 Good morning, everyone. I will ask everyone to take their seats. Welcome, we have a few more coming in. Good morning. My name is Heather Connelly. I'm director and senior fellow of the Europe program here at CSIS. And on behalf of my colleagues, Scott Miller, who chairs our international business program, and Jim Lewis, who directs our strategic technology program, welcome to the second installment in a series that CSIS is hosting a roundtable series on digital trade in the international economy. In January of this year, we held our first discussion in this series that brought Meredith Broadbent, a commissioner in the International Trade Commission, to give us the landscape and to release a recent report by the ITC on the scope and scale of the digital economy. And we brought some colleagues, some congressional staff colleagues, to help us understand this growing impact of digital trade on the US economy and its international implications. So as we try to understand the dynamics of digital trade policy and that intersection of the global infrastructure as well as national and international trade rules, I'd like to tell you we had the absolute perfect foresight of timing in holding our second roundtable discussion with the timing of negotiations here in Washington of the Safe Harbor Agreement. But I'll claim success we didn't, but we had great timing on our side. And we are delighted to focus our next conversation on the Safe Harbor Agreement. Clearly over the last several days, news coming from both Brussels as well as Washington suggests that differences are being narrowed over the Safe Harbor Agreement. Yet some challenges still remain. Exceptions for national security, judicial redress. And of course, within the European Union, a one stop shop question of how we can look at the Safe Harbor Agreement. I think it's so important, particularly in the transatlantic context, because if we don't get this right, it will be very unlikely that we will get the transatlantic trade and investment partnership right. So the stakes are enormously high. We're so grateful today to be in partnership with the European Union delegation and having this as an EU rendezvous event. And we are so delighted that CSIS has had a fantastic partner in the EU delegation and deputy head of delegation, Francois Rivesaux, has been such a great partner and thought leader as we look at the larger transatlantic challenges of data protection, data privacy. And I'd just like to welcome Francois up to say a few opening words. And then we will start this fantastic panel discussion on the future of the Safe Harbor Agreement, Francois. And we're telling him he was trying out for the French World Cup team. And he had a small accident on the pitch. That's why he's going to take a slow walk up. So thank you, Francois. Good morning, everyone. And thank you for being there. Thank you, Heather, for organizing that in such a timely manner. Thank you to CSIS and to Dr. Hamre to help us developing our discussions with you on one issue, which is really key today. When we talk about data protection today, as a European, there are various aspects to that. We have worked on various aspects today. We have in town negotiation. You are going to... I deliver you the top negotiator, which is Mr. Paul Nemitz, who is here. You will be able to discuss the pros and cons and the details of the negotiation and the philosophy behind it. But we have been asked to reflect about the issue of data protection or protectionism. Let me tell you two things on this global theme. First of all, it is absolutely sure that there is a strong connection between what we are going to decide in the umbrella agreement on one hand, in the implementation which will reverberate in its turn on what we call the safe harbor agreement. I will elaborate a bit on it just after that. And on the TTIP. There is a strong connection. Let me just remind you that the safe harbor agreement, I don't detail you all know what it is, but let me tell you less figures we have end of last year. The safe harbor agreement is under the membership of 3,246 companies. And you know that till now, the US companies are considered as certified as compliant to the safe harbor regulations, which allow US company to store datas of EU citizens in the US. Nevertheless, after the crisis created by somebody, somebody help me in the name, I just forgot the name. Well, something to see with a weather, bad weather. No, I think or something like that. Well, let me tell you that a survey carried out by the Cloud Security Alliance found that 56% of respondents in Europe were hesitant to work with any US-based cloud service provider. That's the impact in monetary terms of a consumer mistrust. This revelation will cost to the US cloud computing industry between 22 to 35 billion in lost revenues over the next three years. Lost trust means lost revenues. And in this context, what to do? There is indeed a need if we want to achieve a meaningful trade agreement between EU and US. There is an absolute need to maintain the possibility of exchange of datas without barriers, which would be non-tariff barriers in that case, between the two sides of the Atlantic. And that's why the negotiations we are in are absolutely key. And let me just conclude by telling you a bit how we see it from the European delegation. The European Commission and the European Union as such and the member states have all, we have all welcomed President Obama's remarks and presidential directives on the review of the US intelligence program. We are particularly interested and welcoming the willingness of President Obama to extend safeguards currently available to US citizens as regard data collection for national security purposes to non-US citizens. This commitment should now be followed by legislative action. And we have been impressed by the first draft of Senator Sensenbrenner. We hope that it will go through and as untouched as possible. But this is one aspect. Unilateral commitments, administrative commitments are great, but it's not enough. We have also in the so-called umbrella agreement, data privacy protection agreement, to translate that appropriately in bilateral commitment between the EU and the US. And as I said, if we are not able to conclude the umbrella agreement, don't forget that the European Parliament in its previous composition has already requested on March 12th this year the suspension of the safe harbor agreements, obviously. It's only parliamentary resolution, something looking a bit like a sense of Congress, not much more. But nevertheless, it put on pressure the commission because the new commission, maybe you followed a bit the debate which exists in Europe, it's not so easy to have everybody agreeing about the new commission, and it's likely that when the commissioners will present their program and will be heard and approved by the parliament, there will be some pressure exerted on them. So that's why the earliest and the better we could conclude this negotiation, the safest for all of us. To conclude, protectionism or data protection, privacy protection, they should not be seen as two opposite poles. There's one point which is sure. In Europe, the data protection question is not linked to protectionism, that it's not seen from a protectionist angle because the heterogeneity of our industries is such that there's no big appetite in the European industry to see the cloud separating and the sort of protection between Europe and the US. It is seen from an ethical value and privacy protection point of view almost exclusively. So there's no protectionism back-thinking in the mind of a European on that, but it can have protectionists unwisht and unforeseen consequences if we are not successful. That's why we are going to put all our efforts and as Heather said, I'm relatively optimistic on the outcome, but we have not to lose time. That said, thank you once again, Heather. Well, thank you, Francois and Heather. And let me add my welcome. I'm Scott Miller. I run the International Business Program here at CSIS. And we are delighted you're all here today. We had built this event as a round table, but we didn't have a big enough table that we could never sit around. So thank you for your interest in this. I apologize for the theater style seating. In any case, we now get to hear from four genuine experts on this very important subject. You have their biographical information in front of you, so I won't read it to you, but I will give you the order in which the panelists will make opening remarks. And as soon as they finish their comments, we'll turn to you for your questions and engage in your dialogue with the audience. We're gonna hear first from Paul Nemitz, the chief negotiator for the European Union on Safe Harbor Talks. Then from Ted Dean. Ted is the Deputy Assistant Secretary of Commerce for Services. That position has a very broad mandate to improve the competitiveness of the U.S. services sector and the Safe Harbor negotiations fall within Paul's duties, excuse me, Ted's duties. Then we'll