This book is really something very special to me. When I began out in my work in data privacy, it was with working with John at the Department of Homeland Security as a law student where I clerked. I didn't really know too much about this field before then. And John really introduced me to this subject matter. And if it wasn't for John, it's quite likely that I never would have made it to the Berkman Center. So this is really quite a special thing for me to be able to be here and talk about this book.

So a bit about my background. I'm a research fellow here at the Berkman Center. I'm also a private practice lawyer at Perkins Coie. I've been working in the data privacy field both in the United States and in Europe under English law. And the focus of my work at the Berkman Center in private practice is really European and global data privacy law and the conflicts which it presents. With me is John Crawford. He's the lead author and the architect of this book. He is the former Deputy Chief Privacy Officer of the Department of Homeland Security, current head of privacy at Northrop Grumman, 10 plus years in the State Department, and just has an abundance of knowledge and resource on this subject matter. John?

Thanks very much, Neil. I hope everybody can hear me okay through the miracle of Skype. I've got thumbs up, so that's good. I just want to say first off, greetings from Washington, D.C., and I do really appreciate Berkman's flexibility in of all places to be technically savvy. I would expect Berkman to be able to manage this quite well. So thank you, Berkman Center, for allowing me the ability to come to you from Skype in Washington. I'd like to get a sense from as we go around the room just briefly when you do introductions, just kind of everybody's background, if it's law, if it's international affairs, if it's IT or internet, just to help kind of gauge where everybody's interest might be. I'll just say briefly about myself.
I've kind of been, I wouldn't say I had a pre-planned career, I've been somewhat of a nomad, but I've been at work as an attorney at the Department of Justice, worked then at the State Department, where I started to do privacy and Freedom of Information Act law. I left that to go to the most illogical place possible, which was former Soviet Union country of Turkmenistan for two years with my wife, who was a Foreign Service Officer, came back and I could see that privacy was still very big on an international level and moved over to Homeland Security, where I worked with them building an international privacy team and then serving as deputy for their privacy office. And then I've continued to work in privacy in the private sector now since really 2012. Trained as an attorney, but I've hopped on both sides of the fence between law and policy all around privacy because I think privacy has got one leg in law, one leg in policy and one leg in IT. So it's a fascinating area. I would say that privacy picked me. I didn't really pick privacy. I'm going to basically also give my one disclaimer, which is the remarks you're going to hear from me today are really my own personal remarks. They don't reflect the remarks of the past government agencies I've worked for or my current employer.

Great. Thank you very much for sharing your backgrounds. Now we're going to, John's going to give a bit of insight into what he was thinking when preparing the book and what it really means for him. I'm going to give some thoughts on the book myself. Then we're going to open it up to discussion. I'll lead with a few questions and then to the rest of the room. John.

Thanks, Neil. And I guess I'll just open by saying, I'll explain the motivations for the book. It is, I'll say that the old saying that necessity is a mother of invention. Well, that's really what prompted the book.
I found myself after September 11th, both at the State Department and then later at Homeland Security, involved in a number of negotiations with a lot of our European friends to share personal information. And it started around really with Australia for lost and stolen passport information. There was no established or systematized way to share that type of information between lost and stolen passports in our two countries. That evolved further with both State Department and Homeland Security. I participated on three different negotiations over something called the passenger name record agreement or the PNR agreement, as it became known, that was involving the exchange of personal information held by the airlines where those flights were outbound out of the EU into the US and what information could be shared under the European directive. It also extended into a negotiation around what they called at one time the high level contact group. It's been called different things, the umbrella group, but it was really intended to be a negotiation to come up with an established set of principles of privacy and data protection to share law enforcement information. And during those negotiations, I was, as a lawyer, I wanted to see what had been done before. What was the prior practice? And there really was no one single source to go and look at how had these information sharing agreements gone on before. I thought surely this has been done before. Perhaps there's a reference tool. Well, there wasn't. And so I really did this because I wanted a reference tool. I wanted a collection of information sharing agreements that the US had engaged in to really show how had this been done before, really to have as a handbook. And I recall early on as a very junior attorney at the State Department, there was the one thing I had always hoped to work on were treaties and international agreements. And there is a wonderful book out there that is out of print, but I always remembered it.
It's called The Treaty Maker's Handbook. And it's actually by a former high-level UN official Hans Blix. And it's basically a guide of how an agreement should look, what kind of provisions it should have in it. So I kind of took that as my model. And I really then went back and tried to pull all of the past information sharing agreements that I knew of, that as far as I could find, they went all the way back, going back to the 70s of all places that seemed the most unlikely, but they had actually a couple dozen information sharing agreements where the Social Security Administration engaged in what they called totalization agreements that was sharing of pension information between our different citizens who would say go to work in Italy, pay into their pension system and need a record of what they'd paid into, sent back to the US and vice versa, if an Italian citizen came to the US to work. So there had been this long-standing practice of these information sharing agreements. So it's not very sexy to say that, but it is really just a reference book in that way. So from a practical standpoint, that was motivation number one.

