their job to make sure the company follows the law. they have to redo the judgment and read the tea leaves about what's happening around the rest of europe. and reaction to the judgment. so the first order of business is to just do a data mapping exercise and what type of data do we have that's being transmitted, what were the safe harbor bein been used for many companies is there a large multinational they have hundreds of vendors. an example is a hotel company. they of hotels in every single
9:07 am
member state. they have the staff there. they have restaurant staff there. they have food that supplies the rest of the they have reservation list so you're looking at hundreds of individual agreements for hundreds of different entities within the one company. so it's a very, very extensive and time-consuming process to figure out what are we using the safe harbor program for now, and in what to use as a substitute. some of the suggestions are extremely complex and difficult. one suggestion was binding corporate rules. back to take over $1 million, up to 18 months. it was over 18 months prior to the decision was going to be hundreds of companies seeking out approval for the. another mechanism that had been accepted with something called model contract clauses, said clauses approved by authorities that companies can use to prove that they are in compliance with the law. recently there was one german state that sent we may not think
9:08 am
these are valid anymore. >> it's up to five, five, german state data protection authorities. the equivalent of our united states hefted their questioning whether any data transfer is sufficient in light of the decision from last week. week. >> and without a thorough investigation so that would be helpful in providing some heft. if you're a company and you hearing this, what do you do courtship customers that rely on you, employees that rely on you. the decision isn't just about u.s. companies. it's about companies and consumers and end users in europe come in the united states, that is something important to consider as we move forward on this issue. >> how is this affecting transport of data flows right now? >> again, short answer to that question is, we are still in the early stages. i think it's fair to say people including her son are absorbing
9:09 am
this opinion and counseling clients as quickly as possible and steering them in the safest in the right direction. in many cases that's the eu dpas who are known to have good processes in place with regard to reviewing and giving their approval to these binding corporate rules. and also as adam said people are doing audits. so how is this affecting transport of data flows but i think it's too soon to say but what we can say with certainty is this great legal uncertainty. we can also say that this is impacting we believe small businesses, medium-size businesses more than large companies which includes the large companies which would include members of the internet association. the larger companies could see the writing on the wall and they were able to take steps and contingency plans for this. somsummit of them already have n place binding corporate rules
9:10 am
and they've resorted to model contract. they have sophisticated lawyers and the resources to pay for these other instruments. for smaller companies i think it's fair to say many of them are in a state of disarray and they don't have the resources to spend $1 million invest 18 months of man-hours in getting a binding corporate rule through a european gpa. i think we can say that much. and i think there are also depend on business models scenarios where there literally is no alternative to the safe harbor and so that every data transfer but one data transfer we've heard about is, for example, the are not model clauses that apply for to india-based processor of the data transmitting to a non-eu-based cell processor. there's an example of where there's a gap in the law right there. i'm sure you're being asked questions about that scenario.
9:11 am
so what businesses are looking for is legal certainty, looking for quickly. there turning to the european dpas in particular we have noticed article 29 working part of which is kind of a trade association of european dpas and they're looking for that group, they are looking, turning to them for federal guidance. because right now we have a scenario where you could have 28 different interpretations depending on the dpas and then in addition to the 20 a plethora of german dpas at the local level interpreting the opinion in their own different ways which would obviously splinter the european the data flows before you even get to transatlantic data flows. and so that's a concern. so companies are looking for titans from all of the eu dpas to the article 29 working party and they're looking for in a timely way. >> speak at tonic the article 29
9:12 am
working party is meeting right now trying to figure out how to deal with this, what advice to give, i could have a de facto period of transition, have a gentlemen's agreement with another phrase i heard about during a transition. and as of the time we started this session the article 29 working party had not come out with guidance yet but it may come out while we. no, and so as divisive as the trade association for the data protection authority. in terms of giving guidance on what they think it's ugly the european commission has made general statements in terms of looking at this. i'm trying to figure out what to do. consecutive commerce yesterday in a speech said obviously not surprising the sector was disappointed with the decision and is looking to work with the commission to figure whether safe harbor to mac can work. but i guess my question to the panelist and i t to the panelist and i will start with you, amie but it was love to hear from each one is what can congress do?
