Folks are shuffling in. I will just go ahead and get started in the interest of encouraging them to everyone to kong regular eight again. Thanks to those of you whove stuck with us through a long and fascinating day at the 2016 Cato Institute surveillance conference. Our last pair of flash talks is going to focus on some of the global aspects of u. S. Surveillance. At cato of course were big fans of the constitution. We tend to focus very much on the Fourth Amendment and domestic law and how it regulates surveillance of american citizens and their rights. But the scope of american surveillance, both for Law Enforcement and intelligence purposes, is now really global in scale. So as a result it has implications for the human rights of people around the world but also for our political and diplomatic and economic relationships with other countries, in particular the economic interests of u. S. Companies that hope to do business around the globe. So talk about two aspects of that. Alan butler a senior counselor with the electronic privacy information center, who will talk about the shrims case and the ways some u. S. Surveillance is creating problems in europe. And professor jen dask who will talk about trying to articulate some principles for Data Exchange as it becomes thornier trying to figure out whose jurisdiction applies to the kind of data Law Enforcement needs in investigations. Well begin with alan butler. Thanks, julian and to cat o. For having me. Happy to be here today to speak about a new International Dimension to this debate over u. S. Surveillance authorities. Im talking as many of you probably know about the shrems decision of the correlate of justice of the European Union last year. This decision really upended the primary mechanism that was used by businesses to to transfer decision it tloed a renegotiation of privacy agreements between the two governments and has opened up new avenues to challenge these surveillance activities. Now, historically, u. S. Surveillance Reform Movement here has focused on statutory and constitutional limitations as julian mentioned that apply domestically, if you think about the debates over fisa and the patriot act and ecba. And there have certainly been International Groups who have been engaged and vocal on these issues. But these issues havent necessarily played these International Issues havent necessarily played a major role in executive branch or congressional policy making on surveillance. But that all changed after 2013 and the snowden revelations. When the u. S. Came under increasing scrutiny in other countries, especially the eu, for their surveillance activities, in the eu in brt theres a strong history of privacy protections and independent enforcement authorities in each of the regulating countries and traditionally these Data Protection authorities have focused a lot of their attention on the actions of private companies. But the Prism Program provided for the European Courts a clear link between the actions of companies that collect and transfer personal data and the surveillance activities of the u. S. Government. And it certainly didnt help that section 702 under which prism is authorized specifically ignores the privacy interests of foreign citizens in the u. S. But at the time prior to the schrems case it was not exactly clear what leverage the eu would have to in a sense push back on the u. S. For this broad surveillance that was being revealed. Then an individual, max schrems, whos an austrian law student, filed a complaint with the Data Protection authority alleging that facebook that transferred his data to the u. S. , thus exposed him to these surveillance activities. Now, facebook has a Major Business operations in ireland for tax and other reasons, and so the irish Data Protection authority had the authority to bring claims against facebook for violate iing the eu privacy directive and fundamental rights und err why the eu charter. The eu privacy directive specifically applies to any company that processes personal data in europe and also limits the ability of companies to transfer that data to other countries in particular had those countries do not provide adequate protection for that data or essentially equivalent protection for that data relative to whats provided in the eu. So that transfer of personal data between the eu and the u. S. Specifically has historically been authorized under an agreement that those two governments entered into in 2000 called the safe harbor agreement. Basically, they created a safe harbor, a set of principles that countries could sign on to and agree to and therefore transfer data freely between the two countries without in theory violating the directive or eu law. And this was called into question in the schrems case because there schrems alleged to the Data Protection authority that despite the safe harbor agreement facebook was violeting the directive and violating his rielths u rights under the charter by transferring his data and expoegz them to u. S. Surveillance. The Data ProtectionAuthority Found they con bring an action against facebook because facebook was abiding by safe harbor. And ultimately through a suit brought by mr. Schrems against the Data Protection authority a question was certified up to the highest court in the eu, the court of justice, and that question was whether that safe harbor agreement itself was valid or whether that violated both the fundamental rates in the eu and the eu privacy directive. Sxumtly the court of justice did find that the safe harbor agreement was invalid. They held that in october of 2015. And this was sort of the bombshell that dropped on the u. S. Eu privacy world last year. And central to this case was the surveillance alleged in mr. Schrems xrant and revealed in snowden revelations and this hook between u. S. Companies and u. S. Surveillance activities. And ultimately, what the court of justice found was that the safe harbor agreement was nothing more essentially than an agreement between the u. S. And the eu that didnt itself provide for that adequate protection thats required under the directive. And this has been its hard to understate how much of a fundamental shift this has caused in the relations between the u. S. And the eu as julian alluded to before. This has really created an entirely new dimension to the debate over surveillance activities in that now there are all of