The second motivation was really more around when we got into a discussion with our European friends, it seemed to me as if we were doing this at year one, as if this was the first time anybody was trying to engage in information sharing. I found this to be especially true around the PNR agreement. And it was almost as if there was just an absence of any knowledge over the prior practice. So the book was also meant to kind of be a documentation of an established record that there has been a prior practice around these information sharing agreements. And so it was meant to put on the record what the US practice had been in sharing with our European friends and allies and other friendly countries around the world. So it established that.
And one of the trends that I did notice in doing this is that information sharing had previously been kind of handled at a very subject matter or technical level without a lot of fanfare, without a lot of media attention to it. Again, I'll go back and use the example of the social security totalization agreements. They were very straightforward in the beginning. They had simple couple of clauses or a couple of sentences that would address that the two countries will mutually recognize each other's frameworks for privacy and information sharing. But after 9-11, these very simple mutual recognition clauses became much more complex and there was much more attention paid to them. And so the agreements for information sharing became much more detailed. And they were really following common principles that had been established in both the US and Europe around the fair information practice principles that had been documented in both the European Directive and the US Privacy Act and also in the OECD guidelines of 1980. So this book really is, as you see through the more modern agreements, follows the principles that are enumerated under the fair information practice principles. And I really do try to give examples at each stage of what, say, a purpose limitation principle would look like in an agreement. So again, it's a very practical kind of a guide but meant to really put on the record what our practice has been.

And I would say also, as this started out back in the 70s, information sharing was much more technical. Now it's become extremely political. All you have to do is open the paper and just see the tensions that are going on that you can read about between the information sharing worlds in the US and EU has probably got the most press. And it's both in the cultural sector and also in the law enforcement sector as well. I think that might be enough just to sort of set up the premise of why I did this and I want to leave plenty of time for discussion.
So I'm going to pause here and really turn things over to Neil. And I want to say that I met Neil one summer when he was working at Homeland Security and I was still really leading on the international privacy work and he was very interested in it and I was extremely happy to have him as a willing assistant to help do research on the book later because he was willing to do it and interested. And so he's really been quite a resource. So I'll pause here and just say, Neil, why don't you comment on where you saw the book going and what you saw the book doing in the field of international privacy?