9:13 am
>> want to do things congress should be looking at is the fact that it was mentioned that the uk, that the eu data retention directive was also struck down recently. in response the uk passed another data retention law in order to fill that void. recently that also was struck down. so they attempted to pass a law that would fill the void left by an eu court action and immediately, not immediatel immt quickly construct and an attitude, that they'r there bace drawing board drawing another provision that they think they need no to fill this void again. what i think the u.s. should be trying to avoid is being in thae same situation where we take action and then are told that action was similarly not sufficient and that we have to go back again. so we should become the u.s. congress should be looking at what it can do now. i know yesterday several members of congress both the house and senate said other to the ftc and the department of commerce
9:14 am
asking for them to enter into new safe harbor for quickly. i think that maybe the wrong path to take because until the u.s. congress passes comprehensive surveillance reform, you can count on the eu court of justice saying that nothing is going to be adequate enough. and so when you as so when you see freedom act that passed earlier, many members thought it was done with surveillance reform. members of the civil society community were looking ahead to december 2071 of fisa in an act is set to sunset and singer not going to be done but we don't know if we can weasel and more surveillance reform until the sunset two years from now. i think we should wait those two years. we should be engaging on the fisa amendments act right now. we should be engaging substantively on executive order 12333 and try to figure what limitations and what protections we can put into place for that authority as well trying to make sure again that we are comply with international standards that every other country that
9:15 am
the signatory complies with. in regards to necessity and proportionality of surveillance. the final thing we should be looking at is trying to come again i think there's a necessity to read the tea leaves about what the court was saying on the commercial aspect of safe harbor and looking towards potentially a comprehensive privacy law in the united states, something that many civil society groups capital pushing for an trying to put into place protections so that a next time the court of justice revisited the subpoena they don't strike it out under consumer protection elements as well. for congress does have a huge role to play here i think. >> going to turn to adam and gail to see if any thoughts. damien, i figure you don't want to give guidance on u.s. congress so i will give you passed. other thoughts on how congress can help control, particularly given our audience today? >> so i would just go back and respond to amie's position on
9:16 am
this by saying i do feel strongly that regardless of, and damien says the ecg look at what it had in front of it and these are comments tuesday these are confusing dana point out that in the case, before the ecj it was an extensive fact-finding and discovery done. and so that's what you're looking at what i saw these three snapshots and i believe all three were inaccurate. but i think that it's a very, very important regardless of what the ecj has done and the court has spoken that in political conversations and negotiations going forward we did keep going back to this inadequacy delta and these inaccurate snapshots. because i think what amie has mapped out is a very tall order for any congress i also don't know exactly what is needed when you look at the state of
9:17 am
surveillance in the eu when you look at the robust enforcement by the ftc. and w when you look at the not insignificant surveillance reforms since 2013. one thing we do know for sure because damien and his colleagues at the eu delegation havhad said this was many times that congress can pass the redress act, and that's something that we understand going to the floor of the house soon your yes, and so that would be a significant step for because what he would do is extended eu citizens rights enjoyed by u.s. citizens under the privacy act of 1974. and that is a significant step forward as we understand from the ec commission but also from the dpas themselves and a step forward in the right direction. >> the chamber, internet association, several others around town and companies all signed a letter supporting the judicial redress act and calling for to come to vote soon.
9:18 am
one piece that i see report in the press all the time, it's not just tech help it is, it's again all businesses, a broad spectrum of businesses. if we had a bit more time come if there's more time to others signed a letter i know there's plenty of other countries that would've joined on as well. it's a big base of companies and associations that support the act. that's one thing we can do help answer the concerns of the europeans. out when it comes to any other changes in congress, there's things we should do for americans can ourselves not just for the europeans. if it makes sense to look at a privacy bill that maybe simplifies the rules and has a right balance between innovation and privacy, that's something we could do for america and not just for europeans. i think the immediate step to answer the court's ruling would be the judicial redress act. anything beyond that is for the united states i think and it should be to ba borrow a word fm our european colleagues, proportional, whatever that may be. >> thank you.
