 Good afternoon everybody. My name is Barry Devereaux, I'm the managing partner of McCann Fitzgerald and it's my pleasure today to welcome you all to this afternoon's seminar. We're partnering with the Institute of International and European Affairs, the IIEA. It's only six weeks since we last partnered with them but it seems about six months ago because then we talked about the parallels of a breakfast and the conference in May and here we are two months later facing into an entirely different future. We're delighted that they've chosen to partner with us. They've done some tremendous work and we're very much appreciated being part of their plans. And today is, as we know, the privacy shield and the future of Europe. I think when we set this agenda, the future of Europe had an entirely different meaning than it has at the moment. We're not going to get into all of that. As we know, governments across the year of the union have finally given the green light to a new deal on how consumer data can be transmitted with the United States, ending months of delay caused by concerns over U.S. surveillance. Privacy shield, the new commercial data transfer pact, was provisionally agreed by the EU and the U.S. in February and has come into effect as of about two hours ago. The decision was notified to the member states. So I guess our choice of date was a coincidence but it is good to know that it's now law. And a couple of months ago, I guess there was some doubt about when the EU might get its act together, but it's actually finally done that and given a lot of certainty. And as we know, the EU's top court had struck down the previous data transfer agreement, Safe Harbor, on concerns about intrusive U.S. surveillance, leaving companies like Google, Facebook and Mastercard and Legal Limbo. The free flow of data, as we know, is essential to the ever-growing segment of the global economy. Yet some policy makers and advocates citing privacy concerns have called for shutting off the faucet and the stricken data flow to the detriment of European consumers and European businesses, both small and large. Just yesterday, Microsoft said, Privacy Shield puts data flows between Europe and the U.S. on a solid legal foundation. And as we know, there's a huge dependence in the global economy on the ability to transmit data fast and safely. And last Friday in the Guardian in the UK, there was a opinion piece that said the framework will entertain over 250 billion of transatlantic trade in digital services annually by facilitating cross-border data transfers that are crucial to international business. That's all I have to say and should also mention that we're delighted not just long to welcome you today, but we have also, through webinar, we have quite a number of people that are dialing in from the United States, United Kingdom and continental Europe. So welcome to everybody who's not here in the room. And I'm going to hand you over shortly to Paul Lavery. I should just say that we're delighted to have Julie Brill with us here. Julie, as you know, is a former commissioner of the Federal Trade Commission. She's currently a partner and co-head of the Privacy and Cybersecurity Group in Hogan levels. Paul Lavery is the head of our technology and innovation group. We in McCanns are very fortunate to have someone supposed caliber to head the group here. Paul is an acknowledged expert in this area and for many years has been championing the cause to great effect. Paul will now leave the session with Julie. I'll hand you over to Paul. Thanks very much indeed. Thanks very much, Barry. As Barry mentioned, my name is Paul Lavery. I'm the head of the technology and innovation group in the capital cells. I'm going to be chairing the seminar today, but I've got a very easy job because basically I just guess to introduce an acknowledged expert in the field and somebody with quite an astounding CV that makes the rest of a field, I suppose, an adequate comparison. So just to give you a rundown on Julie, she was a partner in Hogan levels and the co-leader of their Privacy and Cybersecurity practice. From 2010 until recently, she was a commissioner of the U.S. Federal Trade Commission and far as the commissioner, Julie was widely seen as the commission's most important voice on internet privacy and data security issues. She was also heavily involved in the negotiations between the U.S. and the EU on replacements for the Safe Harbor Agreements. And I remember last year at a conference in Cambridge, where she was very able to work through defend the position of the U.S. in respect of a lot of questions that were coming in from members of the commission that were at the conference as well. And I thought there was only one winner in that argument sort of itself. Prior to serving as FTC commissioner, Julie was also the senior deputy attorney general in chief of consumer protection and antitrust for the North Carolina Department of Justice. And for more than 20 years, she served as an assistant attorney general for consumer protection and antitrust for the state of Vermont. So as the title of the seminar suggests, Julie will be discussing the EU-U.S. Privacy change. And I know Barry described what has happened, so I'd like to pretend that we knew what was all going to happen today. He's organized the six weeks in advance. If there wasn't the cans, that's not a lift, maybe with IAWA, that's not a different set. But on behalf of McCaffer-Serral Gandhi Institute of International and European Affairs, I'm delighted to welcome you all today. I'm also delighted to welcome those who are joining us by webinar. And I'd like to welcome Julie Beall. Thank you so much. Thank you, Barry. And thank you, Paul, for that lovely introduction. And I'd like to thank both McCann and Fitzgerald and, of course, the Institute for International and European Affairs for inviting me to speak here today. Let's see if I can guess. Are we good on them, Mike? Yeah. Okay. These are a set of issues that are really near and dear to my heart. And as has been alluded to, our timing could not have