I spent the majority of my career in private practice. So what I've thought a great deal about is how these international data sharing agreements impact private entities, NGOs, corporations. I'd like to give a couple examples of how that's really played out over the last few years in my experience. So we've talked about the passenger name record agreement. Other agreements also exist that facilitate the sharing of personal data, personal information between a private organization, here being airlines, over to the government. Another good example is the terrorist finance tracking program that allows the sharing of data from private organizations over to government. There are still many other instances where we don't have agreements in place and I think it's interesting to focus on those because it puts these private entities in an interesting conflict of laws scenario. So for example, we have a great culture of non-governmental organizations operating around the world, NGOs. To function they need to receive money essentially. They get the money from donors, from governments, from all kinds of sources. When they're given money from most organizations, including governments, there's a grant agreement that has stringent vetting clauses. They require to be able to check that the money is going where it's meant to.
The US government has a particular interest in ensuring that it's not funding, say, terrorist activities or other activities that it would not think well of. Historically, most NGOs did this vetting internally, but over the last number of years due to a change in climate, several US government departments, agencies have begun to do vetting themselves, requesting that the NGOs hand over data of their key employees and their partner organizations when operating abroad. These organizations will be subject to their own local laws and by giving the data to the US, there's an interesting question of how does that exchange happen. When we look at the passenger name record agreement or the terrorist finance tracking program, there's a specific framework in place, but here the organizations have to decide am I going to risk being breached with my own local law without a government-to-government agreement framework being in existence or am I not going to take the money. It presents a lot of difficult issues and one of the things that we'll talk about today is when do we get to a point where the government decides we need to put in place this framework, we need to allow these entities to have legal certainty to be able to conduct operations. Another example, which I think is quite interesting is how personal data is transferred out of the European Union to the United States. Many of you may be familiar with the EU-US Safe Harbor Program. This is one of many data transfer mechanisms that can be used. In addition, you have EU model contracts, binding corporate rules, consent for very limited purposes, legal principles, several others. But what's interesting, I think many of you are aware the EU-US Safe Harbor Program has been under a lot of scrutiny the last couple years. There are questions about when information is provided over to the US authorities to law enforcement. 
But what's interesting is that the alternative, which is recommended by the European Commission and the European Parliament, is say, well, if we don't want to use Safe Harbor while that's being worked out, you should put in place a model contract. As compared to Safe Harbor, the data will transfer in either scenario. But under Safe Harbor, the private entities that are participating will be in compliance with their laws. And it's that some of the European authorities don't like the way that allows data to then be sent on to the government. In a model contract, it's the entities themselves may possibly be in breach of that model contract. The data will still go over to the authorities, but the difference being they're saying, if you decide to use this, then you'll be in breach and they can seek recourse against you. And I find this interesting because the data flows are still happening and there seems to be a preference in putting the private entities in breach of their contractual obligations rather than necessarily solving diplomatic channels. Which is what is currently being sought after is to find this resolution but at the same time, Safe Harbor is in the courts before the European Court of Justice and it's interesting which one will So these are some of the way I think about these issues and the things that I'm working on with this book.

I'd now like to open up to questions. I'm going to ask John a few to get things going. So to begin with, John, when does the U.S. government decide that it's necessary to enter into a data sharing agreement? What are the catalysts?

Well, it's really a wide spectrum of catalysts. You could say, you know, from a purely commercial standpoint, there would be a desire to enter into an agreement and an example of that would be the Safe Harbor agreement of 1990. I think somebody expressed interest in that as we went around the room. And that was really a recognition by U.S.
companies that, you know, there is this 1995 European Data Protection Directive that put restrictions on information flowing out of the country. So that's what we call and really motivated the commercial world to enter into that agreement. Then at the other end of the scale would be law enforcement, our national security, counterterrorism concerns. Again, following 9-11, you had a number of laws that were passed by Congress, for example, that law that really changed the visa waiver program. And it's a program that countries want to be qualified for because it is a very streamlined and expeditious way for your citizens to get visas to enter into the U.S. And Congress set some statutory requirements for countries to enter into the visa waiver program. And one of them was that the country entered into an information-sharing agreement around counterterrorism information. And so that was pushed by statute. But really there can be a wide mix of reasons to open up these agreements: foreign policy, as I said, commercial, immigration considerations. Also, perhaps an assessment of whether or not the partner has an existing framework of privacy laws or has a respect for the rule of law. So there is sort of these additional extra considerations that go on. And I think they're only going to increase in the need to have more and more agreements in this area. I know that the T-TIP discussions with the European Union, the free trade negotiations that are underway, there's a big debate right now as to whether or not data protection will be an element of that particular agreement. It's still ongoing.