9:19 am
older gail and adam have mentioned the redress act and the judicial redress act as gail pointed out with provide all citizens the right to redress interned under a 1974 privacy act. the 1974 privacy act of are near and dear to my heart when i said homeland security. i had to enforce it. and what was, it is about the government's collection and use of personal information that you to say what you do, how to record retention policy and have the ability to provide redress to u.s. citizens and legal permanent residents. so why was that carved out, is a question my colleagues and i asked all the time. it could be we did have a transport data flow that turn 11 has spoken so passionate about it could be that they did want to redress rights -- gail and adam. asking for visas to come to u.s. could a whole bunch of different things. it could be that when you think
9:20 am
about filing cabinets is different when you think about the internet, the internet of things. so the judicial redress act is proposed and as gail said is moving to the house would give redress rights to european citizens are basically to -- given that the judicial redress act as we have described only addresses, collection and use of personal information, and even in the privacy act is preconstructed there's an exception for national security. does the judicial redress act solve this problem? >> i think we all agree that the current situation where we are in is in consideration of severe legal and certainty -- uncertain. judicial redress act would be a big step forward to reducing the legal uncertainty. so from european perspective we've been saying this two years, officials believe he had
9:21 am
been saying this for six years access i was negotiating with the european commission. >> i think it would be very important to take this decision. but broadly i wanted to just intervene and save what government does not on the european side. what the commission is doing. first of all it's our national authorities to -- they need, the trade association this group of government officials representing sovereign states. the european commission is also there to help them come to a single point of view. that's what they've been doing last week, yesterday and today. and everybody realized we need to give guidance to companies. also reassure citizens on what's going on with data. so that's the number one priority. it may take a while. we need to be a bit patient. also don't forget that three weeks ago we proposed a fundamental overhaul our whole
9:22 am
regime have much better regime with less of urgency of applications. we really hope that the council and parliament and legislation will adopt these rules as soon as possible. thank you. >> amie come to think the the judicial redress act helps solve this problem? >> we support the judicial redress act but it's an incremental step forward and i want to be very clear. it's a small step forward. it does give, and not necessarily eu citizens, it gives a certain countries who are certified by u.s. authorities, so the coach are not named, not message of the country into you or only countries in the you. certain rights under the privacy act. but again as mary ellen pointed out there are huge exceptions to it and many of the programs we're talking about are not going to be covered by judicial redress. i would have at least in the senate it has been proposed as an amendment to the cybersecurity information sharing act, which many civil
9:23 am
society groups both in the u.s. and abroad have outright opposed because it creates huge new surveillance loopholes for more personal information to go to the government which i think runs directly contrary to the court opinion we're looking at now. so it is passing a law that goes and if criminal support in the name of rights to a bill that actually takes a huge step backward, is a net loss. >> i was wondering if you thought, damien has been focusing on thi this redress ise to get something out when i was talking to the europeans when i was at oakland security. is redress the panacea for these data flows from her perspective on the commercial side? >> as edwin said it's a step in the right direction but at this point it's unclear what a tennessee would look like to the european side. again, they would be -- panacea would look like -- it would be helpful to see where the current rights, not just on paper but in
9:24 am
practice at the european union level and at the member state level. the united states should provide or should only be asked to provide equivalent rights to those of the europeans. we shouldn't be asked to go above and beyond what is actually the practice on the ground over there. and just real quick, on the cyber information sharing act, something we support we think it's very useful in helping deter bad actors. we don't see it or the act is not a loophole for more surveillance. that's the case where his and other entities can share information with those who deter the bad actors pic it's not going to give bad actors more information but instead stop. if there's a breach in one area, companies and those in charge of information security can work together to stop the same breach from happening again. >> i'm going to ask the panel to look in their crystal ball, do a
9:25 am
little gazing and talk about what's next for safe harbor if so, safe harbor to point out that if they negotiated between the department of commerce and the european commission -- 2.0. is that dead on arrival? does that add you like with what we think will go on without? what it out the u.s. the relationship? or are we thinking we're going with this? i would ask you to think the short term, what's going to happen as all kind of work out this legal uncertainty i think was a danish phrase and secondly a medium-term what do we think the relationship should trend towards in the future. i think i will start with amie and then work down the line, please. >> i can't i don't know if any new mechanism is going to work in love comprehensive surveillance reform. i just don't know if we can find a mechanism that complies with this court's opinion is lou of changing the standard under which the united states conduct surveys. i agree with the deal there's a
9:26 am
problem with surveys indicate that the public surveillance around the world. there's a problem with surveillance. and recut to get as much authority as they possibly can to conduct and we need to start looking seriously and holistically out all of these countries practices in pulling it back. right now we need to look at the united states practices because that's what stand in way of a new mechanism. axis have supported the model contract clauses that were mentioned but we called it model contract clauses plus because we think they need to include more robust mechanism for transparent to end for data security in order to protect against unauthorized access to data. such as what's happening, for example, in the nsa was tapping into the backbone between google or yahoo! data centers but we think that's not necessarily a good thing for surveillance agencies to be doing so we think that that it needs be protected or wisely. we're looking forward to engaging more thoroughly at
