I will get started and encourage everyone to congregate again. Thanks to those who stuck with us, at the 2016 Cato Institute. This is going to focus on the intelligence aspects. We tend to focus on the Fourth Amendment and domestic. This is really global in scale, and so as a result it has implications for the human rights of people around the world but also for our political and diplomatic and economic relationships with other countries, in particular the economic interest of U.S. businesses who hope to do business around the world. We have Allen Butler, who will talk about the Schrems case. And talk about cross data, in figuring out what kind of jurisdiction applies with regard to law enforcement.
Thanks for having me. I'm happy to be here today to speak with you about a new international dimension over these U.S. surveillance authorities. Many of you probably know about the Schrems decision, it was used by businesses to transfer personal data between the U.S. and the European Union, also led to a mandate of privacy agreement between the two governments and opened up new challenges to surveillance activities. Historically the movement has applied to statutory when you think about the there have been groups engaged and vocal on these issues, but these international issues haven't necessarily played a major role on policy making in surveillance, but that all changed after 2013 and the Snowden revelations, especially in the EU for surveillance activities. In the EU in particular there's a strong independent enforcement authority by regulators in each of the member countries, and traditionally these data authorities have focused on the action on private companies, but the PRISM program provided for the European Court a clear link between the actions of companies that collect and transfer personal data and the surveillance activities of the U.S. government, and didn't help under Section 702 ignores the privacy interest of foreign citizens in the U.S.
But at the time prior to the Schrems case what leverage it would have to push back on this broader sense it was being revealed. Then an individual, Mark Schrems, filed a suit. And exposed him to these surveillance activities through Facebook. They have major business productions, and they had authority to bring it for the EU charter. The EU privacy directive specifically applies to any company that processes personal data in Europe and limits the ability to transfer that data to other countries, in particular when those countries do not provide adequate protection for that data or equivalent protection to that data relative to what's provided in the EU. So that transfer of personal data between the EU and the U.S. specifically has historically been authorized that the governments entered into called the Safe Harbor agreement, that they could sign on and agree to and therefore transfer data freely between the two countries without the fear of violating the directive or EU law, and this was called into question on the Schrems they argued it was exposing him to U.S. surveillance. The protection agency in Ireland couldn't find an action against Facebook because they were through Safe Harbor. A question was sent up to the highest court in the EU, and it was whether that Safe Harbor agreement was valid or whether that violated the fundamental rights and the EU privacy directive, and ultimately the Court of Justice found it was invalid. It was held in 2015 and sort of the bombshell that dropped on the privacy world last year, around central to this case was the surveillance alleged in Mr. Schrems's case. And ultimately what the Court of Justice found was that the Safe Harbor agreement was nothing essentially more than an agreement that didn't provide under the directive. It's hard to understate how much of a fundamental shift this has caused between the U.S. and the EU, as Julian alluded to before.
This has really created an entirely new dimension to the debate over surveillance activities, in that now there are all of these companies that engage in these transfers of data every day. Lots of money at stake, and by knocking out Safe Harbor the Court of Justice really put a lot of uncertainty and a lot of risk for companies transferring data that are concerned now there will be major enforcement actions brought against them, suits against them for violating the directive. And the deal that's been negotiated in the time since the Schrems decision came down, called Privacy Shield, it is not at all clear it will be upheld by the Court of Justice either, because again the Court of Justice ultimately focused on both the limited scope of U.S. privacy protections and limited redress for EU citizens for U.S. surveillance activities. And so with those two sort of looming questions there is now a new case being brought, again in Ireland, again related to a complaint by Mr. Schrems. And this case, likely to go back up to the European Court of Justice, has to do with the only alternative mechanism at the moment before a Privacy Shield was put into place to transfer data, and these are contractual agreements between the EU and the U.S., also provided as a mechanism under the directive. So here the companies essentially enter into a private agreement defined by the European Commission as adequately conducting personal data, but the same question is at issue, which is if it is transferring personal data to the U.S. are they exposing the EU individuals to the U.S. government without providing for adequate redress. So it puts money in the stake over the debate over the scope of these surveillance protections, and I think it raises a lot of fundamental questions about how privacy law will be structured in the U.S. One issue that's going to be coming up for the next 12 months is the renewal of the 702 authorities themselves.