hear from Harriet Pearson. Harriet is a partner at Hogan-Levels and the co-chair of the Georgetown University's Cyber Security Law Institute and a longtime expert in privacy matters. And finally, we'll hear from our own Jim Lewis, the director of CSIS's Strategic Technologies Program. With that, Paul, look forward. Yes, thank you very much for this opportunity. I think there cannot be enough transatlantic dialogue on privacy and data protection. It is really one of the defining issues of the future. The way we handle this challenge defines our life and maybe also the life of our children. Let me position this a little bit in the context of law. My proper official title is Director for Fundamental Rights. I'm responsible for the implementation of the European Charter of Fundamental Rights, of which the right to privacy is one right. So the right to privacy, the right to data protection has constitutional status in Europe. And that's why we have here a lawyer with an employer which is a justice ministry, so to say, negotiating with a colleague, Ted, from the Commerce Department. And so what we lawyers have to learn is the importance of technology and of course the important contribution to growth the new technologies make. And we have to understand what the relationship between privacy and growth is and I will say something about this in a moment. On the other hand, I think when we're talking across the Atlantic, it's also important that those who have responsibility in the United States for commerce and business understand that in Europe we're talking about fundamental right which has a history which goes far back before the digital age. The title of today is a polemic provocation. It has filled the room, it has served its purpose and that's why the title was good. But to say that the protection of the freedom of the individual against overreach, first of all by the state, that's where it started. And today, also about the overreach of powerful corporations who know and who can read you as a person, but you cannot read them because you don't know the algorithm and this applies to Americans as well. The function of data protection and privacy is therefore to protect the individual in its dignity and its freedom. And so yes, it has a protective function, but it has not the function of protectionism. What is the relationship between growth on the one hand and the protection of individual rights on the other? We believe and I think we are joined in this by major U.S. corporations that there is no contradiction between developing high technology and moving forward into the digital age, into the new business models, into growth and employment and to make this driver of growth and employment benefit all of us on the one hand and the protection of people, of human beings in their dignity and freedom on the other hand. Why is there no contradiction? Well, we believe on the contrary, there's a synergy. There is a synergy between both. And what does this synergy consist of? It consists of the trust which individuals need to have in this new digital world that their personal data and that their lives and their personality are not being misused and abused either by the state or by powerful corporations. And only if this trust is there, people will make good use of these services and only then the economy will thrive and growth will be moving forward in a sustainable way. What we observe is that more and more people start to worry. What happens to their data? What happens in the hands of the state? What happens in the hand of economic operators? And this is becoming a growth impediment. And if you want to talk about barriers to trade and I can develop it later in the discussion between Europe and the United States, one of the biggest barriers to trade is the activity of the NSA. Unchecked spying, mass bulk collection of data is a huge disincentive for Americans to use services coming from Europe. Because if you, for example, simply use an EU email service provider instead of your American service provider, because your email comes from Europe and because it transits through the transatlantic cable, and maybe if it's a modern Swedish service provider who provides encryption for free, then your email will be captured probably by the NSA. But if you as an American stay with a US service provider, hopefully it will not be captured. So when we talk about protectionism here today, we have to look at the whole picture and we have to look at many American laws and this is probably the most flagrant example which are disincentive for free trade and services across the Atlantic. Now when Ted and me, when we talk about the safe harbor, we talk about a successful model of free flow of data which has grown from 300 participants to more than 3000 corporations in the US participating and the first message to take from that is that everybody who says that American high tech companies can't operate under EU rules for privacy and data protection is completely wrong because the success of the safe harbor, the voluntary signing up of more than 3000 major corporations to the safe harbor shows that American companies happily are able to integrate these rules in their successful business model. So I would say the safe harbor is a success of free flow of data. Basically through the safe harbor we grant the same status to American companies operating in the United States in Silicon Valley as is granted to any company within the market in Europe and I think this is a huge privilege which is extended to the United States and as a counterpart and that was the original intention of the safe harbor, it is only normal that the protection of the data of Europeans which is transferred, the personal data of Europeans is transferred to the United States for processing that then these data are also protected here in the way we Europeans expect because this is the data of our people which is transferred to the United States for reasons of business efficiency and this original purpose of the safe harbor when it was concluded has to be maintained into the future and also under the new conditions of digital age and NSA spying and that's the challenge we are facing together in our negotiations and this is where I will end the original purpose of the safe harbor was to guarantee to Europeans when their data is transferred here a higher level of protection than is available under the normal American law to Americans this purpose of the safe harbor has been put into question by NSA bulk collection and we have to find a solution to this challenge to the safe harbor, it is not Europe which has challenged the viability and the success of this very successful model of free trade of data, thank you very much Thank you all for coming and thank you Paul it's a pleasure to be here, it's a rare opportunity when I sit on the same side of the table as Paul so it's a view I haven't had before so I'm happy to be here and happy to have an opportunity to have what I really think is an important conversation and talk about the work that Paul and I are doing together let me just say a few words about safe harbor and why I think it's important I'll talk a little bit about the progress we've made and then I'm really most interested in the conversation we can have together I couldn't agree more with Paul's comment that it's a successful model and one that we want to maintain and that's why we're working so hard on this it's important because it provides in the first instance because it provides protections for EU citizens data which would be difficult to replicate without it so that US companies subscribe to certain privacy principles when they join safe harbor they put in place compliance procedures to ensure that they're honoring those privacy principles when they're in the safe harbor and that by making public representations about their participation in safe harbor the Federal Trade Commission is allowed to bring or is capable of bringing enforcement actions against companies that violate those principles or don't live up to the commitments they make and so Commissioner Brill and others at the FTC have spoken publicly about how their job is easier bringing those enforcement actions to protect EU citizens because the program is in place and operates the way it does it's also important because although we're having some very difficult conversations sometimes including Paul and myself about privacy between the EU and Europe when we get to the end of this process and are successful and I think we will be and step back from this I think we will agree that there are much more that the Europe and the United States have in common when we look in privacy than we do with most countries in the world and so it's important that our work together reflects those shared values and that we can in fact at the end of this process have the room to step back and look at what we have in common on these issues it's also important because this is a conversation in my view between friends and allies who have many other common interests outside of the