Thank you. To follow up on that question, another thing that's quite interesting is in your experience, when the U.S. is negotiating these agreements, what are its key concerns? What are its must-haves in the agreement in order to be thought to walking away successful?
Well, I think I'll speak to as a privacy voice in the room at the table on these negotiations, what I'm looking for as a privacy advocate is that there be an adherence to the fair information practice principles, which is what the U.S. framework is built around under the Privacy Act of 1974. But a lot of this is driven initially by the question as to what is the primary purpose of the agreement? Is the primary purpose of the agreement really centered around information sharing or is it centered around something else where personal information is somewhat secondary to the whole arrangement? And an example of that might be, and I talked about this in the book somewhat, an example of that might be where you have SEC has engaged in a number of international agreements to do cross-border enforcement of securities violations. Privacy there is not the highest priority to that agreement, so it might not get the full set of protections that you would normally see in say the PNR agreement where the principal purpose of the PNR agreement was to share personal information. So what we're looking for from a U.S. privacy standpoint is following the well-established fair information practice principles and the result being mutual recognition that the other country recognizes your privacy framework. Mutual recognition has now got a new, a lot of people refer to it under a different nomenclature, they call it interoperability, but I'm using the old-fashioned term mutual recognition. Under the European framework they've kind of taken it as a one-way approach saying we will decide if you're adequate or not. Some people could say that that is a one-directional, it's no longer mutual recognition but it's one-way recognition. So I'll stop there. Anything you want to add, Neil?

No, I think that was great. Just one last question. How have you seen the climate change after the Snowden revelations and trying to negotiate these agreements?
Yeah, I mean, I have, my time in government service, I left after the Snowden revelation, so I've all just been watching it from the newspapers and the press. It has been interesting though. Clearly the Snowden revelations have had an impact on safe harbor. There were I think 13 reforms that were presented by the European Union to the safe harbor arrangements that were a result of, were post-Snowden, and of those I think at least three were national security issues about how is that information shared with law enforcement, how is it shared with your intelligence services, and that the European Union has asked that the U.S. side, that is the Department of Commerce, address these national security concerns. That's a very tough issue because the safe harbor agreement is really, it isn't a commercial channel and it really, both the Department of Commerce and the European Union side, the DPAs, it's outside their areas of what they call competence in the European Union or outside of the Department of Commerce's jurisdiction. So those are difficult questions to address and how they will address them remains to be seen. I know that there is the case before the European Court of Justice that is expected to come out. I think the Advocate General's opinion is going to come out next month, June 24, which will maybe be an indicator as to how the European Union views the post-Snowden world as it impacts the safe harbor.

The other thing I would say is the way post-Snowden has affected these negotiations is, I mentioned at the top of the presentation there has been an ongoing negotiation for law enforcement sharing between the U.S. and the EU. Most recently Congressman Sensenbrenner has introduced a bill in the House that would actually give non-U.S. persons rights of judicial redress in U.S. courts under certain circumstances under the Privacy Act, which as the Privacy Act is written now basically allows judicial redress only for U.S. citizens or lawful permanent residents.
That is something that you could say was a direct influence by post-Snowden and in fact the Chamber of Commerce and a long list of other tech companies have come out in support of that legislation. That is certainly all because I think the post-Snowden revelations and in the last area not so much around agreements but it does affect the cloud area. I think somebody expressed interest in cloud storage and the Snowden issue has been used by a lot of European companies to say we want to localize our clouds now because we can't trust you all on the other side of the Atlantic because of what's going on over there. Definitely lots of impacts.

