
tv   The Communicators Online Privacy Rules  CSPAN  August 6, 2018 8:00am-8:33am EDT

8:00 am
>> you're watching book tv on c-span2 with top nonfiction books and authors every weekend. book tv, television for serious readers. >> next on the communicators a discussion about european rules concerning internet privacy, after that senate hearing on foreign influence and social media. and pennsylvania senator bob casey talking about aviation safety. c-span, where history unfolds daily. in 1979 c-span was created as a public service by america's cable television companies and today we continue to bring you unfiltered coverage of congress, the white house, the supreme court, and public policy events in washington, d.c. and around the country. c-span is brought to you by your cable or satellite provider.
8:01 am
>> and this week on the communicators discussion put into place in europe who they affect and what they are, joining us is victoria espinel, software alliance, ms. espinel it was written that europe is the most powerful regulator of silicon valley, do you agree with that? >> i think europe took a big step and they are certainly the first major market to have privacy law and very important about privacy regulations in europe that are positive, but i think looking beyond europe for a moment to where this is going to take us i think what is really important is that we get to a harmonize standard, that's what i would love to talk about,
8:02 am
harmonize standard, europe has taken big important step and important conversations happening in other places in the world and that's really what we need to get to, international consensus on privacy. >> europe is now the most powerful regulator of silicon valley, agree or disagree? >> on data, yes, it has been going on for a while, the gdpr is kind of positive or negative, protection directive of 1990's, fair information practice principles, formalizing what europe has been doing and leading frankly global dialogue, i completely agree with victoria, where we need to go is harmonize harmonize but right now absent u.s. leadership and absent leadership, the eu is occupying
8:03 am
the field for compliance from multinational companies. >> what do data protection agencies do and who do they affect? >> it affects the gdpr formalizes what is already in place in european-member countries in one omnibus law. individuals have some interest and control of their data held by companies so it affects any company doing business in a way that it affects data of european accident or a person located in europe and comes with significant fines. i take no issue because i've been working for privacy for a long time, many issues of compliance and how to implement it and whether people understand really what's expected of them, i think that most of the regulators are acting in good will and we will see further guidance coming and i think we,
8:04 am
victoria is right that we need a harmonized standard, u.s. needs to come to the table, something that we have been saying for decades. >> nuala o'connor president and ceo of center of democracy and technology, victoria espinel president and ceo of business software alliance. >> if you are a company anywhere in the world and you are doing business in europe or you have european customers and you're selling into europe, then the gdpr applies to you and one of the things that is interesting about that and positive about that is it means a lot of companies who are not data companies who don't think of themselves as data companies because that's not their principal business are impacted about the gdpr, so now they need to be thinking about important issues like privacy, so there
8:05 am
are -- there are many aspects to the gdpr but one of the things that is interesting about it is because the scope of it is broad and the application is broad and because it applies to companies that are all over the globe but doing business in europe or want to do business in europe, it is making much larger swath of companies, our companies have been at the forefront of privacy and not so much of legal compliance, obviously important, mostly they want to make sure that their customers expectations of privacy are met. we breathe and live privacy and have for many years because of gdpr privacy is much more in headlines for at least some than it was before and i think it's in part because the scope is really broad and one of the positive aspects of that is it's making a much broader group of
8:06 am
companies start to think about this issue in a thoughtful way >> host: you mentioned companies that don't consider themselves tech communication companies are affected, such as, can you give example? >> if you were doing business in europe of any kind -- >> host: car company. >> companies in europe or if you're trying to attract in europe, marketing in europe, you are going to be impacted by the gdpr, the gdpr will apply to you and you need to think whether you're in legal compliance, of course, i'm a lawyer by training, the legal compliance is important but more broadly you need to be thinking about how you are going to treat the data of i wouldn't say just european customers, any customers that you have and that's -- you know, again for our companies, they've been thinking about this for many, many years, so there's not -- this is something that's very much baked into the dna of the companies that i represent but for many companies
8:07 am
understandably it's not and so that's, i think, one of the interesting things that the gdpr that you now have many more companies who are thinking about this and hopefully not just from sort of a legal compliance perspective but thinking about the bigger issue about why is privacy important and has to do with treating customers and what expectations did they have and how do we meet those expectations? >> what are some of the companies that you represent? >> so we represent the global software industry, so think companies like apple and ibm and microsoft and we have many wonderful members that basically we represent pretty much every big and small software company that is there. >> nuala o'connor mentioned large companies which probably have resources to comply with regulations, does this hurt smaller companies? >> you know, that's a comment i heard a lot from particularly u.s.-based companies, i don't think the intention behind the
8:08 am
law was to cement larger institutional players against smaller upstarts and in fact, some would say it was intended to increase competition by european companies and bring their software in tech industry to the floor, i worry about that and we have been hearing about privacy compliance for a long time that only biggest players like my former employer general electric or others had the resources. i'm not certain that that is 100% correct. i think that there's a lot of compliance that needs to be done to start the analysis of what data your company has, what information you have about your customers, suppliers, vendors, business partners, i think a good data steward and i want to double down on victoria's point it not only affects the tech industry, but any institution that's doing business in europe with european customers of any kind. if you've got customers, or business partners in europe, you are affected by this new law.