lanes that we are working in but also have a very important trading relationship the United States and Europe trade over a trillion dollars a year of goods and services we have over close to I think the correct phrasing should be close to four trillion dollars federal of foreign direct investment in each other's markets and so if you look at the affiliate of US and European companies in each other's markets if you look in particular the services trade of data flows back and forth this is a vital economic relationship and underpinning that economic relationship is the data that flows with goods trade services trade and investment so for all of those reasons it's very important that we're having this conversation together today and we can have more public opportunities like this but also why Paul the work that Paul and I are doing I think is important that we come to the end of this given that importance let me just say a few words about the approach that we're trying to take in the our work at the commerce department and you know the commission has a public document with their 13 recommendations about safe harbor we've now been in very intensive consultation with Paul and his team but we don't have a public statement so let me say just a few words about the approach that we're taking the first comment I would make I did a similar round table in Brussels a little while ago and I was introduced with the same job title that Paul was here as the chief negotiator on safe harbor and I would draw one important distinction and that is that I view my job as the chief administrator of this program my office actually administers the program and so these over 3,000 companies that are in safe harbor certified to our office at the commerce department and we process those applications to be part of safe harbor and so we have a very very strong interest in our work in making sure that the end of this we come to something that works that we can implement that we can act on that it serves the purpose of allowing data flows that comply with the EU data protection directive that it serves its purpose of protecting the privacy of EU citizens and that in doing those things and we got to get that right first but in doing those things it facilitates the trade relationship between the United States and Europe given that the approach that we've tried to take in our in our meetings with Paul and his colleagues is not as what the I mean one approach to this would have been sort of trade negotiation style no offense to my friends at USTR but trade negotiation style what's the very least I can get by to the end of this process and I think what we've tried to do is look at what is the most we can do within our resources our statutory constraints to address the concerns that the EU have raised and I think the fact that Paul and I are here together is a sign that my respect for him and the work that DG Justice is doing on this issue but hopefully also I think they've recognized the effort that we're putting into this work to make sure that we come out at a good place at the end of this process and I think we've made tremendous progress we can talk in more a little more detail about that as we go and where we are I think we appreciate the comments from Vice President Redding on Friday about the progress that we have already made in any negotiation sometimes the tough issues are dealt with last and we're still working on some tough issues but I remain very optimistic that we get to a good place at the end of this. Let me close because I am more interested in the discussion here by just making a couple of sort of stepping back from Safe Harbor and making a couple of comments about the larger privacy conversation that's happening between the United States now. I've read things in Europe or heard things in Europe which I think to an American ear might have sounded like we get privacy and you don't and to be honest I've heard things said in this town in Washington that I think to a European ear probably sounded like we innovate and you don't or they sounded like dangerous world and you don't quite get that and I think none of those characters about views in the United States or views in Europe do justice to the views of either government the debate that is going on about these issues in either country but I think those characters and this is why this kind of forum is so valuable those characters put us at some risk of talking past each other and so let me just mention very quickly three places where I think we can avoid talking past each other the first is as a basis for this is the big data report that was came out just a few weeks ago that is the result of the review that John Podesta led and I think if a European audience reading that report very carefully would probably frankly find some things that they might not completely agree with but I think they would also look at that as a very thoughtful effort to deal with some tough issues and then a basis for a very full discussion of pathways forward as we look at big data and I know there is work going on at the European Commission on exactly these issues and so it is my hope that we can sit down with the outcome of that work in the big data report and look very closely at some of these tough issues another area I will mention my office is also outside of Safe Harbor very involved in these issues in an APEC context and has worked on a system called cross-border privacy rules and we a couple of months ago announced with the article 29 Working Party the organization of data protection authorities in Europe are referential comparing the APEC cross-border privacy rules and binding corporate rules in Europe and so we sat down and said what are our systems having in common and how are they different and again an area where we can sort of isolate what are some of those concrete differences and the last area which I think is a good base for the discussion is exactly the work that Paul and I are doing where we are working through yes what are some difficult issues but to Paul's point taking something that we do think is a successful model and looking at how can we do how can we ensure that it continues to serve its purpose in the future and how can it serve its purpose where there are differences in privacy regimes in the United States and Europe how do we bridge that and ensure that there is protection for you citizen data that comes here but also that we do facilitate the trade that relies on Safe Harbor but so much to talk about on these issues but perhaps I'll stop there Thank you Ted Harriet Thank you and good morning I think my role on the panel today maybe I am the person on the panel that actually was somewhat involved and participating from the business community perspective during the negotiation of Safe Harbor 1.0 I'll call it back in 1999-2000 and also voice of and view of practical implementation issues and practical impact of these issues on the functioning of commerce and business and I'll take those two roles and address a couple of points in turn and then look also forward to the discussion and I think the discourse so far has been very, very heartening because at the foundation of this the motivations behind the current Safe Harbor discussions and the prior ones I think are rooted in the tradition that both of the jurisdictions involved have a lot in common in terms of the values and in terms of the approach to data privacy there's a lot of commonality and the motivations today are similar to what were in place 10-14 years ago around facilitating transfer and access to data but doing so in a respectful way of both countries both jurisdictions so in terms of the history it's hard to kind of overstate the difference 14 years can make in terms of the technologies in the year 2000 think about it the internet obviously was there, the web was there but in terms of calling the Safe Harbor 1.0 the early sketches of what were to be the social communication, social computing mobile computing weren't even there and the simple structure of web 1.0 and Safe Harbor 1.0 I think says that there are some opportunities to the Safe Harbor program and enhance it so it's meaningful that we have the discussions underway right now practical impact for the last 10 years it's true the program has grown from around 300 to over 3000 and not a day passes at this point in my practice where I don't get a call from a company asking about how do we enroll in Safe Harbor what are the steps and oh by the way we have to be there in a few years that is a question that is absolutely there and the companies that we've worked with and I think from a business community perspective overall the answer has to be yes the answer must be yes it is an exceedingly important mechanism for the transfer and access of data and there are a couple of reasons for that one is and I think Paul you mentioned the role of large corporations and I think the very important point to keep in mind is that large corporations who are availing themselves and registering with a Safe Harbor program are