One thing I might add to that, there's been an interesting fallout on private companies that are active elsewhere in the world, particularly in the EU. One of the data transfer mechanisms I mentioned a moment ago, Binding Corporate Rules, is really considered the gold seal of data transfer arrangements. Not too many entities have it, maybe 50 worldwide. Those that do, it's not just a means of legal compliance but it's supposed to attest to that organization's ability to be a good data privacy citizen. I've worked on these Binding Corporate Rules for several organizations and after Snowden revelations it instantly became much more difficult to get approvals for American companies. I have had local governments of data protection authorities approve Binding Corporate Rules in member states only to have the political arm of the government and the Ministry of Justice to what should have been a rubber stamp seal of approval hold up the process and turn it into a political engagement and ask us to really lobby behind the scenes and this was just before unprecedented. The interesting thing is these are organizations which are trying to be good data privacy citizens that want to be compliant with the law but they're essentially being frustrated due to what's happened.
So this time to open up the floor to any questions you might have. We have a microphone that we don't need to use and we'll put it back. Please.

I am a former law enforcement officer from United States Customs and Border Protection Agency and Homeland Security, and I did handle PNRs a lot, and as a federal officer we were, I always came under strict, strict scrutiny when I handled those documentation. Any flights coming to the United States entering U.S. space, to three out before the flight entered in the United States space we were given that documentation, not before that. Any other information, well, the documentation at that time, between 2003 and 2007, it came on paper. I don't know how it's happening now. And then, you know, we would use the PA. I was part of the intelligence unit and also we were part of the enforcement team, and I don't know what happened after that. We would give it to our supervisors after we used it. And then, what it called, as far as I work also the seaport, anything, any commas that came into the United States for LQE, landed quantity verification, they had to comply with CTPAT, customs partnership against terrorism. There's a certain scope there because you have to meet the ACS and EES, automated export system, automated custom selectivity. Is a criteria for passengers entering the United States, you got to meet the attack. For people coming from, what it called, visa waiver countries, you got to NTC, national targeting center in Langley, whatever they called, whatever their base, they would get a descramble information about, you know, potential candidates, I would call them, and then if there was anything given to us it would come to us through the attack system, terrorist affiliated country system, and then we would process it from there. But everything at that time was extremely, extremely, as a federal officer all this came under scrutiny, like making sure the information never really went out to anybody else, so even if I saw something I would just, I didn't see, two minutes
later I said I forgot, so it is like it came under strict scrutiny. Probably it is really advanced now.

And just to add to that, that's a very good point from being on the ground with actually using that data under the different agreements. In our agreements it's worth noting that not only does the privacy office for Homeland Security do oversight, but once a year we would have a delegation come over from the European Union and we would have at least a two to three day review where they would come out and actually go do site visits, to go to CBP and see their operations, and they would do a review of the entire process to satisfy themselves under the agreement that we were following how PNR was being handled. So that's just to give you a level of scrutiny that goes on with some of these arrangements with the U.S. government. I know in a different arrangement with the Department of Treasury, I believe it was the terrorist financing information sharing arrangement, they actually have a, the way the agreement is worded is an eminent European expert is to come over and do the review, so it's almost even a higher level of, I wouldn't say a higher level of intrusion, you would say maybe, from a foreign government actually to come in and sit and make a determination as to whether the agreement is operating properly or not. So one of the new features, as I mentioned there was a simple set of sentences that would have mutual recognition pronounced in the agreement, we've gotten now to the point where there is regular oversight, annual oversight, by the foreign government participating in the agreement to do a review.

Great. Other questions, comments?

So John mentioned Sensenbrenner's bill that would extend protection to non-residents of the U.S.
over data, and you said the IP and tech industry was in favor of that, and that surprised me a little bit because I would assume that, why do you want to increase your liability if you can avoid it? I was wondering if you could expand upon the thinking there a little bit.