these companies that engage in these transfers of data every day. Theres lots of money at stake. And by knocking out safe harbor the court of justice really put a lot of uncertainty and a lot of risk for Companies Transferring data that are concerned now that there will be, you know, major Enforcement Actions brought against them, suits against them for violating the directive, and the deal thats been negotiated in the time since the schrems decision came down, which is called Privacy Shield, its not at all clear that it would be that it will be upheld by the court of justice either because again, the court of justice ultimately focused on both the limited scope of u. S. Privacy protections and limited redress for eu citizens for u. S. Surveillance activities. And so with those two sort of looming questions theres now a new case being brought again in ireland, again related to a complaint by mr. Schrems. This time by the irish Data Protection authority itself. And this kcase, which is likely to go back up to the European Court of justice, has to do with the only alternative mechanism at the moment before Privacy Shield was put in place to transfer data. And these are contractual agreements between data processors in the eu and the u. S. That are also provided as a mechanism under the directive. So here the companies essentially enter into a private agreement that is defined by a decision by the europe. Commission as adequately protecting personalitiprotect ing personal data but the same question is at issue which is if a company in the eu is transferring all this, private communications, personal data to the u. S. , are they therefore exposing those eu individuals to surveillance activities of the u. S. Government without providing adequate protection, without providing for adequate redress . So really it puts real money at stake in the debate over the scope of the surveillance authorities and the surveillance protections. And i think it raises a lot of fundamental questions about how privacy law will be structured in the u. S. One issue thats going to be coming up over the next 12 months is the renewal of the 702 authorities themselves. Another issue were going to see in the next few months and certainly within the next 12 months is whether a new administration will Carry Forward some of the privacy provisions that were adopted by the obama administration. And you know, people have different views about how protective or not those provisions may be. But one of the fundamental flaws i think that the european correlate is likely to recognize in relying on executive orders, for example, is that they can be rescinded. They dont exist permanently or semipermanently in law. So it will be a real test in these new cases and a real measurement of whats happening in a new administration for the European Courts to be able to watch as privacy law changes in realtime in the u. S. And react to that. And thats really this new dimension, is to have an outside view of whats happening with u. S. Surveillance authorities going forward. Thats the short 15minute version of the schrems case. Theres obviously a lot more issues there. But i think going forward, its going to continue these cases theres several now. Are going to continue to raise fundamental questions about how the u. S. Structures its privacy protections. Especially whether to what extent it grants protections to nonu. S. Persons abroad. So thank you. So first a huge thanks to cato for putting on this terrific conference and to julian for inviting me here to speak today. I want to talk about what i see as two sides of the same coin, which is u. S. Data that happens to be located outside the territorial boundaries of the United States, and foreign governments need to access data that happens to be within the territorial boundaries of the United States. And ill give you the punchline from the outset. In my view the current set of rules are imposing arbitrary limits on Law Enforcements ability to access data based on where that data happens to be held. Its an attempt in my opinion to kind of blithely transpose rules that apply to other forms of property onto data without recognizing the unique and other features of data including his giv diviesability and perhaps most importantly, third party control, the fact that facebook and google could control where the data is located without us users having any say in that fact. And these together make location an increasingly arbitrary and normatively unsound basis for limiting Law Enforcement jurisdiction. And while these limitations are often described as privacy protective, they actually undercut privacy as well as security and Economic Growth and innovation. So let me start with the problem of u. S. Law enforcement access to data across borders. This was the issue that was decided this summer by the 2nd circuit in whats known as the microsoft ireland case. I i assume everyone here is familiar with that case. It started back in december of 2013. When the u. S. Government served a warrant pursuant to the Electronics Communications privacy act called ecpa. Mieshlth turned over the noncontent data things like name, i. P. Address, billing information, but it refused to turn over the content of communications saying that those were stored in dublin, ireland, that the United States warrant jurisdiction only extends to the territorial boundaries of the United States, and that therefore the warrant was invalid. The government fought back, as the government put it, and two lower courts agreed. This was not a traditional search warrant that involved u. S. Law enforcement officials crossing over into ireland territory and seizing property there. Rather it was directed at microsoft requiring that microsoft disclose the soughtafter communications. Yes, the data was in ireland but microsoft employees sitting in red mop redmond, washington could access the data without ever leaving the territory of the United States. So it was a territorial, not an extrastertal search it came to a disclosure order issued pursuant to subpoena. The 2nd circuit conclude td was about privacy not disclosure, that it was an extraterritorial search and that the United StatesAuthority Pursuant to ecpa extends only to data thats physically located within the physically located within the United States territory. Captions Copyright National cable satellite corp. 2008 captioning performed by vitac