8:09 am
i don't see that as a bad thing in that i think we all need to think of our data custodian responsibilities. in the digital age every company is a tech company and every company is a data company, people are using data about individuals and is a sea change in our thinking about the rights of an individual in his or her data and the person has ongoing rights even the data is used legitimately by good corporate actors and that's a conversation every company needs to have. >> who do you represent at the center for democracy and technology? >> the rights of individual, we are funded by foundations, companies, individuals, all interested parties in a highly diversified portfolio but our stance has always been the rights of the individual, the human right, human dignity it's something that needs and
8:10 am
deserves to be protected around the world. >> what's a legitimate right of a company using somebody's data? >> i will give you an example i gave even before i worked at amazon, listen, you want to buy a book from amazon, they have to know your home address to deliver the book, right, that's legitimate interest. they may want to send you ads on the homepage of the website to tell you about other books that you might be interested in. those are primary purpose uses by the company, where people start to lose trust in company use is when they are selling data, when they are transferring it beyond the original transaction or kind of the group of transactions that you have, kind of the boundaries between you and the company, we also work on issues of government data use and surveillance in a separate way, but i think there's primary purpose, secondary purpose which is far beyond the initial transaction. most people get the company -- the company needs certain data to serve you and do what you've asked them to do, they may
8:11 am
understand that they will get future e-mail from the company or other goods or services in ongoing business relationship where it starts to break down is further and further away from the company that you know and the transaction you authorize. >> if i could add onto that because a lot of focus understandably on companies that are consumer facing but many companies are not or they are in part but have big enterprise focus, the aspect of privacy and a lot of policy issues that we come out with enterprise focus, companies that are selling, that are working with other companies where their customers or other companies and i think you know, one of the aspects of gdpr that we were very concerned about is to make sure that if companies need to process data around the world, for example, to detect credit card fraud, that is something a number of companies do and that's impossible to do unless data can move around the world in a relatively seamless way. a lot of the companies are working on cybersecurity and detecting cyber threats, that's
8:12 am
another thing impossible to do unless you can see data realtime coming from around the world to protect patterns. so when we look at not just gdpr but any regulation that's being promulgated by any government around the world, one of the things that we are trying to make sure that it does is allow what our companies do and really more importantly what the customers of our companies do. allow them to use data to support many different kinds of enterprise functions anywhere in the world. >> so are you suggesting that the gdpr could impact cybersecurity? >> no, i think what i would say is the gdpr leaves room for our companies to be able to detect cyber threats, i think there are a lot of real positives with the gdpr and one of those is that we think it does give companies enough flexibility to be able to do things like detect credit card fraud. it's early days in gdpr, went into effect may 25th and as in
8:13 am
many regulations, there's going to be room for interpretation and one of the challenges that european regulators are going to have is how they interpret parts of the gdpr that are open to interpretation and so how that implementation was born with any law is going to have impact on exactly how it affects, you know, different companies and different lines of business but our view of it at the moment is in terms of what our companies do and what the corporate and enterprise customers of our companies do that should allow them by and large to be able to conduct the business that they conduct. >> host: do you have something that you wanted to add to that, i saw you writing it out down? >> well, first of all, agreement with much of what victoria said, i think what's really interesting is where this goes next, right, the intention was to protect the data that is held by companies, the next question i have is not just the data, what is the decision, what is
8:14 am
the decision companies are making about you and so a lot of our research as you know at the center for democracy and technology focuses on implicit bias and consequences and you see a glimmer of that in gdpr, i think you are seeing more and more analysis and concern about large scale droves of data particularly when the data is going to the government directly or indirectly in a way that's not apped by individuals and i think that the gdpr plays into a larger conversation here in the united states which is the new california privacy law, the gdpr and facebook cambridge analytica have created almost a perfect storm which i was saying a year ago, we need omnibus federal law. [laughter] >> but i think people are very
8:15 am
skeptical of that viewpoint even six months ago and then you see this kind of domino effect of the major milestones affecting legitimate companies who are trying to do the right thing and emerging technologies in new ways and americans are saying, hey, what about us, where is our law, where is our privacy law, privacy companies from the companies that are giving protection to european customers and even more i think it reflects a growing sense of a lack of control over your digital identity, your self-expression on line, there are guardrails, guardrails on one side on what can be done, legitimate cybersecurity and another guardrail that says some are off limits, dna or other data that won't don't want, home mortgage loan or whatever, i think you are seeing that the regulate before the europeans have done versus after as