been more appropriate. For the second time in less than a month, Europe stands on the threshold of history. As many Europeans are still trying to wrap their heads around the idea of a union without Britain, the European Commission has been moving toward ratification of a landmark data protection agreement with the United States. The agreement, which is known as Privacy Shield, will provide European citizens with unprecedented protection for their personal and commercial data. It will also make Europe a vital hub in the global flow of digital information. And as has also been alluded to a couple of times today, just today, an hour or two ago, European Commissioner for Justice Vera Yarova and US Secretary of Commerce Penny Pritzker signed the Privacy Shield Agreement, marking its final approval and opening the door on a new era of safe, secure digital commerce for European citizens and businesses. But immediately following this historic step, Privacy Shield is certain to face legal challenges, leaving the courts to decide its fate. These decisions will have a monumental impact on the future of Europe and on the EU's place in the global economic hierarchy. Now before I get into the weeds, and as a former United States Federal Trade Commissioner, I assure you I can get into the weeds, I want to take a moment to give you a preview of what I'll be discussing today. First, I'll briefly describe how Privacy Shield came about, how it differs from its forebear, the safe harbor, and how it provides essentially equivalent protections to those enjoyed by Europeans in their own countries. Second, I'll discuss the ways that Europe's attitude towards Privacy Shield strikes at the future it sees for itself in the global economy and community. Third, I'll argue that the ratification of Privacy Shield has been essentially, has been essential precisely because it is not a panacea, but one step in the continuing evolution of the law, which must evolve to keep pace with the digital ecosystem that increases in complexity each and every day. There's never been a more important moment for Privacy Protection than the one that we face today, both with regard to data sharing and with regard to our broader economy. The European Union and the United States have an opportunity to embrace our shared beliefs in free market economic principles and more essentially in the democratic process. To quote my former boss, President Obama, what binds us together is greater than what drives us apart. I believe that the Privacy Shield agreement captures these common values and that's why I have been such a strong supporter of its ratification and its implementation. Now, I do not take notions about privacy lightly. In the sometimes pitched battle between the machinery of the free market and consumers' rights, I have staked my career on descending the ladder. Before I was a commissioner of the U.S. Federal Trade Commission, as Paul has mentioned, I spent 20 years enforcing privacy laws at the state level in the United States, first as an assistant attorney general for consumer protection and antitrust in Vermont and then as chief of consumer protection and antitrust in North Carolina. In my six years as commissioner at the Federal Trade Commission, the agency brought hundreds of enforcement actions against companies, including many tech giants, that we believe had failed to keep consumers' data reasonably secure, had misrepresented their data collection and use practices, had treated consumers and their data unfairly, or had violated one of the many specific laws designed to protect sensitive data. We obtained millions of dollars in penalties and restitution in these privacy and data security actions, and we placed numerous companies under 20-year orders with robust requirements for future compliance. Throughout my tenure, I championed the consumers' rights to transparency, notification, and privacy, efforts that were recognized when I was named the 2014 Privacy Leader of the Year by the International Association of Privacy Professionals. Since leaving the Federal Trade Commission in March, I have continued my advocacy work, including appealing for more stringent regulation governing the U.S. government's ability to access electronic data about its citizens. Now, I recognize that in detailing my work history, it may sound a little bit like I'm applying for a new job, but I assure you that is far from the case, as nice as it is here. I love my work, and I am very happy to be leading Hogan Level's global privacy and cybersecurity practice. Instead, the reason I gave you this career summary is to demonstrate when I say that I believe Privacy Shield is an effective and essential framework for the protection of European consumer data, I say it with some street cred as a proven and tireless consumer advocate. So, what is Privacy Shield? What protections does it offer? And why do they matter? And how did we arrive at a point where we've been operating up until today without a seamless framework for our transatlantic data flows? To answer those questions, let me give you a little taste of some of the history. Back in the year 2000, the United States Department of Commerce and the European Commission finalized a privacy framework called Safe Harbor. It was designed to protect the rights of European citizens as their data traveled across the Atlantic. American companies that adhered to Safe Harbor were allowed to collect and use data about European consumers and employees and store the data on US servers. By October of last year, some 4,500 US and European companies, all large or small, were relying on Safe Harbor to handle the data of 10,000 of European and American employees and to do business with millions of European citizens. Then in October of last year, as also has been alluded to, the Court of Justice of the European Union invalidated Safe Harbor, holding that it did not appear to provide Europeans with the levels of protection to which they were entitled as EU citizens. But while the Court of Justice's decision in the Shrems case sounded the death knell to Safe