The next issue we're going to see in the next few months, and certainly the next 12 months, is whether a new administration will carry forward some of the privacy provisions adopted by the Obama administration. And you know people have different views about how protective or not those provisions may be, but one of the fundamental flaws that the European Court is likely to recognize is relying on executive orders is that they can be rescinded. They don't exist in law. It will be a test in these cases and what's happening in a new administration for the courts to be able to watch as privacy law changes in real time in the U.S. and react to that. And that's really this new dimension, is to have an outside view of what's happening with U.S. surveillance authorities going forward. So, that's the short 15-minute version of the Schrems case. These cases are going to continue to raise really fundamental issues about how the U.S. structures its privacy protections to non-U.S. persons abroad. So thank you. [applause]
So, first a huge thanks to Cato for putting on this terrific conference and to Julian for inviting me to speak here today. I see two sides of the coin: data that's outside the territorial boundary, outside of the United States, and data that happens to be within the United States. In my view the current set of rules are enforcing arbitrary limits on where that data is held. It blaitly its divisibility these make increasingly arbitrary basis. They undercut privacy as well as security and economic growth and innovation. This was the issue that was decided this summer by the Second Circuit, known as the Microsoft Ireland case. I assume everyone is familiar with it. It started back in December of 2013 when the U.S. government served a warrant pursuant to the privacy, associated with a particular account.
Microsoft turned over the non-content data, things like name, IP address, but refused to turn over information that was over in Ireland and therefore the warrant was invalid. This was not a traditional search warrant that involved U.S. law enforcement officials crossing over into Ireland territory and seizing property there; rather it was directed at Microsoft, requiring that Microsoft disclose sought-after communications. Yes, the data was in Ireland, but people in Washington could access the data from the United States. It came to a compelled disclosure order pursuant to a second subpoena. Concluding that the relevant statute is about privacy not disclosure, that it was an extraterritorial search and the U.S. pursuant to akba this case since the ruling has been described as a privacy win by many. I'm not so sure this is true. First, remember the government got a warrant based on probable cause. It had not been able to access it had it been located in the United States, and no privacy violation assuming that everything was fine with the warrant. It doesn't become a privacy thinks that any obstacle in the way of U.S. law enforcement is a good thing. The end result means that if the United States law enforcement officials seek data that happens to be outside our borders, it needs to now make a mutual legal assistance request for that data, and then the foreign government, should it choose to respond, access that data according to its own standards. In my would say, in most situations, those standards are lower, they're less protective than a warrant based on probable cause overseen by an independent magistrate or judge. And second, even if this case is about privacy, it is not at all obvious that, as the Second Circuit concluded, that the privacy intrusion occurs in Ireland. Remember, Microsoft already has access to this data as a caretaker. And in fact moves it around without notice to or consent by the user.
Any additional privacy intrusion, it seems, takes place not when Microsoft moves the data, which it does anyway, but when that data is turned over to the U.S. government. That happens in the United States. Not Ireland. This ruling also has a number of potentially significant practical implications for the U.S. ability to access data lawfully, even when the target's U.S.-based, U.S. citizen, and the government has probable cause to access that data, because of where it is held. This happens for three reasons. First, the slowness of the mutual legal assistance process; it can be too long to be useful. Second, the United States only has mutual legal assistance treaties with about a third of the world's countries; it may not have a workable means of accessing sought-after data. And third, not all companies are structured like Microsoft, which has a relatively location-driven approach to how it stores and accesses data. Companies like Google and Facebook, for example, are constantly moving data around in ways that can make it sometimes hard to even ascertain where particular data is located at the particular moment that a warrant is served. But more importantly, a company like Google, for example, has structured its operations so that its data can only be accessed by law enforcement teams that are located in the United States. Now, let's assume that the United States government serves a warrant on Google for data associated with a particular account. If some or all of that data is outside the United States, Google can't lawfully respond under the Second Circuit ruling. If the U.S. government goes to that foreign jurisdiction, the foreign government says, we would love to help you, but we can't. We don't have jurisdiction over the people who can actually access that data, you do. And the practical result is that it means there is no way for law enforcement to access that data, even pursuant to a warrant based on probable cause.