Sure, and again I say this as, I'm now I guess retired, but I'm an interested sideline observer because I live through so much of that, so I am very interested all of those things. The Sensenbrenner bill, I've looked it over once, and it isn't as the way the media reported it, is it was just to give European Union citizens only rights of judicial redress, and if that was truly the case that would be highly discriminatory against the rest of the world. However, if you read the bill it actually says that a determination will be made on a country by country basis as to whether their citizens may have the rights of judicial redress. But the more interesting point is the one that you raise, which is why would this group of companies, and you can go online I think and look at, the department of the Chamber of Commerce has a copy of the letter online, but all the big companies, Google, Microsoft, Facebook, all the ones that the EU loves to kind of love to go after, signed on to this letter. And if you think about it, it really is no skin off of their nose, because what they're asking for is that the US government amend the Privacy Act of 1974. It doesn't apply to companies, it applies to the US government, so no one is going to be making a claim against Google or Facebook under this amendment. It's going to be the burden of the US government to take that on. Now way back when the Privacy Act was drafted there was some OMB guidance that said when you get into these mixed systems where you've got US citizens and non US citizens, if you can, try to treat it as if everybody has Privacy Act rights. But at DHS the way we solve that is we come up with a policy and we said if you're not a US citizen we'll give you administrative rights
but you can't go into court. Only Congress can change the law on that. So I have no idea what the likelihood is of the bill passing because I don't know what the constituency really holds for this. I mean, if these companies are serious, how hard are they going to lobby, I don't know. And I know former Secretary he would commit to go to Congress to push for this added right. I don't know what the new Attorney General's position is on this. But I hope that answers your question.

It makes a lot of sense.

I would also like to add, as far as organizations deciding to differentiate how they're going to treat individuals and how they're going to comply with law as they structure their business, this has been something that's been around for quite some time, as any multinational organization will be subject to different requirements each jurisdiction. If you go on to their websites and you read their privacy policy and try to get a deeper dive into how they're structuring their privacy, you'll see that some of these organizations try to thread the needle and afford rights and protections based on where you're located or their data is located. But a lot of other organizations, they have a concern people might go on, they'll see this, and we don't want the public to perceive us as only giving certain rights to say people need you and not for them to Americans. One of these areas where it becomes very clear is the topic of data subject rights, the right to request a copy of your data, to correct it, delete it, to block it. And many times we'll see privacy policy will say if you're a citizen of the European Union or if you're a resident in the EU, if your data is in the EU, they'll try to carve it out. But in ever increasing rate that's not happening, and a good example is if you look at Facebook. You can now go on to Facebook, it doesn't matter where you are, you can pull off a copy of your data. It's really stemming from an obligation under European law but it's open to Americans, people in South America,
people in Russia, anywhere you are, they're extending this right, and I think this is a reflection of the globalization of privacy.

A very oddly silent Berkman crowd.

I'd like to say, I'll mention just, I really, I'm interested in watching to see whether a global privacy framework will emerge or not. I mean, you sort of have, I mean very, very roughly, you have the European model, which really is an omnibus approach where data protection is a fundamental human right. Then you have the US model, which is a much more sectoral approach. I mean, it's all depending on what type of data is and what sector you're in, you're going to have a different, you may have a different law that applies. And then you have the rest of the world, which is kind of deciding where they want to go, do they want to blend of both, do they want to go with the European approach or still wait and watch. And I'm an optimist and I'm confident that this can be worked out eventually. We seem to be able to work out global standards in other areas of international commerce and standards, so why should privacy not be able to work out a global arrangement of some type. I know the UN is actually, there has been calls in the United Nations to come up, address a convention around this. Whether that will happen I don't know, but to me it's just, it's indicating that there is more and more interest in trying to find a global framework.

What effect would the proposed Trans-Pacific Treaty have on privacy either here or in the other countries that sign it?

I'm sorry, the transmission was broken there. I just heard Pacific Treaty. Could you repeat?

The question was how do you view the Trans-Pacific trade agreement impacting privacy and what might come out of that?