actually quite small companies and the role of Safe Harbor as a practical mechanism to facilitate the accountable transfer and access to personal data across borders between the EU and the US is essential the process has been administered in a very good way here in the United States it's a simple process but it's also quite a visible one I'm talking about sunlight being a good disinfectant the sunlight of enrolling yourself I will tell you that the discussions that I've had with companies before they signed their names somebody actually has to sign a name and file publicly it's a very serious step people take it very seriously and in the main that is part of I think the success of the program and the viability of it for smaller companies is a particularly important piece the fact that the principles in the Safe Harbor are very similar to or are essentially the fair information practice principles which underlie all of the major privacy laws in the world has also been very helpful because it creates a way of having a common language so to speak around privacy compliance and so the companies that enroll in Safe Harbor are also perhaps exploring the APEC cross border privacy rules they certainly are working on domestic compliance with laws in Europe and they're working on domestic compliance with laws in the United States all based pretty much on the same language so it's also been a very practical mechanism going forward now that we are at a position of perhaps looking at Safe Harbor 2.0 depending on the outcome of the discussions here the path forward I think is a vital one and I would offer a couple of thoughts about going forward as assuming success here so first I think we will continue and I think from a business community perspective it's essential to continue having a similar similar view and reflecting the commonality that exists between the EU and the US systems having practiced privacy law now since 1995 and so have seen the development of the directive and the implementation and the transposition of the directive and now the regulation proposal and the formalities are much much more than the differences the difference in the implementation of course is there and obviously there are differences but having that continue in a matter of comedy is important Paul you mentioned the importance of trust in the private sector there is an intense focus on the trust building aspects of use of the Safe Harbor mechanism going forward and it is one of the tools that companies do use to signal to their constituents external as well as internal to their own people that they have a program in place that they take privacy data protection very seriously so it is going to be continued to be used in that way I believe going forward now are there practical enhancements possible are there ways to make the program more evident more robust in terms of having information about the enrollees available the process available to European citizens for example how to access it to have more disclosures potentially in the Safe Harbor privacy policies those are all potentially open questions and useful enhancements and I encourage to hear that there is a fair amount of consensus on some aspects of those being incorporated and essentially leading to what I think is the biggest and most important objective of the business community on both sides of the Atlantic because I think we should remember that it's not only US based companies who use the Safe Harbor it's also European based companies who have operations in both the US and the EU that use the Safe Harbor they're all united in my view and my experience in the desire for a predictable sustainable mechanism where you don't have to ask every now and then is this going to still be here so the permanence of the mechanism the permanence of having an interoperable approach to data sharing amongst and between allies who have a common philosophy and a common grounding and the value of privacy is essential and we're heartened to hear the progress and the good spirit with which these discussions are being held thank you Harriet Jim great thanks it's always good to be last so I'm going to be brief or brief for me at least and if Harriet was practical I guess I'll be the opposite which is impractical which I guess is perhaps a role for a think tank so first a little bit of a gloss on the history that Harriet gave you the internet was designed on assumptions that there would be sort of a single global set of values and that these values would resemble to a fair extent the values of the United States and particularly of the California environment so that's kind of built into the technology the thing that's been built out of the technology is privacy so you don't have any privacy on the internet and if you learned anything from Snowden that's what you should have learned the question is and we can talk about that more if you want see whenever I make fun of NSA this happens it used to be when I made fun of China until I don't know sports fans it's difficult to explain I think people are just beginning to realize the extent to which the business model of the internet depends on advertising and depends on harvesting your personal data and using that to drive revenue if you dry up that stream the internet will look very different from what we have now some difficult business issues here one of the things I ask is can we build privacy back in and I think the answer is yes but it will be difficult and at first blush the regulations we're thinking about now may not achieve that goal we're having fun we're about to start a project with Sharon McGuire is out there in the audience we're about to start a project on the internet of things and so one of the questions when your refrigerator connects to the internet under European policy does it have to notify you, obtain your consent to use a cookie the world is going to change very dynamically many many things will be connected and one of the problems we've seen in the past is that regulations don't necessarily have the flexibility to accommodate that change this will affect European companies as you heard as much as American companies because they will be the ones providing the industrial internet the internet of things consumer internet so this is not a purely one way problem it's a transatlantic problem right the US and Europe do share values and that sometimes gets hidden in this debate which can be a little noisy but I'm not sure our values are perfectly congruent when it comes to privacy and the example for me that best showed that it was the decision by the European Court of Justice on the right to be forgotten a simple Anglo-Saxon term for that would be censorship that was a very shocking decision that an individual can go and ask for portions of a public record to be erased that indicates we don't see eye to eye on some things I have a larger question about privacy and we don't have to talk about that now and privacy is a fundamental right we have taken this as sort of a given and it deserves some examination it may be more of a derived right than a fundamental right but that's a larger discussion the debate here over Safe Harbor and the Snowden revelations is part of a larger debate that fits into the fact that nations having come to terms with the internet and with the global cyberspace are extending sovereign control into it right so we see this the European Court of Justice ruling was one example of that but you can see it in India you can see it in China you can see it in Turkey nations ask why don't my rules apply to my networks and the answer is well of course they do right the issue is the tension between sovereignty and the extension of sovereignty and extraterritoriality right this is a debate even within the EU right so you have rules they apply to your networks but you also given how the internet works you want them to apply to those who are not otherwise subject to your law right you want extraterritorial reach and we're having a hard time coming to grips with that issue but how we resolve this will reshape the politics of the internet and how you use it we have just touched briefly on on espionage and I say it's come up a couple times I think Americans underestimate the effect of this in Europe but I think Europeans are entirely honest in their own discussion again a separate issue perhaps the dilemma here is that intelligence and espionage are not necessarily areas of competency for the EU so it's very difficult to see how you would get an agreement putting aside the fact there is no international law on espionage because nations don't want it they don't want agreements on this if this is going to be a hurdle it will be a major hurdle and one that we probably want to back away from and quietly slip under the rug again noting that there are things that need to change for me the larger problem is ultimately and this applies to both the internet governance cyber security perhaps to the privacy issues how do we define responsible state behavior in cyberspace for me a good definition of