8:16 am
americans do may not work in the data context because once the data is out there and misused as we have seen in cambridge analytica is hard to get it back, maybe more guidance on the front end is what's called for here in the united states. >> host: do you agree with that? >> that's sort of what i was alluding to before when i said interesting decisions happening in places other than europe, one of the places is here in the united states, it's happening both in california but also starting to happen in a real way here in washington in terms of a move toward federal privacy law and i think that's a really interesting set of discussions and i think there's real value there but, you know, again, we as an organization are global and companies are global and we are looking and following closely the discussions in latin america, asia, recently big milestone in japan, i consider
8:17 am
big milestone between japan and european union coming to an agreement that japan's system is what's called adequate but essentially is recognized by the european union as a really strong system which it is. the japanese system is different from the european union and the reason that that's important is i think it sends a really clear signal to countries around the world that in order to be consistent with europe and in order to have businesses in europe, you can have system that's different, the japanese system is different and still be compatible with the european union. i think the conversations in the united states are important and we are hoping to move those forward. i also think we should be looking to other models around the world and i would put japan on the table as a country that has thought about this in an interesting way, the japanese
8:18 am
privacy law provides privacy protections for individual consumers but also has some flexibility in it that will serve it well in the future as technology continues to evolve and i think we should be looking at different models around the world and all the conversations we are having and then hopefully get to a place where it's not just clear rules in the united states but there are clear and consistent rules globally, that's what we really need. you know, i was talking a little bit before about the reasons that we need data to move around the world and they are myriad and important but it's hard for that to happen unless there's a reasonable harmonized system of privacy and so i see, i see kind of a consistent set of rules on data and data moving around the world is absolutely essential for all of the emerging technology that we work on and i see as core underpinning of that having a harmonized privacy system and i think if we want
8:19 am
all of the innovation that the united states is so good at, it has done so much for the world, if we want that to move forward in a positive way, we need to have the right rules underneath that, we need to have the right legal underpinnings and getting global consensus on privacy, i will hold a moment, i think that is really important part of this, you know, privacy isn't just an issue and silo privacy and privacy rules have impact in technology and how it's developed and i think that is a really important part of this broader conversation. >> privacy and data protection norms have big part in how they construct themselves. we are still in search of the holy grail of where in the world this global regulator is going to come from, what victoria just described is exactly right that japan was deemed adequate by the
8:20 am
europeans and many lawyers who will say, even that contract that europe gets to decide whether you're adequate or not. it's a term of art in area of the law but it's a bilateral conversation, bilateral with other non-eu european countries and canada and now japan and some other countries but what we don't have is a home for this conversation that is truly global and that can create norms and create the kind of level playing field that we are discussing. i am still in search, the question that i ask every wise person that works on this issue, where is that, that's probably not the wto, it's probably not the united nations, so where is the global dialogue going to happen and who is going to set the norms because victoria is absolutely right, the data is going to flow faster and more opaque manner than any of us can
8:21 am
imagine and really regardless of national borders. it becomes a supranational conversation where the companies in some ways are acting outside of boundaries and outside of borders and i think that's stunning regulators that companies in the era have power that is unique to the data that they hold and in some ways greater than the power of physical borders and that's hard for regulators to hear, in addition to trade issue, i want to say that it's a telling sign that this year's data commissioners in each country of the world that will enforce the laws who have their own gathering but may not have the international clout to set, although they are setting international norms, keynote speaker is the competition minister so i see there's a real kind of parallel track and possible trains colliding of data and competition law because
8:22 am
many people around the world are looking at do we want to break down the big companies and i said, that's not necessarily -- that's not area we play but i do see concern of power of data held by one company, while it's not the power of the company to jail you or deprive you of liberties or acets is, it is a power to control what you see and what you hear and what you know in your digital world and with that power i think comes responsibility. >> host: so you're both in favor is it fair to say a national standard of some type on data protection? >> we certainly are, i personally have been working federal omnibus privacy protections are necessary in the united states, they're necessary but not sufficient as victoria said to get into the global conversation we will need a simpler standard than what we have now. we have privacy, we have health
8:23 am