9:27 am
least in the short term on that as a new mechanism and then looking longer-term out how to engage on protecting privacy from a very holistic point of view. >> the model contract currently proposed by the commission can be added to think amie's comments about model contract plus would have to get folded into any sort of provision on the european commission site. it is a pretty frustrating contract, if i could have a little discretion to say that the it's a very rigid in terms of the opportunities. gail what you think is next for safe harbor and the trans-atlantic relationship? >> the first of all i have to say just for the record, the unit associate supports surveillance reform but we are also aware that congress has a lot on its plate and so we have to be realistic in this context. the other thing i would say by the relationship with you. i don't know some elder statesman used to say the problem with the eu is there's
9:28 am
no one phone line. who are going to pick up the phone to talk to the eu? in this scenario we have many different stakeholders within the eu. i think in talking to the commission, damien is representing the commission, he can speak for them, i think there's a sense in which the commission wants to do the right thing. their decision was invalidate the bad egg on their face and want to try to turn this one. they been negotiating in good faith with the commerce department here. they were close to signing safe harbor, safer harbor 2.0. let's hope it comes to pass in but i know that people within the commission first have to look at this opinion and take a close look at it and decide what the new parameters their operating under are. we also to parliament that is very vocal depend on where you go in the eu parliament on this issue. that's a constraint on the commission. the commission has been mindful and then we have atpase in which we now know there are 28 plus 15 in germany. and so they're all going to have
9:29 am
to want to say something about a safer harbor 2.0. these are all checks and balances the commission has been mindful of going forward. and so that's the eu. that's a lot of different stakeholders at the don't pretend to speak for any of them but they are all important voices. look at come in the meantime i said already, i can't say it often enough and we're looking to the eu dpas working through their trade association, the 29 working party to issue guidance that's helpful to businesses. businesses who signed up for the safe harbor, there are 4500 of them, did so in good faith. they complied with the safe harbor for the most part it if it didn't the ftc went after them. there was backstop enforcement. so then i look at this legal vacuum at the tokyo they're done anything wrong. the government did it but they need guidance. >> what's next?
9:30 am
>> the relationship between the united states and the european union is just too important to we transfer 15 terabytes of information a second. it's a gigantic number. we're literally trillions of investment those going back and forth. the safe harbor decision to go just the one program. if we can't share information from if we can't carry on and monitor our investment, that is a gigantic loss not just? >> guest: politically but around the globe. to paraphrase a quote vice president joe biden, it's -- it's really important speed what does that spell, adam? >> big friendly discussion. speaks ritually important that the governments on both sides of the atlantic get together and work on finding a solution quickly, not dealing. we need to preserve the relationship going forward. and what we need is responsible governments, having a
9:31 am
conversation build connections got not to tear them down. ascended congress committee sent a letter urging quick action. i would like to see more in the congress getting involved, talking to the counterparts on the other part of the lady. there's over we'll encouraging a swift resolution to the issue at hand. >> and damien, what do you think is next? >> what's next, i hope the redress action is fast and together we're working on new safe harbor arrangements, taking into account what the court has said. nobody has an interest in having a new safe harbor 2.0 in a couple months time. we needed take a deep breath and make sure the new arrangement is as solid as we can. thank you. >> great. with that said were at the top of the outfit i want to thank my $10 for actual discussion and want to thank all of you. thanks, have a good night. [applause]
9:32 am
[inaudible conversations] >> later today will get a look at the syrian refugee crisis with officials from the state department and the u.n. they will discuss the global response so far and other humanitarian issues that still need to address. that is being hosted by the bipartisan policy center and we have it live at 11 a.m. eastern on c-span. this afternoon we're live from capitol hill for hearing on pending legislation that would create a new mandatory minimum sentence for those caught aiding terrorists and reduce other sentences for nonviolent crimes. that is being held by the senate
9:33 am
judiciary committee. we get underway at 3:00 eastern with live coverage on c-span. >> tonight on c-span's new series "landmark cases," by 1830 the mississippi river iran new orleans had become a breeding ground for cholera and yellow fever partly due to slaughter houses in the area dumping a byproduct into the river. to address this problem louisiana allowed only one government run the slaughterhouse, crescent city come to operate in the city district and the other houses to into corporate all the slaughterhouse cases of 1873. be sure to join the conversation as we take your calls, tweets and facebook comments during the
9:34 am
program using the hashtag landmark cases, live tonight on c-span, c-span3 and c-span radio. for background on each case what you watch order your copy of the landmark cases companion book. it is available for $8.95 plus shipping at c-span.org/landmarkcases. >> next editorial cartoonist from the "washington post," the lancet journal constitution and other media outlets discuss their work during the george w. bush presidency. they spoke about their methods for detecting serious issues and extent they go into adequate wiseacre subject. is the part of a three-day conference on the bush administration hosted by hofstra university india. india. 0te minutes.ur and 2 >> welcome to political --cartoe "political cartoonists and the george w. bush presidency." my name is lawrence levy, and def

42 Views

info Stream Only

Uploaded by TV Archive on