this which we don't have would be one that caught both NSA and the PLA we don't know what that looks like yet but I think it's possible to come to this if you look at the work on safe harbor we should all be relatively pleased if you looked at the prognosis a while ago it was very grim and the negotiators or the administrators have made tremendous strides so I'm very optimistic that we can find a pragmatic solution in the near term but that won't necessarily fix the long term problems which will keep coming up and I think a good way to think about this is a good evolution would emphasize the shared political values between Europe and the United States noting that privacy might not be one of them entirely and it would emphasize a way to rebuild trust really on both sides of the Atlantic there's been damage on both sides that doesn't always come out so I think a near term pragmatic solution and a longer term discussion to get us to a new way to think about how we will deal with this transnational phenomenon on the internet in a way that preserves the rights of our citizens and allows states to exercise their responsibilities to protect their citizens why don't I stop there that was inflammatory so but intentionally last speaker intervention and certainly what's interesting to me is there are different kinds of disclosure that get treated differently everyone who operates in the internet most firms at least seek desperately to avoid inadvertent disclosure of information and you saw what happened of the CEO of Target and some of the security efforts that are made on reducing inadvertent disclosure very large and there's this large area of voluntary disclosure between the consumer and the company which is really the subject of safe harbor and as I think Harriet correctly illustrated a point of great practical commonality of interest and a lot going on where Jim ended was on what I would characterize as mandatory disclosure where governments require information to be disclosed to them and that is a transnational problem those kinds of problems are typically solved with laws and treaties but the work is incomplete and subject to very rapid technological change as the panelists also pointed out helpful discussion would like to open it up to our very knowledgeable audience with three reminders as we start the questioning first wait for the microphone we webcast this event and we'll be taped so no one will hear your question out there in cyberspace if you don't wait for the microphone second introduce yourself in your organization and if you have a question for a specific panelists make that known up front and third make sure your question is actually in the form of a question no statements please so yes sir thank you hi I'm Ben Hancock from inside US trade thanks very much for having this panel a question first the negotiators Mr. Dean you talked a little bit about the progress you were making this week can you walk us through a little bit of that you know map out some of the areas where you're finding consensus with Mr. Nemitz here also a question for Mr. Nemitz as well you talked about the challenges that the NSA revelations have had for safe harbor or opposed for safe harbor but out of the recommendations that the commission put forward only two of them addressed national security exception and none of them were binding recommendations or recommendations for new binding rules so how do you see this process as in any way addressing or fixing some of the problems that the NSA revelations revealed thank you well first of all on the recommendations one has to recall that we're not talking here about bilateral agreement under international law but we're talking when we talk about the safe harbor about the commission decision recognizing the commitments which the US has put on the table so basically when the commission said it's a recommendation well it's a recommendation to itself and thus sets out our line of thinking so that the US government the European parliament and member states know what our intentions are so basically you know this is I think also against what Ted and me are working now it is true that out of the 13 recommendations only two concern the issue of national security one is the recommendation that companies should make transparent to their customers under which laws they are obliged to make information available to governments and which privacy principle therefore they may have to set aside and the other recommendation is that government access to data shall only take place when this is national when this is necessary and proportional for national security reasons or reasons of law enforcement and this test of necessity and proportionality to come also to the remark of James on the competences is indeed a matter of European law and the European commission and we have no problem with our competences there because what we are talking about in the safe harbor is not spying in the sense of governments trying to get information from other governments you know listening to the telephone of the German Chancellor that's not what we're talking about that's not a competence of the European commission we are talking about mass collection of what any individuals do on the internet and there we are in the area of privacy protection and data protection which is fully a competence of the European Union and the court of justice has said even to our own member states that if a member state invokes national security grounds to do something then the member state must demonstrate that what it does is necessary and proportional for the purpose of national security when we are talking here to the United States what on this point the talks need to come to is a concretization of what this means necessary and proportional in relation to the data transmitted over the safe harbor so we need a concretization and this is probably 50% of the result it's one of 13 recommendations but it's the big elephant in the room let's be very clear about it and I hear on both sides we want the safe harbor it's commercially very important well the US government has to make up their mind of what's important and this is very much like to the discussion which you have inside the United States I see American companies taking very clear position on what would be necessary to regain trust the internet also in the domestic debate and I'm heartened by that and there is an element of this debate which pertains also to Europeans because Europeans have the same right to protection and the same right to trust in the internet as others and so basically what we are now seeing is a reform process in the United States which is very much focused on domestically and the safe harbor is the opportunity to fulfill the promises and the perspective set out by the president in his speech on 17th of January policy directive number 28 which says we will extend protection also to non-Americans and here we have an opportunity to concretize this announcement and to come to real impacts of protection also for Europeans when their data is transferred over the safe harbor let me say a word about the Google judgment I would say first of all the Google judgment has to be read together with the other big judgment on the digital which is on data retention and here you can see if you read these two judgments together of the European Court of Justice that it's not correct to put Europe into the same sentence with India and China and Russia and those who terribly want to take away the freedom from the internet but I would put to you the contrary thesis the European Court of Justice has taken the leadership in the judicial structuring of the challenging of the future of the digital with one judgment which rejects what American citizens are now subject to and will be in the future namely retention of telephony metadata what you are discussing in the United States now as the great progress of liberty which is to move the retention from the NSA to private companies in the judgment on data retention which by the European Court of Justice has been declared illegal under European laws so please don't put us in the same sentence with India China and Russia when it comes to freedom this judgment could be great inspiration for Americans to understand what freedom is about in Europe the freedom now is not to have European law which has basically unlimited data retention on telephony data read it and be inspired for your domestic debate so here's one judgment limiting what the state can do and there's another judgment which rebalances the situation on the internet that's the Google judgment in a way which is totally normal and fully in line with a long line of jurisprudence also on television and newspapers and so on there is no right of a television station to put a camera up and you know just film your garden 24 hours a day you know just see what's going on no, you have a protected space of privacy and these basic principles of privacy protection somehow have to be translated also into the digital age and the court has very very clearly