Transcripts For CSPAN2 Discussion On Digital Privacy 2015101

CSPAN2 Discussion On Digital Privacy October 19, 2015

We're going to get started. Good afternoon. I'm with the Internet Education Foundation. I want to welcome you to our briefing. This event is cohosted by the Congressional Internet Caucus Advisory Committee in cooperation with the Congressional Internet Caucus. The cochairs are Representatives Bob Goodlatte and Anna Eshoo on the House side, and on the Senate side, Senators John Thune and Patrick Leahy. We thank them for their support of educational events like this. And just a little bit of housekeeping before we get started, the Twitter hashtag is E.U. Safe Harbor, and all of our Twitter accounts, the panelists' information is on your program. We also have a few upcoming events, both of which are listed. On October 21st, there'll be a happy hour with the Facebook team and October 22nd the second annual Congressional App Challenge will kick off. For more information about how to get your office involved, visit our web site or talk to our executive director. I'm now going to turn it over to Mary Ellen Callahan, former chief privacy officer for the Department of Homeland Security.

Thank you very much, Rachel. Thanks for coming. I want to thank my panelists who I'll briefly introduce. From my far right, Damian Levy is the head of the trade section of the European Union to the United States. Adam Schlosser is the director for the Center for Global Regulatory Cooperation International at the U.S. Chamber of Commerce. Gayle Slater is the Vice President of the Internet Association and Amy Stepanovich is U.S. policy manager at Access. I want to thank them all for coming, and first let's talk about what are we talking about here today, right? We're talking about boat, all sorts of sinking, that doesn't sound very good. I'm going to ask my panelists to tell me whether or not I'm right and where we're going in the future.
So the safe harbor decision that was decided by the European Court of Justice on October 6, 2015, actually has its origins 20 years earlier. In 1995 the European Union passed a Data Protection Directive which has rules and regulations and general standards by which E.U. member states have to adhere to data protection or privacy regulation. There's a prohibition in the directive about allowing the cross-border transfer of personal data, which is very broadly defined and it pretty much is all electronic information. You cannot have cross-border transfer unless the country to whom you're transferring the information has adequate privacy protections or, alternatively, some other sorts of protections. The United States has a sectoral approach to privacy and is not considered to be adequate under the European regime. It wasn't in '95, and to this day it is still not considered to have an adequate privacy regime. So what's a U.S. company to do? From 1998 to 2000 the U.S. Department of Commerce negotiated with the European Commission and created something called the U.S.-E.U. Safe Harbor. The U.S.-E.U. Safe Harbor is a regime and it basically follows the E.U. standards, the E.U. privacy principles. And if companies go and make a public proclamation, I, company, adhere to the U.S.-E.U. Safe Harbor, they're listed on the Department of Commerce's web site, which I believe is currently disabled, but they go and make a promise, and they say I agree to adhere to these standards. The Federal Trade Commission has the authority to investigate whether or not people have the ability to, whether or not they are actually keeping that promise. And you have to renew that promise every year in a public statement, and the list is about 4500 companies currently have safe harbor regime. That safe harbor was considered to be an adequate legal process under the European Commission.
And there's been some questions, and there have been throughout from 2000 on there had been a lot of questions, is safe harbor sufficient, is this public promise sufficient, shouldn't there be stronger E.U. guidance on this and so on. Kind of came to, and by the way, that deal, the U.S.-E.U. Safe Harbor deal is an executive branch decision, so there was no congressional approval over it. It was the U.S. Department of Commerce directly with the European Commission from a legislative perspective for those in the room. In 2013 we had the unauthorized disclosures colloquially known as Snowden. I try to call them the unauthorized disclosures of 2013 to not personalize this. But after those disclosures, an Austrian law student went to the Ireland data protection commissioner and said I think Facebook is violating E.U. privacy law even though they are safe harbor certified. The Irish DPA said I can't decide this. The Irish High Court concurred with the data protection authority, then it was appealed to the European Court of Justice. The European Court of Justice, first, the advocate general came out with a decision late in September that said based on the U.S. systemic failures in privacy protection and particularly pointing out the June 2013 disclosures associated with surveillance and wholesale collection of particularly European Union citizen data based off of the reporting, that the advocate general recommended invalidating safe harbor. The European Court of Justice concurred and invalidated safe harbor as of October 6th. It's a long way to get there, but I thought it'd be helpful with some framing. My question to you, Damian, is what did the court decide on, and what's the scope of the decision?