Now, a big company like Google obviously can restructure to resolve these problems, but at least in the short term this is a situation we're in. And I think that this result has two concerning side effects. First, it encourages data location mandates as a means of ensuring access to data. Now, this isn't so much a trend in the United States, but rulings like the Microsoft Ireland case further incentivize foreign jurisdictions to mandate that data is held there, in part to protect against what is often perceived as the big bad reach of the U.S. law enforcement. The reality is, however, as I already stated, that in many cases the standards that those foreign governments will apply will be less protective of privacy rights than the standards that apply in the United States. And second, I think the reality is that powerful governments will find a way to access data if there is a sufficient need. And my fear is that a ruling like this shifts surveillance efforts into less transparent, less accountable, more surreptitious means of accessing data than a government like the United States might seek to access without independent review and oversight by a judge. Now, the government's appealing this ruling. I also think that there are problems with the government's position as well. And that the better ideal solution is for Congress to step in and get involved. I encourage everyone to read Judge Lynch's incredible concurring opinion in the Second Circuit on this point. In my view, an ideal amendment would permit the United States to access the communications content of its targets pursuant to a warrant, in investigations of serious crime, without regard to location of data. But also require the government and the reviewing court to take into account countervailing factors like the nationality and location of the target, like the nature of the crime, like the laws of other nations that might preclude access and the potential conflict with foreign nations.
So as to help protect against the situation in which the United States claims access to data anywhere and everywhere without regard to the sovereign interests of other states. So now I'll briefly turn to the converse problem, foreign governments seeking access to data located within the United States borders. So the same statute that is at issue in the Microsoft Ireland case also precludes U.S. companies from turning over data to foreign-based providers, content of communications. So think about the same problem from the foreign government perspective. UK law enforcement is investigating a London murder; the target, the witness and the victim are all in London. If they, if the alleged perpetrator were using a UK-based provider, the UK could go, the UK government, the law enforcement, could go to that provider and get access to that data within days, if not sooner. If instead the alleged perpetrator is using Gmail and UK law enforcement officials go to Google, Google says, go through the mutual legal assistance treaty process. It takes an average of ten months for a response to be sent back to the UK, and just as U.S. law enforcement officials are frustrated by the Microsoft Ireland decision, so too are foreign governments as a result of the inability to access data that happens to be U.S.-controlled. This is also in my view leading to a number of concerning responses, again, further encouraging data localization mandates, which I said permit governments to access data according to their own standards, often less privacy protective than the standards that exist in the United States. These kinds of mandates are also costly, they undercut the growth and efficiency of the internet and potentially shut out small startups from entering into the market because they simply can't comply with the cost of holding data in multiple jurisdictions. We're also seeing governments increasingly assert extraterritorial jurisdiction without the regard to conflict of laws that ensues.
This is not an academic hypothetical problem. In January 2015, there was a Microsoft employee executive arrested in Brazil, Facebook facing similar problems as well. And as I already said, these kinds of restrictions also further incentivize and encourage surreptitious means of accessing data. So as with the Microsoft Ireland case, we need a solution. And I think we have a chance to design a solution that yields a race to the top, or at least the raising of baseline substantive and procedural protections across the board, rather than a race to the bottom where every nation is seeking access to data based on their own rules without regard to things like the nationality and location of the target, and many rules many cases based on rules not particularly privacy protective. So recognizing this problem, the Department of Justice submitted legislation in the spring that would lift the blocking provision in certain circumstances. Specifically it would allow the executive branch to enter into exec