Harbor, negotiations on an updated data security framework between the US and the EU had already begun. Two years before Shrems, and in fact after Edward Snowden revealed that US intelligence agencies had been collecting personal consumer data held by American companies. The Shrems decision certainly added urgency to these negotiations, but the writing had been on the wall since Snowden. European policymakers and European privacy advocates believe that Safe Harbor's protections were no longer adequate. So privacy shielded the results of the negotiations that began in 2014. It is a new framework designed to replace and improve upon Safe Harbor. I believe it is the framework that Europeans deserve today. Safe, sorry, privacy shield strengthens consumer protections with regard to both government and commercial access to data. In doing so, it addresses the European Court of Justice's two major concerns about Safe Harbor. First, privacy shield outlined the fortifications to existing safeguards against government access to personal data for the purposes of national security surveillance. And second, it provides clear, inexpensive avenues of redress for individuals concerned that their data is being used improperly. These provisions are designed to meet the court's demands that the protections governing any data transfer of European data out of the EU be essentially equivalent to those protections found in European law. So to understand privacy shield and why protections are adequate, it's first important to understand the requirements for business and government agencies faced under the current regime of American privacy law. It's true that the U.S. has no single law like the baseline data protections laws that are found in most EU member states. But taken as a whole, U.S. laws and regulations do provide a layered assemblage of strong consumer safeguards. Indeed, U.S. law was clearly the inspiration for many of the guiding principles that informed the drafting of the new European data protection regulations, including an emphasis on data security and breach notifications, a focus on heightened protections for children's data, and a prioritization of the identification of sensitive data. Now, let me turn first to the United States' series and assemblage of laws that deal with government collection of data. Where government collection of personal data is concerned, the idea of a fundamental constitutional right of privacy is a cornerstone of American law, deeply woven into our social and legal fabric. Recently, the right to privacy has been extended through the U.S. Supreme Court and lower courts to include new technologies and new forms of communication. Moreover, the Judicial Redress Act, the USA Freedom Act, and President Obama's policy director, number 28, all adopted in the wake of the Snowden revelations honor and strengthen this tradition by providing new limitations on the way data is collected and used by U.S. intelligence services. The Judicial Redress Act, which explicitly extends the protections of the privacy actifying citizens, is particularly noteworthy in this discussion. Now, other U.S. laws now turning to the commercial arena protect information about children, finances, medical data, and student data, as well as information used to make substantive decisions about consumers' credit, insurance, employment, and housing. And at the state level, a level which I know very well, there are many privacy laws. Indeed, just last year, there were more than 60 privacy laws enacted in the states, the various states of the United States. The attorneys general of each of the 50 states, as well as a region of federal agencies, all of whom are led by the Federal Trade Commission, each have broad imperatives to enforce these laws and bring to account those whose actions do harm to consumers. Now, privacy shield clarified this amalgam of restrictions already in the United States. With respect to government surveillance, the privacy shield framework incorporates letters from the Office of the Director of National Intelligence, as well as the Department of Justice, which describes the limitations on government access to data for intelligence and law enforcement purposes. These letters are significant on at least two levels. First, they lay out the U.S. government's binding commitments to apply the same protections to European citizens' data that it applies to the U.S., to citizens in the U.S. and their data. These commitments include the government's fortification of citizens' protections in the USA Freedom Act and the U.S. Foreign Intelligence Surveillance Act, and the improvements in the operation of the, what's known as the FISA Court, the Court Under the U.S. Foreign Intelligence Surveillance Act. Second, these letters, in my view, demonstrate that the United States, and in particular, the intelligence and law enforcement communities, take the European Court of Justice's concerns seriously. Now, of course, such assurances are only as good as one's capacity to enforce them. That is certainly the belief that generally exists in the United States. To that end, Privacy Shield mandates the creation and appointment of an ombuds person. This ombuds person will sit within the State Department and will operate independently of the national security agencies and will be available exclusively to Europeans. Any European citizen with concerns about U.S. surveillance of his or her data may file a complaint to the ombuds person who will in turn verify that any surveillance measure has been implemented in accordance with law and will correct any anomalies or violations of the system's rights. It's worth noting that the ombuds person bears a striking resemblance to what is known as the National Oversight Commission, which is the solution in France to the balancing of individual rights and national security. Now, on the commercial side, Privacy Shield significantly enhances protections that were built into safe harbor. For instance, Privacy Shield requires data controllers to obtain consent from Europeans before they share data with third