said that the right to privacy must be balanced with the right to information and it is not correct what James said that records have to be erased according to this judgment links have to be erased on Google but that doesn't mean that the record is erased nor does it mean that the information cannot at all be found on the internet it's a delicate balance but this delicate balance and this work on this delicate balance is necessary for a free society because you know to put the question even bigger than James has put it the question we are facing in the digital age is whether technology rules alone or whether human beings with their freedom and dignity are still respected as individuals that is the big question we are facing and that is also the balancing exercise that we have to do when we are facing the potential of technologies namely Google makes everything transparent allows profiling of individuals big time based on public sources and on the other hand we have an individual which is completely stripped of any individuality and freedom and dignity because advertising is the money source of the internet I mean you know this is something European law doesn't allow and honestly I've studied in the United States I think Americans also don't want it Americans also want individual freedom and if you look at the opinion polls about the worries of people they are not very different we share the same values it's true and also the empirics are the same American people also don't want to be stripped totally of any right to privacy protection and protection of personal data and want to be profiled all the time big time by data dealers, address dealers and so on Ted would you would you like to either respond to Paul or the original question give Jim a chance to respond I know at least one person agrees with you so that's a I am so happy James is here because I spent so much time debating with Paul that now that someone else can come in and debate with Paul so that is great I think your question was about exactly kind of where we are in the process in the progress we made and perhaps my shortest answer would be no I don't want to go in exactly that I'm getting along so well with Paul that I don't want to sort of negotiate in public on this but what I would say in sort of going back to my initial comments on this is you know I view what we have come together on the first 11 recommendations on safe harbor as not concessions we have made but rather improvements on the program that we were able to come together and say yes these are improvements on the program and so some of those have been simply endorsing recommendations that the commission has made where we thought they were going to make good sense some of them have been where there are some challenging issues as we looked at the recommendation coming up with creative ways to address the concern if the recommendation itself is challenging and in the course of this process we've looked at what are other things we can do beyond the 13 recommendations that we think would make this work in the long term I think it's important as we talk about safe harbor we don't want in the history of this program which now is 14-15 years to leave people with the impression that somehow this is a loophole in EU law that the US discovered that safe harbor operates the way it does because after what I believe and Harriet would know better than I multi-year negotiation we agreed that this is the way it would operate it's certainly true that a program that had a few dozen companies in the first years a program that in a very different technological environment a program with very different business models were in use this is a good time to look at this but again I don't view the work that the Commerce Department is doing this is negotiating over concessions but rather how do we get this right to serve the purposes where if this is a successful model that is important how do we make sure we deliver on that it may come as a great shock to some of you in the audience but it will not be my office at the Commerce Department which resolves on its own recommendation 13 but as I sit here representing the US government I do feel some obligation to talk about is what Paul has described as the elephant in the room I think one of the we're working hard on this but one of the key points I would make describing what's out there in public is that the European Commission's report on safe harbor came out in November there were through the course of the fall intensive consultations between the United States and Europe on these issues in January on January 17 the president gave a speech on signals intelligence and they released PPD 28 looking at these issues and one of the points I've made when I've spoken about this in Europe is if you go back and read that speech a very significant portion of the speech actually addresses these international issues and I was trying to think of a policy debate where there are significant domestic debate in play where a similar high percentage of the sort of public speech of the president United States was also about the concerns of folks internationally and I don't think I think it's worth going back and looking at that and recognizing just how much work went into that part of the speech that just how much was included that addressed these issues and looking at the PPD and so since the commission's report PPD 28 made announcements about particular things that changed immediately and then set in place several processes that continue now and so one milestone that we've already had is the pedestrian review on big data which had certain additional policy recommendations to the president the PPD 28 also tasked the intelligence community with additional work that would be done over a 180 day period so we still have work to do and we're still working at it but outside of the work we're doing in the safe harbor context the broader context has I think changed through that work and so I want to make that point clearly as well but these are lively issues and I think the other point I would make is I think we get to a good outcome at the end of this discussion on safe harbor but we need to have a lot more of this kind of forum here in the United States and in Europe with folks from USGE and from European Union talking about exactly this kind of issue because you know listen we don't need to James's point we don't need perfect congruence on how we think about these issues and in fact that's exactly the purpose of safe harbor is to take a place where we don't have perfect congress and find a way to have a bridge but to create those bridges and make it work you have to have a pretty open and honest conversation about how you're thinking about these issues and that's why I'm grateful for this opportunity and the conversations I've had with Paul and for this meeting today Thanks Jim you want to comment on sure just really quickly I mean remember this is a discussion among friends and so I'm very optimistic that we will get to a good outcome both in the near-term on safe harbor and in the long-term in the larger issues that come before us because we do share values we do share common cultures the alternatives perhaps aren't as nice I mean some may wish to I read that Marie Le Pen wishes to partner with Vladimir Putin have fun lady so at the end of the day we are we are partners naturally but there's a few points to bear in mind mass collection was done for counter-terrorism purposes and it was often done in cooperation with European services that the European public did not know this is more a comment on the weakness of oversight in the in European countries rather than the nature of the program itself and so one thing I would encourage our European colleagues to do is think about US style oversight of intelligence agencies it should not be three people in a dog who know what your intelligence agency is doing the second issue to think about is and if you think about European data retention laws the second issue to think about is there's a discrepancy that's troubling to Americans sometimes between national practice and the commission statements and these don't always align perfectly I would caution that one of the things that got NSA into trouble is everything NSA did was legal totally legal under both US and international law right but that was widely perceived as hair splitting and it's saying that well the link is removed but the document isn't a little too close to a little too close to the bone for me to be comfortable with if you can't find it if it's hidden if it's removed that's what we're worried about so right now I'd say the US and Europe share values but not solutions and so one of the benefits of this larger discussion is perhaps we can move from our shared values to solutions that are at least more compatible and that take into account both the need for privacy the need for responsible state behavior but also the need to ensure economic growth and economic activity this is one of the things that worries me sometimes about