Yeah, that's a good question. I wish I had followed that closer. I don't know, I really don't know to the extent that privacy has been the focus of any prolonged negotiation there. I mean, I think that the Europeans are watching what happens with the Trans-Pacific agreement to
see, you know, it, will that set any kind of a precedent for what happens with their agreement. But I, I just haven't heard of privacy being a big focus with the Pacific Agreement.

We could add that in the Trans-Atlantic Agreement many Europeans have called for privacy to, actually it's quite split: some call for privacy to be taken off the table, some want it to be put on the table. And I guess the main obstacle is that much of trade negotiations are behind closed doors, and what we see is really a brief summary into what is going on. So transparency is definitely an issue.

I will add to that that, I mean, within APEC there is a privacy framework from 2005 that basically follows the Fair Information Practice principles with one additional principle, and that is a principle of harm, that harm really has to be part of any showing of, in a privacy framework. And within APEC they have been developing basically a cross-border privacy regime, I think they call it CBPR, and it's really looking to try to say that any country that signs on to these principles under the APEC privacy framework and can demonstrate that they have a privacy enforcement authority part of this regime. It's still very early going. The U.S.
has signed up. I believe Mexico and Japan have expressed some interest, and possibly Canada. So APEC will certainly have a lot of trade clout and may have some influence on the Pacific negotiations. And while, I mean, talking, and people have questions, and it's outside of the area of agreements, but it's, I think, another interesting area to watch is the right to be forgotten, which was the Google case that came out of Spain. And there are questions right now as to, you know, some in Europe want to see that, that right to be forgotten applied to the world, and Google is maintaining, well, they will adhere to the European Court of Justice opinion within the European Union, but they're not going to apply it worldwide. And so again, this is a bigger global question, and it's an intersection between privacy and international law and where that comes out.

And to further on the topic, right to be forgotten, it really is a good case study of the globalization of privacy and how countries are working together. So in the EU itself, the European Commission has called for a harmonization of criteria as to how they evaluate right to be forgotten cases. But what we're seeing is each member state, as they go and try their own cases and with the DPA, they're not all the same. And so you have member states, sovereign countries, trying to have a measure of autonomy and how they're going to be decided, yet the EU at the top saying we want to bring under one regime, and it creates this conflict. Another example on this topic: many have, may have seen that Facebook was recently in trouble with the Belgian Data Protection Authority. The way European Data Privacy Law is structured by the EU, basically for Facebook it goes to Ireland. I'll save you the long legal explanation, but by establishing the EU it goes to one member state. With privacy, because it tends to be something that can be very important to people, very important to governments, you'll see that countries will sometimes try to assert jurisdiction where it's
questionable. And as privacy is further globalized, it's quite difficult, even where you have an international framework in place, to ensure that all the actors, including the governments, are going to really toe the line, as they say. Any other questions or comments?

We often talk about the internet here as being based upon giving away our personal information, that they say if something is free then you're the product. And yet this seems like it could fly in the face in particular of European notions of privacy and data protection. And so I'm curious about where we're going to come down. Are we going to see the Europeans, at least in a business to business environment, allow for more readily third party data sharing, cloud storage, everything else? Or is Facebook going to have to do what the Belgians want to do and do it around the rest of the world, as you were suggesting they're doing with some of their privacy policies?

Big question. I'm sorry, John, would you like to take a

I'll just make some observations, probably not well thought out. But I noticed companies like Facebook and Google are building very large server farms in Europe, so I think that they recognize that there's going to be some localization coming their way. I think that's the direction that the European Union is looking to reform their data protection directive into a regulation, and in many ways it's going to be, it's going to have some major controls around, around the internet and around localization. So I think that's why some of these big companies are doing what they're doing. The most extreme example, which is not EU, but just to put it out there to illustrate the point, is Russia has a very draconian law that is about to go into effect, which really requires that the data can't leave Russia. It has to stay in Russia. And that is an extreme example of localization. I think you're right, it runs counter to the idea of a cloud. A cloud is supposed to be efficient and borderless. And the European Union, they've been very direct
about saying, look, we need time for some of our companies to catch up. So in some ways this is almost a protective measure. But again, my personal observations only.