parties, including affirmative express consent to share sensitive data, such as health information. Privacy Shield also compels data controllers to allow Europeans to access, correct, or delete their transferred data. Crucially, data controllers will have to require their business partners who receive information about Europeans to live up to these principles as well. Finally, a raft of new procedural safeguards will make it easier and a lot less expensive for European consumers to pursue justice when they have been wronged by a participating company. For instance, U.S. companies that sign onto Privacy Shield must agree to provide independent resource mechanisms at no cost to the complainant. Should this measure fail, individuals can then take the company to binding arbitration, which will be at no cost to the individual, or the individual can take the company to court. Now, since Privacy Shield's debut in draft form three months ago, a number of stakeholders in Europe have analyzed and critiqued it. Most significantly, Europe's data protection watchdog, which are collectively known as the Article 29 Working Party, said that they welcomed Privacy Shield's significant improvements, but they also suggested some clarifications and expressed other continuing concerns. The negotiating parties, that is the Department of Commerce and the European Commission, have spent the past three months enhancing Privacy Shield to address the Article 29 Working Party's concerns. The resulting further improvements include added restrictions on the ability of Privacy Shield companies to retain data about EU citizens, and a clearer articulation of the extent of the armed persons' independence from the administration. Now, as I've traveled across Europe over the past several months, I've heard various stakeholders' voice an additional concern. They point out that because Privacy Shield does not have the status of a treaty, a new U.S. administration could water down Privacy Shield's protection. Now, these individuals are correct that Privacy Shield is not a treaty. The commitments of its signatories, however, are binding on both the United States government, as well as on the companies that voluntarily sign up. To me, it is really hard to conceive of a U.S. administration that would not eagerly embrace Privacy Shield and work hard to implement its highest levels of protection. But even if I'm wrong, and such an anomaly were to occur, there is a fail-safe. The new framework requires Europeans and Americans to consult, at least annually, on the framework's operation. And if the European Commission believes that the U.S. is violating its commitments, the Commission is empowered to suspend Privacy Shield. So let's take a moment here to answer a question that I'm guessing is nagging at more than one of you. And that is that post-TREM, that is, after the European Court of Justice's decision that invalidated State Harbor, you have been able to log onto Facebook and tweet to your heart's content. The data is continuing to flow, even without State Harbor in place. So with State Harbor invalidated, what set of rules has been in place to protect that data up until now? For the past eight months, businesses that previously relied on State Harbor have been permitted to employ other data transfer mechanisms that have been approved. They're known as standard contractual clauses, binding corporate rules, and a few others. And these were also designed to ensure that Europeans' data transfer practices, that data transfers that were made of Europeans' data, would meet the requirements set out under the EU law. Yet my view is that these data transfer mechanisms, unlike Privacy Shield, are opaque. For example, companies with approved binding corporate rules are listed on the European Commission's website, but the details of the rules that each company has created are not publicly available. And it can be similarly difficult to know which companies are using standard contractual clauses. In addition, these mechanisms can be expensive to implement, which makes them harder for small and medium enterprises to use. Now, this is especially harmful, and I say this with my head of the former competition regulator, because many SMEs on both sides of the Atlantic depend on the free flow of information to sell goods and services around the world, to build global workforces, and to take advantage of low cost cloud computing resources. Now, casting a little bit more uncertainty into this mix, my dear friend Helen Dixon, the Irish State Protection Commissioner who is here with us today, has just referred to the court the question of whether standard contractual clauses are adequate under European law. Businesses, which tend to rely on a stable landscape to deploy resources and make investments, are nervously watching this development. Now, we can already see the havoc that has been created by what I'll describe as broadly speaking as a result of all of these developments as a legal limbo. Adobe, Pepsi, and Unilever, which are not exactly unsophisticated players, were all signed by German regulators in June just last month for continuing to rely on safe harbor rather than setting up alternative channels for their data transfers. And in April, Cloud Storage Company box teamed with IBM to allow companies to store data in regional data storage facilities on European soil. That followed a similar arrangement between Microsoft and Deutsche Telecom. Now, while not in themselves really bad news, these arrangements may speak to the degree of uncertainty that businesses feel in the current climate and the seriousness with which they are responding to a perception of increasing European insularity. Forcing businesses to localize their data warehousing and split their storage capabilities will not foster robust competition or be an economically viable long-term solution. But more importantly, if you're going to turn further towards insularity, it would create a dangerous international precedent. Regimes around the world will be watching and they will point to the continent to justify