heavy handed regulation I know that some people find that weird coming from me but it does it is a problem regulation is essential I agree too much of it though kills economies yes sir Brian Bury Washington correspondent in Europe politics just a very specific question to follow up on a comment that Mr. Nimitz made about the difference between this being a bilateral agreement and a decision of the European Commission could you just explain why that point is important and what exactly it means and do you think the commission can sign off on this agreement without new US legislation specifically dealing with the ability of the US government to take mass data from the internet so first of all according to our understanding of US law limitations of the activities of the NSA and the other secret services are within the executive domain so the president can say don't do this don't do this, don't do this doesn't need a congressional law just the parentheses I don't want to confuse you but we have another negotiation going on with the United States on a bilateral agreement under international law for exchange of data in the area of police and judicial cooperation that's called the umbrella agreement and there the big issue is equal treatment in judicial protection of Americans in Europe which already is the case and Europeans in the US which is not the case in that negotiation we are asking to get equal treatment to have judicial review also for Europeans in the US this seems to require a law from congress but it's a different in the safe harbor we believe but American law question it's within the executive powers of the president to impose limits now why is the safe harbor a unilateral decision of the commission and not an international agreement under international law because that's what our law foresees that legally personal data can only be transferred from Europe to a third country if that country grants an adequate level of protection of the personal data adequate being measured on our laws whether that is the case or not is decided by the European commission and if the commission decides that there is an adequate level of protection then the data can be transferred and processed in the other country the United States has been considered not adequate by the European commission that's why the safe harbor negotiations was started and the system of the safe harbor is such that those corporations companies which self certify to comply with the privacy principles laid down in the safe harbor that these companies benefit from a limited privacy finding which is the decision of the commission to recognize the safe harbor system as sufficient protection as far as those companies are concerned right Harry you may want to clarify additionally this is a voluntary process from the US just a quick addition from a legal perspective yes I agree from a US law perspective that there is power in the executive branch to adjust and communicate policy that would not require legislation and so allow the discussion to proceed on the point you just made Mr. Nimitz on the on the need for unilateral agreement by the EU I think it's an important point to note for the future development of sustainable and predictable interoperable there are probably other mechanisms and other ways to come to a handshake so to speak between the EU and the US on data transfers so at the moment in the year 2000 there was an opportunity to have an agreement reached the way it was the way it was structured with the safe harbor and I think everyone is heartened by the fact that it appears that you know safe harbor 2.0 is going to emerge pretty much in the same construct but the idea that there's only one way to have that handshake I think is something that ought to be examined there are ways to take the same idea that says we have a common set of principles companies would sign up to abide by them but have that agreement made potentially in a trade agreement for example among other kinds of entities is something that is possible and we ought not to I think fall into the trap of if policy was made once in one way then policy has to be made again the same way if I could add I just want to take advantage of a rare opportunity to agree with both of the previous speakers I just wanted to be clear that on the question of the advocacy finding the legal construct this is not a point of discussion or disagreement and in fact I mean I direct you to our on the Commerce Department website you can easily find the safe harbor framework and I believe there are public documents which are the letters that were exchanged in 2000 as the framework was put in place but it is a safe harbor rests on this advocacy finding from the European Commission and so that's the legal contract likewise I agree with Harriet that you know one of the things that about this I as I've said before do believe we get to a good outcome on this given growth of the program changes in technologies changes in business models I don't think our work ends when we conclude this and again not looking at what the mechanism is for you know future agreements or future adaptation on this again viewing this is something a program that my office administers you know we need to continue to work very closely with DG Justice on problems as they surface we need to continue to work and we're in fact deep in our cooperation with European data protection authorities to make sure as problems surface they're addressed some of the recommendations that are in that commission's report deal with things like false claims when a company says they're in safe harbor and they are not in fact in safe harbor you know looking at this the primary interest is the how you make this work for privacy but frankly as the administrator of this program that's just bad for my brand you know when a problem surfaces like that if people you ensure trust well people have to know that when they look at a privacy statement and they see representations about safe harbor that they know that that company is actually certified in the Department of Commerce that the Federal Trade Commission has enforcement authority and so you know we have a very strong interest in and I think we'll have to to make this work on administrative continuing this work as perhaps not quite as intensively as we have over the last few months but continuing to work very very closely with partners in Europe to make it work. Can I make one more practical observation is I think we've also talked a fair amount about the internet and advertising based business models and I think it is absolutely essential I made earlier the point that a lot of small businesses smaller size businesses that are utilizing the safe harbor mechanism the other point to note is the nature of the data transfers and flows here I would bet I don't have a firm statistic but if you look at 3200 companies that are enrolled and the types of data that are being covered here in the safe harbor and that are prospectively will be covered it's a lot of what HR information information that you're using to run your business data that may absolutely transits perhaps the internet or internet like systems or networks but this is not in the main about enabling you know certain business models it's about enabling all business models including the operations of organizations that are operating to serve customers across borders that are you know engaging in trade and they're engaging in frankly the more routine type of data transfers that are essential to an international economy and the sooner I think we get that in the lexicon of how we talk about the safe harbor the better off will be in terms of coming in terms of coming together as allies to create a mechanism that's sustainable that actually supports the real business of business next point about the back office just real quickly on that too this is a point that will probably lead us to agreement because it will affect the European companies operating in the US as much as American companies operating in Europe so when you look at the extensive presence of European firms in the US they'll need to do the HR, the finance the shipping and data transfers and this is an area of commonality that I think will help us reach agreement thank you another question I don't mean to neglect this side of the room but you're being quiet yes sir thank you very much, good morning everyone Jorge Carrera from the Spanish Embassy Justice Consul concerning equal footing on rights privacy rights protection concerning John Podesta's report there is a statement that more or less says that privacy rights should be extended to non US citizens so I would like to know in which extent this point is enlightened your negotiation and as it seems to me maybe establishing an equal footing in legal terms for non US citizens would require some legislative action so is one thing linked to the other so is it possible to reach for example an agreement on safe harbour and then waiting for another moment in order to make I would say a legislative reform in order to