I would also just add to that, there really is not enough case law in this area yet. And when you see reports that came out of Belgium and other reports from different governments around the world, a lot of this is the regulator making a statement and an opinion. Going through the courts, quite often when it does, it comes out differently. Regulators are known to be a bit more aggressive. You can take a lot of liberties when asserting jurisdiction in an opinion or report than you might be able to take and say in front of a court. And so there's definitely a difference between what we see in case law and to what we see maybe coming out of the commission or a member state case or anywhere else in the world. The gentleman had a question.

This idea of setting up data centers in the, does the physical location actually matter if the company is an American company? That's a debate I've heard a number of times in the EU.

For what purpose?

Well, when it comes to deciding whether certain data is to be handed over to US authorities.

Well, I was going to say, for example, I mean, that was, that was a big issue in the Google case. You know, Google, the Spain is, I mean, Spain asserted jurisdiction over Google because it was on the basis actually of advertising that they were able to claim jurisdiction over the American Google headquarters. So I think companies are recognizing that, you know, they're going to come under the jurisdiction of Europe, so they may have to actually put themselves in a position where they are local in case there are going to be these restrictions on moving the data out.

And in regards to the cloud providers, what you'll see if you get into the agreements is that most of the big cloud providers will now allow you to either designate the country or region of storage. That's intended to allow companies to better comply with their
own local laws, so you don't have to necessarily address data transfer obligations if the data isn't leaving that country. I guess the question then becomes, if you have an organization with storing data wholly, so if you have, say, Microsoft, you have Microsoft Azure, you're a customer in Europe and you select a member state in Europe to store your data for, but you're, say, maybe running this through the US as the client, but for your European customers you're allowed to stay there, does the US courts have authority to issue a subpoena to Microsoft to get the data on behalf of this American company which being stored exclusively in Europe? That, I think, we're still waiting to see it come out, and it'll be interesting to find out what happens. Any other last questions or comments? We have a couple more minutes. What did you guys have for lunch?

This, you know, data centers being set up in Europe, and if the data cannot leave in the European countries to come to the IRC, that means, you know, I've been studying servers the last couple of years, and there's something called as Active Directory, and inside Active Directory of the GPO, Global Policy Objects, Group Policy Objects. The Group Policy Objects is a US company, it will be controlled by somebody in the United States, so they will decide whether they can pull up the data through cloud and bring it to the United States. So how is that, how is that, how is that jurisdiction going to work? Because the US company, you call the shots in the United States, and I'll go inside and I'll open up, open up GPO, I'll go to Active Directory, GPO, bank, I'll transfer everything down here from the server that's found in Europe, fragile cloud, bring it to the United States. Nobody exceeds that. And that's what Microsoft has created, because I'm MCSS certified, so that's what I've learned. There's no doubt that they can technically, because, you know, you can keep your servers anywhere as long as you have the, if you have Microsoft Windows Server 2012 out to sitting on it, that's the
best to honest it. They've created at least thousands and thousands of VMs on them and put everything up in the cloud and start manipulating your GPOs and Active Directory. Nobody will know unless somebody in NSN knows about it.

So I think on that note we'll conclude for the day. I have a couple copies of the book with me up at the front if you want to take a look. They're available on the American Bar Association's website. And to the Berkman Center being hosting us today and hosting this past year as a research fellow, so thank you very much to Berkman. And David, we'll do that after. But John, any closing comments?

No, I just appreciate everyone showing up on their lunch hour, and I hope you found the discussion useful. And I would just say, watch this space. Privacy and international developments are going to continue to be interesting to watch, and I think that the dialogue is just getting started. So keep watching, and thanks again for your hospitality.