Thank you very much for this great summary.
The Court of Justice was actually asked by the High Court in Dublin, actually, it's the first-level court that concur with the DPA, and the High Court did not rule against, but actually asked the court a question to Court of Justice asking whether or not we have this safe harbor decision of the Commission of 2000. The Irish data protection authority is telling that it doesn't have any duty to investigate this case. Is that right under E.U. law, or is it the case that despite this decision of 2000 by the Commission that rules on this side or privacy principles are equivalent to the rules on the European side? Is it the case that still national data protection authorities have a duty to investigate a claim when a person says I think my rights have been violated? The short answer is the court is basically saying, yes, indeed. The national authorities retain a duty to investigate a claim by citizens. And the reason why the court takes that decision is to say under E.U. law and European Charter for Fundamental Rights, you need the right of redress. And you need to be, and so also the right to privacy of the protection of personal data is a fundamental right in our European charter and, therefore, national authorities have also a duty to enforce compliance of that right, if you want. And so by combining in the directive and European charter, the court comes to that conclusion. But to come to that conclusion, the court also says since the claim was the safe harbor decision of the Commission of 2000 is invalid and the High Court in Dublin seems to go along with that decision, I mean, it's not, I haven't read the Irish court decision, I only read the European Court of Justice's decision. It's kind of interesting to say that the European Court said, yeah, indeed that Irish court seems to go along with the things, therefore, I need to investigate this issue of validity or invalidity of the safe harbor decision under E.U.
law and primary law, what we call the E.U. treaty, if you want. Which is, anyway, equivalent to your constitution. And so the court looks at the safe harbor decision of 2000, Article 1 and then Article 3, and checks whether it's consistent that the Commission decision remains valid under the law given the fact, given what, what has appeared since then. But also from day one. It looks at how the safe harbor arrangement is constructed. It's not a commitment by United States government. It's a system of certification by American companies, and the court says, well, that's okay. It's better that the laws protect the data of private individuals, but still it's okay. And then looks at how it's enforced, how it's organized and enforced and comes to the conclusion, I don't need to go into the details now, that basically it's not a sufficient protection and, therefore, the rights of the citizens are not sufficiently protected and, therefore, the Commission decision is invalid. I'm doing a very short summary of that. And so, therefore, not only the answer to the Irish court is, yes, you have to tell the Irish data protection authority, you need to investigate this case on Facebook, but it's also ruling [inaudible] and this ruling is binding within European Union including Commission and all the national data protection authorities. Actually, that decision of 2000 is not valid.

So the decision that the safe harbor is not valid, Amy, I have a question for you. Do you think that this is a decision that's related to surveillance and the unauthorized disclosures of 2013, or is it related to commercial data privacy decision?