establish equal footing for privacy act protecting or you will wait until in case it's necessary this legislative action that they could thank you Ted I think it's about for you on the recommendation of the big data report it relates to administratively how can you through policy changes extend and I can't remember I don't have the exact language privacy act like but it's administrative changes and so that's a recommendation of the president that is being and work is beginning on it is I think I'll leave to Paul the sort of the negotiating position of the EU on this it is as Paul said earlier that consolation of issues around the privacy act and judicial redress are part of the umbrella agreement negotiation and not directly relevant to safe harbour to your point on how do you sequence and how do you make this work I think one thing we need to be conscious of is there's a cost born both in the United States and in Europe to delays and uncertainty about this and so one of the reasons we've engaged so intensely and been working so hard on this is because the sooner we get this done the better for everybody and I'll give you two sort of concrete examples to make that point one is sort of at the micro level in my office I have folks who are you know busily preparing for my meetings with Paul later this week and reviewing documents that we're exchanging things like that I want them to get done with that process and go out and make these changes and so at a basic level to the extent that we've defined improvements in the program and I think we have the sooner we get them implemented the better that's sort of a micro level for me but more generally uncertainty on these issues has cost for business and there as I said cost born in the US and Europe I think sometimes there's a perception that well if a US firm in Europe loses some business because of uncertainty in this or there's a customer of an American company who's worried that their data might be transferred to the United States and are safe harbor and is it a reliable instrument will it be around in a few years well that's lost business to the American firm well on this if the European firm didn't want to work with the US firm this doesn't matter it only matters because there's a European firm on the other side who looking at the cost and performance of that solution wants to adopt the work with the US partner and so there are costs that are born there there are costs that would be born by the over 100 European companies that are themselves safe harbor members so how that plays out as we move forward in terms of sequencing I'm not sure but we all need to work expeditiously on this because we do bear costs for not getting it done yes sir very quickly I think the US government has for long recognized and the FTC also says it regularly that there are gaps in US privacy legislation President Obama presented his blueprint of baseline legislation and I think 2012 2012 then the Podesta report also so I think there is no doubt that the US the government wants to move forward but it's not happening and I'm sure Harriet can explain the reasons better than I know why not now what's the relation of this not happening to the safe harbor it's very simple when we look at the adequacy of the country we first look at all their laws and the enforcement system if the US would have laws and a good enforcement system then maybe one day we don't need the safe harbor anymore because maybe one day we come to adequacy for the US as a whole but this requires legislation and independent authorities which enforce this legislation and let me also say very clearly here because I hear you know we have to respect the values of both sides there's always you know I mean Harriet is a master in well you know let's talk about it in trade agreements sorry Harriet no we will not negotiate this down there is no way that privacy standards of the European Union can be negotiated downwards you know let's meet in the middle respecting both parties like in a trade agreement you do why because they are of constitutional requirements and I also would predict for you outside the law I'm not talking now as a lawyer for privacy there's only one way from now on and this is true for the United States for Silicon Valley and for Europe and the rest of the world which is more protection more of it not less you see this is one of those invisible threats which people only realize about after a number of incidents and so on it's like atomic power or Julie Brill says it's like smoking I say it's like atomic power in both cases invisible threats we don't know what's happening to our data people will learn about it and this is on to have more protection and I know those who have advertising revenues and make money by stripping people of their private life and personal data they have a problem with it they stall their masters in keeping legislation away and some on the podium are grandmasters in this but there is only one way to go and everybody who has a sustainable business model and wants to make money sustainably to hear the bells ringing because sooner or later those people who try to make money by screwing individuals and that's what's happening in the real world they will not make money anymore because the trust issue is in the room and so there are some businesses which will lose trust and some businesses which will do the right things and they will gain trust and so from that point of view privacy is also a business differentiator and a competitive advantage for Europe we're doing something good for our businesses because they will be able European businesses will be able to offer also to Americans certainty that your personal data and your life is not abused for money Ted, do you want to comment? There's a number of very valuable conversations that we're having at once today I want to draw that's one way to say it one narrow distinction and that is that I'll help you out a company that has an advertising based business model a company that uses big data, a company that uses these business models that we're having as part of these conversations can subscribe to the principles that are in safe harbor they can have compliance procedures which ensure that they honor those procedures they can have the Federal Trade Commission there as a the cop on the beat that I think has a great deal of credibility and respect in Europe that when they violate those procedures they could be subject to very significant enforcement actions as has in fact happened with some of these very companies so that the cop on the beat has made a rest so to speak and so there's a valuable conversation to have about and the pedestrian report talks about this about online advertising, business models about some of these issues that is not we don't need to resolve that conversation to come to agreement on how safe harbor should operate because companies again can have all the notice and choice principles can comply as we've agreed and operated for 15 years with the European Commission on their how those principles which align with European law and continue with their businesses so CSIS will not go out of business continuing to host lively discussions on some of these topics but we can still finish safe harbor before those conversations are concluded last three points I have to address this there are privacy laws in the United States and so this is a very informed audience but just for the record because it was said there are dozens and dozens and dozens of privacy laws and causes of action out there and it keeps many many lawyers very busy helping organizations do the right thing with respect to compliance but then also do more in terms of maintaining trust that's one point. Second is it's important I think pull back all the way why are we having this discussion in the first place we are living in historic times and I think you can absolutely wax eloquent about the challenge here but I think if you pull back even farther say we are living in historic times in terms of the rapidity with which technology innovations are embedding themselves in our daily lives and in our businesses and how we actually operate the world and so in that kind of environment of course we're going to have conversations and debates about fundamental important issues like privacy and cybersecurity and all the other issues and as we have those debates it is important to take a look at the dynamic governmental systems that exist and see how well they're responding to those changes and I would put the U.S. system at a pretty equal if not equal footing at least in terms of how dynamic and how self self exploratory it is in terms of saying what are the right answers how do we go move forward and it's not easy to pass legislation you don't want to pass legislation every few years on these issues we end up having many many statutes you want to be thoughtful about it and I think that's the way the system is working and it has worked in the last number of decades and it will continue to work. Thank you Harriet I actually think that