their own data localization laws and their ensuing efforts to increase their government's access to their citizens' data and to data of others, often without the safeguards that exist in democracies like the United States and the EU member states. With today's finalization of the Privacy Shield Framework, the US and the EU have affirmed what Vera Yerova said last October. It is important that transatlantic data flows continue as they are the backbone of our economy. I might add that they are also the backbone of our democracy. In affirming that principle today, governments on both sides of the Atlantic have also affirmed that the transfer of this data requires a clear set of guidelines. We need rules that allow consumers to consent to or reject overtures to collect or use their data and a transparent set of mechanisms for consumers to seek recourse when they feel that their fundamental rights to privacy has been abridged. Look, Privacy Shield is not perfect. No, large-scale regulatory framework is, especially not on first pass. The perfection is not what the moment calls for. Instead, we should view Privacy Shield as a living framework. As I noted, the US Department of Commerce and the EU Commission will engage in ongoing consultations about its effectiveness and about whether the parties are living up to their commitment. The European Data Protection Authority and the US Federal Trade Commission will also hold continual discussions about enforcement issues under the framework. The ultimate test of Privacy Shield effectiveness will be how well it works in practice in the months and years to come. As for today, I'm confident in saying that the protection provided to European citizens under Privacy Shield are essentially equivalent to those that they enjoy on their own soil. Now, the final decision about Privacy Shield's adequacy is not going to be made by me. It's going to be made by the European Court of Justice. I am hopeful that the court will provide itself with the means to appreciate the full spectrum of protection that are built into Privacy Shield as they adjudicate, that is, as the court adjudicates the near certain challenge to come. Now, let me turn to the future. And actually, it's really the present we can call it the future if we want to. As the merits of Privacy Shield are going to be debated and determined, both in the court at Luxembourg as well as the court of public opinion, it's just as important to keep our eye on the ultimate prize, which is continually guaranteeing consumers the right to privacy, even if the ground beneath us relentlessly shifts. This requires more than statutes and agreements that govern oversight and data stewardship. It requires intelligence and vigilance, innovation, and collaboration. How we foster a safe, fertile environment for the flow of data depends on our willingness to work together to adapt to the changes brought by ever-evolving technologies. As just one example, let me point you to the Internet of Things. We are connecting nearly everything to the Internet these days, from cars and buildings to clothing and even light bulbs. The pace and scale of these changes are truly breathtaking. Cisco reports that there are 25 billion network devices in the world today and predicts that there will be 50 billion by the year 2020. That's only four years away, folks. Sensors in these devices, along with our smartphones, tablets, and computers, generate twice as much data today as they did just two years ago, and this trend shows no sign of slowing down. To my eye, this can all be to the good, from enabling cities to better maintain their infrastructures to developing effective treatments for some of the most intractable diseases we stand at the brink of possibility. But as the ad network devices to our homes, our classrooms, and our clothes, much more sensitive data will be collected. User interfaces on devices will shrink or disappear, making it more difficult for consumers to know and keep track about when their data is being collected and making it more difficult for them to exercise choice over this data movement. These developments will pose difficult challenges for privacy, security, and indeed fairness in our societies. Without data security, there is no such thing as privacy. My former agency, the U.S. Federal Trade Commission, noted that the Internet of Things Network, the network that's created of connected devices that forms the Internet of Things, is only as secure as its weakest link. And the expansion in threat vectors created by this network creates a risk not only to the data but also to the devices themselves, which can include cars and medical devices that are implanted in our bodies. If we are serious about protecting the privacy of consumers, we must focus on the damage that is done by an attack that threatens data and devices and their security as much as we focus on the damage done by unauthorized transfers to third-party vendors. The geometric rate of increase in devices used and data collected makes it all the more essential to reach outward to our allies rather than shrink inward and batten down the hatches. The opportunity we have now is to balance the competing interests that complicate decisions in any free society. I believe that within these larger issues presented by newer and data-intensive technologies and the highly connected world that they create, the United States and Europe may be able to forge a constructive dialogue. Here we may find common approaches to simultaneously foster innovation and address the challenges these technologies pose to fundamental principles of privacy, security and fairness in our society. Once we have a new data transfer mechanism in place and once we begin an honest conversation about the ways in which our law enforcement and intelligence data collection practices are essentially equivalent, the United States and Europe will be primed to face the challenges that these brave new developments present. Then we will position ourselves to protect our citizens' data and their privacy in the future. Thank you very much.