privacy, financial privacy, kids' privacy, what we don't have easy to explain standard, data is flowing, i have a fitbit which i love and i adore and the company does good work on privacy protections, this thing knows more about me than my doctor knows but it is not regulated by any healthcare privacy law in most cases in the united states and so we certainly need a gap filler that will help harmonize before we have conversation for the rest of the world. >> host: national standard. >> i think we need to be realistic about the hurdles to get there. i think on the one hand as nuala said there's a lot of privacy regulation now but it does tend to be silo but real advantages to having sort of a clear harmonized across the united states standard and as i
8:24 am
said, that's a conversation that we want to take forward, i think we need to be realistic about how quickly that can happen and the time frame for it happening, as i said, from where we sit, and again given our company's, the emphasis that they put on privacy, i think that's a conversation that we would like to move forward. >> host: do you think the ultimate goal should be a global standard kind of like air traffic, let's take air traffic, a global standard there? >> yes, so with this caveat, when i say standard, what i don't mean is that i think every country in the world has to have exactly the same laws, i don't think that makes sense. the way i would put it is they need to be consistent, they don't need to be identical, right, a patchwork of inconsistent laws which is a little bit the situation that we have now, that's not helpful. it's not helpful for businesses or consumers or not helpful to anyone. i think having high standard of privacy protection that's consistent around the world would be really helpful. >> host: is it expensive to
8:25 am
comply with the gdpr? >> so i will speak for -- [laughter] >> our companies have been thinking about this for many, many years and so they already had very high standards of privacy and, again that was driven not by, you know, the desire to comply with the law but the desire to meet their customers' expectations of privacy which are high. >> host: victoria, think about the start-up who doesn't have the money. >> exactly. so as i said, one of the things that could be more of a challenge for companies that are not the companies i represent, that have not been thinking about privacy more -- for many years now are because they are being impacted in a way that's different. even in europe i heard the commission say that it has -- how should i put it, there's a strong desire there to try to make sure that small companies understand the laws as best that
8:26 am
they can so they can come into compliance and the commission is doing various things to try to communicate out the rules but it's not easy, it's not easy in part because it's a big law and as i said before like any big law there are going to be matters that are subject to interpretation and so the commission and the members -- the regulators in the separate european countries are going to need to figure out how to interpret that and small companies are going to need to try to understand that in a way that is relatively simple and that's why, you know, i was saying, i think while compliance with regulation is obviously important, really what i think is the most important part of this is as small companies are thinking about this, hopefully this doesn't end up as a checklist, well, we put things in place, hopefully what it leads to more -- having more companies involved in a more thoughtful discussion about how
8:27 am
data should be treated and what the standards of privacy should be? >> nuala o'connor, is compliance expensive? >> relative to what? [laughter] >> companies will put money towards things that are important, right, that are necessary. here is how i look at it, privacy is an essential element of your service to your customer, right, that's why -- to double down on victoria's thought, new industry actually gets this, they understand both the power of data and the value of data both the company and to the individual whose data they hold and hold it in trust for individual as well as the company's own use. is it expensive, sure, i think some employee time and attention needed to be paid and occasionally some maybe outside lawyers who are wise and helpful in this area but smaller
8:28 am
companies will have less data to start, right, being aware that you have a responsibility and a relationship with that data and that customer from the beginning may mean that you as small start-up will architect system in a way that allows the individual to access their data but keeps data safe within the boundary of four walls of your house, i think people probably thought it was expensive to comply with environmental laws. i see this privacy and data issue as the -- as industrial companies in the last century saw environmental issues. it was something they had to fix, it was impact on the world. the analogy i always make is -- the general electric company and had to clean up the hudson many, many years after predecessors had polluted it in part. it had impacted the environment, similarly companies, digital companies and nondigital companies that have individual data that either lose it or breach it are polluting the data
8:29 am
environment, right, and so -- or they have a custodian responsibility and to treat data fairly and humanely and with dignity. i don't think it is outside in relationship to the risk it imposes and the harm it imposes to the individual whose data is being used. >> you know, one place where the gdpr could get expensive is the way the penalties work. the penalties if there's a violation can be 4% of annual turnover and if that's applied by european regulators against small company who is in violation of some aspect of gdpr that could be very expensive. it's my view and assumption it's not what the european regulators are going to try to do and so, you know, i think it's possible
8:30 am
that -- you know, i think they are going to do what they should do but the main -- what i mean by that is their main goal is to protect privacy. s. and the visor and intellectual property. nuala o'connor, president and ceo. chief privacy officer at the homeland security. both of them have jds from georgetown university. thank you and come back. >> thank you, peter.
8:31 am
8:32 am
>> the senate intelligence committee held a hearing on this information used campaign by foreign groups and individuals. this is two and a half hours. [inaudible conversations]