Thank you, Mary Ellen. So I think at its heart we have to say this is a surveillance decision. The impetus for the entire case are the 2013 revelations by the Washington Post and in The Guardian about surveillance conducted specifically under Section 702 of the FISA Amendments Act and more specifically, a program called PRISM.
So that was, these revelations were what really motivated the case to ask for an investigation, to ask for the Irish national authority to look into safe harbor. So everything that has come out of that initial decision has come out because of surveillance. And the European Court of Justice's opinion really spent a lot of time looking at surveillance and looking at what the U.S. allows and what standards the U.S. uses in order to judge what surveillance is necessary. So the rest of the world really uses international human rights standards to guide their surveillance programs. They say that surveillance was only appropriate if it is necessary or it is proportionate. That's a standard that the E.U. uses, it's a standard under the ICCPR, the International Covenant of Civil and Political Rights, and it's a standard that kind of was incorporated into safe harbor. There's a huge exception for national security in safe harbor. Only if that surveillance conducted in the name of national security or law enforcement or public safety is necessary. And so the U.S. really, what the Court of Justice found is that the U.S. practices are not necessary, and they do not ensure this very high level of protection that is adequate for European data. Now, all of that said, the but is coming. It's a surveillance decision, but safe harbor is about commercial data practice. It is primarily a commercial data mechanism. And if you read through the Court of Justice's decision, they actually spend a fair amount of time talking about the inadequacies of safe harbor, about the fact that it's a self-certified mechanism so that there's no independent audit that say if an entity is complying, that there's not enough transparency, accountability. So you have to look at the entirety of the decision and realize that anything that flows out of it also has to meet kind of these deficiencies that the court is identifying in the safe harbor mechanism also from a commercial perspective.
So you really have to kind of dual consider what do we need to do from a surveillance perspective to make sure that the United States law and practice is in line with the international standards that the E.U. thinks it should be in line with, and also what do we have to do from a commercial privacy perspective to make sure that whatever new mechanism comes in, and we will certainly talk about new mechanisms in a bit, actually complies with what the Court of Justice thinks it should comply with. Because now that the Court of Justice has said that national authorities have an ability to review decisions from the Commission, we can expect any new mechanism can also go up to the Court of Justice, and so you don't want another period of indecision following this where an inadequate mechanism can get struck down a couple years from now.

Adam, I'm going to ask you the same question which is, is this a surveillance decision or a commercial privacy decision, and regardless of the answer, if you could let our audience know why transborder data flows are so important and what's the impact of this decision.

Sure. Well, first, I'd like to add a point of clarification about the actual ruling by the Court of Justice. So in the ruling there was no examination of the commercial practices. It was examination of the national security side, and it wasn't even based on an investigation. It was based on allegations and PowerPoints and Guardian articles. So it would be very helpful moving forward if the European Court of Justice, if the data protection authorities could conduct a thorough investigation examining the changes to United States law made since 2013. The discussion in the ruling was based on practices as understood when safe harbor was created. And that also brings us to the point that the ruling is a process ruling.
So the decision is based on the fact that when safe harbor was agreed upon, the Commission, according to the court, didn't do a thorough investigation of the national security side of how the exemption in the safe harbor would be used by the United States and what our practices were in the year 2000 when it was agreed upon. So while safe harbor was invalidated on process grounds, there is no examination yet on the commercial side. And, in fact, the United States Department of Commerce, FTC and the Commission have been undergoing a review and an enhancement of safe harbor for the past two years. So there are some changes in place. There was a report that was put out by the Commission two years ago, and both sides of the Atlantic have been working very hard to satisfy the decision conditions in that report. To your question, it was a surveillance decision. So I think that, hopefully, answers that. The other piece is on the commercial side, the United States has a really strong system of enforcement. If you violate your self-certification, the FTC will carry out an enforcement action. There's nothing like that anywhere else in the world. And the European Commission, when they conduct adequacy determinations, often do not take the enforcement side into account. So while in the United States our commercial privacy practices aren't exactly in line with the European rules on paper, in words, in many areas we go above and beyond what the Europeans do. In fact, some of the other governments that are deemed adequate include Argentina, and I'm sure they have a robust system of enforcement in their own way, but I'm willing to bet in the United States we have stronger privacy practices how it works in reality, not just on paper. But getting to your second question about why is this whole issue important, why are we here, why do we care?
It's not just spam and advertising, it's the backbone of the global economy and the transatlantic economy. At the U.S. Chamber, we represent the interest of over three million companies in every single sector, every single size. Energy companies, manufacturing, consumer goods, hospitality, plus the internet and technology side. Every company you can think of relies on the internet today, and you need to be able to transfer data. Something very tangible, very easy is credit cards. You travel around the world, you go to Europe, you can use our credit card. Yes, you have money in your account, it goes to other companies to verify that, yes, you're you, and the purchase is satisfied within mere seconds. On the business-to-business side, it's
